Contents
1.1 Error Correction using CDA replacement
1.2 CDA Sealing Documents
1.3 Seal Status Notification to HealthSpace
1.4 Use of templates
2 Storyboards
2.1 Scenario for Refusal to Seal Report
2.2 Scenario for Seal Event Report
2.3 Scenario for UnSeal Event Report
2.4 Scenario for Automated Accessor Group Change Notification
2.5 Scenario for Sealing Notification
2.6 Scenario for Manual Accessor Group Change Notification
2.7 Scenario for Unsealing Notification
3 Application Roles
3.1 Refusal To Seal Report Originating System - POCD_AR180001UK01
3.2 Refusal To Seal Report Receiving System (PSIS) - POCD_AR180002UK01
3.3 Seal Report Originating System - POCD_AR180003UK01
3.4 Seal Report Receiving System (PSIS) - POCD_AR180004UK01
3.5 UnSeal Report Originating System - POCD_AR180005UK01
3.6 UnSeal Report Receiving System (PSIS) - POCD_AR180006UK01
3.7 Notification of Seal Event Originating System - PRPA_AR000501UK01
3.8 Notification of Seal Event Receiving System - PRPA_AR000502UK01
4 Trigger Events
4.1 Refusal To Seal Report - POCD_TE180001UK01
4.2 Refusal To Seal Report Nullify By Replacement - POCD_TE180002UK02
4.3 Seal Report - POCD_TE180003UK02
4.4 Seal Report Nullify By Replacement - POCD_TE180004UK01
4.5 UnSeal Report - POCD_TE180005UK01
4.6 UnSeal Report Nullify By Replacement - POCD_TE180006UK01
4.7 Change of Sealing Status - PRPA_TE000501UK01
5 Interaction Diagrams
5.1 Seal interactions
5.2 Notification interactions
6 Interactions
6.1 Recipient responsibilities
6.2 Originator Responsibilities
6.3 PSIS Refusal To Seal Report - POCD_IN180001UK05
6.4 Nullify Refusal To Seal Report - POCD_IN180002UK05
6.5 PSIS Seal Report - POCD_IN180003UK02
6.6 Nullify Seal Report - POCD_IN180004UK02
6.7 PSIS UnSeal Report - POCD_IN180005UK02
6.8 Nullify UnSeal Report - POCD_IN180006UK02
6.9 Notification of Seal Event - PRPA_IN000501UK03
7 Message Definitions
7.1 Refusal To Seal Report - POCD_MT180001UK05
7.1.1 Example for Scenario for Refusal to Seal Report
7.2 Seal Report - POCD_MT180002UK02
7.2.1 Example for Scenario for Seal Report
7.3 UnSeal Report - POCD_MT180003UK02
7.3.1 Example for Scenario Unseal Report
7.4 Notification of Seal Event - PRPA_MT000501UK03
7.4.1 Example for notification of automated accessor group change
7.4.2 Example for notification of information being sealed
7.4.3 Example for notification of information being unsealed
7.4.4 Example for notification of manual accessor change
8 Glossary of Terms
Change History
1 Overview
"Summary Care Record Phase 4 Implementation" includes sealing of documents and the associated communications between PSIS, secondary care and primary care. No Sealing information is carried within the actual document but is held on the central access control service. The CDA sealing documents within this domain are used to maintain sealing history.
The CDA document definitions within this Implementation manual support the following care communications:
- Refusal to Seal Report
- Seal Event Report
- Unseal Event Report
- Notification of Seal Event
1.1 Error Correction using CDA replacement
If a document is sent in error, then the sending system should send a replacement document with the correct information using CDA replacement update semantics.
Where this is not possible to use the above mechanism because no correcting document is available then the previous document is required to be nullified. A ‘nullify previous document’ document should be used and further details of this type of replacement is contained in the infrastructure domain.
Documents can also be withdrawn by a receiving system see section 6.1 for further details.
