Versions Compared

Old Version 5

changes.mady.by.user John Moehrke

Saved on

compared with

New Version 6

changes.mady.by.user John Moehrke

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Management

HL7 WGs are required to acknowledge the  operating under HL7 Code of Conduct & the HL7 Antitrust Statement at the beginning of each meeting.

Professional Associations, such as HL7, which bring together competing entities are subject to strict scrutiny under applicable antitrust laws. HL7 recognizes that the antitrust laws were enacted to promote fairness in competition and, as such, supports laws against monopoly and restraints of trade and their enforcement. Each individual participating in HL7 meetings and conferences, regardless of venue, is responsible for knowing the contents of and adhering to the HL7 Antitrust Policy as stated in §05.01 of the Governance and Operations Manual (GOM).

Security WG calls are recorded per WG approval during 2021-10-27 Security Call unless an objection is sustained.


Agenda Overview

Agenda Approval


Approval of 2023-02-27 Security WG Agenda/Minutes

Moved:

Second:

Vote:




Security WGM Agenda & Rooms

Review and approve WGM Agenda.

Check on room reservations.

=================

WG decided on Tues Q1 and Thurs Q1 Joint with FHIR-I and CBCP

  • MAY WGM Agenda
  • Room reservation status

2023 05 WGM+ || Notes to Co-chairs and Management Groups on Planning your Sessions

Per Chris Shawn: Security asked not to schedule WG sessions Monday Q1 and preferably not Q2, which we don’t normally anyway. HQ wants good attendance to kick off the Plus program.

We were also asked to review all the Plus sessions, and not schedule WG sessions that would conflict with Plus sessions on similar topics or during Plus sessions we otherwise think might be of interest to our WG members (e.g., maybe we don’t schedule security sessions that conflict with FAST).


FHIR Core Security Privacy Module

Grahame has asked that we review and improve this section.

http://build.fhir.org/secpriv-module.html#roadmap


Today it says

In the STU3 release, FHIR includes building blocks and principles for creating secure, privacy-oriented health IT systems; FHIR does not mandate a single technical approach to security and privacy.

In future releases, we anticipate including guidance on:

  • incorporate the SMART on FHIR authorization specification, for user-authorized apps,
  • methods for organization-to-organization authorization,
  • more details about how to use digital Signatures for data integrity and non-repudiation, including an approach that supports some level of manipulation of resources (e.g. separating the entries in a bundle, or conversion between XML and JSON during processing),
  • more detailed Consent management, including support for specific consent use cases.
  • guidance and methods to support GDPR or other emerging Privacy regulations.

recommendation

FHIR includes building blocks and principles for creating secure, privacy-oriented health IT systems; FHIR does not mandate a single technical approach to security and privacy.

In future releases, we anticipate including guidance on:

  • more details about how to use digital Signatures for data integrity and non-repudiation, including an approach that supports some level of manipulation of resources (e.g. separating the entries in a bundle, or conversion between XML and JSON during processing),
  • develop a Permission resource and show relationship to Consent and distributed Access Control and Enforcement

HL7 cyber security event

Discussion about how Security WG can best assist with this effort.

Any news on why Security is in the TSC grouping or what the role of the representative is?


FHIR DS4P IG

Mohammad:Update on binding of IG to THO 5.1

Approval of Publication Request

See https://bitbucket.hl7.org/projects/UTG/repos/utg/pull-requests/10/overview


HCS Reaffirmation

For 3 year plan, we need to do a walk through of HL7 Healthcare Privacy and Security Classification System (HCS), Release 1

Question:  Can we simply reaffirm and allow the Security Label vocab to evolve independently?

See instructions J - Reaffirmation Ballot

Security Ballot Tracker

ANSI Standards approaching expiration 

Decide on whether to revise or just point to THO for vocab updates.  NIB must be completed for ballot before expiration on 20240607.

Last Reaffirmation

Unique Ballot ID: REAFF_HL7_PRIVSECCLASSSYS_R1_N1_2019JAN

From <http://www.hl7.org/documentcenter/public_temp_C758EC27-1C23-BA17-0C263FB82AB641AC/ballots/2019JAN/downloads/Reaffirmation%20of%20HL7%20Healthcare%20Privacy%20and%20Security%20Classification%20System%20Release%201%20Instructions.pdf>

Reaffirmation of HL7 Healthcare Privacy and Security Classification System, Release 1

International standard document describing the use of a Healthcare Privacy and

Security Classification System (HCS) suitable for automated labeling and

segmentation of protected health care information by access control systems to

enforce privacy and security policies

Reaffirmation of HL7 Healthcare Privacy and Security Classification System, Release 1 (1st Normative Ballot) - REAFF_HL7_PRIVSECCLASSSYS_R1_N1_2019JAN

Instruction Document<http://www.hl7.org/documentcenter/public/ballots/2019JAN/downloads/Reaffirmation%20of%20HL7%20Healthcare%20Privacy%20and%20Security%20Classification%20System%20Release%201%20Instructions.pdf>


Kathleen will review to see if HCS is abstract wrt to binding to vocab so that THO evolution is considered to be aligned to HCS code systems/value sets.
DaVinci PoU codes

Review the codes added to ValueSet: CDex Purpose of Use Value Set

CDEX POU code system and value set Da Vinci PoU codes

Da Vinci CDex IG has defined a number of PoU codes as an extension to the PoU codes in the core. 

http://build.fhir.org/ig/HL7/davinci-ecdx/branches/Sept2022Ballot/ValueSet-cdex-POU.html

Suggestion made that the DaVinci POU codes be added to Security WG POU codes in THO.

Comments

The concepts are already covered by current PurposeOfUse for DaVinci POUs:

[Healthcare Payment as defined by HIPAA](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html) and isn't defined further to ascertain a more detailed Purpose of Use concept.

[Healthcare Operations as defined by HIPAA](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html) and isn't defined further to ascertain a more detailed Purpose of Use concept.

Questions

Are these needed at all and should DaVinci value set authors have discuss the reasons they didn’t think the current codes aren’t sufficient with Security WG, steward of the THO POU codes, prior to creating new ones?

To perform one or more operations on information for conducting financial or contractual activities related to payment for provision of health care

To perform one or more operations on information used for conducting administrative and contractual activities related to the provision of health care.

Did DaVinci think that they needed US HIPAA specific healthcare payment/operations codes?  Purpose of Use codes are meant to be associated with the prevailing realm privacy policy unless specifically associated with a realm-specific policy, e.g., 42 CFR Part 2 POUs are different from HIPAA POUs?

Need to ask US Realm and FMG to discuss the need to align accelerator IGs with the vocabulary owners rather than creating conflicting/overlapping vocabulary.  Concern is that DaVinci and CARIN vocabulary are being referenced in regulation but these IG specific vocabularies are not being reviewed by the owning WGs or THO.  Ask Chris Shawn to discuss with US Realm and John Moehrke to discuss with FMG.
IHE PCF

IHE is developing an Implementation Guide on Privacy Consents on FHIR 


Notes from CHAT

Moved FHIR Chats to separate page

FHIR Privacy and Security Zulip Chats


Resources

Security Project and Ballot Management Resources FAQs

Confluence and JIRA Tutorials

TSC Decisions


Call Chat

 Adjournment


...