
Chair:  John Moehrke

Scribe: John Moehrke  

Mondays at 12:00 pm Eastern Time 


Meeting ID: 675 407 5337

Phone Number: +1 929-436-2866
Participant Passcode: 675 407 5337



Minutes Approved as Presented: 2020-07-06 FHIR-Security Meeting Agenda

This is to approve minutes via general consent. "You have received the minutes. Are there any corrections to the minutes? (pause) Hearing none, if there are no objections, the minutes are approved as printed."

Agenda Topics

Agenda Outline

Agenda Item

Meeting Minutes from Discussion

Decision Link (if not child)

Management: Minutes Approval: approved by general consent

News: No meeting next week due to conflict with IHE face-to-face

ACTION: please review as the full codesystem for v3-ActCode seems excessive and inappropriate for provenance activity

FHIR Fine Grained Security beyond OAuth2 - led by Josh Mandel

  • Presentation decks available 

Discussion of impressions.


FAST - Luis Maas


Permission Resource is prototyped

FHIR Permission - for use-case submission and analysis

Jose added:

  1. Example: There is a policy somewhere that states e.g. "all primary teams may have access to the patient administrative and non-sensitive health data"
  2. Example 2: Access to clinical data by all Care team members.
    1. In Belgium the patient currently needs to allow the hospital to distribute the data. From then on, the hospital grants permission to the team members.
  3. Need to refine who has access to the report for which purposes for how long. (what is "the report"? Only diagnosticReport? Or related Condition or treatment?)

Need to get use-cases defined so that we can do use-case analysis. Note that this analysis is done on the Confluence page FHIR Permissions.

VhDIR use-case analysis would be a good one to get written up. Understanding is that the VhDIR service would not make fine-grain decisions, but would include in the search results as part of the directory resources a contained Consent that had residual rules of use. AND there is an extension in each resource pointing to this contained Consent. 

Discussion around data pointing at policy vs policy pointing at data vs supporting both models. Supporting both models makes interoperability harder.

Data pointing at policy is fragile to changes in policy, as a change in policy must touch all the data.

Concern that policy pointing at data might be missed by recipients that don't go looking for policy. One must always have rules of engagement that demand processing behaviors. Including a contained Consent does not guarantee that the recipient will notice or abide by it. This must be enforced by rules of engagement (policy). Those rules of engagement can mandate looking for Permission/Consent just as well as they can mandate that one follow a contained Permission/Consent.

We might not be able to decide on ONE model; we need more use-case analysis and examples to determine the solution. We might decide to have multiple models, but with a specific, non-overlapping use-case for each model.

FHIR IG Proposal for gov work (Confluence and build shown in GitHub readme)

Will discuss Tuesday and bring to the group next week - Kathleen Connor


Confluence: FHIR DS4P IG

Will discuss Tuesday and bring to the group next week - Kathleen Connor

Discussion of next generation of SMART

discussion document

In Process

FHIR-24908

waiting on DICOM

FHIR-24907 – Lifecycle event valueset should include HL7 lifecycle event vocabulary (ISO 10781) – bring in HL7 lifecycle event vocabulary

waiting on ISO

FHIR-24676 - PurposeOfUse vocabulary from ISO 14265 – bring in ISO vocabulary

waiting on ISO

FHIR-23712

waiting on ISO

FHIR-11071 - DS4P and CUI will be creating an IG. This exercise will result in an update of the FHIR core with informed instructions

moved to DS4P

Block Vote

Open Items


FHIR Block: Block vote preparation

FMM: Defined plan to mature

Connectathon: Update on Security at FHIR connectathon

Management: Next agenda

New Business


55 minutes

Supporting Documents

Outline Reference

Supporting Document

Minute Approval