Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.

Chair: @Kathleen Connor

Scribe: @Suzanne Gonzales-Webb 

Weekly calls Tuesdays 3PM ET

Zoom Client Download

Meeting ID: 895 5988 3576

Passcode: 258923

Find your local number:

Zoom Tip Sheet


Agenda Topics

Agenda Overview

  • Minutes
  • FHIR Security
  • Harmonization - UTG Voting Process presentation by Jeff Hellman
  • Privacy and Security Logical Data Model update
  • HL7 Policy Advisory Committee (PAC)
  • FHIR DS4P IG - Ballot Reconciliation
  • Cross Paradigm US Security Labeling IG
  • Share with Protections White Paper Project
  • Infrastructure SD - Reaffirmation of Access Control Catalog
  • ONC 2020-2025 Federal Health IT Strategic Plan
  • ONC FAST Security Team - next steps
  • Ballot Management - Need new PSS to reaffirm Access Control Catalog soon!
  • Chat notes

 Minutes Approval

Approve Meeting Minutes:

2020-11-10 Security WG Agenda/Minutes

Motion to Approve Meeting minutes as written

Moved/Second: Beth / Mohammad

Vote - Approve/Abstain/Oppose :  (7) approved by consensus

FHIR Security

  • review of current vNEXT on how they deal with security labeling. meeting cut short

PSAF Provenance Errata

Review and approve Errata Letter for CTO Consideration

QA of final ANSI publication submittal missed that Volume 3 Provenance DAM did not include the Contributor Table.

We are requesting an errata version.  May not be possible because ANSI has already approved it.

Mike's alternative: wants to claim an author name on HL7 formal letterhead (not to add as an ANSI change)



Jeff Helman to present on UTG voting process so that we can vote on proposed security labeling codes.

Additional Codes For Security Label Vocabulary approved 10/26 have been uploaded into UTG

Security WG members who want to vote on these UTG proposals need to sign up to vote.  See: Vocabulary Maintenance at HL7

UTG Consensus Review

Anyone wishing to participate in the Consensus Review of proposals in flight is welcome to participate. No tooling is required to participate - if you want to be a reviewer/voter on vocabulary change proposals and you are not one already, click this link below: 

Request Reviewer Permissions

Documentation and Education Materials 

Unified Terminology Governance Project (UTG) Page

Curator Processing of Proposals

UTG Tooling and Proposal Documentation

Implementation of Consensus Review Voting

11/10 Mohammad already rebased this, and pushed new commit to Bitbucket repo. Should be a timely way to do this - needs to be reviewed and approved by harmonization process so that we don't have to continually redo.  Also, Security members who have asked to be reviewers have not been responded to.  We will ask that someone from UTG join Security to help us progress our proposals.

Privacy & Security  Logical Data  Model

Review and approve P&S Logical Model draft NIB submitted without suffix "Cross-Paradigm" after TSC review.

2020-11-11 Privacy and Security Logical Data Model meeting did not meet quorum.

Please review and send Mike comments on V3 Logical Model Draft 1116.docx

  • models have updated per comments, including ABAC (new material)
  • working on one more model- showing relationship between class model and 
  • The majority of the changes are in the ABAC section.
  • Mike will walk though the changes at tomorrow's meeting

Meeting scheduled for document and model review

HL7 Privacy and Security Information Model PSS

Information model update: The new information model will consolidate and harmonize security models across HL7 standards (Access Control, Audit, TF4FA etc.) and (incomplete) updates from FHIM (Consolidated unresolved models). Also included are direct mappings to Access Control, Audit and Authentication (e.g. Class models)  mapped to Access Control services.

ISD PPS approved 7/7

TSC PSS approval before August 23, 2020

Update on CBCP transitioning sponsorship to Security.
Next steps:  STU extension request listing emerging use cases, and possible sponsors for preparing DPROV CDA IG for normative ballot

SOA Consent Management Service

This project is co-sponsored by Security and CBCP. 

Consent Management Service PSS

The project's model has progressed and is impressive.

See Consent Management Service Project

However, some of the underlying analysis of policy and consent differ to some extent with Security foundational standards. See PolicyVsConsent.docx

MIke reviewed and commented - see attached.


SOA invites Security to join 7 pm ET call Nov 5

Join Zoom Meeting

Phone Number: +1 770-657-9270
Participant Passcode: 071582


<ADD MOTION> made by Jeff:  Security labeling reduces information blocking when used properly. Data holder can share more information by accurately labeling information that should not be shared. This allows for less sensitive information to be shared according to is associated security labeling. The net result is more information shared, along with the ability to defend why sensitive information is not being shared.

BLOCK: 1-24 Motion to approve as presented (Suzanne / Mike ) 

VOTE: abstain/opposed Motion passes (6)

Moving comments from spreadsheet into JIRA Tickets - View comments at this link.

Previously approved NIB

Postponed early January ballot until regular January ballot cycle.

