A new feature has been added to the Audit Log Filters to retain the filter choices for when the user returns to the page after navigating away.

A new feature has been added to the Transaction Log Filters to retain the filter choices for when the user returns to the page after navigating away.

It is not possible to pass authorization parameters to the smileutil upload-example-dataset command.

A new feature has been added to the FHIR Storage module that allows a FHIR repository to act as an Enterprise Master Person Index (EMPI). See [/docs/fhir_storage/empi_mode.html](EMPI Mode) for more information.

The FHIR Gateway module will now make up to 10 attempts to retrieve the target server's CapabilityStatement during startup before aborting.

Outbound HL7 v2.x interfaces may now use MLLP over TLS (secure sockets) as well as HL7 over HTTP using either plain or secure TLS sockets.

The JSON Admin API operation for modifying the password of a user now returns a status object that includes details about the outcome of the operation.

Added SSL support to Kafka. This includes 6 new config parameters for specifying the locations of the trust store, key store, and passwords.

A number of password hashing schemes have been added in order to allow administrators to balance risk and security with speed, as well as to comply with local standards for deployment.

The Smile CLI Tool (smileutil) "hl7v2-transmit-flatfile" command now issues a meaningful error message to the console when multiplexing fails due to an invalid path (i.e. the argument provided for option --multiplex-on-field [path]).

A new feature called the Consent Service has been added to FHIR Storage modules. The Consent Service can be used to apply various consent and access rules to FHIR operations being invoked, including blocking and masking data being returned. See Authorization and Consent for more information.

Support for Two Factor Authentication using the TOTP protocol has been added. See Two Factor Authentication for more information.

A new API has been added to the User Management Endpoint that allows a user to modify their own password.

It is now possible to perform cascading deletes, where deleting one resource also deletes any resources that refer to that resource. See Cascading Deletes for more information.

The transaction log will now capture FHIR response bodies sent out by FHIR Endpoint modules in addition to the FHIR request bodies already captured. This can be disabled (and generally should be on servers that need to process lots of data). See Transaction Logs for more information.

The HL7 v2.x inbound processor now ensures that Patient resources resulting from the following event triggers are treated as conditional creates: A03, A06, A07, A11, A12, and A13.

The default installation of Smile CDR now uses an embedded H2 database instead of the previous DerbyDB. H2 is a similar architecture to Derby (file or memory based, runs inside the Smile CDR process so no extra installation is required) but it is better performing and more stable so it makes a better choice for testing. Derby remains supported as an alternative.

A set of features has been added to help in situations where a FHIR repository will be used to store large and/or many binary objects (i.e. as Attachments within a DocumentReference). These features include an option for using the filesystem for storage instead of putting these in a relational database, as well as a pair of new operations that can be used to read/write binary content directly (with no base64 required). See Binary Data for more information.

In addition to a link rule specifying a link level in EMPI module, we also added an optional ability for the configuration to specify a system/code/display for a tag to be added to any Person resource that has had a link automatically added to it. The setting called "Review Queue".

Added an experimental new feature called LiveBundle that allows users to define named data aggregators and register 'subscribers' against those aggregators. The LiveBundle interceptor will then aggregate matching references for that subscriber that can later be fetched as a bundle. See the LiveBundle documentation for more details.

The smileutil transmit-hl7v2-message command now accepts multiplexing paths that do not include the group name before the segment name. This makes it easier to specify paths that are appropriate for ADT transmission, since many segments are found in different paths within different structures.

The path used on HTTP endpoints for the Endpoint Health Check is now configurable. If an existing monitoring infrastructure requires a response on a path other than /endpoint-health, this can be configured.

The HL7 v2.x inbound processor now accounts for three additional codes when mapping PV1-2 (Patient Class) to Encounter.class. These codes are P, R, and B. Refer to Table 0004: Patient Class.

New documentation plus minor enhancements to support deploying and managing Smile CDR clusters using Kubernetes.

The SMART Inbound Security module will now reduce permissions on a session based on which scopes have been approved or not approved (as the SMART Outbound Security module already did). A new configuration item has also been added to both the SMART Inbound Security and SMART Outbound Security modules to control this behavior.

PostgreSQL 11.4 is now supported.

Smile CDR will now emit a warning when starting up using an embedded database such as the default H2 database. This is just a reminder that H2 and Derby should not be used in production systems.

Support for the FHIR Filter Search Parameter has been added. See this page for details.

Support for GraphQL based searches has been added.

A new feature called Performance Tracing has been added to the FHIR Storage module. This feature allows for greater insight into the generated SQL and performance implications of various queries being performed. This can help to maximize performance when building an application. See Performance Tracing for more information.

The date range pop-up for Transaction Log and Audit Log has been upgraded to include a default date range, to have the pop-up triggered when the user clicks on the calendar icon, and to display the date in more intuitive format.

The default Smile CDR configuration now uses FHIR R4 instead of FHIR STU3. Previous releases of the standard are still supported of course, and no plans exist to discontinue them at this time.

The presentation of the list of nodes and modules in the Web Admin console has been reworked so that it is more friendly to large clusters.

The default value for property subscription.consumers_per_matching_queue has been changed from 2 to 5.

Breaking Change: The response types for the 'Fetch All Module Config' and 'Fetch Single Module Config' operations on the Module Config Endpoint have been modified so that they now match the input models for the corresponding setter operations. We are not aware of any users depending on the previous behaviour so we do not consider this a significant change. Please get in touch if you believe that this assessment is incorrect.

Several columns in the Cluster Manager database have been renamed in order to avoid conflicts with new reserved words in MySQL 8.0.0

The Smile CLI Tool (smileutil) "hl7v2-transmit-flatfile"" command was not multiplexing as expected for some versions HL7 v2.x. This has been corrected.

When running an ETL import script that updates resources by setting resource IDs that do not include the resource type, the script failed with a mysterious HTTP 500 error. This has been corrected.

The following three configuration items could not be set and always used default values, and this has been corrected:

• subscription.consumers_per_matching_queue
• subscription.consumers_per_delivery_queue
• kafka.bootstrap_address

When processing HL7 v2.x messaging and using the onPreConvertHl7V2ToFhir(theMessage, theConversionResult) callback script to convert message structures (e.g. from DFT_P03 to RAS_O17), the original structure was passed along to subsequent stages of translation instead of the converted sturcture. This has been corrected.

When using Derby as the Cluster Manager database platform, initiating a module restart sometimes resulted in a deadlock error and a module restart failure. This has been corrected.

HL7 v2.x ADT_A16 message structures were not being properly identified in the Transaction Log detail view. This has been corrected.

Request validation was not working for R4 resources. This has been corrected. Also as a part of this change, the "Require Explicit Profile Definition Enabled" setting has been removed, as it was redundant.

An overly zealous ActiveMQ channel cleanup process can delete channels that are still in use and contain data during a Smile CDR shutdown. This release corrects this issue, which was only introduced in Smile CDR 2019.05.R01. Any users of that version are advised to upgrade immediately.

Several new variable subsstitutions have been added to the HTTP Access Log.

Added support for using Kafka in place of ActiveMQ.

Added a new Subscription module type that provides for a node to be dedicated to processing subscriptions. This node doesn't require a Storage module to be present; it uses a FHIR Endpoint to retrieve custom search parameters and subscriptions required by the Subscription module. Currently the Subscription module requires Kafka.

A new command has been added to the Smile CDR CLI called execute-script-function that can be used to execute Javascript functions intended for the Javascript Execution Environment outside of a Smile CDR deployment. This can be useful for development and testing.

A new function, addMessage(thePath, theMessageLevel, theIssue), has been added to the Hl7V2ReceivedMessageConversionResult callback model in the JavaScript Execution Environment.

When processing ADT_A60 messages, the HL7 v2.x inbound processor now populates AllergyIntolerance.type with a value of allergy.

The HL7 v2.x inbound processor now maps IAM-11 (Onset Date) to AllergyIntolerance.onsetDateTime.

The HL7 v2.x inbound processor now maps IAM-2 (Allergen Type Code) to AllergyIntolerance.category.

The HL7 v2.x inbound processor now maps RXC-3 (Component Amount) and RXC-4 (Component Units) to an extension on the Medication resource. We store these values in an extension to mirror Medication.amount in FHIR R4.

The HL7 v2.x inbound processor now maps RXE-23 (Give Rate Amount) and RXE-24 (Give Rate Units) to MedicationRequest.dosagaInstruction.rate[x]. They will be mapped to one of rateQuantity, rateRange, or rateRatio as appropriate.

The HL7 v2.x Listening Endpoint module can now be configured with an OBSERVATION group text delimiter for NTE segments in ORU_R01 messages. This delimiter will be used as a separator between multiple repetitions of NTE-3 (Note Text), as well as NTE-3 from multiple contiguous NTE segments following a given OBX segment. By default, \.br\ is used to indicate a newline.

The HL7 v2.x Listening Endpoint module can now be configured with an OBSERVATION group text delimiter for OBX segments in ORU_R01 messages. Where OBX-2 (Observation Value Type) is one of ST, TX, or FT, this delimiter will be used as a separator between multiple repetitions of OBX-5 (Value). By default, \.br\ is used to indicate a newline.

The HL7 v2.x inbound processor now maps OBX-15 (Producer's ID), OBX-23 (Performing Organization Name), and OBX-24 (Performing Organization Address) to Organization.identifier, Organization.name, and Organization.address respectively. The resulting Organization is referenced in Observation.performer.

The HL7 v2.x Listening Endpoint module can now be configured with an ORDER_OBSERVATION group text delimiter for NTE segments in ORU_R01 messages. This delimiter will be used as a separator between multiple repetitions of NTE-3 (Note Text), as well as NTE-3 from multiple contiguous NTE segments following a given OBR segment. By default, \.br\ is used to indicate a newline.

By default, the HL7 v2.x inbound processor now sets Procedure.status to completed.

