REST Resource: projects.locations.datasets.fhirStores

Resource: FhirStore

Represents a FHIR store.

JSON representation
{
  "name": string,
  "enableUpdateCreate": boolean,
  "notificationConfig": {
    object(NotificationConfig)
  },
  "disableReferentialIntegrity": boolean,
  "disableResourceVersioning": boolean,
  "labels": {
    string: string,
    ...
  },
  "version": enum(Version),
  "streamConfigs": [
    {
      object(StreamConfig)
    }
  ],
  "enableHistoryModifications": boolean,
  "validationConfig": {
    object(ValidationConfig)
  },
  "defaultSearchHandlingStrict": boolean,
  "searchConfig": {
    object(SearchConfig)
  },
  "notificationConfigs": [
    {
      object(FhirNotificationConfig)
    }
  ],
  "consentConfig": {
    object(ConsentConfig)
  },
  "complexDataTypeReferenceParsing": enum(ComplexDataTypeReferenceParsing)
}
Fields
name

string

Output only. Identifier. Resource name of the FHIR store, of the form projects/{projectId}/locations/{location}/datasets/{datasetId}/fhirStores/{fhirStoreId}.

enableUpdateCreate

boolean

Whether this FHIR store has the updateCreate capability. This determines if the client can use an Update operation to create a new resource with a client-specified ID. If false, all IDs are server-assigned through the Create operation and attempts to update a non-existent resource return errors. It is strongly advised not to include or encode any sensitive data such as patient identifiers in client-specified resource IDs. Those IDs are part of the FHIR resource path recorded in Cloud audit logs and Pub/Sub notifications. Those IDs can also be contained in reference fields within other resources. Defaults to false.

notificationConfig
(deprecated)

object(NotificationConfig)

Deprecated. Use notificationConfigs instead. If non-empty, publish all resource modifications of this FHIR store to this destination. The Pub/Sub message attributes contain a map with a string describing the action that has triggered the notification. For example, "action":"CreateResource".

disableReferentialIntegrity

boolean

Immutable. Whether to disable referential integrity in this FHIR store. This field is immutable after FHIR store creation. The default value is false, meaning that the API enforces referential integrity and fails the requests that result in inconsistent state in the FHIR store. When this field is set to true, the API skips referential integrity checks. Consequently, operations that rely on references, such as GetPatientEverything, do not return all the results if broken references exist.

disableResourceVersioning

boolean

Immutable. Whether to disable resource versioning for this FHIR store. This field can not be changed after the creation of FHIR store. If set to false, all write operations cause historical versions to be recorded automatically. The historical versions can be fetched through the history APIs, but cannot be updated. If set to true, no historical versions are kept. The server sends errors for attempts to read the historical versions. Defaults to false.

labels

map (key: string, value: string)

User-supplied key-value pairs used to organize FHIR stores.

Label keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}_-]{0,62}

Label values are optional, must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}\p{N}_-]{0,63}

No more than 64 labels can be associated with a given store.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

version

enum(Version)

Required. Immutable. The FHIR specification version that this FHIR store supports natively. This field is immutable after store creation. Requests are rejected if they contain FHIR resources of a different version. Version is required for every FHIR store.

streamConfigs[]

object(StreamConfig)

A list of streaming configs that configure the destinations of streaming export for every resource mutation in this FHIR store. Each store is allowed to have up to 10 streaming configs. After a new config is added, the next resource mutation is streamed to the new location in addition to the existing ones. When a location is removed from the list, the server stops streaming to that location. Before adding a new config, you must add the required bigquery.dataEditor role to your project's Cloud Healthcare Service Agent service account. Some lag (typically on the order of dozens of seconds) is expected before the results show up in the streaming destination.

enableHistoryModifications

boolean

Optional. Whether to allow ExecuteBundle to accept history bundles, and directly insert and overwrite historical resource versions into the FHIR store. If set to false, using history bundles fails with an error. Defaults to false.

validationConfig

object(ValidationConfig)

Configuration for how to validate incoming FHIR resources against configured profiles.

defaultSearchHandlingStrict

boolean

If true, overrides the default search behavior for this FHIR store to handling=strict which returns an error for unrecognized search parameters. If false, uses the FHIR specification default handling=lenient which ignores unrecognized search parameters. The handling can always be changed from the default on an individual API call by setting the HTTP header Prefer: handling=strict or Prefer: handling=lenient. Defaults to false.

searchConfig

object(SearchConfig)

Configuration for how FHIR resources can be searched.

notificationConfigs[]

object(FhirNotificationConfig)

Specifies where and whether to send notifications upon changes to a Fhir store.

consentConfig

object(ConsentConfig)

Optional. Specifies whether this store has consent enforcement. Not available for DSTU2 FHIR version due to absence of Consent resources.

complexDataTypeReferenceParsing

enum(ComplexDataTypeReferenceParsing)

Enable parsing of references within complex FHIR data types such as Extensions. If this value is set to ENABLED, then features like referential integrity and Bundle reference rewriting apply to all references. If this flag has not been specified the behavior of the FHIR store will not change, references in complex data types will not be parsed. New stores will have this value set to ENABLED after a notification period. Warning: turning on this flag causes processing existing resources to fail if they contain references to non-existent resources.

Version

The FHIR specification version.

Enums
VERSION_UNSPECIFIED VERSION_UNSPECIFIED is treated as STU3 to accommodate the existing FHIR stores.
DSTU2 Draft Standard for Trial Use, Release 2
STU3 Standard for Trial Use, Release 3
R4 Release 4

StreamConfig

Contains configuration for streaming FHIR export.

JSON representation
{
  "resourceTypes": [
    string
  ],

  // Union field destination can be only one of the following:
  "bigqueryDestination": {
    object(BigQueryDestination)
  },
  "deidentifiedStoreDestination": {
    object(DeidentifiedStoreDestination)
  }
  // End of list of possible types for union field destination.
}
Fields
resourceTypes[]

string

Supply a FHIR resource type (such as "Patient" or "Observation"). See https://www.hl7.org/fhir/valueset-resource-types.html for a list of all FHIR resource types. The server treats an empty list as an intent to stream all the supported resource types in this FHIR store.

Union field destination. Specifies the streaming destination. destination can be only one of the following:
bigqueryDestination

object(BigQueryDestination)

The destination BigQuery structure that contains both the dataset location and corresponding schema config.

The output is organized in one table per resource type. The server reuses the existing tables (if any) that are named after the resource types, e.g. "Patient", "Observation". When there is no existing table for a given resource type, the server attempts to create one.

When a table schema doesn't align with the schema config, either because of existing incompatible schema or out of band incompatible modification, the server does not stream in new data.

One resolution in this case is to delete the incompatible table and let the server recreate one, though the newly created table only contains data after the table recreation.

