March 1, 2022 – Advisory: When No Consent Group is Specified, Clinical Consent Rules May Fail
InterSystems has identified a defect affecting Clinical Information Type (CIT) consent. In certain situations, if no consent group is specified, the CIT consent rules are ignored, and the user experiences the opposite of what was intended.
This issue affects all versions of HealthShare Information Exchange and Unified Care Record through version 2021.2.
Clinical Information Type (CIT) consent may be configured with a decision to show or block data for all users except those who are in the consent groups specified in the policy. These decisions are effective when one or more consent groups are specified. However, the policies are not effective if no consent group is specified. In these situations, the rules are ignored, and the opposite behavior is experienced: the blocking rule will permit data to be displayed to all users and the show rule will block the data from all users.
The affected consent decisions are as follows:
- System-Wide Policy:
- Always Block Except
- Always Show Except
- Default Block Except
- Default Show Except
- Facility-Wide Policy:
- Always Block Except
- Always Show Except
- Default Block Except
- Default Show Except
- Patient Policy:
- Block Except
- Show Except
This issue has been rated as a Low Risk due to the fact that these policies are intended to be used with one or more specified consent groups and omitting a group is most likely a configuration mistake and would be detected during testing.
The following decisions should be used when consent groups are not relevant:
- System-Wide Policy:
- Always Block
- Always Show
- Default Block
- Default Show
- Facility-Wide Policy:
- Always Block
- Always Show
- Default Block
- Default Show
- Patient Policy:
- Block
- Show
InterSystems recommends that customers review their consent policies to ensure that any Block Except and Show Except consent policies have one or more consent groups specified. If that is not the case, customers should add one or more consent groups or use a more appropriate decision option as described above.
This defect is identified as HSIEC-4741 and will be addressed in a future version.