The HL7 v2.x inbound processor now maps multiple NTE segments for a given OBSERVATION group to Observation.comment. Previously, only the first such NTE segment was mapped.

The HL7 v2.x inbound processor now maps RXC-1 (RX Component Type) to Medication.ingredient.isActive.

The HL7 v2.x inbound processor now maps RXC-2.9 (Original Text) to Medication.code.text.

By default, the HL7 v2.x inbound processor will create/update contained Medication resources derived from RXE, RXC, and RXA segments in RDE and RAS messaging. A new configuration item has been added such that Medication resources derived from RXA segments will be standalone resources. This should only be enabled if RXA-5 (Administered Code) uniquely identifies a given medication and all of its meaningful fields.

By default, the HL7 v2.x inbound processor will create/update contained Medication resources derived from RXE, RXC, and RXA segments in RDE and RAS messaging. A new configuration item has been added such that Medication resources derived from RXC segments will be standalone resources. This should only be enabled if RXC-2 (Component Code) uniquely identifies a given medication and all of its meaningful fields.

By default, the HL7 v2.x inbound processor will create/update contained Medication resources derived from RXE, RXC, and RXA segments in RDE and RAS messaging. A new configuration item has been added such that Medication resources derived from RXE segments will be standalone resources. This should only be enabled if RXE-2 (Give Code) uniquely identifies a given medication and all of its meaningful fields.

The HL7 v2.x inbound processor now maps unknown values of OBR-24 (Diagnostic Service Section ID) to DiagnosticReport.category.text.

The HL7 v2.x inbound processor now maps XAD-7 (Address Type) with a value of B such that Address.use will be work and Address.type will be postal.

User supplied Java code (e.g. Hybrid Providers, custom interceptors, etc.) can now access detais about the OAuth2 authentication including claims contained in the token and the identity of the client.

A new option has been added to the Smile CDR cli for uploading a directory of json files to a FHIR endpoint.

Metrics about subscription matching and delivery are now captured and stored in the database. A future enhancement will present graphs of these in the admin console.

Clients can now use an Endpoint to change their secret using their existing secret.

A new permission has been added (FHIR_META_OPERATIONS_SUPERUSER) that allows users to perform FHIR $meta operations (both read and write) on any resource.

Added three new configuration parameters to Kafka, subscription.kafka.consumers_per_topic, subscription.kafka.auto_commit and subscription.kafka.ack_mode.

Change subscription processing from a shared thread pool to a dedicated thread pool per subscription. Both the the number of matching consumer threads and delivery threads per subscription are now configurable.

It is now possible to use a JavaScript script to modify the generated HL7 v2.x message being transmitted on an HL7 v2.x Sending Endpoint module.

Two configuration properties have been added to the FHIR Gateway module that control the client timeouts when communicating with the gateway target server. In addition, when a socket timeout occurs the gateway now responds with a more informative error message.

The Web Admin Console transaction log viewer now has buttons to show/hide the payload bodies, as well as a button to pretty-print the contents.

SMART on FHIR support in Smile CDR now includes support for resource speficic patient scopes, such as Patient/CarePlan.read or patent/Condition.write.

A new API for adding custom Z-segments to HL7 v2.x messages has been added to the JavaScript execution environment.

Subscription matching and delivery has moved to a new "Subscription Matcher" module. Servers that use subscriptions will need to add a subscription module for each storage module and link the subscription module to its corresponding storage module. The storage module is responsible for activating the subscription and adding all resources to a queue/topic and then the subscription module picks up the resources from this queue/topic matches against all active subscriptions and delivers matches to their endpoints.

A new option has been added to REST HOOK Subscription processing that allows specific base URLs to be stripped from reference URLs in resources being delivered.

A new API has been added to HAPI FHIR that allows thrown exception messages to be marked as trusted. When a message is marked as trusted, it will be exposed to the client even when Suppress Error Details mode is enabled. This can be used from Hybrid Providers code. In addition, a new JavaScript API has been added that exposes this functionality from JavaScript.

Added client details to transaction log entries

Added description "Showing x to x of x" to table pagers

Open ID Connect clients can now be disabled.

The Hl7V2ReceivedMessageConversionResult callback model now includes a property called doNotProcess. This is a flag to indicate whether or not a given message should be processed.

When processing HL7 v2.x messaging using the JavaScript Execution Environment, the getRepetitionCount() method can now be used at the group level. This is in addition to the segment and field levels.

A hasChild(name) method has been implemented in the JavaScript Execution Environment to improve HL7 v2.x processing. This method works at the message and group levels, and it can be used to interrogate the structure of a given message or group.

The JavaScript function onPreConvertHl7V2ToFhir() now has an additional parameter of type Hl7V2ReceivedMessageConversionResult. This is the same conversion result that is passed into function onPostConvertHl7V2ToFhir().

Subscription Module Runtime Status now displays subscription metrics for each subscription.

It is now possible to selectively prevent specific event types from being logged in the transaction log, in order to prevent the log from being overwhelmed with useless messages in some configurations. See Transaction Log for more information.

Function isEmpty() has been implemented at the segment, group, and field levels for HL7 v2.x entities within the JavaScript Execution Environment.

The HL7 v2.x inbound processor now maps RXA-8 (Administered Dosage Form) to Medication.form.

The inbound HL7 v2.x transaction processor now maps non-standard ZXC segments to FHIR. One or more of these optional segments can be included in the ADMINISTRATION group of an RAS_O17 message. ZXC segments use the RXC structure. A given ZXC segment is a component for its associated RXA segment just as a given RXC segment is a component for its associated RXE segment. These components are mapped to Medication resources in Smile CDR.

When processing HL7 v2.x messages with ZXT segments, ZXT segments where ZXT-2 has a value of NM can now be used to populate an arbitrary path in FHIR with integers or decimals.

A new setting has been added to DB connection pool settings that allows a maximum lifetime age for connections to be specified.

Added HL7v2 Outbound support for ADT_A31.

Addded new websocket subscription module to cdr. This module requires a subscription module to know which websocket subscriptions are active. It supplies its URL to the FHIR Endpoint module so that the websocket URL can be provided as a part of the server's capability statement.

When a subscription is deleted, now the queue (or kafka topic) for that subscription delivery will be removed.

Function encode() has been implemented at the message, segment, and field levels for HL7 v2.x entities within the JavaScript Execution Environment.

Added three new config parameters to FHIR Persistence module. reindex threads, expunge threads, expunge batch size.

A clear() method has been implemented in the JavaScript Execution Environment to improve HL7 v2.x processing. This method works at the segment, field, component, and sub-component levels, and it can be used to clear the contents of a message.

A new setting on HTTP servers has been added for specifying the size of the request queue to use when no threads are available for processing. In addition, a new graph has been added to the runtime monitors in the Web Admin console that shows threadpool usage in terms of idle and busy threads.

A new (Hl7V2)[/docs/javascript_execution_environment/hl7v2.html#the-hl7v2-object] object has been added to the JavaScript Execution Environment. This object provides utility methods that are useful when working with HL7 v2.x messaging; including function newMessage(messageCode, messageTriggerEvent, processingId) for creating a new message structure, and several methods that return a new object of a given HL7 v2.x datatype.

A new setData(object) method has been implemented in the JavaScript Execution Environment to improve HL7 v2.x processing. This method works at the field, component, and sub-component levels where such an element allows for variable HL7 v2.x datatypes. For example, OBX-5 (Observation Value) can be populated with a variety of datatypes, as identified by the value in OBX-2 (Value Type). This method has one parameter, which is a JavaScript object of an HL7 v2.x datatype.

The HL7 v2.x inbound processor now populates Observation.specimen where a given ORDER_OBSERVATION group includes a single SPECIMEN group. Where multiple SPECIMEN groups exist, a warning is issued to the Transaction Log.

A new setting has been added to the FHIR Storage module database configuration that can be used to control the use of bind variables in SQL parameters that are purely numeric. This is useful in some optimization scenarios with certain database platforms.

The HL7 v2.x inbound processor now maps XAD.7 (Address Type) values of M to Address.type of postal.

The HL7 v2.x inbound processor now populates Specimen.subject.

When mapping RAS_O17 messages to FHIR, the HL7 v2.x inbound processor now maps ORC-7.4 (Start Date/Time) to MedicationRequest.dosageInstruction.timing.event.

When mapping ORU_R01 messages to FHIR, the Hl7 v2.x inbound processor populates Observation.performer with a reference to an Organization derived from OBX-15 (Producer's ID), OBX-23 (Performing Organization Name), and OBX-24 (Performing Organization Address). Such an Organization will now have Organization.type populated with a value of prov.

The following changes were applied to both the User Manager interface of the Web Admin Console and the user-management endpoint of the JSON Admin API:

• added error message at top for validation errors
• changed username to required field
• changed email to require email format
• added * to indicate required fields for username and password (only add screen for password)
• changed password field to not show placeholder for add screen
• changed so user fields retain context after error save

Always allow anonymous access to Swagger UI and v2 resources.

Previously, the HL7 v2.x inbound processor created/updated standalone Medication resources derived from RXE, RXC, and RXA segments in RDE and RAS messaging. This assumed that RXE-2 (Give Code), RXC-2 (Component Code), and RXA-5 (Administered Code) would each uniquely identify a given medication and all of its meaningful fields. By default, the HL7 v2.x inbound processor will now create/update contained Medication resources.

When processing RDE_O11 messages, the HL7 v2.x inbound processor will now map the component identified in RXC-2 (Component Code) to a Medication referenced by the parent Medication in Medication.ingredient.itemReference if both a code and code system are provided. This only occurs when a given pharmacy order includes multiple RXC segments. Where only one RXC segment is provided, the component will be mapped to Medication.ingredient.itemCodeableConcept of the parent Medication. Regardless of the number of RXC segments, if only a textual display is provided in RXC-2.2 then the component will be mapped to Medication.ingredient.itemCodeableConcept.text.

FHIR Storage modules now come with Lucene disabled by default. Lucene is useful to support fulltext searches and some terminology operations, but also requires capacity planning. It is often not required for real-world implementations so this change should help simplify deployment.

The JavaScript functions onMessagePreConvert() and onMessagePostConvert() that were used in HL7 v2.x Listening endpoints to manipulate received messages and affect the resulting transformation to FHIR have been renamed to onPreConvertHl7V2ToFhir() and onPostConvertHl7V2ToFhir() respectively in order to have more meaningful names. Any existing functions need to be renamed.

Disabled users will no longer show up in the user manager within the Web Admin Console unless they are explicitly searched for.

Changed support for HL7 v2.x Outbound ORM^O01 (General Order Message) to OMG_O19 (General Clinical Order Message).

The default value for the following configuration items has been changed from \\.br\\ to \\n:

• hl7v2_fhir_mapper_observation_group.observation_group_text_delimiter.obx
• hl7v2_fhir_mapper_observation_group.observation_group_text_delimiter.nte
• hl7v2_fhir_mapper_order_observation_group.order_observation_group_text_delimiter.nte

The HL7 v2.x inbound processor no longer adds a urn:cedar:extension:stringFormat extension to Observation.comment.

An issue was fixed where refresh tokens issued by the SMART Outbound Security module would not always remain usable after an upgrade to Smile CDR.

When starting Smile CDR with an unsuported version of Java, an error message was logged in the logs, but nothing was reported on the console. This has been fixed.

When mapping OBX segments from ADT messages to Observation resources, the HL7 v2.x inbound processor was not populating Observation.context with a reference to an Encounter. This has been corrected.

Nulls are stripped from the end of performance graphs so they no longer drop to zero at the end of the graph.

Fixed permissioning such that ROLE_FHIR_CLIENT_SUPERUSER will be granted FHIR_ALL_READ and FHIR_ALL_WRITE when user has patient read/write scope.

Fixed security troubleshooting log to log the client id instead when user = null or unknown.

Fixed bug for SMART Inbound Security Authentication Callback Scripts where it was returning a 500 response when a newFailure() was invoked. It will now return a 401 InvalidClientException instead of 500 UsernameNotFoundException or 500 BadCredentialsException.

smileutil (CLI) was slow to start on some versions of RHEL/CentOS due to a slow random number generator being used. This has been corrected.

The FHIR_PROCESS_MESSAGE permission granted users the ability to invoke the $process-message operation at the type level (on the MessageHeader resource) but not at the server level. The FHIR specification allows for this operation to be called at both levels.

When "Enable Resource Counts" was disabled on FHIR endpoints, the resource count query could still fire in the background, wasting database cycles. This has been corrected.

The system was unable to delete expired Refresh tokens if they had an associated access token that was not expired. This has been corrected.

When processing an ORU^R01 message with no valid identifier in the OBR segment, the message was silently ignored with no error message displayed in the transaction log. This has been corrected.

CDA documents generated with the CDA exchange module had invalid namespace declarations on some tags. This has been corrected.

An issue was fixed where the Search Parameter statistics collector would sync stats to the database extremely frequently on large clusters.

The hamburger menu (for navigation on mobile devices) in the Web Admin Console was broken in Smile CDR 2019.02.R01. This has been fixed.

The HL7 v2.x inbound processor was incorrectly expecting location information within invalid extra sub-components of PV1-3 (Assigned Patient Location) and PV1-6 (Prior Patient Location). This has been corrected, and the segment definition of PV1 (Visit/Encounter) has been updated accordingly.

Method Converter.hl7v2TsToFhirDate(dt) now issues an appropriate exception for invalid input.

When using the Smile CDR CLI hl7v2-transmit-flatfile command in multithreaded mode, sometimes a failure could be obscured by log lines after the failure. This has been corrected so that the command always finishes with details about any failures.

Hide user and client cards when they don't exist for transaction log event.

The HL7 v2.x inbound processor was incorrectly mapping RXA-13 (Administered Strength) and RXA-14 (Administered Strength Units) to MedicationAdministration.dosage.rate. This has been corrected. Now RXA-12 (Administered Per (Time Unit)) is mapped to MedicationAdministration.dosage.rateRatio.denominator.unit. A value of 1 is mapped to MedicationAdministration.dosage.rateRatio.denominator.value. The numerator is populated using the values of RXA-6 (Administered Amount) and RXA-7 (Administered Units).

The HL7 v2.x inbound processor was incorrectly mapping RXA-9 (Administration Notes) to MedicationAdministration.note.text twice. This has been corrected.

Fixed a bug where Smile CDR wouldn't start due to a configuration error on a module.

When processing a FHIR Resource for an outbound HL7 v2.x Subscription, the conversion failed with an incomprehensible error if a dateTime in the resource had a time but no timezone offset. This has been corrected.

When starting Smile CDR with a brand new R4 repository, under some circumstances the server could fail to start with a cryptic error. This has been resolved.

When mapping ORU_R01 messages, the HL7 v2.x inbound processor was incorrectly mapping ORC-9 (Date/Time of Transaction) to ProcedureRequest.authoredOn and ORC-15 (Order Effective Date/Time) to ProcedureRequest.occurrenceDateTime. This has been corrected such that the ORC-7.4 (Start Date/Time) is now mapped to ProcedureRequest.occurrenceDateTime. The relevant documentation has been updated accordingly.

For some message types, the HL7 v2.x inbound processor resulted in a transaction bundle with duplicate entries for the same Practitioner. This has been corrected.

When mapping RAS_O17 messages to FHIR, the HL7 v2.x inbound processor no longer maps ORC-9 (Date/Time of Transaction) to MedicationRequest.authoredOn.

When mapping ORU_R01 messages to FHIR, the Hl7 v2.x inbound processor populates Observation.performer with a reference to an Organization derived from OBX-15 (Producer's ID), OBX-23 (Performing Organization Name), and OBX-24 (Performing Organization Address). The OBX segment definition incorrectly indicated that OBX-23.6 and OBX-23.10 would be used to populated Organization.identifier for such an Organization. In fact, OBX-15.1 and OBX-15.2 are used to populate the identifier, and the documentation now reflects this.

The ORC segment definition incorrectly identified ORC-2 (Placer Order Number) as a required field. It is in fact only conditionally required. The field must be populated in an RDE_O11 message; however, it may be omitted in an ORU_R01 message, in which case processing via the HL7 v2.x inbound processing will not result in a ProcedureRequest.

Smile CDR can now be run (and is recommended to be run) on JDK 11.0.1. JDK 1.8.0_121+ remains supported however all customers are recommeneded to upgrade to OpenJDK 11 or Oracle JDK 11 if possible.

User details have been added to both the summary and detailed Transaction Log views in the Web Admin Console.

Module type has been added to Module-config endpoints for JSON Admin API.

When processing HL7 v2.x messages with ZXT segments, ZXT segments where ZXT-2 has a value of CE can now be used to populate an arbitrary path in FHIR where one of a fixed set of codes with required binding is expected.

The HL7 v2.x inbound processor now maps OBX-23 (Performing Organization Name) to Observation.performer. If both OBX-23.6 and OBX-23.10 are populated, they will constitute Organization.identifier.system and Organization.identifier.value respectively for the Organization to be referenced in Observation.performer.

In addition to mapping ORC-9 (Date/Time of Transaction) to MedicationRequest.authoredOn, the HL7 v2.x inbound transaction processor now maps ORC-9 to ProcedureRequest.authoredOn.

It is now possible to define multiple users in an inbound security module to be used as designated anonymous users, and to specify which designated user should be used as the anonymous user for each individual endpoint. This means that different endpoints within a single Smile CDR installation may share the same inbound security module, but have different permissions associated with anonymous requests.

The smileutil "synchronize-fhir-servers" command now has a new mode called SYNTHEA that can be used to upload a set of synthea files to a server. See Synthea Mode documentation for more information.

A new property called "secret required" has been added to OAuth2/SMART client definitions. This property allows clients to be defined as not requiring direct client authentication, meaning that clients may optionally be allowed to perform the authorization code flow, refresh flow, etc., without requiring client authentication.

OpenID Connect client definitions have a new property called "Auto-Grant Scopes". Any scopes listed in this field will be automatically granted to clients any time they authorize, without requiring any approval.

OpenID Connect client definitions may now been granted Smile CDR permissions, meaning that it is now possible for clients to authenticate directly using the Client Credentials Grant, and then use the granted Access Token to access FHIR services.

A new operation has been added to the JSON Admin API module OpenID Connect Client endpoint. This operation allows an existing client definition to be retrieved by a user with appropriate permission.

It is now possible to change the Client ID of an OAuth2 Client Definition using the JSON Admin API. Previously this was only possible using the Web Admin Console.

OAuth2 client secrets are now stored in the database as salted and hashed values (using 12-round BCrypt as the current default algorithm), instead of being stored as plaintext values. In addition, the client definition editor in the Web Admin console has been improved so that multiple client secrets may be added at once if needed.

When using the FHIR Gateway module, if a client invokes an operation and includes an Accept header requesting a non-FHIR response, this Accept header will be relayed to the target server.

A new configuration item has been added to the FHIR endpoint module that allows clients to request that Media resources be served as raw content instead of FHIR encoded XML/JSON content. See Serving Raw Media Resources for more information.

When converting FHIR Patient resources to HL7 v2.x PID segments for an outbound interface, if a US Core Race or Ethnicity extension is present but it has only a category, the extension URL will not be placed in the HL7 v2.x CE value in order to reduce clutter.

A new search meta-parameter called _total has been added. This parameter can be used to force a count to be calculated, even for large searches. See Forcing A Total and Data for more information.

