202009 September WGM Prep

2020-09 September CBCP WGM Agenda/Minutes Plenary VIRTUAL Meeting (FINAL)

Security WGM Recordings

General Participant FAQs for the WGM

Q: How do I access Whova from my desktop?

A: Click here to access the web app in your browser (Chrome and Safari preferred)

• Sign up using the same email address you used during registration:

➢ Sign in if you have an existing Whova account

➢ Click "Sign up here" if you don't have an existing Whova account

➢ Complete the sign-in process and start exploring!

Q: How do I download the Whova mobile app?

A: On your phone or tablet, click here to access the app store for your device.

➢ Download the Whova app to your mobile device

➢ Sign in using the email and password you used to access Whova on your PC or Mac

➢ Select the 34th Annual Plenary & Working Group Meeting and start exploring

202009 Security WGM Attendees - Please add your name

202009 WGM Agenda






Mon 9/21 10 AM ET Plenary

4 PM ET Joint



Security Opening Session


Welcome, review of WGM Agenda, and introductions.

International and SDO Report Outs. 

Brief ballot outcome, IG status, and Connectathon. 

Current Security WG Projects

Other WG Sessions of interest.

202009 Security WGM Attendees - please sign in

26 Attendees

Agenda approved by consensus

International and SDO Report Outs

Share with Protections White Paper ballot outcome

Vote Count

Comment Count

Negative - 74

Affirmative - 57

Privacy/Security Connectathon Tracks

Duane Decouteau will present on the 2020-09 Consent Management and Enforcement Services Track at 2 PM ET Wed 9/23

Other Privacy/Security tracks:

2020-09 FHIR Bulk Data

2020-09 Argonaut Granular Controls

Current Projects

Privacy and Security Logical Model - Mike reported on the current draft, updates to the classes, revised models, incorporation of the new HIMSS definition of interoperability, and continuation of project calls.


Mohammad and Kathleen discussed terminology issues and sub-resource labeling. Mohammad described updates to terminology and sub-resource applicability for security labels based on FHIRPath. Grahame said that labeling parts of a resource is quite challenging. He discussed potential pitfalls, noting that confidentiality for a sub-resource can be confusing. Mohammad asked him about the challenges. Grahame stated that this is because a resource is a unit of transaction and sub-resource restrictions could be confusing.

Nancy echoed concern with not evaluating what parameters need to be put on such a capability.

CBCP Update

CBCP report-out:

Johnathan: There was a more comprehensive report-out earlier in the CBCP meeting (eLTSS and PACIO).

Dave Hill:

  - Had a good connectathon.

  - Demoed six use cases for care coordination in May.

  - Connecting nursing homes, home health agencies, and hospitals.

  - Collecting information in the form of questionnaires and storing them in a FHIR server as a central data hub for care coordination, care plans, and goals.

  - Authentication was added to the endpoints in the Sept connectathon.

  - Demonstration of exchanging clinical quality measures.

  - 63 people at the track, many of whom were active participants and developers.

  - New use cases: advanced directive.

Johnathan: eLTSS IG is also going well.

Kathleen: Gravity Project?

Dave Hill: Worked with them in the May connectathon.

Dave Pike:

Joint meeting with SOA group on their consent work.

Moving towards making the resource normative.

Kathleen asked Dave: Consent calls to be restored.

Dave Hill: work on patient empowerment WG on advanced directive

Kathleen: work on advanced directive to be coordinated with CBCP

SDO and Federal Agency updates:

ONC Session on Privacy/Security topics 10 AM ET - 9/24

FTC to Host Virtual Workshop on Data Portability on September 22, 2020

ONC, in partnership with the Office for Civil Rights (OCR), today released an update to the HHS Security Risk Assessment (SRA) Tool and Webinar Recording

ONC Social Determinants of Health Workshop

Monday, September 21, 2020  |  10:00 AM – 3:00 PM ET

Other WG Topics

FHIR Registry Birds of a Feather Recording

This session presented an overview of the new FHIR registry, which will soon be made available for use by HL7 International.

Security Opening Session Recording

Tues 9/22 10 AM ET Joint



CBCP Opening Session

Learning Health System

LHS WG to join for second hour to discuss new Care Team DAM, consent, care team configurations, access control and security labeling. 

LHS representatives were not available.  CBCP had already done Opening Session on Monday.  Meeting adjourned early.

12 PM ET

Security - Share with Protection Work Session

Ballot outcome and reconciliation.

Ballot Passed

Vote Count

Comment Count

Negative - 74

Affirmative - 57

Comments submitted without a vote = 5

Voters with comments

Beth Pumo KP - Negatives

Celine A Lefebvre AMA - Negatives

Christopher Schaut/Isaac Vetter comments EPIC - Negatives

Craig Newman Altarum - Affirmatives

Vannak Kann – VA = all Affirmative

Genevieve Luensman CDC/NIOSH - Affirmatives

Ron Parker CA – Harsh Shama points to Ron Parker comments, which were not included

Zabrina Gonzaga Lantana – Affirmatives



Security - Privacy & Security Logical Model Work Session

Review of updated models and preparation for January Ballot.

CBCP meeting separately

Privacy and Security Logical Model ppt

Mike walked through the Logical Model, and did a deep dive on two model diagrams.