BigQuery imposes a 1 MB limit on streaming insert row size, therefore any resource mutation that generates more than 1 MB of BigQuery data will not be streamed.

Results are written to BigQuery tables according to the parameters in BigQueryDestination.WriteDisposition. Different versions of the same resource are distinguishable by the meta.versionId and meta.lastUpdated columns. The operation (CREATE/UPDATE/DELETE) that results in the new version is recorded in the meta.tag.

The tables contain all historical resource versions since streaming was enabled. For query convenience, the server also creates one view per table of the same name containing only the current resource version.

The streamed data in the BigQuery dataset is not guaranteed to be completely unique. The combination of the id and meta.versionId columns should ideally identify a single unique row. But in rare cases, duplicates may exist. At query time, users may use the SQL select statement to keep only one of the duplicate rows given an id and meta.versionId pair. Alternatively, the server created view mentioned above also filters out duplicates.

If a resource mutation cannot be streamed to BigQuery, errors will be logged to Cloud Logging (see Viewing error logs in Cloud Logging).

deidentifiedStoreDestination

object(DeidentifiedStoreDestination)

The destination FHIR store for de-identified resources.

After this field is added, all subsequent creates/updates/patches to the source store will be de-identified using the provided configuration and applied to the destination store. Resources deleted from the source store will be deleted from the destination store. Importing resources to the source store will not trigger the streaming.

If the source store already contains resources when this option is enabled, those resources will not be copied to the destination store unless they are subsequently updated. This may result in invalid references in the destination store.

Before adding this config, you must grant the healthcare.fhirResources.update permission on the destination store to your project's Cloud Healthcare Service Agent service account. The destination store must set enableUpdateCreate to true. The destination store must have disableReferentialIntegrity set to true.

If a resource cannot be de-identified, errors will be logged to Cloud Logging (see Viewing error logs in Cloud Logging).

BigQueryDestination

The configuration for exporting to BigQuery.

JSON representation
{
  "datasetUri": string,
  "schemaConfig": {
    object(SchemaConfig)
  },
  "force": boolean,
  "writeDisposition": enum(WriteDisposition),
  "changeDataCaptureConfig": {
    object(ChangeDataCaptureConfig)
  }
}
Fields
datasetUri

string

BigQuery URI to an existing dataset, up to 2000 characters long, in the format bq://projectId.bqDatasetId.

schemaConfig

object(SchemaConfig)

The configuration for the exported BigQuery schema.

force

boolean

Use writeDisposition instead. If writeDisposition is specified, this parameter is ignored. force=false is equivalent to writeDisposition=WRITE_EMPTY and force=true is equivalent to writeDisposition=WRITE_TRUNCATE.

writeDisposition

enum(WriteDisposition)

Determines if existing data in the destination dataset is overwritten, appended to, or not written if the tables contain data. If a writeDisposition is specified, the force parameter is ignored.

changeDataCaptureConfig

object(ChangeDataCaptureConfig)

Optional. Setting this field will enable BigQuery's Change Data Capture (CDC) on the destination tables. Use this field if you: - Want to only keep the latest version of each resource. Updates and deletes to an existing resource will overwrite the corresponding row. - Have a store with enabled history modifications and want to keep the entire history of resource versions but want the history to be mutable. Updates and deletes to a specific resource version will overwrite the corresponding row. See https://cloud.google.com/bigquery/docs/change-data-capture for details.

SchemaConfig

Configuration for the FHIR BigQuery schema. Determines how the server generates the schema.

JSON representation
{
  "schemaType": enum(SchemaType),
  "recursiveStructureDepth": string,
  "lastUpdatedPartitionConfig": {
    object(TimePartitioning)
  }
}
Fields
schemaType

enum(SchemaType)

Specifies the output schema type. Schema type is required.

recursiveStructureDepth

string (int64 format)

The depth for all recursive structures in the output analytics schema. For example, concept in the CodeSystem resource is a recursive structure; when the depth is 2, the CodeSystem table will have a column called concept.concept but not concept.concept.concept. If not specified or set to 0, the server will use the default value 2. The maximum depth allowed is 5.

lastUpdatedPartitionConfig

object(TimePartitioning)

The configuration for exported BigQuery tables to be partitioned by FHIR resource's last updated time column.

SchemaType

An enum consisting of the supported output schema types.

Enums
SCHEMA_TYPE_UNSPECIFIED No schema type specified. This type is unsupported.
LOSSLESS

A data-driven schema generated from the fields present in the FHIR data being exported, with no additional simplification.

This type cannot be used for streaming to BigQuery.

ANALYTICS

Analytics schema defined by the FHIR community. See https://github.com/FHIR/sql-on-fhir/blob/master/sql-on-fhir.md.

BigQuery only allows a maximum of 10,000 columns per table. Due to this limitation, the server will not generate schemas for fields of type Resource, which can hold any resource type. The affected fields are Parameters.parameter.resource, Bundle.entry.resource, and Bundle.entry.response.outcome.

Analytics schema does not gracefully handle extensions with one or more occurrences, anaytics schema also does not handle contained resource. Additionally, extensions with a URL ending in "/{existing_resource_field_name}" may cause undefined behavior.

ANALYTICS_V2 Analytics V2, similar to schema defined by the FHIR community, with added support for extensions with one or more occurrences and contained resources in stringified JSON. Extensions with a URL ending in "/{existing_resource_field_name}" will cause conflict and prevent the resource from being sent to BigQuery. Analytics V2 uses more space in the destination table than Analytics V1. It is generally recommended to use Analytics V2 over Analytics.

TimePartitioning

Configuration for FHIR BigQuery time-partitioned tables.

JSON representation
{
  "type": enum(PartitionType),
  "expirationMs": string
}
Fields
type

enum(PartitionType)

Type of partitioning.

expirationMs

string (int64 format)

Number of milliseconds for which to keep the storage for a partition.

PartitionType

List of time partition types.

Enums
PARTITION_TYPE_UNSPECIFIED Default unknown time.
HOUR Data partitioned by hour.
DAY Data partitioned by day.
MONTH Data partitioned by month.
YEAR Data partitioned by year.

WriteDisposition

The BigQuery WriteDisposition used by the export operation.

Enums
WRITE_DISPOSITION_UNSPECIFIED Default behavior is the same as WRITE_EMPTY.
WRITE_EMPTY Only export data if the destination tables are empty.
WRITE_TRUNCATE Erase all existing data in the destination tables before writing the FHIR resources.
WRITE_APPEND Append data to the destination tables.

ChangeDataCaptureConfig

BigQuery Change Data Capture configuration.

JSON representation
{
  "historyMode": enum(HistoryMode)
}
Fields
historyMode

enum(HistoryMode)

Optional. Configures how historical versions of FHIR resources will be reflected in the destination table through updates and deletes. Defaults to HistoryMode.KEEP_LATEST_VERSION if unspecified.

HistoryMode

The history mode controlling the behavior of updates and deletes to existing rows.

Enums
HISTORY_MODE_UNSPECIFIED Default behavior is the same as KEEP_LATEST_VERSION.
KEEP_LATEST_VERSION The table will have a unique entry for each resource ID. Updates and deletes will overwrite the row matching the resource ID if it exists in the table.
KEEP_ALL_VERSIONS Historical versions of resources will be maintained. However, history mutation is allowed. Updates will overwrite the row matching the resource ID and version if it exists in the table. This option is only supported for stores with history enabled.

DeidentifiedStoreDestination

Contains configuration for streaming de-identified FHIR export.

JSON representation
{
  "store": string,
  "config": {
    object(DeidentifyConfig)
  }
}
Fields
store

string

The full resource name of a Cloud Healthcare FHIR store, for example, projects/{projectId}/locations/{locationId}/datasets/{datasetId}/fhirStores/{fhirStoreId}.

config

object(DeidentifyConfig)

The configuration to use when de-identifying resources that are added to this store.

DeidentifyConfig

Configures de-id options specific to different types of content. Each submessage customizes the handling of an https://tools.ietf.org/html/rfc6838 media type or subtype. Configs are applied in a nested manner at runtime.

JSON representation
{
  "dicom": {
    object(DicomConfig)
  },
  "dicomTagConfig": {
    object(DicomTagConfig)
  },
  "fhir": {
    object(FhirConfig)
  },
  "fhirFieldConfig": {
    object(FhirFieldConfig)
  },
  "image": {
    object(ImageConfig)
  },
  "annotation": {
    object(AnnotationConfig)
  },
  "text": {
    object(TextConfig)
  },
  "operationMetadata": {
    object(DeidentifyOperationMetadata)
  },
  "useRegionalDataProcessing": boolean
}
Fields
dicom
(deprecated)

object(DicomConfig)

Configures de-id of application/DICOM content. Deprecated. Use dicomTagConfig instead.

dicomTagConfig

object(DicomTagConfig)

Configures de-id of application/DICOM content.

fhir
(deprecated)

object(FhirConfig)

Configures de-id of application/FHIR content. Deprecated. Use fhirFieldConfig instead.

fhirFieldConfig

object(FhirFieldConfig)

Configures de-id of application/FHIR content.

image
(deprecated)

object(ImageConfig)

Configures the de-identification of image pixels in the sourceDataset. Deprecated. Use dicomTagConfig.options.clean_image instead.

annotation

object(AnnotationConfig)

Configures how annotations, meaning that the location and infoType of sensitive information findings, are created during de-identification. If unspecified, no annotations are created.

text

object(TextConfig)

Configures de-identification of text wherever it is found in the sourceDataset.

operationMetadata

object(DeidentifyOperationMetadata)

Details about the work the de-identify operation performed.

useRegionalDataProcessing

boolean

Ensures in-flight data remains in the region of origin during de-identification. The default value is false. Using this option results in a significant reduction of throughput, and is not compatible with LOCATION or ORGANIZATION_NAME infoTypes. If the deprecated DicomConfig or FhirConfig are used, then LOCATION must be excluded within TextConfig, and must also be excluded within ImageConfig if image redaction is required.

DicomConfig

Specifies the parameters needed for de-identification of DICOM stores.

JSON representation
{
  "skipIdRedaction": boolean,

  // Union field tag_filter can be only one of the following:
  "keepList": {
    object(TagFilterList)
  },
  "removeList": {
    object(TagFilterList)
  },
  "filterProfile": enum(TagFilterProfile)
  // End of list of possible types for union field tag_filter.
}
Fields
skipIdRedaction

boolean

If true, skip replacing StudyInstanceUID, SeriesInstanceUID, SOPInstanceUID, and MediaStorageSOPInstanceUID and leave them untouched. The Cloud Healthcare API regenerates these UIDs by default based on the DICOM Standard's reasoning: "Whilst these UIDs cannot be mapped directly to an individual out of context, given access to the original images, or to a database of the original images containing the UIDs, it would be possible to recover the individual's identity." http://dicom.nema.org/medical/dicom/current/output/chtml/part15/sect_E.3.9.html

Union field tag_filter. Determines tag filtering method (meaning which tags to keep/remove). tag_filter can be only one of the following:
keepList

object(TagFilterList)

List of tags to keep. Remove all other tags.

removeList

object(TagFilterList)

List of tags to remove. Keep all other tags.

filterProfile

enum(TagFilterProfile)

Tag filtering profile that determines which tags to keep/remove.

TagFilterList

List of tags to be filtered.

JSON representation
{
  "tags": [
    string
  ]
}
Fields
tags[]

string

Tags to be filtered. Tags must be DICOM Data Elements, File Meta Elements, or Directory Structuring Elements, as defined at: http://dicom.nema.org/medical/dicom/current/output/html/part06.html#table_6-1,. They may be provided by "Keyword" or "Tag". For example, "PatientID", "00100010".

TagFilterProfile

Profile that determines which tags to keep/remove.

Enums
TAG_FILTER_PROFILE_UNSPECIFIED No tag filtration profile provided. Same as KEEP_ALL_PROFILE.
MINIMAL_KEEP_LIST_PROFILE Keep only the tags required to produce valid DICOM objects.
ATTRIBUTE_CONFIDENTIALITY_BASIC_PROFILE Remove tags based on DICOM Standard's Attribute Confidentiality Basic Profile (DICOM Standard Edition 2018e) http://dicom.nema.org/medical/dicom/2018e/output/chtml/part15/chapter_E.html.
KEEP_ALL_PROFILE Keep all tags.
DEIDENTIFY_TAG_CONTENTS Inspect within tag contents and replace sensitive text. The process can be configured using the TextConfig. Applies to all tags with the following Value Representation names: AE, LO, LT, PN, SH, ST, UC, UT, DA, DT, AS

DicomTagConfig

Specifies the parameters needed for the de-identification of DICOM stores.

JSON representation
{
  "options": {
    object(Options)
  },
  "actions": [
    {
      object(Action)
    }
  ],

  // Union field profile can be only one of the following:
  "profileType": enum(ProfileType)
  // End of list of possible types for union field profile.
}
Fields
options

object(Options)

Specifies additional options to apply, overriding the base profile.

actions[]

object(Action)

Specifies custom tag selections and Actions to apply to them. Overrides options and profile. Conflicting Actions are applied in the order given.

Union field profile. Base profile that specifies how to handle tags. This behavior can be customized using Options or custom Actions. profile can be only one of the following:
profileType

enum(ProfileType)

Base profile type for handling DICOM tags.

ProfileType

Base profile that specifies how to handle tags.

Enums
PROFILE_TYPE_UNSPECIFIED No profile provided. Same as ATTRIBUTE_CONFIDENTIALITY_BASIC_PROFILE.
MINIMAL_KEEP_LIST_PROFILE Keep only the tags required to produce valid DICOM objects.
ATTRIBUTE_CONFIDENTIALITY_BASIC_PROFILE Remove tags based on DICOM Standard's Attribute Confidentiality Basic Profile (DICOM Standard Edition 2018e).
KEEP_ALL_PROFILE Keep all tags.
DEIDENTIFY_TAG_CONTENTS Inspect tag contents and replace sensitive text. The process can be configured using the TextConfig. Applies to all tags with the following Value Representations: AE, LO, LT, PN, SH, ST, UC, UT, DA, DT, AS

Options

Specifies additional options to apply to the base profile.

JSON representation
{
  "cleanImage": {
    object(ImageConfig)
  },
  "primaryIds": enum(PrimaryIdsOption),
  "cleanDescriptors": {
    object(CleanDescriptorsOption)
  }
}
Fields
cleanImage

object(ImageConfig)

Apply Action.clean_image to PixelData as configured.

primaryIds

enum(PrimaryIdsOption)

Set Action for StudyInstanceUID, SeriesInstanceUID, SOPInstanceUID, and MediaStorageSOPInstanceUID.

cleanDescriptors

object(CleanDescriptorsOption)

Set Clean Descriptors Option.

ImageConfig

Specifies how to handle de-identification of image pixels.

JSON representation
{
  "textRedactionMode": enum(TextRedactionMode),
  "additionalInfoTypes": [
    string
  ],
  "excludeInfoTypes": [
    string
  ]
}
Fields
textRedactionMode

enum(TextRedactionMode)

Determines how to redact text from image.

additionalInfoTypes[]

string

Additional InfoTypes to redact in the images in addition to those used by textRedactionMode. Can only be used when textRedactionMode is set to REDACT_SENSITIVE_TEXT, REDACT_SENSITIVE_TEXT_CLEAN_DESCRIPTORS or TEXT_REDACTION_MODE_UNSPECIFIED.

excludeInfoTypes[]

string

InfoTypes to skip redacting, overriding those used by textRedactionMode. Can only be used when textRedactionMode is set to REDACT_SENSITIVE_TEXT or REDACT_SENSITIVE_TEXT_CLEAN_DESCRIPTORS.

TextRedactionMode

How to redact text found in images (if at all).

Enums
TEXT_REDACTION_MODE_UNSPECIFIED No text redaction specified. Same as REDACT_NO_TEXT.
REDACT_ALL_TEXT Redact all text.
REDACT_SENSITIVE_TEXT Redact sensitive text. Uses the set of Default DICOM InfoTypes.
REDACT_NO_TEXT Do not redact text.
REDACT_SENSITIVE_TEXT_CLEAN_DESCRIPTORS This mode is like REDACT_SENSITIVE_TEXT with the addition of the Clean Descriptors Option enabled: When cleaning text, the process attempts to transform phrases matching any of the tags marked for removal (action codes D, Z, X, and U) in the Basic Profile. These contextual phrases are replaced with the token "[CTX]". This mode uses an additional InfoType during inspection.

PrimaryIdsOption

Set Action for StudyInstanceUID, SeriesInstanceUID, SOPInstanceUID, and MediaStorageSOPInstanceUID.

Enums
PRIMARY_IDS_OPTION_UNSPECIFIED No value provided. Default to the behavior specified by the base profile.
KEEP Keep primary IDs.
REGEN Regenerate primary IDs.

CleanDescriptorsOption

This type has no fields.

This option is based on the DICOM Standard's Clean Descriptors Option, and the CleanText Action is applied to all the specified fields. When cleaning text, the process attempts to transform phrases matching any of the tags marked for removal (action codes D, Z, X, and U) in the Basic Profile. These contextual phrases are replaced with the token "[CTX]". This option uses an additional infoType during inspection.

Action

Specifies a selection of tags and an Action to apply to each one.

JSON representation
{
  "queries": [
    string
  ],

  // Union field type can be only one of the following:
  "keepTag": {
    object(KeepTag)
  },
  "removeTag": {
    object(RemoveTag)
  },
  "deleteTag": {
    object(DeleteTag)
  },
  "resetTag": {
    object(ResetTag)
  },
  "cleanTextTag": {
    object(CleanTextTag)
  },
  "cleanImageTag": {
    object(ImageConfig)
  },
  "regenUidTag": {
    object(RegenUidTag)
  },
  "recurseTag": {
    object(RecurseTag)
  }
  // End of list of possible types for union field type.
}
Fields
queries[]

string

Select all tags with the listed tag IDs, names, or Value Representations (VRs). Examples: ID: "00100010" Keyword: "PatientName" VR: "PN"

Union field type. Type of action to apply to all selected tags. type can be only one of the following:
keepTag

object(KeepTag)

Keep tag unchanged.

removeTag

object(RemoveTag)

Replace with empty tag.

deleteTag

object(DeleteTag)

Delete tag.

resetTag

object(ResetTag)

Reset tag to a placeholder value.

cleanTextTag

object(CleanTextTag)

Inspect text and transform sensitive text. Configurable via TextConfig. Supported Value Representations: AE, LO, LT, PN, SH, ST, UC, UT, DA, DT, AS

cleanImageTag

object(ImageConfig)

Inspect image and transform sensitive burnt-in text. Doesn't apply to elements nested in a sequence, which revert to Keep. Supported tags: PixelData

regenUidTag

object(RegenUidTag)

Replace UID with a new generated UID. Supported Value Representation: UI

recurseTag

object(RecurseTag)

Recursively apply DICOM de-id to tags nested in a sequence. Supported Value Representation: SQ

KeepTag

This type has no fields.

Keep tag unchanged.

RemoveTag

This type has no fields.

Replace with empty tag.

DeleteTag

This type has no fields.

Delete tag.

ResetTag

This type has no fields.

Reset tag to a placeholder value.

CleanTextTag

This type has no fields.

Inspect text and transform sensitive text. Configurable using TextConfig. Supported Value Representations: AE, LO, LT, PN, SH, ST, UC, UT, DA, DT, AS

RegenUidTag

This type has no fields.

Replace UID with a new generated UID. Supported Value Representation: UI

RecurseTag

This type has no fields.

Recursively apply DICOM de-id to tags nested in a sequence. Supported Value Representation: SQ

FhirConfig

Specifies how to handle de-identification of a FHIR store.

JSON representation
{
  "fieldMetadataList": [
    {
      object(FieldMetadata)
    }
  ],
  "defaultKeepExtensions": boolean
}
Fields
fieldMetadataList[]

object(FieldMetadata)

Specifies FHIR paths to match and how to transform them. Any field that is not matched by a FieldMetadata is passed through to the output dataset unmodified. All extensions will be processed according to defaultKeepExtensions. If a field can be matched by more than one FieldMetadata, the first FieldMetadata.Action is applied.

defaultKeepExtensions

boolean

The behaviour for handling FHIR extensions that aren't otherwise specified for de-identification. If true, all extensions are preserved during de-identification by default. If false or unspecified, all extensions are removed during de-identification by default.

FieldMetadata

Specifies FHIR paths to match, and how to handle de-identification of matching fields.

JSON representation
{
  "paths": [
    string
  ],
  "action": enum(Action)
}
Fields
paths[]

string

List of paths to FHIR fields to redact. Each path is a period-separated list where each component is either a field name or FHIR type name. All types begin with an upper case letter. For example, the resource field "Patient.Address.city", which uses a string type, can be matched by "Patient.Address.String". Path also supports partial matching. For example, "Patient.Address.city" can be matched by "Address.city" (Patient omitted). Partial matching and type matching can be combined. For example, "Patient.Address.city" can be matched by "Address.String". For "choice" types (those defined in the FHIR spec with the form: field[x]), use two separate components. For example, "deceasedAge.unit" is matched by "Deceased.Age.unit". Supported types are: AdministrativeGenderCode, Base64Binary, Boolean, Code, Date, DateTime, Decimal, HumanName, Id, Instant, Integer, LanguageCode, Markdown, Oid, PositiveInt, String, UnsignedInt, Uri, Uuid, Xhtml. The sub-type for HumanName(for example HumanName.given, HumanName.family) can be omitted.

action

enum(Action)

Deidentify action for one field.

Action

Whether or not to redact this field, or whether to inspect it for PHI.

Enums
ACTION_UNSPECIFIED No action specified.
TRANSFORM Transform the entire field based on transformations specified in TextConfig. When the specified transformation cannot be applied to a field, RedactConfig is used. For example, a Crypto Hash transformation can't be applied to a FHIR Date field.
INSPECT_AND_TRANSFORM Inspect and transform any found PHI. When AnnotationConfig is provided, annotations of PHI will be generated, except for Date and Datetime.
DO_NOT_TRANSFORM Do not transform.

FhirFieldConfig

Specifies how to handle the de-identification of a FHIR store.

JSON representation
{
  "options": {
    object(Options)
  },
  "fieldMetadataList": [
    {
      object(FieldMetadata)
    }
  ],

  // Union field profile can be only one of the following:
  "profileType": enum(ProfileType)
  // End of list of possible types for union field profile.
}
Fields
options

object(Options)

Specifies additional options, overriding the base ProfileType.

fieldMetadataList[]

object(FieldMetadata)

Specifies FHIR paths to match and how to transform them. Any field that is not matched by a FieldMetadata action is passed through to the output dataset unmodified. All extensions will be processed according to keepExtensions. If a field can be matched by more than one FieldMetadata action, the first action option is applied. Overrides options and the union field profile in FhirFieldConfig.

Union field profile. Base profile that specifies how to handle fields. This behavior can be customized using Options or FieldMetadata. profile can be only one of the following:
profileType

enum(ProfileType)

Base profile type for handling FHIR fields.

ProfileType

Base profile that specifies how to handle fields.

Enums
PROFILE_TYPE_UNSPECIFIED No profile provided. Same as BASIC.
KEEP_ALL Keep all fields.
BASIC Transforms known HIPAA 18 fields and cleans known unstructured text fields.
CLEAN_ALL Cleans all supported tags. Applies to types: Code, Date, DateTime, Decimal, HumanName, Id, LanguageCode, Markdown, Oid, String, Uri, Uuid, Xhtml.

Options

Specifies additional options to apply to the base ProfileType.

JSON representation
{
  "characterMaskConfig": {
    object(CharacterMaskConfig)
  },
  "dateShiftConfig": {
    object(DateShiftConfig)
  },
  "cryptoHashConfig": {
    object(CryptoHashConfig)
  },
  "contextualDeid": {
    object(ContextualDeidConfig)
  },
  "keepExtensions": {
    object(KeepExtensionsConfig)
  }
}
Fields
characterMaskConfig

object(CharacterMaskConfig)

Character mask config for CharacterMaskField.

dateShiftConfig

object(DateShiftConfig)

Date shifting config for CharacterMaskField.

cryptoHashConfig

object(CryptoHashConfig)

Crypto hash config for CharacterMaskField.

contextualDeid

object(ContextualDeidConfig)

Configure contextual de-id.

keepExtensions

object(KeepExtensionsConfig)

Configure keeping extensions by default.

CharacterMaskConfig

Mask a string by replacing its characters with a fixed character.

JSON representation
{
  "maskingCharacter": string
}
Fields
maskingCharacter

string

Character to mask the sensitive values. If not supplied, defaults to "*".

DateShiftConfig

Shift a date forward or backward in time by a random amount which is consistent for a given patient and crypto key combination.

JSON representation
{
  "cryptoKey": string,
  "kmsWrapped": {
    object(KmsWrappedCryptoKey)
  }
}
Fields
cryptoKey

string (bytes format)

An AES 128/192/256 bit key. The date shift is computed based on this key and the patient ID. If the patient ID is empty for a DICOM resource, the date shift is computed based on this key and the study instance UID. If cryptoKey is not set, then kmsWrapped is used to calculate the date shift. If neither is set, a default key is generated for each de-identify operation. Must not be set if kmsWrapped is set.

A base64-encoded string.

kmsWrapped

object(KmsWrappedCryptoKey)

KMS wrapped key. If kmsWrapped is not set, then cryptoKey is used to calculate the date shift. If neither is set, a default key is generated for each de-identify operation. Must not be set if cryptoKey is set.

KmsWrappedCryptoKey

Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128-, 192-, or 256-bit key. The key must grant the Cloud IAM permission cloudkms.cryptoKeyVersions.useToDecrypt to the project's Cloud Healthcare Service Agent service account.

For more information, see Creating a wrapped key.

JSON representation
{
  "wrappedKey": string,
  "cryptoKey": string
}
Fields
wrappedKey

string (bytes format)

Required. The wrapped data crypto key.

A base64-encoded string.

cryptoKey

string

Required. The resource name of the KMS CryptoKey to use for unwrapping. For example, projects/{projectId}/locations/{locationId}/keyRings/{keyring}/cryptoKeys/{key}.

CryptoHashConfig

Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. Outputs a base64-encoded representation of the hashed output. For example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=.

JSON representation
{
  "cryptoKey": string,
  "kmsWrapped": {
    object(KmsWrappedCryptoKey)
  }
}
Fields
cryptoKey

string (bytes format)

An AES 128/192/256 bit key. Causes the hash to be computed based on this key. A default key is generated for each Deidentify operation and is used when neither cryptoKey nor kmsWrapped is specified. Must not be set if kmsWrapped is set.

A base64-encoded string.

kmsWrapped

object(KmsWrappedCryptoKey)

KMS wrapped key. Must not be set if cryptoKey is set.

ContextualDeidConfig

This type has no fields.

Fields that don't match a KeepField or CleanTextField action in the BASIC profile are collected into a contextual phrase list. For fields that match a CleanTextField action in FieldMetadata or ProfileType, the process attempts to transform phrases matching these contextual entries. These contextual phrases are replaced with the token "[CTX]". This feature uses an additional InfoType during inspection.

KeepExtensionsConfig

This type has no fields.

The behavior for handling FHIR extensions that aren't otherwise specified for de-identification. If provided, all extensions are preserved during de-identification by default. If unspecified, all extensions are removed during de-identification by default.

FieldMetadata

Specifies the FHIR paths to match and how to handle the de-identification of matching fields.

JSON representation
{
  "paths": [
    string
  ],

  // Union field action can be only one of the following:
  "keepField": {
    object(KeepField)
  },
  "removeField": {
    object(RemoveField)
  },
  "cleanTextField": {
    object(CleanTextField)
  },
  "characterMaskField": {
    object(CharacterMaskField)
  },
  "dateShiftField": {
    object(DateShiftField)
  },
  "cryptoHashField": {
    object(CryptoHashField)
  }
  // End of list of possible types for union field action.
}
Fields
paths[]

string

List of paths to FHIR fields to redact. Each path is a period-separated list where each component is either a field name or FHIR type name. All types begin with an upper case letter. For example, the resource field Patient.Address.city, which uses a string type, can be matched by Patient.Address.String.

Partial matching is supported. For example, Patient.Address.city can be matched by Address.city (with Patient omitted). Partial matching and type matching can be combined, for example Patient.Address.city can be matched by Address.String. For "choice" types (those defined in the FHIR spec with the format field[x]), use two separate components. For example, deceasedAge.unit is matched by Deceased.Age.unit.

The following types are supported: AdministrativeGenderCode, Base64Binary, Boolean, Code, Date, DateTime, Decimal, HumanName, Id, Instant, Integer, LanguageCode, Markdown, Oid, PositiveInt, String, UnsignedInt, Uri, Uuid, Xhtml. The sub-type for HumanName (for example HumanName.given, HumanName.family) can be omitted.

Union field action. Specifies the action to apply to the applicable fields. action can be only one of the following:
keepField

object(KeepField)

Keep the field unchanged.

removeField

object(RemoveField)

Remove the field.

cleanTextField

object(CleanTextField)

Inspect the field's text and transform sensitive text. Configure using TextConfig. Supported types: Code, Date, DateTime, Decimal, HumanName, Id, LanguageCode, Markdown, Oid, String, Uri, Uuid, Xhtml.

characterMaskField

object(CharacterMaskField)

Replace the field's value with a masking character. Supported types: Code, Decimal, HumanName, Id, LanguageCode, Markdown, Oid, String, Uri, Uuid, Xhtml.

dateShiftField

object(DateShiftField)

Shift the date by a randomized number of days. See date shifting for more information. Supported types: Date, DateTime.

cryptoHashField

object(CryptoHashField)

Replace field value with a hash of that value. Supported types: Code, Decimal, HumanName, Id, LanguageCode, Markdown, Oid, String, Uri, Uuid, Xhtml.

KeepField

This type has no fields.

Keep field unchanged.

RemoveField

This type has no fields.

Remove field.

CleanTextField

This type has no fields.

Inspect text and transform sensitive text. Configure using TextConfig. Supported types: Code, Date, DateTime, Decimal, HumanName, Id, LanguageCode, Markdown, Oid, String, Uri, Uuid, Xhtml.

CharacterMaskField

This type has no fields.

Replace field value with masking character. Supported types: Code, Decimal, HumanName, Id, LanguageCode, Markdown, Oid, String, Uri, Uuid, Xhtml.

DateShiftField

This type has no fields.

Shift the date by a randomized number of days. See date shifting for more information. Supported types: Date, DateTime.

CryptoHashField

This type has no fields.

Replace field value with a hash of that value. Supported types: Code, Decimal, HumanName, Id, LanguageCode, Markdown, Oid, String, Uri, Uuid, Xhtml.

AnnotationConfig

Specifies how to store annotations during de-identification operation.

JSON representation
{
  "annotationStoreName": string,
  "storeQuote": boolean
}
Fields
annotationStoreName

string

The name of the annotation store, in the form projects/{projectId}/locations/{locationId}/datasets/{datasetId}/annotationStores/{annotationStoreId}).

  • The destination annotation store must be in the same project as the source data. De-identifying data across multiple projects is not supported.
  • The destination annotation store must exist when using DeidentifyDicomStore or fhirStores.deidentify. DeidentifyDataset automatically creates the destination annotation store.
storeQuote

boolean

If set to true, the sensitive texts are included in SensitiveTextAnnotation of Annotation.

TextConfig

Configures how to transform sensitive text InfoTypes.

JSON representation
{
  "transformations": [
    {
      object(InfoTypeTransformation)
    }
  ],
  "additionalTransformations": [
    {
      object(InfoTypeTransformation)
    }
  ],
  "excludeInfoTypes": [
    string
  ],

  // Union field profile can be only one of the following:
  "profileType": enum(ProfileType)
  // End of list of possible types for union field profile.
}
Fields
transformations[]
(deprecated)

object(InfoTypeTransformation)

The transformations to apply to the detected data. Deprecated. Use additionalTransformations instead.

additionalTransformations[]

object(InfoTypeTransformation)

Additional transformations to apply to the detected data, overriding profile.

excludeInfoTypes[]

string

InfoTypes to skip transforming, overriding profile.

Union field profile.

profile can be only one of the following:

profileType

enum(ProfileType)

Base profile type for text transformation.

InfoTypeTransformation

A transformation to apply to text that is identified as a specific infoType.

JSON representation
{
  "infoTypes": [
    string
  ],

  // Union field config can be only one of the following:
  "redactConfig": {
    object(RedactConfig)
  },
  "characterMaskConfig": {
    object(CharacterMaskConfig)
  },
  "dateShiftConfig": {
    object(DateShiftConfig)
  },
  "cryptoHashConfig": {
    object(CryptoHashConfig)
  },
  "replaceWithInfoTypeConfig": {
    object(ReplaceWithInfoTypeConfig)
  }
  // End of list of possible types for union field config.
}
Fields
infoTypes[]

string

InfoTypes to apply this transformation to. If this is not specified, this transformation becomes the default transformation, and is used for any infoType that is not specified in another transformation.

