Skip to end of metadata
Go to start of metadata

Chair:  John Moehrke

Scribe: John Moehrke  

Mondays at 12:00 pm Eastern Time 

Zoom Client Download

Meeting ID: 675 407 5337

Phone Number: +1 929-436-2866
Participant Passcode: 675 407 5337

Zoom Tip Sheet


Minutes Approved as Presented 2020-09-14 FHIR-Security Meeting Agenda

This is to approve minutes via general consent. "You have received the minutes. Are there any corrections to the minutes? (pause) Hearing none, if there are no objections, the minutes are approved as printed."

Agenda Topics

Agenda Outline

Agenda Item

Meeting Minutes from Discussion

Decision Link(if not child)
Management Minutes Approvalapproved by general consent

KC Proposal

Privacy Actions, Security Operations, and Security Labels

CR NPINPI as sensitive in Practitioner and PractitionerRole

The appropriate protections for Privacy and Security are specific to the risks to Privacy and the risks to Security of that data being protected. This concept of appropriate protections is a very specific thing to the actual data. Any declaration of 'required' or 'optional' requirements that could be mentioned here are only recommendations for that kind of Resource in general for the most common use of that Resource. Where one uses the Resource in a way that is different than this most common use, one will have different risks and thus need different protections.

Most Resources will need some form of Access Control to Create, Update, or Delete. The following general guidance is given only as general guidance for READ and QUERY access: Individual Sensitive:

These Resources do NOT contain Patient data, but do contain individual information about other participants. These other individuals are Practitioners, PractitionerRole, CareTeam, or other users. These identities are needed to enable the practice of healthcare. These identities are identities under general privacy regulations, and thus must consider Privacy risk. Often access to these other identities are covered by business relationships. For this purpose, access to these Resources will tend to be Role specific using methods such as RBAC or ABAC.

Kathleen proposed a new identifier information sensitivity code IDS and an extension on DS4P IG to permit pointing to a list of codes such as SSN, NPI etc.

IDS (identifier information sensitivity): Policy for handling information related to an identifier of an information subject, which will be afforded heightened confidentiality.

Usage Note: Such policies may govern the sensitivity of information related to an identifier of an act, such as the identifier of a contract; a role, such as a citizen, a patient, a practitioner, or an organization; or an entity such as a medical device due to potential impact on the privacy, well-being, safety or integrity of an information subject. For example, protection against identity fraud or counterfeit.




Josh Mandel will present at 40 minutes past the hour

Previous PSS 


Notice what HAPI has done for security. Is there something we should learn for Permission or Consent? This seems to be defining a declarative language for FHIR specific rules.

See general HAPI security

See HAPI  RuleBuilder()


updates from WGM

Kathleen Connor update?

Minutes approved

Deferred.  The approved Security WGM with recordings is available

Consult from PDex

Use of Provenance in PDex

Robert Dieterle update?

FASTpurposeOfUse subset on the request as a promise to not use the data returned beyond the subset.


Permission Resource is prototyped

FHIR Permission - for use-case submission and analysis

Kathleen added the following to  FHIR Permission

During 2020-10-19 FHIR-Security Meeting Agenda call, we discussed the need to develop boundaries for Permission Resource to help implementers determine whether to use it instead of or in combination with Security Labels, and the dependency of both on a Trust Framework.  We should determine and explain any additional implementation/processing complexity for using either approach.  In any case, a policy domain should avoid using both Permission Resource and Security Labels to serve the same use case.

FHIR IG Proposal for gov work (confluence and build shown in github readme) 


Confluence: FHIR DS4P IG

T Key Summary Assignee Reporter P Status Resolution Created Updated Due

discussion of next generation of SMART

discussion document

In Process

FHIR-24907 - Getting issue details... STATUS

waiting on iso – some movement as ISO has not provided the document. BUT still not clear if licensing is clean. 

FHIR-24676 - Getting issue details... STATUS

waiting on M&M to give modeling guidance

Block Vote

Open Items

T Key Summary Assignee Reporter P Status Resolution Created Updated Due

FHIR BlockBlock vote preparation


FMMDefined plan to mature

Connectathon Update on Security at FHIR connectathon

Management Next agenda

New Business


55 minutes

Supporting Documents

Outline Reference

Supporting Document

Minute Approval