1.2 CDA Sealing Documents
The CDA sealing documents (Seal Report and Unseal Report) perform no sealing function other than to allow sealing history associated with a document / message to be held on PSIS. These documents carry no references to the documents / messages involved as this information is held on a separate central access control service. The parent document class in the model is for error correction replacement semantics as details in section 1.1 of this document.
The Refusal to Seal document's function is to allow details of a refusal to seal to be held on PSIS.
Please consult the relevant sealing implementation guidance for full details of the mechanism used for sealing of PSIS documents.
1.3 Seal Status Notification to HealthSpace
In addition to the CDA documents that allow sealing history to be recorded, sealing related operations are to be reported to the HealthSpace system so that the patient can be informed of the changes.
These changes include information becoming sealed or unsealed,
often at the patient's own request (note that this reflects the act of sealing
or unsealing and not the act of breaking a seal). Also covered are changes
in who is allowed access to the sealed information, typically when a new
workgroup gains access, perhaps due to a referral of care, or a change of
the patient's GP. A dedicated notification message is provided for the notifications.
See also the Alerts domain, which covers notifying staff and patients of
seal breaks, as distinct from the seal status changes.
1.4 Use of templates
This domain uses templates, for further information on templates refer to the latest version of "NPFIT-ELIBR-AREL-P1R2-0178 Technical Guidance for Implementation of Templated CDA Domains"
2 Storyboards
Storyboards are contained Sealed Envelopes Scenarios for
Sealing Messages document and are hyperlinked from the following icon
2.1 Scenario for Refusal to Seal Report
2.2 Scenario for Seal Event Report
2.3 Scenario for UnSeal Event Report
2.4 Scenario for Automated Accessor Group Change Notification
2.5 Scenario for Sealing Notification
2.6 Scenario for Manual Accessor Group Change Notification
2.7 Scenario for Unsealing Notification
3 Application Roles
The applications involved in the processes play specific roles. These, along with the interactions associated with each role, are identified below.
3.1 Refusal To Seal Report Originating System - POCD_AR180001UK01
The Refusal To Seal Report Originating System is responsible for sending the following Refusal To Seal interactions:
PSIS Refusal To Seal Report
Nullify Refusal To Seal Report
The Refusal To Seal Originating System Report receives responses to the above interactions from the Receiving System.
3.2 Refusal To Seal Report Receiving System (PSIS) - POCD_AR180002UK01
The Refusal To Seal Report Receiving System (PSIS) receives processes and stores the following Refusal To Seal interactions:
PSIS Refusal To Seal Report
The Refusal To Seal Report Receiving System (PSIS) receives and MUST act on the following Refusal To Seal interactions:
Nullify Refusal To Seal Report
3.3 Seal Report Originating System - POCD_AR180003UK01
The Seal Report Originating System is responsible for sending the following Seal interactions:
PSIS Seal Report
Nullify Seal Report
The Seal Originating System Report receives responses to the above interactions from the Receiving System.
3.4 Seal Report Receiving System (PSIS) - POCD_AR180004UK01
The Seal Report Receiving System (PSIS) receives processes and stores the following Seal interactions:
PSIS Seal Report
The Seal Report Receiving System (PSIS) receives and MUST act on the following Seal interactions:
Nullify Seal Report
3.5 UnSeal Report Originating System - POCD_AR180005UK01
The UnSeal Report Originating System is responsible for sending the following UnSeal interactions:
PSIS UnSeal Report
Nullify UnSeal Report
The UnSeal Originating System Report receives responses to the above interactions from the Receiving System.
3.6 UnSeal Report Receiving System (PSIS) - POCD_AR180006UK01
The UnSeal Report Receiving System (PSIS) receives processes and stores the following UnSeal interactions:
PSIS UnSeal Report
The UnSeal Report Receiving System (PSIS) receives and MUST act on the following UnSeal interactions:
Nullify UnSeal Report
3.7 Notification of Seal Event Originating System - PRPA_AR000501UK01
The Notification of Seal Event Originating System (an accredited LSP system or spine application) is responsible for sending the following interactions:
Notification of Seal Event
3.8 Notification of Seal Event Receiving System - PRPA_AR000502UK01
The Notification of Seal Event Receiving System (HealthSpace) receives and processes the following interactions:
Notification of Seal Event
4 Trigger Events
4.1 Refusal To Seal Report - POCD_TE180001UK01
A Refusal To Seal Report trigger event indicates that a Refusal To Seal Report is ready to send from the originating system.
