...
| Management | HL7 WGs are required to acknowledge the operating under HL7 Code of Conduct & the HL7 Antitrust Statement at the beginning of each meeting. Professional Associations, such as HL7, which bring together competing entities are subject to strict scrutiny under applicable antitrust laws. HL7 recognizes that the antitrust laws were enacted to promote fairness in competition and, as such, supports laws against monopoly and restraints of trade and their enforcement. Each individual participating in HL7 meetings and conferences, regardless of venue, is responsible for knowing the contents of and adhering to the HL7 Antitrust Policy as stated in §05.01 of the Governance and Operations Manual (GOM). Security WG calls are recorded per WG approval during 2021-10-27 Security Call unless an objection is sustained. | |||||||
| Agenda Overview | Agenda Approval
| Approval of Moved: Julie Second: Mohammad Vote: 8-0-0 | ||||||
| Security WGM Agenda & Rooms | Alex - Check on WGM room reservations Are we good? John's tutorial on FHIR Privacy and Security at Tuesday Q3-4. ================= WG decided on Tues Q1 and Thurs Q1 Joint with FHIR-I and CBCP
Per Chris Shawn: Security asked not to schedule WG sessions Monday Q1 and preferably not Q2, which we don’t normally anyway. HQ wants good attendance to kick off the Plus program. We were also asked to review all the Plus sessions, and not schedule WG sessions that would conflict with Plus sessions on similar topics or during Plus sessions we otherwise think might be of interest to our WG members (e.g., maybe we don’t schedule security sessions that conflict with FAST). | |||||||
| 6.1.0.4 Authentication | Julie Maas asked about Lenel's question on PDEX workflow use of consent. http://hl7.org/fhir/R4/security.html#authorization/access%20control and specifically 6.1.0.4 Authentication Julie will send suggested updates to this section. John will make updates if not substantial.
| Discussed updates to PDEX workflow of consent. Julie and John discussed the edits. John suggested a few edits, which Julie accepted. Approval: Update to Security Module page with changes - change normative to informative verbs and remove links to Moved: Julie Maas Second: Mohammad Jafari Vote: 9-0-0 | ||||||
Continue discussion on the agenda. Would like members to volunteer to lead agenda items, e.g., discuss a particular FHIR Privacy/Security Resource. 2nd day will be more hands on, e.g., hacking an API or taking lock-down steps for cloud. Ideally will cover more subjects than the first day tutorial. Keynotes that people would like to propose e.g., Alicia on FHIR API security. Mohammad and Kathleen to consider leading discussion of use of AI/machine learning application to privacy, security and consent, e.g., for parsing unstructured text and automated tagging. | Sandy Vance and John with team up to facilitate the security event. John has lined up presenters. Kathleen and Mohammad working on using AI/ML for DS4P. API conference is complementary to this event. John put list of tools for testing OAuth implementation etc on FHIR Zulip. No need to reinvent tools already developed. | |||||||
| FHIR DS4P IG | Mohammad: Approval of Publication Request See FHIR Data Segmentation for Privacy Implementation Guide publication request. | Mohammad walked through the publication request. 3 negatives remain. For some reason the negative voters were not notified to withdraw including John Moehrke, Josh Mandel, and Charles Gabriel. John ran the build, and the summary url seems to be incorrect. Mohammad will change to correct. Approval: FHIR DS4P IG Publication Request with correction to new build errors. Moved: Mohammad Jafari Second: Joe Lamy Vote: 9-0-0 | ||||||
| HCS Reaffirmation | TBD Kathleen will review to see if HCS is abstract wrt to binding to vocab so that THO evolution is considered to be aligned to HCS code systems/value sets. ============== For 3 year plan, we need to do a walk through of HL7 Healthcare Privacy and Security Classification System (HCS), Release 1 Question: Can we simply reaffirm and allow the Security Label vocab to evolve independently? See instructions J - Reaffirmation Ballot Last Reaffirmation Unique Ballot ID: REAFF_HL7_PRIVSECCLASSSYS_R1_N1_2019JAN Reaffirmation of HL7 Healthcare Privacy and Security Classification System, Release 1 International standard document describing the use of a Healthcare Privacy and Security Classification System (HCS) suitable for automated labeling and segmentation of protected health care information by access control systems to enforce privacy and security policies Reaffirmation of HL7 Healthcare Privacy and Security Classification System, Release 1 (1st Normative Ballot) - REAFF_HL7_PRIVSECCLASSSYS_R1_N1_2019JAN Instruction Document<http://www.hl7.org/documentcenter/public/ballots/2019JAN/downloads/Reaffirmation%20of%20HL7%20Healthcare%20Privacy%20and%20Security%20Classification%20System%20Release%201%20Instructions.pdf> | |||||||
| DaVinci PoU codes | TBD: Need to ask US Realm and FMG to discuss the need to align accelerator IGs with the vocabulary owners rather than creating conflicting/overlapping vocabulary. Concern is that DaVinci and CARIN vocabulary are being referenced in regulation but these IG specific vocabularies are not being reviewed by the owning WGs or THO. Ask Chris Shawn to discuss with US Realm and John Moehrke to discuss with FMG. Reviewed the codes added to ValueSet: CDex Purpose of Use Value Set CDEX POU code system and value set Da Vinci PoU codes Da Vinci CDex IG has defined a number of PoU codes as an extension to the PoU codes in the core. http://build.fhir.org/ig/HL7/davinci-ecdx/branches/Sept2022Ballot/ValueSet-cdex-POU.html Suggestion made that the DaVinci POU codes be added to Security WG POU codes in THO. Comments The concepts are already covered by current PurposeOfUse for DaVinci POUs:
[Healthcare Payment as defined by HIPAA](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html) and isn't defined further to ascertain a more detailed Purpose of Use concept.
[Healthcare Operations as defined by HIPAA](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html) and isn't defined further to ascertain a more detailed Purpose of Use concept. Questions Are these needed at all and should DaVinci value set authors have discuss the reasons they didn’t think the current codes aren’t sufficient with Security WG, steward of the THO POU codes, prior to creating new ones?
To perform one or more operations on information for conducting financial or contractual activities related to payment for provision of health care
To perform one or more operations on information used for conducting administrative and contractual activities related to the provision of health care. Did DaVinci think that they needed US HIPAA specific healthcare payment/operations codes? Purpose of Use codes are meant to be associated with the prevailing realm privacy policy unless specifically associated with a realm-specific policy, e.g., 42 CFR Part 2 POUs are different from HIPAA POUs? | |||||||
| IHE PCF | IHE is developing an Implementation Guide on Privacy Consents on FHIR
| |||||||
| Notes from CHAT | Moved FHIR Chats to separate page | |||||||
| Resources | ||||||||
| Call Chat | ||||||||
| Adjournment |
...