Several features were added to the JavaScript Execution Environment FHIR REST API. These include the following things:

• The FHIR create operation is now supported in the Fhir object
• The FHIR update operation is now supported in the Fhir object

It is now possible to add JavaScript callback functions that are executed as a part of processing incoming HL7 v2.x messages using the HL7 v2.x Receiving Endpoint module.

HTTP endpoints being secured with HTTPS (TLS) in Smile CDR may now use PKCS#12 files instead of JKS (Java Keystore) files as the keystore and truststore if desired.

Methods for URL Encoding and Decoding have been added to the Converter API in the Javascript Execution Environment.

Search results accessed via searches performed within a FHIR transaction are now audited as individual resource accesses. This means that all accessed resources within a transaction response are now audited as having been viewed.

New settings have been added to the FHIR modules for setting default Prefer header behavor, and default _total parameter behavior.

TLS servers can now optionally be configured with a whitelist and/or blacklist for supported ciphers and protocols.

A new configuration option has been added to the FHIR Storage modules that prevents any scheduled maintenance jobs from firing. This is useful for setups where multiple master storage modules are pointed at the same underlying database.

A new configuration option has been added to RDBMS connection settings, allowing the user to specify whether Smile CDR should automatically update the database schema on startup.

When parsing a JWKS / JWK (JSON Web Key) file, the parser is now more lenient about quoting and JSON format in order to be more compatible with the export format of RedHat SSO.

A new permission has been added to the Smile CDR permission system that authorizes users to perform the $meta, $meta-add, and $meta-delete FHIR operations.

When a Smile CDR HTTP Server is in Suppress Error Messages mode, stack traces generated by failures (such as callback scripts) are now suppressed.

The layout and UI style of the Smile CDR documentation in the Web Admin Console has been improved to match the layout used on https://smilecdr.com/docs/

The Cross-Organization Data Access Profile authentication script function name has been renamed from authorize(...) to authenticate(...) in order to be consistent with other functions in the ecosystem.

When mapping HL7 v2.x DG1 segments, an empty contained Practitioner resource was created as the Condition asserter even when no data was present in the DG1 segment. This has been corrected.

If Observation Identification Mode was set to USE_PARENT_IDENTIFIER_AND_OBX_CODE while both OBR-2 (Placer Order Number) and OBR-3 (Filler Order Number) were configured to be used to create identifiers for a given DiagnosticReport, only the first repetition of DiagnosticReport.identifier (Placer Order Number) was used to construct the related Observation.identifier system and value. This has been corrected such that Observation.identifier.system will be a dash-delimited concatenation of all repetitions of DiagnosticReport.identifier.system, and Observation.identifier.value will be a dash-delimited concatenation of all repetitions of DiagnosticReport.identifier.value, followed by a dash (-), followed by the observation code value found in OBX-3.1 (Observation Identifier Code).

The smileutil CLI tool "synchronize-fhir-servers" command had a bug where it failed with an error if the source server used https. This has been corrected. In addition, it is now possible to specify source and/or target directories as relative paths, e.g. --source some/directory.

The SMART Outbound Security module UserInfo endpoint did not support CORS even when CORS was enabled. This has been corrected.

When viewing the connection pool history graph in the Web Admin Console, the history for the Cluster Manager connection pool was shown in all cases, even when a different module was selected. This has been corrected.

It is now possible to perform search/read operations from within a transaction. Previously this was blocked by the security layer even the user had appropriate permissions.

It was not previously possible to clear a module dependency from a module configuration. This has been corrected.

A bug that prevented revoking refresh tokens that were linked to an active (non-expired) access token from being deleted has been fixed.

A bug in the SMART Inbound Security module definition prevented instances of this module type from being created if they did not have a configured link to a SMART Outbound Security module. This has been corrected.

Some RDBMS queries used inline parameters instead of using bind variables, which prevented statement caches in some platforms (e.g. Oracle) from effectively caching statement execution plans. This has been corrected.

The HTTP Prefer header was not included in the standard CORS Allowed Headers response. This has been added, since Prefer is often used in FHIR interactions.

When an altenate context root was selected (e.g. /baseDstu3) it was not possible to submit a FHIR transaction against the root without appending a trailing slash. This has been corrected.

A regression was fixed when performing a SMART/OAuth2 authorization flow: When a user denied some scopes, these choices were not always respected in the resulting generated token.

The HL7 v2.x transaction processor now maps RXA-20 (Completion Status) to MedicationAdministration.status.

Previously, transaction processing time was only visible from the Transaction Log summary view in the Web Admin Console. It is now also visible from the Transaction Log event view.

Authentication scripts now support a JavaScript based callback script that can be used to add additional processing rules to the authentication. See the Callback Script Documentation for more information.

Whem mapping HL7 v2.x ORC segments, the value for ORC-4 (Placer Group Number) is now mapped to ProcedureRequest.requisition.

HL7 v2.x Sending Endpoint MLLP connections may now have the send timeout configured, so that sending to an endpoint which is slow to reply does not cause an error.

When viewing HL7 v2.x Sending Endpoint deliveries in the transaction log, the ID of the triggering resource as well as the ID of the triggering subscription are now shown in the transactiong log.

HL7 v2.x inbound and outbound processors now know how to handle Observations (OBX segment) having structured numeric values (HL7 v2.x SN datatype, mapping to Quantity and Ratio datatypes in FHIR).

A new configuration property has been added to SMART/OIDC client definitions called canReissueTokens. If this property is enabled, when a client performs a SMART grant request, if a similar grant request (in terms of requested scopes, etc.) has recently been performed, the same token will be reissued. This is useful for some clients that request tokens repeatedly.

The FHIR Gateway and FHIR Hybrid Providers modules are now both able to support arbitrary extended operations (i.e. operations such as Patient/$foo that are not defined in the FHIR specification and are added by developers). Several new permissions have been added to the Smile CDR permission system to allow users to be authorized to access these operations as well.

The FHIR Gateway module now allows FHIR $operations to be called through the gateway.

Support for the SMART on FHIR Cross-Organizational Data Access Profile has been added to the SMART Outbound Security Module.

The JSON Admin API "Set configuration options for the given module" option has an input parameter named "name" that is equivalent to the parameter named "key" on all other operations. This has been renamed for consistency (although the previous parameter name will remain functional as well for now in order to reduce the burden on upgrading).

A variable called ${client_name} may now be used in SMART Outbound Security module skins to provide the name of the client being authorized.

A new route has been added to the CDA Exchange Module endpoint for creating / updating template scripts with body type application/javascript. This allows a user to directly copy and paste their JavaScript template into their request body without needing to escape any special characters.

Navigations buttons have been added to the Transaction Log viewer in the Web Admin Console. These buttons may be used to move directly to the previous or next entry in the Transaction Log.

A new FHIR operation called $trigger-subscription has been added. This operation can be used to cause a resource to be processed (or reprocessed) through a specific subcription without needing to resubmit the source resource. See Manually Triggering Subscriptions for more information.

The HL7 v2.x outbound message mapper can now use MessageHeader resources stored in the repository in order to populate the MSH segment in generated messages. See Outbound HL7 v2.x for information.

The HL7 v2.x outbound message mapper can now use NamingSystem resources in the repository to populate HL7 v2.x identifier fields with appropriate values based on naming systems found in FHIR identifiers. See NamingSystem Mapping for information on how this works.

A new configuration flag has been added to the database settings for the Cluster Manager and FHIR Storage modules called db.schema_update_mode. This setting allows an administrator to configure whether the database schema should be automatically updated upon system startup.

The Smile CDR CLI upload-csv-bulk-import-file command now has an additional option to skip the first N rows rather than uploading them. This is useful for troubleshooting or recovering from errors.

The inbound HL7 v2.x transaction processor now maps DG1-16 (Diagnosing Clinician) to a Practitioner resource that is referenced by Condition.asserter.

The inbound HL7 v2.x transaction processor now maps additional NK1 fields to FHIR, including NK1-6 (Business Phone Number), NK1-7 (Contact Role), NK1-13 (Organization Name), and NK1-33 (Next of Kin/Associated Party's Identifiers).

The inbound HL7 v2.x transaction processor was mapping PID-6 (Mother's Maiden Name) to Patient.name with a name use code of maiden. This has been corrected such that repetitions of this field are now mapped to mothersMaidenName extensions on the Patient.

The inbound HL7 v2.x transaction processor now maps PV1-14 (Admission Source) to Encounter.hospitalization.admitSource.

The inbound HL7 v2.x transaction processor includes a new configuration item for handling of PV1-3 (Assigned Patient Location) and PV1-6 (Prior Patient Location). Default behaviour is to treat each of PL-1, PL-2, and PL-3 as distinct locations (e.g. ward, room, bed). In conjunction with associated extra components, PL-1, PL-2, and PL-3 will each result in a unique Location resource. However, when hl7v2_fhir_mapper_pv1.treat_pv1_3_and_6_patient_location_as_atomic is set to true, all of PL-1, PL-2, and PL-3 will be treated as a single atomic location (e.g. ward-room-bed). Processing the PL in this way will result in a single Location resource.

The inbound HL7 v2.x transaction processor now maps PV1-36 (Discharge Disposition) to Encounter.hospitalization.dischargeDisposition.

The inbound HL7 v2.x transaction processor now maps PV1-39 (Servicing Facility) to Encounter.serviceProvider.

Previously, the inbound HL7 v2.x transaction processor would map the value of ORC-2.2 (Placer Order Number - Namespace ID) to both MedicationRequest.identifier.system and its associated MedicationAdministration.identifier.system. RXA-2 (Administration Sub-ID Counter) can now be overloaded to declare a different identifier system. If the first extra component of RXA-2 is populated, its value will be stored in MedicationAdministration.identifier.system.

The inbound HL7 v2.x transaction processor now maps non-standard ZXT segments to FHIR. One or more of these optional segments can be appended to any message structure. The general purpose for ZXT segments is to populate fields and extensions in FHIR that the inbound HL7 v2.x transaction processor doesn't already handle. Provided a declared value type, a value, and a path, the processor will populate FHIR accordingly.

