Inera Core Implementation Guide
0.2.0 - ci-build
Sweden
Inera Core Implementation Guide - Local Development build (v0.2.0) built by the FHIR (HL7® FHIR® Standard) Build Tools.
This page describes security and privacy requirements for Swedish FHIR implementations, focusing on compliance with Patientdatalagen (PDL), GDPR, and national healthcare regulations.
The Swedish Patient Data Act (Patientdatalagen, SFS 2008:355) and SVOD (Lag 2022:913 om sammanhållen vård) regulate:
FHIR security implementations should prepare for European Health Data Space (EHDS) requirements on access control, logging, and patient rights. For architectural alignment with EHDS and EEHRxF, see the Migration Guide.
This guide encourages the use of the SMART App Launch Framework for client authentication:

```http
GET /authorize?
response_type=code&
client_id=clinic-app-123&
redirect_uri=https://clinic.example.se/callback&
scope=patient/Condition.read patient/Observation.read launch/patient&
state=abc123&
aud=https://fhir.example.se
```
Scopes for Swedish Healthcare:

| Scope | Description | Use Case |
|---|---|---|
| patient/*.read | Read all patient data | Patient portal |
| patient/Condition.read | Read conditions only | Diagnosis viewer |
| user/Practitioner.read | Practitioner can read patients | Clinician access |
| system/*.read | Backend system access | Integration engine |
| launch/patient | Launch with patient context | EHR-integrated app |
JWT tokens should include the Swedish HSA-ID of the practitioner and of the organization:

```json
{
"sub": "SE2321000016-123456",
"name": "Anna Andersson",
"hsaid": "SE2321000016-123456",
"hsaid_type": "practitioner",
"organization_hsaid": "SE2321000016-A001",
"profession": "physician",
"scope": "user/Patient.read user/Condition.read"
}
```
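The scope table and the token claims above translate into a per-request authorization decision. The following is an added example, not code from the guide: it assumes the token signature has already been verified, that the claim names are the ones shown above, and that the HSA-ID shape matches the guide's samples; all function names are hypothetical.

```python
"""SMART scope and HSA-ID claim check (added example, not the guide's own code).

Assumes a signature-verified token whose claims use the names shown above
("scope", "hsaid", "organization_hsaid"); function names are hypothetical.
"""
import re

# Assumed HSA-ID shape, derived from the samples: "SE" + 10 digits + "-" + local part.
HSA_ID_RE = re.compile(r"^SE\d{10}-[A-Za-z0-9]+$")


def parse_scope(scope):
    """Split 'patient/Condition.read' into ('patient', 'Condition', 'read'); None for launch/* scopes."""
    if "/" not in scope or "." not in scope:
        return None
    context, rest = scope.split("/", 1)
    resource, permission = rest.rsplit(".", 1)
    return context, resource, permission


def scope_allows(scopes, resource_type, interaction):
    """True if any granted scope covers the requested resource type and interaction (read/write)."""
    for scope in scopes.split():
        parsed = parse_scope(scope)
        if parsed is None:
            continue
        _context, resource, permission = parsed
        if resource in ("*", resource_type) and permission in ("*", interaction):
            return True
    return False


def authorize(claims, resource_type, interaction):
    """Return (allowed, reason); both HSA-ID claims must be present and well formed."""
    for claim in ("hsaid", "organization_hsaid"):
        if not HSA_ID_RE.match(str(claims.get(claim, ""))):
            return False, f"missing or malformed {claim}"
    if not scope_allows(claims.get("scope", ""), resource_type, interaction):
        return False, f"scope does not permit {interaction} on {resource_type}"
    return True, "ok"
```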
Access to patient data requires a documented care relationship. For Swedish implementations, this includes verification of Tillgänglig Patient (TGP) — confirming that the patient has an existing journal relationship with the requesting healthcare provider.
For detailed architectural guidance on implementing TGP in FHIR/SMART environments, see TGP Guidance.
Purpose of Use Codes (HL7 v3 PurposeOfUse):
| Code | Display | Swedish Equivalent |
|---|---|---|
| TREAT | Treatment | Vård och behandling |
| ETREAT | Emergency Treatment | Akut vård |
| PATADMIN | Patient Administration | Patientadministration |
| CLINTRCH | Clinical Research | Klinisk forskning |
Swedish healthcare has two types of access blocks:
Inner block (inre spärr): the patient restricts access within a single healthcare provider (vårdgivare) between departments or care units.

```json
{
"resourceType": "Consent",
"status": "active",
"scope": {"coding": [{"code": "patient-privacy"}]},
"category": [{
"coding": [{
"system": "https://inera.se/fhir/core/CodeSystem/consent-category-se",
"code": "inner-block"
}]
}],
"patient": {"reference": "Patient/191212121212"},
"organization": [{"reference": "Organization/caregiver-0000"}],
"policyRule": {"coding": [{"code": "OPTOUT"}]},
"provision": {
"type": "deny",
"period": {"start": "2025-01-01"},
"data": [{
"meaning": "related",
"reference": {"reference": "Condition/sensitive-diagnosis"}
}]
}
}
```
Outer block (yttre spärr): the patient restricts access between different healthcare providers (vårdgivare) via NPÖ (Nationell Patientöversikt).

```json
{
"resourceType": "Consent",
"category": [{
"coding": [{
"code": "outer-block",
"display": "Yttre spärr (NPÖ)"
}]
}],
"provision": {
"type": "deny",
"actor": [{
"role": {"coding": [{"code": "national-access"}]},
"reference": {"identifier": {"value": "NPO-SYSTEM"}}
}]
}
}
```
Mark resources with security classifications:

```json
{
"resourceType": "Condition",
"meta": {
"security": [
{
"system": "http://terminology.hl7.org/CodeSystem/v3-Confidentiality",
"code": "R",
"display": "Restricted"
},
{
"system": "https://inera.se/fhir/core/CodeSystem/security-label-se",
"code": "INNER_BLOCK",
"display": "Inre spärr aktiv"
}
]
}
}
```
Swedish Security Labels:

| Code | Display | Scope | Access Requirement |
|---|---|---|---|
| INNER_BLOCK | Inre spärr | Within healthcare provider (vårdgivare) | Override consent required within same EHR |
| OUTER_BLOCK | Yttre spärr | Between healthcare providers | National emergency access only (NPÖ) |
| SENSITIVE | Känslig information | All systems | Additional authentication |
| SEKRETESS | Sekretessmarkerad | All systems | Legal protection (socialtjänst) |
The server must filter results based on active consents:

```http
GET /Condition?patient=191212121212
```

Response:

```json
{
"resourceType": "Bundle",
"total": 3,
"entry": [
{"resource": {"id": "condition-1"}}, // Visible
{"resource": {"id": "condition-2"}} // Visible
// condition-3 filtered due to inner block
],
"extension": [{
"url": "https://inera.se/fhir/core/StructureDefinition/blocked-resources-indicator",
"valueBoolean": true
}]
}
```
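The security-label table and the filtered search response above can be implemented as a small policy step in front of the search result. This is an added example, not Inera's reference implementation; it assumes that the owning provider is read from the data-origin tag, that the requester is described by a plain dict, that an inner block is lifted only by an override consent within the same provider, and that an outer block is lifted only by emergency access. Helper names are hypothetical.

```python
"""Consent-aware search filtering (added example, not Inera's reference code).

Assumptions: owning provider = data-origin tag; inner block lifted only by
override consent within the same provider; outer block only by emergency access.
"""
LABEL_SYSTEM = "https://inera.se/fhir/core/CodeSystem/security-label-se"
ORIGIN_SYSTEM = "https://inera.se/fhir/core/CodeSystem/data-origin"
INDICATOR_URL = "https://inera.se/fhir/core/StructureDefinition/blocked-resources-indicator"


def _meta_codes(resource, element, system):
    """Codes from meta.security or meta.tag that belong to the given code system."""
    return {c.get("code") for c in resource.get("meta", {}).get(element, [])
            if c.get("system") == system}


def is_visible(resource, requester):
    """Apply inre/yttre spärr to one resource for the given requester (deny by default)."""
    labels = _meta_codes(resource, "security", LABEL_SYSTEM)
    owners = _meta_codes(resource, "tag", ORIGIN_SYSTEM)
    cross_provider = bool(owners) and requester["organization_hsaid"] not in owners
    if "OUTER_BLOCK" in labels and cross_provider:
        # Yttre spärr: only national emergency access may cross the provider boundary.
        return bool(requester.get("emergency_override"))
    if "INNER_BLOCK" in labels:
        # Inre spärr: needs a documented override consent, and only within the same provider.
        return not cross_provider and bool(requester.get("override_consent"))
    return True


def filter_search_result(resources, requester):
    """Searchset Bundle with only visible resources, flagged when anything was withheld."""
    visible = [r for r in resources if is_visible(r, requester)]
    bundle = {
        "resourceType": "Bundle",
        "type": "searchset",
        "total": len(visible),  # assumption: total counts released entries only
        "entry": [{"resource": r} for r in visible],
    }
    if len(visible) != len(resources):
        bundle["extension"] = [{"url": INDICATOR_URL, "valueBoolean": True}]
    return bundle
```

The blocked-resources-indicator extension, not the count, is what tells the client that filtering took place.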
Every access must generate an AuditEvent:
```json
{
"resourceType": "AuditEvent",
"type": {
"system": "http://terminology.hl7.org/CodeSystem/audit-event-type",
"code": "rest",
"display": "RESTful Operation"
},
"subtype": [{
"system": "http://hl7.org/fhir/restful-interaction",
"code": "search",
"display": "search"
}],
"action": "E",
"recorded": "2025-11-24T10:30:00+01:00",
"outcome": "0",
"agent": [
{
"type": {
"coding": [{
"system": "http://terminology.hl7.org/CodeSystem/extra-security-role-type",
"code": "humanuser"
}]
},
"who": {
"identifier": {
"system": "https://hsaid.se",
"value": "SE2321000016-123456"
},
"display": "Anna Andersson"
},
"requestor": true,
"network": {
"address": "192.168.1.100",
"type": "2"
}
}
],
"source": {
"site": "FHIR Server - Region VGR",
"identifier": {
"value": "https://fhir.vgregion.se"
}
},
"entity": [
{
"what": {
"reference": "Patient/191212121212"
},
"type": {
"system": "http://terminology.hl7.org/CodeSystem/audit-entity-type",
"code": "1",
"display": "Person"
},
"role": {
"system": "http://terminology.hl7.org/CodeSystem/object-role",
"code": "1",
"display": "Patient"
}
},
{
"what": {
"reference": "Condition/diagnosis-123"
},
"type": {
"system": "http://terminology.hl7.org/CodeSystem/audit-entity-type",
"code": "2",
"display": "System Object"
}
}
],
"extension": [{
"url": "https://inera.se/fhir/core/StructureDefinition/care-relationship-id",
"valueIdentifier": {
"system": "urn:oid:1.2.752.129.2.1.2.1",
"value": "encounter-12345"
}
}]
}
```
| Event | Required Fields | Retention |
|---|---|---|
| Read | agent.who, entity.what, recorded | 3 years (PDL) |
| Search | agent.who, query parameters, results count | 3 years |
| Create/Update | agent.who, entity.what, changes | 3 years |
| Export | agent.who, data range, purpose | 10 years |
| Consent Override | agent.who, reason, approver | 10 years |
Support AuditEvent search for patient access requests (GDPR Article 15):
```http
GET /AuditEvent?entity.what=Patient/191212121212
&date=ge2024-01-01
&_sort=-recorded
&_count=100
```
Patient should be able to see:
All FHIR endpoints MUST use TLS 1.3 with one of the following cipher suites:

```text
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
```
Certificate Requirements:
Databases storing FHIR resources should use:
When sharing data for research (non-treatment purposes):
```json
{
"resourceType": "Condition",
"id": "anonymous-123",
"meta": {
"security": [{
"code": "ANON",
"display": "Anonymized"
}]
},
"subject": {
"identifier": {
"system": "urn:oid:1.2.752.129.2.1.3.99",
"value": "HASH-abc123def"
}
},
"code": {
"coding": [{
"code": "I10"
// No display text to reduce re-identification risk
}]
},
"onsetDateTime": "2024-11" // Reduced precision (month only)
}
```
Anonymization Techniques:
Resources should indicate owning organization:
```json
{
"resourceType": "Condition",
"meta": {
"tag": [{
"system": "https://inera.se/fhir/core/CodeSystem/data-origin",
"code": "SE2321000016-0000",
"display": "Region Västra Götaland"
}]
}
}
```
For cross-regional access via NPÖ:
```http
GET /Condition?patient=191212121212
Authorization: Bearer <NPO-token>
X-Requesting-Organization: SE2321000131-0000
X-NPO-Context: national-summary
```
Server checks:
In emergencies, consent restrictions may be overridden:

```http
GET /Condition?patient=191212121212
Authorization: Bearer <token>
X-Emergency-Override: true
X-Emergency-Justification: "Cardiac arrest - ER"
X-Approver-HSA-ID: SE2321000016-999999
```
Requirements:
AuditEvent for Override:
```json
{
"resourceType": "AuditEvent",
"subtype": [{
"system": "https://inera.se/fhir/core/CodeSystem/audit-event-subtype",
"code": "emergency-override"
}],
"purposeOfEvent": [{
"coding": [{
"code": "ETREAT",
"display": "Emergency Treatment"
}]
}],
"extension": [{
"url": "justification",
"valueString": "Cardiac arrest - need medication history"
}, {
"url": "approver",
"valueReference": {"identifier": {"value": "SE2321000016-999999"}}
}]
}
```
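The override request headers and the matching AuditEvent above fit together as one server-side handler: reject the request unless every override header is present and well formed, and otherwise grant it together with the audit record that must be persisted. This is an added example, not the guide's own code; it assumes the three headers shown above, an already authenticated requester dict, a caller-supplied timestamp, a minimum justification length and a rule that the approver may not be the requester. Function names are hypothetical.

```python
"""Emergency-override handling (added example, not the guide's own code).

Assumptions: the X-Emergency-* / X-Approver-HSA-ID headers shown above, an
authenticated requester dict, a caller-supplied 'recorded' timestamp, a minimum
justification length and an approver-is-not-requester rule (all assumed).
"""
import re

HSA_ID_RE = re.compile(r"^SE\d{10}-[A-Za-z0-9]+$")  # assumed HSA-ID shape, from the guide's samples
SUBTYPE_SYSTEM = "https://inera.se/fhir/core/CodeSystem/audit-event-subtype"
MIN_JUSTIFICATION = 10  # assumed minimum length of the free-text justification


def validate_override_headers(headers, requester):
    """Return a list of problems; an empty list means the override request is acceptable."""
    problems = []
    if headers.get("X-Emergency-Override", "").lower() != "true":
        problems.append("X-Emergency-Override is not 'true'")
    justification = headers.get("X-Emergency-Justification", "").strip().strip('"')
    if len(justification) < MIN_JUSTIFICATION:
        problems.append("X-Emergency-Justification missing or too short")
    approver = headers.get("X-Approver-HSA-ID", "")
    if not HSA_ID_RE.match(approver):
        problems.append("X-Approver-HSA-ID missing or malformed")
    elif approver == requester.get("hsaid"):
        problems.append("approver must not be the requester")
    return problems


def override_audit_event(headers, requester, patient_id, recorded):
    """AuditEvent for a granted override, shaped like the emergency-override sample above."""
    return {
        "resourceType": "AuditEvent",
        "type": {"system": "http://terminology.hl7.org/CodeSystem/audit-event-type", "code": "rest"},
        "subtype": [{"system": SUBTYPE_SYSTEM, "code": "emergency-override"}],
        "action": "E", "recorded": recorded, "outcome": "0",
        "purposeOfEvent": [{"coding": [{"code": "ETREAT", "display": "Emergency Treatment"}]}],
        "agent": [{"who": {"identifier": {"system": "https://hsaid.se", "value": requester["hsaid"]}},
                   "requestor": True}],
        "entity": [{"what": {"reference": f"Patient/{patient_id}"}}],
        "extension": [
            {"url": "justification", "valueString": headers["X-Emergency-Justification"].strip().strip('"')},
            {"url": "approver", "valueReference": {"identifier": {"value": headers["X-Approver-HSA-ID"]}}},
        ],
    }


def handle_override(headers, requester, patient_id, recorded):
    """Deny with the problems found, or grant and return the AuditEvent that must be stored."""
    problems = validate_override_headers(headers, requester)
    if problems:
        return {"granted": False, "problems": problems}
    return {"granted": True, "audit": override_audit_event(headers, requester, patient_id, recorded)}
```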
```http
GET /Condition?patient=191212121212&_anonymize=true
Authorization: Bearer <research-token>
```

The server response strips identifiers:

```json
{
"resourceType": "Condition",
"id": "ANON-abc123",
"subject": {
"reference": "Patient/PSEUDO-xyz789"
},
"code": {
"coding": [{"code": "I10"}]
}
// No recorder, no encounter references
}
```
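The two anonymized Condition samples on this page (the research export above and the `_anonymize=true` response) describe the same transformation: pseudonymise the subject, drop direct references, remove display text and reduce date precision. The following is an added example implementing that transformation, not the guide's or Inera's code. It assumes a keyed hash (HMAC-SHA256 with a per-project secret) as the pseudonymisation method, which the guide does not specify, and an assumed list of dropped elements; the secret in the test is a constructed placeholder.

```python
"""Anonymization of a Condition for research export (added example, not the guide's code).

Assumptions: HMAC-SHA256 with a per-project secret as the (unspecified) pseudonym
function; the dropped-element list is assumed; the identifier system is the one
used in the guide's anonymized sample.
"""
import hashlib
import hmac

PSEUDONYM_SYSTEM = "urn:oid:1.2.752.129.2.1.3.99"
# Elements carrying direct or quasi-identifiers, removed from the export (assumed list).
DROPPED_ELEMENTS = ("recorder", "asserter", "encounter", "note", "identifier", "text", "meta")


def pseudonym(value, secret):
    """Stable keyed pseudonym: the same input maps to the same value within one project."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:16]


def anonymize_condition(condition, secret):
    """Return a research copy: pseudonymised subject and id, no display text, month-only onset."""
    patient_id = condition["subject"]["reference"].split("/", 1)[1]
    out = {k: v for k, v in condition.items() if k not in DROPPED_ELEMENTS}  # input is not mutated
    out["id"] = "ANON-" + pseudonym("Condition/" + condition["id"], secret)
    out["meta"] = {"security": [{"code": "ANON", "display": "Anonymized"}]}
    out["subject"] = {"identifier": {"system": PSEUDONYM_SYSTEM,
                                     "value": "HASH-" + pseudonym(patient_id, secret)}}
    # Keep system and code; display text is dropped to reduce re-identification risk.
    out["code"] = {"coding": [{k: v for k, v in c.items() if k != "display"}
                              for c in condition.get("code", {}).get("coding", [])]}
    if "onsetDateTime" in out:
        out["onsetDateTime"] = out["onsetDateTime"][:7]  # YYYY-MM, month precision only
    return out
```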
Annual penetration testing should cover:
Monthly Checks:
Quarterly Reviews:
For affected patients:
```text
Notice of a data breach

Region [X] informs you that unauthorised access to your medical record data
may have occurred on [DATE]. The following data may have been exposed:
- Diagnoses recorded between [PERIOD]
- Medications prescribed by [UNIT]

We have taken the following measures:
[DESCRIPTION OF MEASURES]

Contact the data protection officer: dpo@region.se
```
```http
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
Permissions-Policy: geolocation=(), camera=(), microphone=()
```
For legally binding documents:
```json
{
"resourceType": "Provenance",
"signature": [{
"type": [{
"code": "1.2.840.10065.1.12.1.1",
"display": "Author's Signature"
}],
"when": "2025-11-24T10:00:00+01:00",
"who": {
"identifier": {"value": "SE2321000016-123456"}
},
"sigFormat": "application/jose",
"data": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
}]
}
```
Use Swedish BankID for signature generation in high-assurance scenarios.
Implementation must satisfy: