
Chair:  John Moehrke

Scribe: John Moehrke  

Mondays at 12:00 pm Eastern Time 

Zoom Client Download

Meeting ID: 675 407 5337

Phone Number: +1 929-436-2866
Participant Passcode: 675 407 5337

Zoom Tip Sheet


Minutes Approved as Presented 2020-06-29 FHIR-Security Meeting Agenda

This is to approve minutes via general consent. "You have received the minutes. Are there any corrections to the minutes? (pause) Hearing none, if there are no objections, the minutes are approved as printed."

Agenda Topics

Agenda Outline

Agenda Item

Meeting Minutes from Discussion

Decision Link (if not child)
Management: Minutes Approval – approved by general consent


ACTION: please review as the full codesystem for v3-ActCode seems excessive and inappropriate for provenance activity

FHIR Fine Grained Security beyond OAuth2 - led by Josh Mandel

  • Presentation decks available 
  • Playback of the meeting 

Discussion of impressions.

Note the whole thing is recorded and can be reviewed from the YouTube link.

Good to get a set of those who are trying to implement engaged.

Many diverse solutions discussed. Most of them are detailed on their mechanics, but not detailed on what problem they are solving.

Some solutions have seen some success outside of healthcare. It is not clear they can handle the additional vectors that healthcare needs.

Many leveraged attribute-based access control and compartments. All focus on compartments was on how to make a configurable compartment in the spirit of the REST compartment. No one mentioned the abstraction of compartment that already exists using codes for compartments. Using codes for compartments leaves the definition of the mechanics out of scope for interoperability, as that tends to be a local problem that does not need to be externalized.

Josh's point on pre-processing and post-processing is a good mechanic, but it is also a systems design aspect, not an interop aspect. However, this systems design aspect is useful in that it allows compartments to be simpler, as post-processing can remove the fine-grained resources/elements that policy further requires to be removed.

Leading with a technical solution may be fast, but it will likely lead to a system that is not future proof. Need complete perspective even if we solve issues incrementally.

Need a way to describe overall rules, and the variations allowed within a sub-policy (e.g. consent) 

Many solutions did recognize ConfidentialityCode as a good first step toward finer granularity.

FAST - Luis Maas


Permission Resource is prototyped

FHIR Permission - for use-case submission and analysis

Jose added:

  1. Example: There is a policy somewhere that states e.g. "all primary teams may have access to the patient administrative and non-sensitive health data"
  2. Example 2: Access to clinical data by all Care team members.
    1. In Belgium the patient currently needs to allow the hospital to distribute the data. From then on, the hospital grants permission to the team members.
  3. Need to refine who has access to the report for which purposes for how long. (what is "the report"? Only diagnosticReport? Or related Condition or treatment?)

Need to get use-cases defined so that we can do use-case analysis. Note this analysis is done on the Confluence page FHIR Permissions.

FHIR IG Proposal for gov work (Confluence and build shown in GitHub README) 

Will discuss Tuesday and bring to the group next week: Kathleen Connor


Confluence: FHIR DS4P IG

Will discuss Tuesday and bring to the group next week: Kathleen Connor

Discussion of next generation of SMART

discussion document

In Process

FHIR-24908 – waiting on DICOM

FHIR-24907 – Lifecycle event valueset should include HL7 lifecycle event vocabulary (ISO 10781) – bring in HL7 lifecycle event vocabulary; waiting on ISO

FHIR-24676 – PurposeOfUse vocabulary from ISO 14265 – bring in ISO vocabulary; waiting on ISO

FHIR-23712 – waiting on ISO

FHIR-11071 – DS4P and CUI will be creating an IG. This exercise will result in an update of the FHIR core with informed instructions.

moved to DS4P

Block Vote

Open Items


FHIR Block: Block vote preparation


FMM: Defined plan to mature

Connectathon: Update on Security at FHIR Connectathon

Management: Next agenda

New Business


55 minutes

Supporting Documents

Outline Reference

Supporting Document

Minute Approval