Advisory: Issue with Consent Processing in the Operational Data Store

InterSystems has corrected an issue that occurs with consent processing in the Operational Data Store (ODS).

This problem exists for Customers who use the Operational Data Store (ODS) in one of the following versions:

• HealthShare Information Exchange 2018.1.x
• HealthShare Unified Care Record 2019.1.x
• HealthShare Unified Care Record 2019.2.x
• HealthShare Unified Care Record 2020.1.x

When the Operational Data Store receives a request for a patient's data from an Access Gateway, it asynchronously fetches and processes the data. Consent is evaluated asynchronously for each SourceMRN, which is a combination of Facility, Assigning Authority, and MRN.

Previously, the consent evaluation for the first SourceMRN was applied to each of the subsequently evaluated SourceMRNs. This could cause consent to be applied incorrectly. This issue has been identified as a patient privacy concern as it could result in inappropriate access to patient data by an authorized HealthShare user. This issue does not cause an increased risk of disclosure outside of HealthShare.

InterSystems recommends that customers who use the ODS apply the fix for this defect. The fix ensures that the consent evaluation for each SourceMRN is processed independently.

The correction for this defect is identified as HSIEC-3224 and will be included in all future product releases. It is also available via Ad hoc change file (patch) or full kit distribution from the Worldwide Response Center (WRC).

If you have any questions regarding this advisory, please contact the WRC.