Union field config.

config can be only one of the following:

redactConfig

object(RedactConfig)

Config for text redaction.

characterMaskConfig

object(CharacterMaskConfig)

Config for character mask.

dateShiftConfig

object(DateShiftConfig)

Config for date shift.

cryptoHashConfig

object(CryptoHashConfig)

Config for crypto hash.

replaceWithInfoTypeConfig

object(ReplaceWithInfoTypeConfig)

Config for replace with InfoType.

RedactConfig

This type has no fields.

Define how to redact sensitive values. Default behaviour is erase. For example, "My name is Jane." becomes "My name is ."

ReplaceWithInfoTypeConfig

This type has no fields.

When using the INSPECT_AND_TRANSFORM action, each match is replaced with the name of the infoType. For example, "My name is Jane" becomes "My name is [PERSON_NAME]." The TRANSFORM action is equivalent to redacting.

ProfileType

Base profile that specifies how to transform InfoTypes.

Enums
PROFILE_TYPE_UNSPECIFIED No profile provided. Same as BASIC.
EMPTY Empty profile which does not perform any transformations.
BASIC Automatically converts "DATE" infoTypes using a DateShiftConfig, and all other infoTypes using a ReplaceWithInfoTypeConfig.

DeidentifyOperationMetadata

Details about the work the de-identify operation performed.

JSON representation
{
  "fhirOutput": {
    object(FhirOutput)
  }
}
Fields
fhirOutput

object(FhirOutput)

Details about the FHIR store to write the output to.

FhirOutput

Details about the FHIR store to write the output to.

JSON representation
{
  "fhirStore": string
}
Fields
fhirStore

string

Name of the output FHIR store, which must already exist. You must grant the healthcare.fhirResources.update permission on the destination store to your project's Cloud Healthcare Service Agent service account. The destination store must set enableUpdateCreate to true. The destination store must use FHIR version R4. Writing these resources will consume FHIR operations quota from the project containing the source data. De-identify operation metadata is only generated for DICOM de-identification operations.

ValidationConfig

Contains the configuration for FHIR profiles and validation.

JSON representation
{
  "disableProfileValidation": boolean,
  "enabledImplementationGuides": [
    string
  ],
  "disableRequiredFieldValidation": boolean,
  "disableReferenceTypeValidation": boolean,
  "disableFhirpathValidation": boolean
}
Fields
disableProfileValidation

boolean

Whether to disable profile validation for this FHIR store. The default value is false. Set this to true to disable checking incoming resources for conformance against StructureDefinitions in this FHIR store.

enabledImplementationGuides[]

string

A list of ImplementationGuide URLs in this FHIR store that are used to configure the profiles to use for validation. For example, to use the US Core profiles for validation, set enabledImplementationGuides to ["http://hl7.org/fhir/us/core/ImplementationGuide/ig"]. If enabledImplementationGuides is empty or omitted, then incoming resources are only required to conform to the base FHIR profiles. Otherwise, a resource must conform to at least one profile listed in the global property of one of the enabled ImplementationGuides.

The Cloud Healthcare API does not currently enforce all of the rules in a StructureDefinition. The following rules are supported:

- min/max
- minValue/maxValue
- maxLength
- type
- fixed[x]
- pattern[x] on simple types
- slicing, when using "value" as the discriminator type

When a URL cannot be resolved (for example, in a type assertion), the server does not return an error.

disableRequiredFieldValidation

boolean

Whether to disable required fields validation for incoming resources. The default value is false. Set this to true to disable checking incoming resources for conformance against required fields requirement defined in the FHIR specification. This property only affects resource types that do not have profiles configured for them, any rules in enabled implementation guides will still be enforced.

disableReferenceTypeValidation

boolean

Whether to disable reference type validation for incoming resources. The default value is false. Set this to true to disable checking incoming resources for conformance against reference type requirement defined in the FHIR specification. This property only affects resource types that do not have profiles configured for them, any rules in enabled implementation guides will still be enforced.

disableFhirpathValidation

boolean

Whether to disable FHIRPath validation for incoming resources. The default value is false. Set this to true to disable checking incoming resources for conformance against FHIRPath requirement defined in the FHIR specification. This property only affects resource types that do not have profiles configured for them, any rules in enabled implementation guides will still be enforced.

SearchConfig

Contains the configuration for FHIR search.

JSON representation
{
  "searchParameters": [
    {
      object(SearchParameter)
    }
  ]
}
Fields
searchParameters[]

object(SearchParameter)

A list of search parameters in this FHIR store that are used to configure this FHIR store.

SearchParameter

Contains the versioned name and the URL for one SearchParameter.

JSON representation
{
  "parameter": string,
  "canonicalUrl": string
}
Fields
parameter

string

The versioned name of the search parameter resource. The format is projects/{project-id}/locations/{location}/datasets/{dataset-id}/fhirStores/{fhirStore-id}/fhir/SearchParameter/{resource-id}/_history/{version-id} For fhir stores with disableResourceVersioning=true, the format is projects/{project-id}/locations/{location}/datasets/{dataset-id}/fhirStores/{fhirStore-id}/fhir/SearchParameter/{resource-id}/

canonicalUrl

string

The canonical url of the search parameter resource.

FhirNotificationConfig

Contains the configuration for FHIR notifications.

JSON representation
{
  "pubsubTopic": string,
  "sendFullResource": boolean,
  "sendPreviousResourceOnDelete": boolean
}
Fields
pubsubTopic

string

The Pub/Sub topic that notifications of changes are published on. Supplied by the client.

The notification is a PubsubMessage with the following fields:

  • PubsubMessage.Data contains the resource name.
  • PubsubMessage.MessageId is the ID of this notification. It is guaranteed to be unique within the topic.
  • PubsubMessage.PublishTime is the time when the message was published.

Note that notifications are only sent if the topic is non-empty. Topic names must be scoped to a project.

The Cloud Healthcare API service account, service-@gcp-sa-healthcare.iam.gserviceaccount.com, must have publisher permissions on the given Pub/Sub topic. Not having adequate permissions causes the calls that send notifications to fail (https://cloud.google.com/healthcare-api/docs/permissions-healthcare-api-gcp-products#dicom_fhir_and_hl7v2_store_cloud_pubsub_permissions).

If a notification can't be published to Pub/Sub, errors are logged to Cloud Logging. For more information, see Viewing error logs in Cloud Logging.

sendFullResource

boolean

Whether to send full FHIR resource to this Pub/Sub topic for Create and Update operation. The default value is false. Note that setting this to true does not guarantee that all resources will be sent in the format of full FHIR resource. When a resource change is too large or during heavy traffic, only the resource name will be sent. Clients should always check the "payloadType" label from a Pub/Sub message to determine whether it needs to fetch the full resource as a separate operation.

sendPreviousResourceOnDelete

boolean

Whether to send full FHIR resource to this Pub/Sub topic for deleting FHIR resource. The default value is false. Note that setting this to true does not guarantee that all previous resources will be sent in the format of full FHIR resource. When a resource change is too large or during heavy traffic, only the resource name will be sent. Clients should always check the "payloadType" label from a Pub/Sub message to determine whether it needs to fetch the full previous resource as a separate operation.