When following documentation links to anchor tags, the desired content no longer hides under the webpage header.

For repetitions where RXE-7.1 and RXE-7.3 are both populated, the HL7 v2.x transaction processor maps this field to MedicationRequest.dosageInstruction.additionalInstruction. For repetitions where only RXE-7.2 is populated, the HL7 v2.x transaction processor maps this field to MedicationRequest.dosageInstruction.text. Previously, this field was only mapped to .additionalInstruction.

User logout events from the SMART Outbound Security module were not being added to the audit log. This has been corrected.

In the FHIR Gateway Endpoint module, if a client requested a search using an invalid search parameter, a meaningless error (!MESSAGE!) was returned to the client. This has been corrected.

Under some circumstances, database credentials were being added to the Smile CDR logfile. This has been corrected.

When using pinned host mode, if no port was specified in the pinned host definition, the port would default to 80. This works for HTTP, but causes weirdness for HTTPS. This has been corrected.

The SMART Outbound Security logout endpoint did not work when a custom context path has been specified. This has been corrected.

When accessing services with very high concurrency, occasional requests at the start of the day could fail with a database concurrency error. This has been corrected.

When mapping RAS_O17 messages to FHIR, the inbound HL7 v2.x transaction processor was incorrectly reading RXR segments from the ENCODING group instead of the ADMINISTRATION groups such that MedicationAdministration.dosage.route and MedicationAdministration.dosage.site were not being populated. This has been fixed.

When operating under heavy load, the first system access on a given day by a specific user could occasionally cause a failure due to concurrent database access. This has been corrected.

A new database migration utility has been added to the smileutil command. This tool allows database migrations between versions of Smile CDR to be automated.

A new option has been added to FHIR Storage module configuration that enables support for the :contains modifier on String searches.

Smile CDR now has the ability to send outbound (from the CDR) HL7 v2.x message feeds in response to data that has been created or updated in the repository. Initial support includes Orders and Observations messages, and more are planned.

A few noisy elements in the Smile CDR log (smile.log) have been removed. Specifically, regular logging about cluster heartbeats and statistics cleanup have been reduced, which means that the logs will be much less noisy when the system is not under load.

The CapabilityStatement returned by FHIR servers will now include the server base URL in the CapabilityStatement.implementation.url field.

A new API has been added to the Javascript Execution Environment that allows access to environment variables passed in from the OS or command line.

A new option has been added to the Node Configuration Properties file, allowing you to specify that all configuration in the file should take precedence over configuration in the database. This is useful if a node is unable to start because of invalid settings saved in the database, or if you wish to reconfigure a node to a known saved state.

In a clustered deployment, it is now possible to create multiple master nodes (each of which may potentially have clone nodes as well) via properties files.

The SMART Outbound Security module now supports the OAuth2 Token Revocation Endpoint (RFC 7009), as well as a new endpoint for session logout.

Support for current draft FHIR R4 resources has been added. Note that FHIR R4 remains unreleased and is subject to change until the formal release, so definitions may change slightly between releases of Smile CDR. However, this functionality can be useful for testing out upcoming functionality and preparing for the release of FHIR R4.

When using SMART on FHIR security in a multi-master clustered configuration, it was previously not possible to put the SMART Outbound Security module on a different master node from the endpoints that were secured by that module. It is now possible to use a SMART Inbound Security module on a separate master node in order to accept tokens issued by a SMART Outbound Security module within the same cluster.

A new module type CDA Exchange has been added. This module adds the following functionality:
Create, Delete, and View CDA document templates via REST api. These templates are scripts that use the JavaScript execution environment. Use a CDA document template. The user can fill in the template parameters to generate a new Fhir Composition, Fhir FullTextDocument, and/or CDA document. Note: currently, only Continuity of Care C-CDA documents are supported.

Additional search functionality has been added to the JavaScript Execution Environement. Users can now use Fhir object in the JSEE to every type of search that their Fhir server supports (previously only Token searches were supported). Additionally, the new function Fhir.getResource(String theURI) has been added to the JSEE that retrieves a specific resource.

A new method has been added to ResourceBuilder in the JavaScript Execution Environment. Users can now call ResourceBuilder.buildComposition() to create a Composition. This Composition acts like any ResourceBuilderResource, but with additional functionality to support the building of Fhir Documents and C-CDA Documents.

The inbound HL7 v2.x transaction processor now sets Condition.category to system http://hl7.org/fhir/condition-category and code encounter-diagnosis.

A new user permission called FHIR_PATCH has been added, allowing users to perform resource patches.

Documentation will now be accessible from the Web Admin Console without requiring the user to be logged in.

All HTTP servers exposed by Smile CDR may now be configured to have an access log (or multiple access logs) that contain information about individual requests. These logs may be configured to a variety of formats.

The SMART Outbound Security module now has CORS configuration matching all other HTTP server modules. Previously CORS was permanently enabled for this specific module type.

A new setting has been added to the FHIR Storage module that allows the administrator to select which FHIR resource types will be supported by the server.

A new module type called FHIR Gateway has been added. This module type works as a proxy to a remote FHIR server, adding security, management and other functionality as a part of the proxy.

Configuration category pages in the documentation (the pages listing the various possible configuration options) now includes a list of possible values for enumerated types.

Smile CDR can now be configured to connect to an external instance of ActiveMQ for powering subscriptions in a cluster-aware way.

Subscription processing now uses a separate message queue for each subscription. This means that one subscription failing to deliver will not prevent another thread from attempting to deliver. This also allows for delivery characteristics to be configurable on a per-subscription basis.

Smile CDR CLI (smileutil) now has an additional interactive method of requesting credentials from the user, instead of having them passed in on the command line. In addition, a new entry has been added to the Smile CDR configuration file called node.system_properties.source. This entry allows system properties to be read in via a properties file. These changes improve the ability to pass sensitive information such as database credentials via the command line.

A new setting has been added to HL7 v2.x Listener Endpoints that allows unprocessable messages to either be accepted (using AA response code) or rejected (using AE response code).

The FHIR endpoint authorization system has been enhanced so that read requests for data within a compartment will now often be blocked prior to any data being fetched if the user has access only to a different compartment. For example, if the user had read access to compartment Patient/123, a search for Observation?subject=456 would previously only be denied after data had been fetched (but before this data was returned to the user). The request will now be denied before data is fetched from the database.

Under certain conditions, buttons for actions that were not actually possible to take would display on the Web Admin Console console config page. This has been corrected.

Access tokens issued by the SMART Outbound Security module did not have a token_type claim, which indicates that the token is intended to be used as a Bearer token. This has been corrected.

Session management for clustered HTTP servers requiring an HTTP session (such as the SMART Outbound Security module, or the Web Admin Console) has been improved. Environments with content spraying across clusters should now be more resilient to rapid distribution of requests across the cluster.

When adding a new module in the Web Admin Console, configuration items which have an enumerated set of allowable values were incorrectly defaulting to the first item in the list instead of the specified default value. This has been corrected.

When the Web Admin Console was run with a context path other than the default, some deep links to documentation pages did not accurately reflect the context root. This has been corrected.

The smileutil "upload-csv-bulk-import-file" command did not previously have a way of specifying the ID of the ETL Importer module to target, and instead assumed that it was always called "etl". This has been corrected.

Previously, the inbound HL7 v2.x transaction processor was mapping DG1-5.1 and an extra component (effectively DG1-5.3) to Condition.onsetDateTime and Condition.abatementDateTime. This has been changed such that DG1-5.1 will now be mapped to Condition.assertedDate.

Two bugs were fixed around the use of default launch contexts in the SMART Outbound Security module. First, a crash was addressed when changing a user's default launch context from one patient to another in the Web Admin Console user manager. Second, if a user's default launch context was changed, this change was sometimes not reflected in OIDC logins happening shortly after the change was made.

When editing a module in the Web Admin Console, in the dependency list for a given module the module type was shown but not the module ID. This made it difficult to select the correct dependency when multiple modules of the same type were present.

When uploading an external CodeSystem (e.g. LOINC) to Smile CDR, some concepts did not get indexed correctly by Lucene, leading to incomplete ValueSet expansions. This has been corrected.

Several security fixes were made in order to prevent common web attacks against HTTP servers exposed by Smile CDR. These include:

• CSRF protection cookies are now sanitized in order to prevent a theoretical attack involving poisoned CSRF cookies being used to inject HTML into the user's browser
• URL parts (paths, parameter names) on the FHIR server are now sanitized in order to prevent HTML injection attacks

A bug was fixed where the SMART Outbound Security module would fail to complete the Resource Owner Credentials Grant if the client definition did not have a redirect URL defined.

When changing the date range for charts in the Web Admin Console, sometimes the chart would flicker when hovering over data points. This flickering made the charts very hard to read. This issue has been corrected.

When creating an HL7 v2.x Listening module, an incorrect default was set on the Patient Primary Identifier Search Parameter setting. This has been corrected.

An issue was fixed in the Search Parameter statistics gathering module, where servers with a very high number of changes (creates and updates) in a short period of time could cause a memory leak.

A new configuration option has been added to FHIR REST servers that allows the suppression of any identifying information about the server platform and version. This option removes the Server and X-Powered-By response headers and the software section of the server CapabilityStatement.

Additional fields have been added to the Smile CDR user manager and user data models for storing a default EHR launch context for a specific user. These fields can be used to supply a value to be returned by the SMART Outbound Security module when a client requests EHR Launch context scopes such as patient/launch and encounter/launch.

The user manager now has an additional field for the user's email address, and an additional field for capturing notes about the user. The email will be exported as a claim in any ID tokens generated by Smile CDR OpenID Connect server modules.

It is now possible for an administrator to set minimum password requirements for users setting their own password.

A new command has been added to the smileutil (CLI) tool called synchronize-fhir-servers. This command can be used to synchronize all resources from a source FHIR server into a target FHIR server.