Consent Management Services

4 - 5 ET Trish Williams - report on Australia's move to more virtual care.

5 - 6 ET Consent Management Services Update - Lorraine Constable, Vincent McCauley, and Jerry Goodnough

2020-09 Consent Management and Enforcement Services Track

(7AM AU / 11 PM EU?)

Trish – Presentation: Reimagining a Better Healthcare System Through Virtual Care; Cisco-Flinders Digital Health Design Lab / Trish Williams, Lua Perimal-Lewis

  • What the problems are that we are trying to solve
    • What makes sense for Australia
    • End-to-end care/telecare

Trish DHDL Virtual Care 21-09-2020.pdf

Bernd Blobel described similar efforts for "ubiquitous healthcare" in EU.  He sent the following documents:



Wed 9/23 10 AM ET



Privacy & Security Logical Model Work Session

Continued review of updated models and preparation for January Ballot.

Continued review of model diagrams, made class and association changes that Bernd recommended with input from Alexander, and walked through the text.

Mike brought up alternatives for how to deal with the relationship of the Logical model to the DAM - e.g., Logical model deprecates the DAM, or the Logical model makes only the models normative and brings over the other sections of the DAM. 

Kathleen suggested that the Logical model be positioned as the next level of detailed modeling based on the DAM, and leave the DAM be as it is, not bringing over its text into the Logical model document.

Mike moves to approve Kathleen's proposal.  Suzanne seconds.  Motion carries 5-0-0.

Mike is still working on Figure 2 - the pyramid diagram - to add a 3rd base layer with examples of basic policy instantiations such as Provenance, Privacy, Security, Legal, and Business policies.



12 PM ET
Security - Security IG Ballot Work Session

FHIR DS4P IG review and prep for early January Ballot.

CBCP meeting separately

Kathleen walked through the FHIR DS4P IG May ballot, pointing out areas that received comments and proposed approaches for addressing them. Updates to the IG have been in fixing misimplemented vocabulary, which could not be properly uploaded into the IG, getting spreadsheet comments to load into JIRA for reconciliation, and design of a sub-resource labeling extension. Most commenters wanted clarification about the text and the implementation impact on EHR vendors. Epic comments were reviewed during this session with Chris Schaut, which was very helpful. Understanding the IG author's and the commenters' intentions expedited reaching tentative dispositions. See attached disposition spreadsheet.




Moved to 6 PM Slot

Security - Connectathon Report Out

Cancelled and moved to the 6PM ET slot.

4 PM ET General Session

Security - Connectathon Report Out

Duane Decouteau presented the LEAP Consent Management and Enforcement Track outcomes and showed us a demo of how he had integrated the Security Labeling Service and Privacy Protective Services as hooks in FHIR HAPI Server.

Mohammad Jafari described the Consent Management Service he developed for this LEAP grant. 

All of the LEAP grant code is open source.



Thurs 9/24 10 AM ET


CURES Rule Privacy/Security Topics

ONC representatives will join to discuss topics that have come up in our WGs, including: 

  • OAuth and Right of Access Request for 3rd Party requirements
  • DS4P Infeasibility Exception and optional Certification Criteria
  • HIPAA Consent and Privacy Exception to Information Blocking provisions in ONC Cures Rule
  • TEFCA and requirements for CUI, NIEM and HL7 CUI  - map out the use case on the applicability of CUI if change is made at an entry.
  • USCDI and Consent, Security Labeling, and advanced Provenance

One goal is to develop questions we would like to submit through the PAC for ONC consideration.

Another is to add DS4P and CUI use cases to DS4P Use Cases and US Regulatory Security Labeling Use Cases.

Very helpful dialogue with ONC on the topics in the agenda. We skipped discussion on the HIPAA Consent and Privacy Exception to Information Blocking provisions in ONC Cures Rule topic due to time constraints.

Much of the discussion centered on CUI impacts. Several Federal Agency participants discussed how their agencies are addressing the CUI requirements, including the anticipated FARs Case, which will specify how Federal Agencies are to contract with contractors acting on their behalf with respect to applying CUI markings and enforcing NIST SP 800-171 confidentiality safeguard. Questions about how downstream users must handle CUI were raised.

Please review the recording for this session for more details.


Regulatory citations relevant to discussion topics from Alex Kontur:

12 PM ET
Security - Security IG Ballot Work Session

Cross-Paradigm US Regulatory Security Labeling IG review and prep for early January Ballot.

CBCP meeting separately

This session was lightly attended. Kathleen gave Jeff Helman (SSA) a walk-through of the background for the Cross-Paradigm US Regulatory Security Labeling IG.  See



Security - Draft USCDI Privacy & Security Comments for PAC

The Policy Advisory Committee approved submission of the Security WG USCDI Security Label proposal, which will be forwarded to the Executive Committee for final approval.

USCDI-ONDEC-Submission-Form Security Label Data Class v2.docx




Alex and Kathleen met briefly.  

Alex is going to take care of interim calls.

Kathleen will complete the minutes and attendance.

Trish volunteered to review Security WG Governance to determine whether we have pressing governance docs to update. If so, we will address them during the interim. Also, which need updating during the January WGM.

We propose monthly Cochair calls at 5 PM ET?  Which day?

We will address the following during the first Security WG Cochair meeting