ConsentConfig

Configures whether to enforce consent for the FHIR store and which consent enforcement version is being used.

JSON representation
{
  "version": enum(ConsentEnforcementVersion),
  "accessEnforced": boolean,
  "consentHeaderHandling": {
    object(ConsentHeaderHandling)
  },
  "accessDeterminationLogConfig": {
    object(AccessDeterminationLogConfig)
  },
  "enforcedAdminConsents": [
    string
  ]
}
Fields
version

enum(ConsentEnforcementVersion)

Required. Specifies which consent enforcement version is being used for this FHIR store. This field can only be set once by either [fhirStores.create][] or [fhirStores.patch][]. After that, you must call [fhirStores.applyConsents][] to change the version.

accessEnforced

boolean

Optional. The default value is false. If set to true, when accessing FHIR resources, the consent headers will be verified against consents given by patients. See the ConsentEnforcementVersion for the supported consent headers.

consentHeaderHandling

object(ConsentHeaderHandling)

Optional. Different options to configure the behaviour of the server when handling the X-Consent-Scope header.

accessDeterminationLogConfig

object(AccessDeterminationLogConfig)

Optional. Specifies how the server logs the consent-aware requests. If not specified, the AccessDeterminationLogConfig.LogLevel.MINIMUM option is used.

enforcedAdminConsents[]

string

The versioned names of the enforced admin Consent resource(s), in the format projects/{projectId}/locations/{location}/datasets/{datasetId}/fhirStores/{fhirStoreId}/fhir/Consent/{resourceId}/_history/{versionId}. For FHIR stores with disableResourceVersioning=true, the format is projects/{projectId}/locations/{location}/datasets/{datasetId}/fhirStores/{fhirStoreId}/fhir/Consent/{resourceId}. This field can only be updated using [fhirStores.applyAdminConsents][].

ConsentEnforcementVersion

List of consent enforcement versions supported.

Enums
CONSENT_ENFORCEMENT_VERSION_UNSPECIFIED Users must specify an enforcement version or an error is returned.
V1 Enforcement version 1. See the FHIR Consent resources in the Cloud Healthcare API guide for more details.

ConsentHeaderHandling

How the server handles the consent header.

JSON representation
{
  "profile": enum(ScopeProfile)
}
Fields
profile

enum(ScopeProfile)

Optional. Specifies the default server behavior when the header is empty. If not specified, the ScopeProfile.PERMIT_EMPTY_SCOPE option is used.

ScopeProfile

Options for general consent header scope handling.

Enums
SCOPE_PROFILE_UNSPECIFIED If not specified, the default value PERMIT_EMPTY_SCOPE is used.
PERMIT_EMPTY_SCOPE When no consent scopes are provided (for example, if there's an empty or missing header), then consent check is disabled, similar to when accessEnforced is false. You can use audit logs to differentiate these two cases by looking at the value of protopayload.metadata.consentMode. If consents scopes are present, they must be valid and within the allowed limits, otherwise the request will be rejected with a 4xx code.
REQUIRED_ON_READ The consent header must be non-empty when performing read and search operations, otherwise the request is rejected with a 4xx code. Additionally, invalid consent scopes or scopes exceeding the allowed limits are rejected.

AccessDeterminationLogConfig

Configures consent audit log config for FHIR create, read, update, and delete (CRUD) operations. Cloud audit log for healthcare API must be enabled. The consent-related logs are included as part of protoPayload.metadata.

JSON representation
{
  "logLevel": enum(LogLevel)
}
Fields
logLevel

enum(LogLevel)

Optional. Controls the amount of detail to include as part of the audit logs.

LogLevel

Lists the options for audit logging.

Enums
LOG_LEVEL_UNSPECIFIED No log level specified. This value is unused.
DISABLED No additional consent-related logging is added to audit logs.
MINIMUM

The following information is included:

  • One of the following consentMode fields:(off|emptyScope|enforced|btg|bypass).
  • The accessor's request headers
  • The logLevel of the [AccessDeterminationLogConfig][projects.locations.datasets.fhirStores#AccessDeterminationLogConfig]
  • The final consent evaluation(PERMIT, DENY, or NO_CONSENT)
  • A human-readable summary of the evaluation
VERBOSE

Includes MINIMUM and, for each resource owner, returns: * The resource owner's name * Most specific part of the X-Consent-Scope resulting in consensual determination * Timestamp of the applied enforcement leading to the decision * Enforcement version at the time the applicable consents were applied * The Consent resource name * The timestamp of the Consent resource used for enforcement * Policy type(PATIENT or ADMIN)

Note that this mode adds some overhead to CRUD operations.

ComplexDataTypeReferenceParsing

ComplexDataTypeReferenceParsing defines the parsing behavior of complex FHIR data types.

Enums
COMPLEX_DATA_TYPE_REFERENCE_PARSING_UNSPECIFIED No parsing behavior specified. This is the same as DISABLED for backwards compatibility.
DISABLED References in complex data types are ignored.
ENABLED References in complex data types are parsed.

Methods

applyAdminConsents

Applies the admin Consent resources for the FHIR store and reindexes the underlying resources in the FHIR store according to the aggregate consents.

applyConsents

Apply the Consent resources for the FHIR store and reindex the underlying resources in the FHIR store according to the aggregate consent.

configureSearch

Configure the search parameters for the FHIR store and reindex resources in the FHIR store according to the defined search parameters.

create

Creates a new FHIR store within the parent dataset.

deidentify

De-identifies data from the source store and writes it to the destination store.

delete

Deletes the specified FHIR store and removes all resources within it.

explainDataAccess

Explains all the permitted/denied actor, purpose and environment for a given resource.

export

Export resources from the FHIR store to the specified destination.

exportHistory

Export resources including historical versions from the FHIR store to the specified destination.

get

Gets the configuration of the specified FHIR store.

getFHIRStoreMetrics

Gets metrics associated with the FHIR store.

getIamPolicy

Gets the access control policy for a resource.

import

Import resources to the FHIR store by loading data from the specified sources.

importHistory

Import resource historical versions from Cloud Storage source to destination fhir store.

list

Lists the FHIR stores in the given dataset.

patch

Updates the configuration of the specified FHIR store.

rollback

Rolls back resources from the FHIR store to the specified time.

setIamPolicy

Sets the access control policy on the specified resource.

testIamPermissions

Returns permissions that a caller has on the specified resource.