When processing inbound (to Smile CDR) HL7 v2.x transactions, any received messages that are of an unknown type will now be ignored. Previously unknown message types caused a processing error, and an HL7 AE (error) code was returned to the sender. Now, an informational message is created, and an HL7 AA (accept) code is returned. This should make it easier to process feeds that contain extra messages that are not strictly needed.

When processing inbound HL7 v2.x messages, if the message was rejected because of missing mandatory fields or other business rules, the rejection reason was added to the transaction log (i.e. visible in the Web Admin Console) but not added to the system log (i.e. visible in smile.log). It is now logged in both places.

Periodic log entries showing queue sizes for subscription queues now include speed statistics showing throughput in and out of the queues.

A new security module called Scripted Inbound Security has been added. This module allows security decisions to be made using a customer-supplied script, meaning that external authentication providers can be called. The results of the external authentication can then be translated into Smile CDR user session permissions, SMART scopes, etc.

A new module called Hybrid Providers Endpoint has been added. This module allows the creation of custom Resource Providers (code which implements individual FHIR operations such as read, create, search, etc.) which will then be served by Smile CDR. These custom endpoints will be secured, audited, and managed by Smile CDR infrastructure, but can implement storage logic against any arbitrary data store.

ID Tokens generated by the SMART Outbound Security module now contain an at_hash claim containing the hash of the Access Token, as well as a jti claim containing a unique identifier for the token.

Latency graphs in the Web Admin Console (such as the FHIR endpoint latency graph) have been split so that the maximum latency and the average latency now appear on separate graphs. This makes it much easier to identify trends in average latency, since previously the "maximum" curve often drowned out the other two.

The end-user visible web pages provided by the SMART Outbound Security module (i.e. the Login page and the Approval page) can now be skinned rather than displaying a Smile CDR branded page.

Added route to the JSON Admin API endpoint for creating new module instances at {module_id}/{node_id}/create

When displaying the OAuth2 scope approval (confirmation) page, if only some scopes are listed in the client definition as "auto approve", these scopes will no longer appear as checkboxes for the user to approve.

A help button has been added to properties in the Web Admin Console that brings up the related property definition. This makes it easier to cross reference settings between the Web Admin Console and the properties file that is used to initialize settings.

A new FHIR operation called $expunge has been added. This operation permits an authorized user to physically (not logically) delete data from the CDR. Expunge can be used to prune old versions of resources, deleted resources, or even current live data from the database. Note that additional Smile CDR user permissions also been added to support this operation.

The Smile CLI Tool (smileutil) has been harmonized so that it also provides the features and commands of the HAPI FHIR CLI tool.

A new configuration item has been added to HTTP server modules (such as FHIR REST Endpoints or the Web Admin Console) called context_path. This setting can be used to specify that a server should serve its contents at a specific sub-path instead of servicing at the root path. See the HTTP Server Setup documentation for more information.

A new FHIR operation ($upload-external-code-system) has been enabled in Smile CDR that enables uploading of external terminology code systems such as LOINC and SNOMED CT. In addition, a command has been added to the Smile CLI Tool (smileutil) that can be used to invoke this operation from the command line.

Significant improvements have been made to the FHIR terminology services support for the LOINC code system. This includes complete support for LOINC properties and components (including the ability to search and filter based on these) as well as support for LOINC's various ValueSets (e.g. the Top 2000+ Lab Observations) and ConceptMaps (e.g. the RadLex to LOINC map).

The JavaScript Execution Environment now provides a new method within the FHIR API that facilitates terminology mapping. It is called Fhir.translate().

Any HTTP servers will now have a special [monitoring endpoint](/docs/monitoring/monitoring_basics.html#endpoint-health] that can be used by monitoring systems and network infrastucture to detect whether the server is currently operational.

It is now possible to access system environment variables and Java system properties from the Smile CDR configuration property file. See Variable Substitution for more information.

Minor layout improvements have been made to the Web Admin Console.

Smile CDR will now ignore any Authorization header containing an empty username and password. This is a workaround that allows the current version of Forge to upload conformance resources into Smile CDR despite sending an invalid Autohrization header.

The ConceptMap operation $translate has been implemented.

smileutil now includes two new commands. One is for importing and populating a ConceptMap resource from a CSV (import-csv-to-conceptmap); and one for exporting a ConceptMap resource to a CSV (export-conceptmap-to-csv).

A new short-term cache has been added to the Local Inbound Security module that will optionally cache successful authentication credentials for a very short period of time (3s) in order to avoid repeated expensive password checks when many requests are received in a short period of time. This can cause a dramatic performance increase on endpoints secured using HTTP Basic Auth, where the username and password must be checked for every request.

An optimization has been made to the way that resource counts are calculated and loaded into generated CapabilityStatements. Although these counts were already cached, previously if the cache was expired and five FHIR client requests arrived at the same time, all five threads would synchronously reload the resource counts. This could cause significant delays on heavily loaded systems where the conformance statement is reloaded regularly. After this change, resource counts will only ever be reloaded asynchronously and will never delay the FHIR client operation.

OpenID Connect Access tokens and ID tokens issued by the SMART Outbound security module will use the user's username as the iss (issuer) claim, instead of using the user's internal database ID.

The CPU usage graph in the Web Admin Console had breaks for null values on the x-axis where ticks should have indicated values of 0. This has been fixed.

Restarting a Persistence module did not correctly shut down ActiveMQ message channels (used internally for Subscription processing), causing a degradation in subscription processing and occasional errors in the logs due to the partially closed channels. This has been corrected.

MedicationAdministration resources created by processing RAS^O17 messages did not have the MedicationAdministration.subject or MedicationAdministration.context fields set.

In the Web Admin Console, exceptions are showing up while clicking on certain links/ buttons if user has fewer permissions. This has been corrected.

The SMART Outbound Security module "login" and "approve" pages were scaled badly on mobile devices, appearing small and hard to read. This has been corrected.

In the SMART Outbound Security module, the nonce parameter was not correctly being retained from the original authorization request so that it could be inserted into the generated ID Token.

While updating a user, giving a username that already exists shows an exception on admin web. This has now been fixed.

The Web Admin Console failed to come back up if it was restarted from within itself (i.e. if the "restart module" button was clicked on the Web Admin Console module itself). This has been corrected.

Search Parameters with status set to draft or disabled via the Web Admin Console now properly synchronize with server.

A regression in Smile CDR 2018-03-R01 was fixed when operating in a clustered setup. With this regression, any settings that were changed on modules on the master node did not automatically propagate to the equivalent module on any clone nodes until the entire node was restarted. This has been corrected.

When automatically deleting expired OAuth2 authentication codes, access tokens, and refresh tokens, a bunch of noisy constraint exceptions were shown in the system logs and this sometimes delayed clearing these tokens. This has been corrected.

If a client performed an OAuth2 authentication against the SMART Outbound Security module, and then subsequently performed an identical authentication within a short period of time, some attributes (specifically EHR Launch Context claims) would not be returned in the second generated grant. This has been corrected.

When working in clustered mode, the SMART Outbound Security module OAuth2 token granting process sometimes failed when used from a clone node. This has been fixed.

Editing a Search Parameter through the Web Admin Console now properly adds to that Search Parameter's history instead of creating a new one.

An issue was fixed in some module types where web content sprayed across nodes in a cluster very quickly would result in CSRF errors during login.

When multiple clients/threads tried to update the same resource at the exact same time, an HTTP 500 error with a nondescriptive message was returned to the client. This has been replaced with an HTTP 409 (Conflict) and a descriptive error message.

An occasional crash was fixed when exchanging a refresh token for an access token for the second time (i.e. on the second time that the refresh token gets used).

Redundant link to home in the Runtime dropdown menu has been removed from the Web Admin Console.

Web Admin Console now provides the option for users to change their password.

A new option has been added to CLI hl7v2-transmit-flatfile command called --count. This option specifies a maximum number of messages to send before exiting.

Incoming HL7 v2.3 RDE^O01 messages, which are replaced by the newer trigger RDE^O11 in HL7 v2.4, will be accepted and processed as RDE^O11 in order to simplify processing legacy feeds.

Custom search parameters are now supported on DSTU2 endpoints (previously only STU3/R4 endpoints would index custom search parameters).

The inbound HL7 v2.x transaction processor now maps PR1 segments to Procedure resources.

A new configuration property has been added to the persistence module that allows the generation of server-assigned IDs to be done using sequential numbers (as was previously the case, and remains the default) or using randomly generated UUIDs. The latter is useful in architectures where data will be replicated from one CDR to another separate CDR instance.

SMART Outbound Security module now optionally allows the signing JWKS file to be specified as a text string containing the raw JWKS file instead of as a resource path.

A new security module called SMART Inbound Security has been added. This module assumes the existence of an external SMART on FHIR Authorization Server (i.e. an OpenID Connect server that is not a part of Smile CDR), and it will validate and use Access Tokens granted by that server.

The SMART Outbound Security module has received a number of enhancements in order to more fully support the SMART on FHIR specification including:

• The profile scope is now fully supported.
• The server supports the OpenID Connect metadata query endpoint (/.well-known/openid-configuration).
• The server supports the Token Introspection endpoint (/oauth/token/introspect).
• Refresh tokens are supported via the refresh_token Grant Type using the offline_access and online_access scope.
• A SMART on FHIR tutorial has been added to the documentation.

A new configuration item has been added to the persistence module that allows users to disable the automatic reindexing of resources following a SearchParameter change. This can be useful on deployments with a large amount of data in the repository.

The HL7 v2.x ORU^R01 inbound processor now processes and maps several new fields:

• SPM-4 (Specimen Type)
• SPM-7 (Specimen Collection Method)
• SPM-8 (Specimen Source Site)

HL7 v2.x ORU^R01 inbound processor will now accept messages without a populated ORC segment. The generated FHIR payload will have a DiagnosticReport resource but no corresponding ProcedureRequest resource.