4.2 Refusal To Seal Report Nullify By Replacement - POCD_TE180002UK02
For the Refusal To Seal Report document to be nullified the trigger event is the realisation that the Refusal To Seal Report document was sent in error, in that it contained an error and should never have been sent and that no correct Refusal To Seal Report document is available to send.
4.3 Seal Report - POCD_TE180003UK02
A Seal Report trigger event indicates that a Seal Report is ready to send from the originating system.
4.4 Seal Report Nullify By Replacement - POCD_TE180004UK01
For the Seal Report document to be nullified the trigger event is the realisation that the Seal Report document was sent in error, in that it contained an error and should never have been sent and that no correct Seal Report document is available to send.
4.5 UnSeal Report - POCD_TE180005UK01
A UnSeal Report trigger event indicates that a UnSeal Report is ready to send from the originating system.
4.6 UnSeal Report Nullify By Replacement - POCD_TE180006UK01
For the UnSeal Report document to be nullified the trigger event is the realisation that the UnSeal Report document was sent in error, in that it contained an error and should never have been sent and that no correct UnSeal Report document is available to send.
4.7 Change of Sealing Status - PRPA_TE000501UK01
A Change of Seal Status trigger event indicates that information has become sealed or unsealed or that there is a change in who is allowed to access the sealed information.
5 Interaction Diagrams
5.1 Seal interactions
Note - Application Acknowledgements are sent to originating systems for notification of successful or failure handling by the receiving application.
5.2 Notification interactions
Note - Application Acknowledgements are sent to originating systems for notification of successful or failure handling by the receiving application.
6 Interactions
Note:- For CDA domains the interactions are bound
to the "NPfIT
CDA generic model" and use the "NPfIT
CDA generic schema" instead of the "NPfIT Domain CDA model
schema".
The CDA Domain models are used for conformance checking of NPfIT templates
after transforming the "Generic NPfIT CDA" instance to "NPfIT Domain
CDA" instance.
The recipient and sender responsibilities stated in sections 6.2 to 6.4 are additional to the standard CDA recipient and originator responsibilities.
An NPfIT perspective of the standard CDA responsibilities are detailed within this section.
6.1 Recipient responsibilities
Assume default values where they are defined in this specification, and where the instance does not contain a value :
-
Where CDA defines default values, the recipient must assume these values in the event that no value is contained in a CDA instance.
Parse and interpret the complete CDA header :
-
A recipient of a CDA document must be able to parse and interpret the complete CDA header.
-
Because applications may choose to display demographic and other CDA header data drawn from a central master directory, the rendering of the CDA document header is at the discretion of the recipient.
-
An NPfIT style sheet is included within the MIM .Use of this style sheets is at the discretion of the recipient.
Parse and interpret the CDA body sufficiently to be able to render it :
-
Where a system receives a document outside of its conformance level it may chose to only render the document
-
A recipient of a CDA document must be able to parse and interpret the body of a CDA document sufficiently to be able to render it, using the following rendering rules:
-
The CDA structured Body, the label of a section, as conveyed in the Section.title component, must be rendered.
-
A recipient of a CDA document is not required to parse and interpret the complete set of CDA entries contained within the CDA body only those applicable to the receiving systems conformance level.
-
A recipient of a CDA document on receipt of a document equal to or less than it's conformance level is required to validate a CDA document against referenced templates.
-
A recipient of a CDA document on receipt of a document with templates higher than it's conformance is not required process those coded entries and should render the textual representation only.
Error handling
A recipient on receipt of a invalid / incorrect document may deal with
errors by either
-
Sending an Application Acknowledgement to the originating system stating the error type using one of the error codes from the code list for the domain contained in the relevant External Interface Specification.
or
-
The receiving system may nullify the document using a "nullify document" document which MUST be sent to the originating system.
