What is Azure Health Data Services workspace?

The Azure Health Data Services workspace is a logical container for all your healthcare service instances such as Fast Healthcare Interoperability Resources (FHIR®) and Digital Imaging and Communications in Medicine (DICOM®) services. The workspace also creates a compliance boundary (HIPAA, HITRUST) within which protected health information can travel.

You can provision multiple data services within a workspace, and by design, they work seamlessly with one another. With the workspace, you can organize all your Azure Health Data Services instances and manage certain configuration settings that are shared among all the underlying datasets and services.

Workspace provisioning process

One or more workspaces can be created in a resource group from the Azure portal or by using deployment scripts. An Azure Health Data Services workspace is the parent item in the hierarchical service tree, so it must be created before any child service instances can be created.

A workspace can't be deleted unless all child service instances within the workspace are deleted. This feature helps prevent any accidental deletion of service instances. However, when a workspace resource group is deleted, all the workspaces and child service instances within the workspace resource group get deleted.

After deletion, a workspace name can be reused in the same Azure subscription, but not in a different Azure subscription. However, when the move operation is supported and enabled, a workspace and its child resources can be moved from one subscription to another if certain requirements are met. One requirement is that the two subscriptions must be part of the same Microsoft Entra tenant. Another requirement is that the Private Link configuration isn't enabled. Names for FHIR and DICOM services can be reused in the same or a different subscription after deletion if there's no collision with the URLs of any existing services.

Workspace and Azure region selection

When you create a workspace, it must be configured for an Azure region, which can be the same as or different from the resource group. The region can’t be changed after the workspace is created. Within each workspace, all Azure Health Data Services (FHIR service and DICOM service) must be created in the region of the workspace and can’t be moved to a different workspace.

Workspace and Azure Health Data Services service instances

Once the Azure Health Data Services workspace is created, you can create one or more service instances from the Azure portal. You can create multiple service instances of the same type or different types in one workspace. Within the workspace, you can apply shared configuration settings to child service instances, which are covered in the workspace configuration settings section.

Screenshot of Health Data Services Azure Resource Group diagram.

Additionally, workspaces can be created using Azure Resource Manager deployment templates, a process commonly known as infrastructure as code (IaC). This option offers the ability to customize the ARM templates and complete the workspace creation and service instance creation in a combined step.
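The combined step described above could look like the following ARM template, which is an added example and not taken from the original page. The parameter names are assumptions, and the API version and FHIR authentication properties should be checked against the current Microsoft.HealthcareApis resource reference before use. The child FHIR service reuses the workspace's `location` and lists the workspace in `dependsOn`, which reflects the same-region and parent-first rules.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "type": "string",
      "metadata": { "description": "Assumed parameter: workspace name chosen by the deployer." }
    },
    "fhirServiceName": {
      "type": "string",
      "metadata": { "description": "Assumed parameter: name of the child FHIR service." }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": { "description": "Workspace region. It can't be changed later and is reused for the child service." }
    }
  },
  "resources": [
    {
      "type": "Microsoft.HealthcareApis/workspaces",
      "apiVersion": "2023-11-01",
      "name": "[parameters('workspaceName')]",
      "location": "[parameters('location')]",
      "properties": {}
    },
    {
      "type": "Microsoft.HealthcareApis/workspaces/fhirservices",
      "apiVersion": "2023-11-01",
      "name": "[format('{0}/{1}', parameters('workspaceName'), parameters('fhirServiceName'))]",
      "location": "[parameters('location')]",
      "kind": "fhir-R4",
      "dependsOn": [
        "[resourceId('Microsoft.HealthcareApis/workspaces', parameters('workspaceName'))]"
      ],
      "properties": {
        "authenticationConfiguration": {
          "authority": "[format('{0}{1}', environment().authentication.loginEndpoint, subscription().tenantId)]",
          "audience": "[format('https://{0}-{1}.fhir.azurehealthcareapis.com', parameters('workspaceName'), parameters('fhirServiceName'))]",
          "smartProxyEnabled": false
        }
      }
    }
  ]
}
```

Because the template takes a single `location` parameter for both resources, a region mismatch between the workspace and its child service can't be introduced at deployment time.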

You can use PowerShell, CLI, Terraform scripts, or the .NET SDK to deploy Azure Health Data Services. To create a service instance in the workspace, in the Azure portal, select Services, and then select the service you want to create.

Workspace configuration settings

Some features are configured at the workspace level and apply to all child services within that workspace.

Application monitoring

Azure Monitor helps you maximize the availability and performance of your applications and services. It delivers a comprehensive solution for collecting, analyzing, and acting on system-generated logs from your cloud and on-premises environments. This information gives you insight into how your applications are performing and lets you proactively identify and resolve issues affecting them and the resources they depend on. For information about Azure Monitor, see Azure Monitor overview documentation.

Azure role-based access control

Azure role-based access control (Azure RBAC) is a system that provides fine-grained access management of Azure resources. Using Azure RBAC, you can segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Furthermore, it helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. For more information, see Azure RBAC documentation.

Next steps

To start working with Azure Health Data Services, follow the 5-minute quick start to deploying a workspace.

FHIR® is a registered trademark of HL7 and is used with the permission of HL7.