When processing HL7 v2.x inbound ORU feeds, OBX segments may now have values of type CWE and CE.

The smileutil command hl7v2-analyze-flatfile now allows the user to specify a path instead of a file, and the entire path will be analyzed.

A new configuration property has been added to the FHIR Persistence module types that allows Lucene indexing to be completely disabled. This can have a positive impact on storage space and performance on servers that don't require any kind of fulltext searching or large codesystem expansions.

FHIR DSTU2 repositories now support the ability to create and use custom SearchParameter resources. This functionality already existed for DSTU3 repositories and has now been backported.

A new configuration item has been added that prevents the transaction log from storing transaction bodies in the database.

Experimental support for multitenancy has been added. This feature is new, and remains unsuitable for production use but it has been added in order to begin testing it. A future release will add functionality and remove it from experimental status.

A new experimental feature has been added to the FHIR Endpoint modules called "Versioned API Mode", which allows the client to request a specific version of FHIR in the response and the server will automatically return the correct version.

A new module type called ETL Import module has been added. This module allows data to be imported from CSV extracts and converted into FHIR resources, then saved in a persistence module. This module uses a newly developed JavaScript mapping API for converting CSV rows into FHIR resources. In addition, a JSON Admin API ETL Import Endpoint has been added, as well as a smileutil command that can be used to automate processing.

When using smileutil commands that accept a file or path as an argument (such as transmit-hl7v2-flatfile), if a file has the extension .gz or .bz2 it will now automatically be expanded prior to processing.

A new configuration item has been added to the Persistence module configuration called subscription.processor_queuing_mode. This setting allows Subscription processing to be made synchronous, meaning that subscriptions are processed inline with incoming transaction requests. This can have a negative impact on performance but is useful for system testing and certain architectures/designs since clients get immediate feedback if a Subscription cannot be delivered.

The Smile CDR code for actually starting the system was packaged in a directory called ca in the [base]/classes directory within the installation. This led to confusion, as the product could not be upgraded simply by replacing the JARs in the [base]/lib directory. This has been addressed so that all code is now packaged in lib.

Status graphs on the Web Admin Console (e.g. CPU usage, throughput, etc.) have been updated to use the Chart.JS graphing library. This change doesn't have much impact on the user experience – although the graphs are a bit more fun to interact with – but it should set the stage for more graph features in the future.

Two new configuration properties have been added to database configuration pool settings:

• A property that adjusts the amount of time a request may spend waiting for a database connection to become available when the pool is exhausted.
• A property that determines whether or not prepared statements should be pooled.

In Module Config web and json, users now have the option to archive and reinstate a module when required.

When a browser is used to access a FHIR Endpoint with Syntax Highlighting enabled, the resulting page is nicely formatted and coloured for easy reading. As of this release, the formatted page includes response headers and line numbers. It also allows a user to click on links and create links that include highlighted line numbers in the response.

The validator used for DSTU3 validation has been upgraded significantly, and it now supports many advanced StructureDefinition features that were previously unsupported or only partially supported.

In the Web Admin Console, exceptions keep showing up while clicking on certain links/ buttons if user has fewer permissions. This has been corrected.

Accessing root url ("/") via an HTTP GET on FHIR endpoint was returning HTTP 500 (Internal Server Error). This has been corrected to return an HTTP 400 (Bad Request) which is the correct behaviour for this request.

HL7 v2.x inbound SPM segment processor incorrectly labelled segment identifiers mapped from SPM-2-2 (Filler ID) as being the placer identifier. This has been corrected.

When performing a $validate operation with a mode parameter of delete on a repository that had referential integrity disabled, the validate operation would delete resource reference indexes as though the delete was actually happening, which negatively affected searching for the resource that had been validated. This has been corrected.

A crash was fixed in the JSON resource parser when parsing extensions on repeatable elements (e.g. Patient.address.line) where there is an extension on the first repetition but not on subsequent repetitions of the repeatable primitive.

Two configuration properties for the HL7 v2.x Inbound Processor module called obr.use_obr2_placer_order_number_as_primary and obr.use_obr3_filler_order_number_as_primary have been renamed to hl7v2_fhir_mapper_obr.use_obr2_placer_order_number_as_primary and hl7v2_fhir_mapper_obr.use_obr3_filler_order_number_as_primary respectively. This was done in order to be more consistent with the naming of other properties in this module. If you have changed these settings from the default then you should update your configuration when upgrading.

A regression in Smile CDR 2017.11.R01 was fixed where the repository would not index for :missing search modifiers even if configured to do so.

A crash was fixed in FHIRWeb Console. When deleting a resource directly from within the console, the deletion succeeded but the resulting page in the console showed a nonspecific error message.

By default, the issuer URL for a Smart Outbound Security module was configured for HTTPS when it should be HTTP. This has been corrected.

By default, the authorizing endpoint for a Smart Outbound Security module was https://try.smilecdr.com:9200/authorize; it is now https://try.smilecdr.com:9200/oauth/authorize.

If a user had write permissions for a given resource, they were not permitted to perform PATCH operations against that resource. This has been fixed.

When the server was returning a multi-page search result where the client did not explicitly request an encoding via the _format parameter, a _format parameter was incorrectly added to the paging links in the response Bundle. This would often explicitly request XML encoding because of the browser Accept header even though this was not what the client wanted. This has been corrected.

Searches using a combination of the _id and _content parameter failed with an HTTP 500 error. This has been corrected.

A bug was fixed where resources containing indexed fields with Korean text (e.g. a Patient with a Korean name) failed with an HTTP 500 upon creation.

The inbound HL7 v2.x transaction processor now conditionally creates either contained Condition resources within an Encounter or complete Condition resources as appropriate.

FHIRWeb Console can now optionally be configured to allow anonymous access to users. See Enabling Anonymous Access for more information.

The native HL7 v2.x inbound processor now creates non-contained Location resources for Encounter locations if PV1-3.10 (Location Comprehensive Identifier) is populated. Additionally, when populating Location resources based on PV1-3 data, Location.physicalType will be populated with an appropriate code (e.g. room, bed, ward) depending on whether PV1-3.[1,2,3] are populated.

A new endpoint has been added to the JSON Admin API for accessing audit logs.

When loading transaction log events via the JSON Admin API, it is now possible to load the event body along with the details.

HL7 v2.x transactions that require a Patient (e.g. many ADT triggers) will no longer try to persist the transaction if the details of the Patient are invalid.

The HL7 v2.x inbound processor may now be configured to infer the namespace of the Patient and Encounter identifiers via a new pair of settings called Forced Namespace Mode.

The transaction log now contains details about HL7 v2.x inbound transactions that fail, including a description of the error.

HL7 v2.x MLLP listeners may now be configured to use the MSH-18 value as the message charset when parsing, or to use a hardcoded charset when parsing.

A new Inbound Security module has been added that introduces native support for authentication and authorization through an external LDAP directory such as Active Directory or OpenLDAP. Using this module, users can be authenticated using existing credentials. It is also possible to include individual permissions for users using a variety of methods. See LDAP Security for more information.

Invalid HTTP requests to the FHIR endpoint that are rejected prior to processing (such as invalid URLs, invalid authentication credentials, etc.) will now have a better error page displayed.

FHIR endpoints will now serve a /robots.txt file that requests indexers to not index the endpoint.

Failed FHIR transactions due to invalid credentials or authorization failures will now be logged in the transaction log.

MS SQL has been added to the list of supported drivers for Cluster Manager and FHIR Storage modules.

Smile CDR distribution now includes database driver JARs for supported database platforms.

The FHIR Endpoint now supports the use of the Cache-Control header on the request in order to explicitly state that a request should bypass the search result cache, or to disable paging in scenarios that require a small number of results quickly.

The Binary resource endpoint now supports the X-Security-Context header when reading or writing Binary contents using their native Content-Type (i.e exchanging the raw binary with the server as opposed to exchanging a FHIR resource).

FHIR Endpoints that are configured for CORS support will now declare suppport for the Prefer and Cache-Control headers.

FHIR Endpoints now keep an internal cache for the server CapabilityStatement (i.e. the response to the /metadata endpoint) and periodically prefetch this endpoint to keep the cache warm. This can have a significant improvement to performance for any client activities that involve loading the metadata statement since calculating resource counts can take a non-trivial amount of time. In particular, this can dramatically improve the performance of FHIRWeb.

Performance has been improved when updating resources with only minor changes. Previously, several index rows were deleted and then recreated unneccesarily during the database commit; however, these rows will no longer be touched if they have not changed, causing significant write performance improvements on some systems.

The HL7 v2.x ADT converter will attempt to reuse Practitioner resources if multiple ROL segments are found that have the same Practitioner (by ID) performing multiple roles. Previously, each segment would result in a duplicate Practitioner within the resulting FHIR Bundle, causing a minor performance overhead when saving (since the database ultimately determines that these are the same resource).

When displaying search results in FHIRWeb Console, the search URL that was displayed in the results page did not include the search parameters that were actually used to perform the search, making it misleading. This has been corrected.

An issue was corrected where resources containing a very specific pattern of deeply nested extensions (A primitive element containing an extension which in turn contained an extension containing a composite element) would not save the contents of this extension.

A regression was fixed where the SMART on FHIR demo apps (Growth Chart, BP Centiles) did not work when deployed via the SMART App Host module.

In the User Manager, the "Anonymous" role (which is actually just an internal system pseudo-role and not a real role you can assign to someone) is no longer shown next to the Anonymous user.

In the User Manager, the 'Disabled' and 'Locked' switches could be used to mark a user as disabled or locked respectively; however, it was not possible to subsequently clear these flags. This has been corrected.

In the Module Config, stopping/restarting a module will stop/restart any dependent modules.

In OpenID Connect Clients, renaming a client creates a new entry. This has been corrected.

