BPPC - Basic Patient Privacy Consents

From OpenEMR Project Wiki

1. An Affinity Domain (RHIO, HIE) develops a set of privacy policies, and each policy is given an object identifier (OID). For example:

  • No HIE use allowed
  • All clinical use
  • Restricted to Assigned Clinician + Emergency Mode

2. The health care system (OpenEMR) should create different types of access policies that match/link with the above OIDs.

3. The patient goes through the above policies, and the patient's acknowledgement is captured in the HL7 content structure within the CDA document.

4. When the document (patient health record) is submitted to Cross Enterprise Document Sharing (XDS) Repository [HIE], it is labeled with the OID (created by the HIE) and permissions, restrictions, and obligations. The confidentiality code is captured in the XDS Repository Metadata store.

5. When the document is consumed, permissions, restrictions, and obligations are enforced based on the attached OIDs in the HIE.

Items (1), (4) and (5) will be taken care of on the HIE side. The tasks to be taken care of on the OpenEMR side are:

  • Creation of policies that match the privacy policies of HIEs (How to get the specific policies created by the HIE?)
  • An interface for the patient to go through the above policies, and a way to capture the acknowledgement in the HL7 content structure within the CDA document
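
The mapping in step 2 and the enforcement in step 5, as an added example (not OpenEMR or HIE code): each policy OID is linked to a local access rule, and a request is denied whenever an attached OID is unmapped or lacks a patient acknowledgement. The OIDs are constructed placeholders under the `2.999` example arc; the `Request` and `Document` fields, the `decide` function, and the rule that every attached policy must permit the request are assumptions.

```python
from dataclasses import dataclass

# Constructed placeholder OIDs (2.999 is the example arc); the Affinity Domain assigns real ones.
NO_HIE_USE = "2.999.1.1"
ALL_CLINICAL_USE = "2.999.1.2"
ASSIGNED_OR_EMERGENCY = "2.999.1.3"


@dataclass(frozen=True)
class Request:
    user_id: str
    is_clinician: bool
    emergency_mode: bool = False


@dataclass(frozen=True)
class Document:
    policy_oids: frozenset          # OIDs attached when the document was submitted
    assigned_clinicians: frozenset  # user ids assigned to this patient


# Hypothetical local access rule for each policy OID (step 2).
RULES = {
    NO_HIE_USE: lambda req, doc: False,
    ALL_CLINICAL_USE: lambda req, doc: req.is_clinician,
    ASSIGNED_OR_EMERGENCY: lambda req, doc: req.is_clinician
    and (req.user_id in doc.assigned_clinicians or req.emergency_mode),
}


def decide(req, doc, acknowledged):
    """Return (allowed, reason); acknowledged is the set of OIDs the patient accepted."""
    if not doc.policy_oids:
        return False, "document has no policy OID"  # unlabeled documents fail closed
    # Assumption: every attached policy must permit the request (most restrictive wins).
    for oid in sorted(doc.policy_oids):
        if oid not in RULES:
            return False, f"unmapped policy OID {oid}"
        if oid not in acknowledged:
            return False, f"no patient acknowledgement for {oid}"
        if not RULES[oid](req, doc):
            return False, f"denied by {oid}"
    # Emergency access by a non-assigned clinician is flagged so it can be reviewed.
    if (ASSIGNED_OR_EMERGENCY in doc.policy_oids and req.emergency_mode
            and req.user_id not in doc.assigned_clinicians):
        return True, "allowed via emergency mode; record for audit"
    return True, "allowed"
```
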