Note - Application
Acknowledgements are sent to originating systems for notification of
successful or failure handling by the receiving application.
6.2 Originator Responsibilities
Properly construct CDA Narrative Blocks :
-
An originator of a CDA document must ensure that the attested portion of the document body is structured such that a recipient, adhering to the recipient responsibilities above, will correctly render the document.
The CDA structured Body:
-
The label of a section must be conveyed in the Section.title component.
-
The attested narrative contents of a section must be placed in the Section.text field, regardless of whether information is also conveyed in CDA entries. Attested multimedia referenced by URL in the narrative must not be carried in the document sent to PSIS.
-
An originator of a CDA document is not required to fully encode all narrative into CDA entries within the CDA body only those applicable to the sending systems conformance level.
Error handling
An Originating system on receipt of an Application
Acknowledgement containing the one of the error codes from the code
list for the domain contained in the relevant External Interface Specification
should initiate a work stream to rectify any error by either
-
Replacing the invalid document with a new correct version
or
-
by nullifying the invalid document using the "Nullify Document" document which MUST be sent to all recipients.
It should also nullify any local cache / copy as necessary.
An Originating system on receipt of a "Nullify Document" document for any document it has sent, should initiate a work stream to rectify any error including nullifying any local cache / copy as necessary.
6.3 PSIS Refusal To Seal Report - POCD_IN180001UK05
Communicates a Refusal To Seal Report
to PSIS for processing and storage.
|
Sending Role |
Refusal to Seal Report originating system |
|
|
Receiving Role |
Refusal to Seal Report receiving system (PSIS) |
|
|
Trigger Event |
Refusal To Seal Report |
|
|
Transmission Wrapper |
Send Message Payload |
|
|
Control Act Wrapper |
Control Act |
|
|
Message Type |
Refusal To Seal Report |
Receiver Responsibilities
|
Reason |
Interaction |
|
On receipt of document |
Application Acknowledgement |
6.4 Nullify Refusal To Seal Report - POCD_IN180002UK05
Communicates the nullification (by replacement) of any Refusal To Seal Report sent to PSIS.
|
Sending Role |
Refusal to Seal Report originating system |
|
|
Receiving Role |
Refusal to Seal Report receiving system (PSIS) |
|
|
Trigger Event |
Refusal To Seal Report nullify by replacement |
|
|
Transmission Wrapper |
Send Message Payload |
|
|
Control Act Wrapper |
Trigger Event Control Act |
|
|
Message Type |
Nullification Document |
Receiver Responsibilities
|
Reason |
Interaction |
|
On receipt of document |
Application Acknowledgement |
6.5 PSIS Seal Report - POCD_IN180003UK02
Communicates a Seal Report to PSIS
for processing and storage.
|
Sending Role |
Seal Report originating system |
|
|
Receiving Role |
Seal Report receiving system (PSIS) |
|
|
Trigger Event |
Seal Report |
|
|
Transmission Wrapper |
Send Message Payload |
|
|
Control Act Wrapper |
Control Act |
|
|
Message Type |
Seal Report |
Receiver Responsibilities
|
Reason |
Interaction |
|
On receipt of document |
Application Acknowledgement |
6.6 Nullify Seal Report - POCD_IN180004UK02
Communicates the nullification (by replacement) of any Seal Report sent to PSIS.
|
Sending Role |
Seal Report originating system |
|
|
Receiving Role |
Seal Report receiving system (PSIS) |
|
|
Trigger Event |
Seal Report nullify by replacement |
|
|
Transmission Wrapper |
Send Message Payload |
|
|
Control Act Wrapper |
Trigger Event Control Act |
|
|
Message Type |
Nullification Document |
Receiver Responsibilities
|
Reason |
Interaction |
|
On receipt of document |
Application Acknowledgement |
6.7 PSIS UnSeal Report - POCD_IN180005UK02
Communicates a UnSeal Report to PSIS
for processing and storage.