In the User Manager within the Web Admin Console, updating any user data would incorrectly disable the User's password. This has been corrected.

When paging through multiple pages of search results, if the client had requested a subset of resources to be returned using the _elements parameter, the elements list was lost after the first page of results. This has been corrected. In addition, Smile CDR will not remove elements from search/history Bundles (i.e. elements from the Bundle itself as opposed to elements in the entry resources) unless the Bundle elements are explicitly listed (e.g. _include=Bundle.total).

The ValueSet$expand and ValueSet$validate-code operations incorrectly used the identifier parameter instead of the url parameter. This parameter was renamed during the STU3 ballot cycle but Smile CDR had not yet been updated. Either parameter is now supported.

In certain cases, if multiple clients/threads attempted to update the same resource simultaneously, an optimistic lock failure could cause a "gap" in the history numbers to occur. This would then cause a mysterious failure when trying to update this resource further. This issue has been resolved.

The resource Profile Validator has been enhanced to not try to validate bound fields where the binding strength is "example", and a crash was resolved when validating QuestionnaireResponse answers with a type of choice where the choice was bound to a ValueSet.

Processing of the If-Modified-Since header on FHIR read operations was reversed in some cases, returning a 304 when the resource had been modified recently. This has been corrected.

FHIRWeb Console will now display a helpful error message if the user attempts to perform a FHIR operation for which they lack adequate permissions.

A generic demographic mapping utility is now available for mapping from a source system to Smile CDR and/or to a downstream target system, and from Smile CDR back to the source system and/or to a downstream target system. The DemographicMapper utility can be used for both FHIR and HL7 v2.x processing.

The inbound HL7 v2.x transaction processor now maps Patient Account Number from PID-18 to Encounter.identifier as a secondary identifier.

When browser syntax highlighting is enabled, the response page presented to the browser has been enhanced to include the response http status code, and now also can be configured to include the request and response headers as well.

A new security mode for FHIR endpoints has been added. It is called trusted client mode. This allows a requesting client (generally a server connecting to Smile CDR via a trusted network) to assert that requests should be made under the authority of a specific user, optionally with specific permissions.

FHIR Subscriptions are now handled using an internal queuing mechanism, which means that all processing now happens asynchronously instead of holding up the active storage operation. This should allow Subscriptions to scale much better than they previously could.

A new "replication" mode has also been added to REST HOOK processing, which should allow one CDR to replicate its contents (or a subset of its contents) via Subscription, optionally adding a prefix to resource IDs in the process.

This rearchitecture will allow the use of an external queuing system for delivery, and should set the baseline for further performance enhancements in the future.

Several new fields for lab processing have been added to the native HL7 v2.x inbound processor:

• OBR-3 (Filler Identifier) is now captured as an additional DiagnosticReport identifier.
• OBR-14 (Date Received) is now captured.
• OBR-24 (Diagnostic Service Section ID) is now captured.
• OBX-8 (Observation Interpretation) is now captured.

A new endpoint has been added to the JSON Admin API for user management. This endpoint allows for searching, creating, and editing users programatically.

A new configuration option has been added to the FHIR Persistence Module configuration which causes the server to automatically create empty "placeholder" resources if a resource is created that contains references that are unknown.

In Smile CDR version 2017.05.R01, support for the :missing modifier on search parameters was added. This support is useful in cases where this specific type of query is required, but also has a noticeable adverse effect on write performance in many situations because it causes a number of extra rows to be written to the CDR index tables during write operations. As of this version, a new configuration option has been added to the persistence module configuration which allows support for :missing to be enabled or disabled, with the default now being set to disabled.

FHIR Subscriptions have been reworked to now use a queuing mechanism in order to decouple subscription checking and subscription delivery from the persistence and updating of data in the database. Under this new system, Subscriptions are processed in parallel, asynchronously from other parts of the write operation in the database. This system should allow Subscriptions to scale in a much more consistent way, meaning that a large number of subscriptions can now be created without slowing down the CDR storage and update functions. The new mechanism uses an embedded instance of Apache ActiveMQ for queuing. Future releases of the product will expand this to support other popular queue mechanisms.

FHIR Endpoint configuration properties defaultEncoding, defaultPrettyPrint, and baseUrl.fixed have been renamed to default_encoding, default_pretty_print and base_url.fixed respectively in order to be consistent with casing in other configuration properties.

A minor regression in 2017.07.R01 was fixed in the Web Admin Console where the favicon.ico stopped appearing.

Any OBX segments appearing after DG1 segments in HL7 v2.x ADT_A03 messages are now properly captured and processed.

When using a Local Inbound Security module, accounts created with an expiry date in the future were incorrectly denied access, and the resulting error message was not helpful. This has been corrected.

An issue was corrected where the Web Admin Console would display an error when trying to view search parameters if Smile CDR was running with PostgreSQL as the backing database.

An issue was corrected when running against an Oracle 12.2 database where the driver would run out of database cursors while performing the initial seed of SearchParameter resources to the FHIR repository, giving the error ORA-01000: maximum open cursors exceeded.

Mapping of DG1 segments in HL7 v2.x messages is greatly improved. Diagnoses are now conditionally mapped to either Encounter.reason or a contained Condition resource that is referenced by Encounter.diagnosis.

When creating a new user via the Web Admin Console, if the created user failed validation (e.g. because the username or password were blank) then the creation step silently failed. This has been fixed.

Web Admin Console showed an error message instead of the current product version when accessed from a browser with a non-US locale. This has been fixed.

Extensions on resource IDs were not correctly stored when saving resources, meaning that they were lost when the resource was accessed. This has been corrected.

An issue was corrected where search parameters containing negative numbers were sometimes treated as positive numbers when processing the search.

When performing a FHIR Transaction with an invalid request URL (e.g. "url": "Foo") the resulting error message was not particularly useful. This has been corrected.

A potential database deadlock in the stale search purging routine was fixed. This deadlock would only have occurred under very heavy load but it is no longer an issue.

When uploading a Bundle resource to the server (as a collection or document, not as a transaction) the ID was incorrectly stripped from resources being saved within the Bundle. This has been corrected.

HTTP endpoints now have a new configuration option respect_forward_header that can be used to instruct the server to look at X-Forwarded-By, Forwarded, etc. headers to receive information about the source client IP and target host name when operating behing a reverse proxy. This setting is disabled by default.

Transaction log entries are now automatically purged after a configurable amount of time. Collected runtime statistics are now automatically collapsed to more coarse entries over time, and then eventually deleted after a configurable amount of time.

Script for starting and stopping Smile CDR has been reworked so that messages logged to the console are coloured, more helpful, and report any errors completely. The script should now be more tolerant of slow startups, too (e.g. running on a very slow database).

FHIRWeb Console now supports user authentication so it can be used with a secured CDR.

The FHIRWeb Console module now has a configuration option that allows anonymous access. An anonymous user with the ACCESS_FHIRWEB permission may access the FHIRWeb Console without logging in. Note that this permission only allows access to the FHIRWeb Console; the user still needs to have other appropriate permissions for any desired operations or they will be blocked.

An optional configurable hard cap to the number of search results that can be returned by a single search is now available.

Searches using search parameters of type date can now accept minute level precision.

FHIR Transactions sent to the server will now respect the HTTP Prefer header, allowing the client to request that the complete resource body of any created/updated resources be returned in the response Bundle.

When adding tags to a resource (or saving a resource with tags), any duplicate tags are now automatically filtered (since duplicate tags do not have any meaning in FHIR).

When executing a search (HTTP GET) as a nested operation in a transaction or batch operation, the search now returns a normal page of results with a link to the next page – as any other search would. Previously, the search would return a small number of results with no paging performed so this change brings transaction and batch processing in line with other types of searches.

Additionally, the CDR no longer returns an OperationOutcome resource as the first resource in the Bundle for a response to a batch operation. This behaviour was previously present but was not specified in the FHIR specification so it caused confusion, and it was inconsistent with behaviour in other servers.

The server CapabilityStatement (metadata operation, previously known as Conformance) is now cached for a set period of time. This should improve performance fairly significantly in some cases since many clients fetch the CapabilityStatement before making a call. This behaviour can be disabled via endpoint module configuration.

A few redundant columns have been removed from some select statements in relational persistence searches, which should improve performance slightly.

Searches now load the first page of results using a scrolling cursor in a separate managed thread, which should significantly increase performance for searches that return a large number of results while ensuring that results are consistent across pages.

An issue was corrected when processing transactions where creates and updates to resources with tags caused the tags to be created twice in the database. These duplicates were automatically filtered upon read so this issue was not user-visible; however, it could occasionally lead to performance issues if a resource containing multiple tags was updated many times via transactions.

When modifying an existing user's permissions in a Local Inbound Security module, the new permissions did not take effect for up to 10 minutes due to a badly timed cache. The caching time has been reduced to 3 seconds, and a note has been added to the permission screen.

When modifying module configuration for a FHIR Storage module, the database password would be cleared even though the UI indicated that it could be left blank.

If a user has write permission to only Patient/A's compartment, attempts to update a resource in Patient/B's compartment to change the subject so that it would be in Patient/A's compartment were previously allowed to proceed. The user will now require write permission to both patients' compartments (or equivalent/greater permission) in order for this operation to be allowed by the security layer.

Searches with an empty search parameter (e.g. Patient?birthdate=&name=smith) returned an HTTP 500 Internal Server Error. Empty parameters will now be ignored.

FHIRWeb Console failed to execute FHIR transaction operations when the response Bundle contains entries with no associated Bundle.entry.resource value. This has been corrected.

When connected to a PostgreSQL database, persistence modules did not automatically expire search results from the cache if the search URL was extremely long. This has been corrected.

When creating or updating resources, the request will be rejected with an HTTP 400 Bad Request if any of the indexed reference fields refer to a deleted resource. Previously, this was not detected, which led to potential invalid references.