|
Sending Role |
UnSeal Report originating system |
|
|
Receiving Role |
UnSeal Report receiving system (PSIS) |
|
|
Trigger Event |
UnSeal Report |
|
|
Transmission Wrapper |
Send Message Payload |
|
|
Control Act Wrapper |
Control Act |
|
|
Message Type |
UnSeal Report |
Receiver Responsibilities
|
Reason |
Interaction |
|
On receipt of document |
Application Acknowledgement |
6.8 Nullify UnSeal Report - POCD_IN180006UK02
Communicates the nullification (by replacement) of any UnSeal Report sent to PSIS.
|
Sending Role |
UnSeal Report originating system |
|
|
Receiving Role |
UnSeal Report receiving system (PSIS) |
|
|
Trigger Event |
UnSeal Report nullify by replacement |
|
|
Transmission Wrapper |
Send Message Payload |
|
|
Control Act Wrapper |
Trigger Event Control Act |
|
|
Message Type |
Nullification Document |
Receiver Responsibilities
|
Reason |
Interaction |
|
On receipt of document |
Application Acknowledgement |
6.9 Notification of Seal Event - PRPA_IN000501UK03
Communicates the Sealing Event message to the receiver (HealthSpace).
|
Sending Role |
Notification of Seal Event Originating System |
|
|
Receiving Role |
Notification of Seal Event Receiving System |
|
|
Trigger Event |
Change of Sealing Status |
|
|
Transmission Wrapper |
Send Message Payload |
|
|
Control Act Wrapper |
Trigger Event Control Act |
|
|
Message Type |
Notification of Seal Event |
Receiver Responsibilities
|
Reason |
Interaction |
|
On receipt of document |
Application Acknowledgement |
7 Message Definitions
There are three CDA documents associated with sealing history which are sent to PSIS.
Additionally sealing related events are communicated to patients via the HealthSpace system, using the Notification of Seal Event message.
7.1 Refusal To Seal Report - POCD_MT180001UK05
The Refusal to Seal Report records a refusal by a clinician to seal 1 or more item of information.
7.1.1 Example for Scenario for Refusal to Seal Report
7.2 Seal Report - POCD_MT180002UK02
The Seal Report records details of a sealing event.
7.2.1 Example for Scenario for Seal Report
7.3 UnSeal Report - POCD_MT180003UK02
The UnSeal Report records details Unsealing event.
7.3.1 Example for Scenario Unseal Report
7.4 Notification of Seal Event - PRPA_MT000501UK03
The Notification of Seal Event message is used to inform another system (HealthSpace) that an event relating to sealed envelopes has happened. This is typically either some information becoming sealed, locked or unsealed, or a change of who has permission to view sealed data.
7.4.1 Example for notification of automated accessor group change
7.4.2 Example for notification of information being sealed
7.4.3 Example for notification of information being unsealed
7.4.4 Example for notification of manual accessor change
8 Glossary of Terms
| Application Acknowledgement | A response from one application to another indicating that a message has been received and is valid. |
| Application Role | The role played by the application in a particular interaction. |
| Data type | The structural format of the data carried in an attribute |
| Data Type Flavour | A subdivision of a particular data type |
| DCE UUID | Universally Unique Identifier |
| ED | Emergency Department. Previously known as Accident & Emergency |
| EHR | Electronic Healthcare Record |
| Legitimate Relationship | A Legitimate Relationship is a relationship between a clinician (or NHS organisation work group) and a patient, that gives the clinician, or workgroup member, certain levels of entitlement to access that patient’s health record maintained on National Systems. |
| NHS CRS | NHS Care Record Service |
| OID | Object Identifier, a unique identifier e.g. used to identify coding systems |
| Provider | An alternative term for a fulfiller |
| PCT | Primary Care Trust, responsible for primary and community health services within a geographical boundary. |
| PDS | Patient Demographic Service |
| PSIS | Personal Spine Information Service. |
| Requestor | The HCP responsible for the request |
| SDS | Spine Directory Service |
| Service User | A person who is registered on the PDS |