Review and approve FHIR DS4P IG Out-of-cycle ballot request for 10/20 opening date.

Carmela A. Couderc block - continue review

Review Reconciliation Spreadsheets and JIRA Ballot Recon

Missed approval of Reconciliation prior to July 5th Sept NIB due date Security WG Admin

Ballot results:

Quorum met - 107 voters, FHIR DS4P IG Ballot Passed

  • Affirmative - 26
  • Negative - 13
  • Abstain - 35

Negatives - missing definitions, which is the result of tooling errors we need to fix, and a general misunderstanding that the FHIR DS4P IG is the basis for profiles for policy specific security label IGs much like the CDA DS4P IG is.  Only the profiles are implementable.

 Spreadsheet Spreadsheet Spreadsheet


Upcoming deadlines:

  • FHIR IG must be substantively complete - ???, 2020
  • FHIR IG must be complete and handed over to sponsoring WG for QA review - ???
  • QA review cycle - ???
  • Content QA Change application - ???
  • Final content to Lynn for inclusion in Oct Out-of-cycle ballot ???
  • Submit Ballot Readiness Checklist - before ???

If you have any questions about these dates or the process, you can check out the FHIR IG Process Flow on Confluence


DS4P Use Cases - work in progress.  Being incorporated in the FHIR DS4P IG.

Discussed Genevieve Luensman's (CD) Comment #121

We would like to ensure that this IG provides for management of workers compensation and occupational health activities. Data tagging is not always sufficient; in some instances data should not be sent at all. Ex 1: information pertaining to a work-related event needs to be segregated and all other information needs to be protected, to prevent inadvertent transfer of information not related to a workers' compensation claim with others. Ex. 2: there is a need to prevent the inappropriate transfer of information that can indicate a risk for genetically transmitted diseases, including a family history of diseases, as specified in the Genetic Information Nondiscrimination Act (GINA). Ex. 3: The Americans with Disabilities Act (ADA) needs to be included. Among other things, the ADA specifies how health information is to be managed in relationship to employment. For example, employers can be given doctor's notes about return-to-work limitations, but cannot be given diagnoses.

Proposed Disposition

MOTION: Suzanne / Beth

VOTE: Abstain/Opposed: None Motion passes: (7)

RE "Data tagging is not always sufficient; in some instances data should not be sent at all."

We agree that data tagging is not sufficient if the governing policy requires that certain tagged data not be disclosed.

However, data tagging is necessary for filtering on data, which is not disclosed fully as how security labels are used by Access Control Systems is somewhat out of scope.

As is, the use cases do not adequately describe that access control will still need to be performed on specific requests even where the requester's capability statement indicate that the requester can consume, persist, and enforce labels.

We will discuss how security labels are used in Access Control Systems briefly in the Use Cases and reference other HL7 standards that are more focused on this aspect of data segmentation.

That said, this IG is policy agnostic and conceptual. Requirements for the policy specific use cases listed in this comment could be profiled for various policy specific use cases.


WG discussed need to continue to emphasize that security labeling enables maximum sharing to avoid information blocking.

Cross-Paradigm US Regulatory Security Labeling IG

Postponed early January ballot until regular January ballot cycle.

Previously approved NIB already submitted.

JIRA tickets filed for acceptance of new UTG values/data; motion next week when we bring information forward on the value sets.

New CUI Notice 2020-06 RE CUI Marking Waivers with e.g., splash screens, seems to be limited to internal CUI use.

FHIR US Regulatory Security Labels Continuous Build - No update in the build

GitHub repo for the source material: 

John and Mohammad are committers.

US Regulatory Security Label Example Sandbox

Security Labeling Parking Lot

US Regulatory Security Label examples were included in the FHIR DS4P IG.  These will be the starter set for the FHIR US Regulatory Security Label IG

Share with Protections White Paper Project

Worked on ballot recon with Beth for KP comments.  Ready for review.

 SwP Ballot Comment Spreadsheet

SwP White Paper

Infrastructure SD

Progress on ISD approval of Project for Reaffirmation of Normative Healthcare (Security and Privacy) Access Control Catalog, Release 3

Kathleen moved for Security.  Need a second, 3 days of discussion, and then the vote.

Reaffirm HL7 Version 3 Standard: Healthcare (Security and Privacy) Access Control Catalog, Release 3

ANSI Standards approaching expiration

Ballot Management

With the move of the WGM schedule dates to start virtually on January 25, the ballot cycle and content deadline dates have also changed.

Nov 8: Next Sunday is the Notification of Intent to Ballot (NIB) deadline – Now November 8th (Ballot minus 6 weeks)

Nov 17: FHIR Connectathon proposals due– (The Connectathon dates did NOT change)

Nov 29: Reconciliation deadline for ballot items having previously balloted – (Ballot -3 weeks)

Dec 13: Final content deadline

Dec 18: Ballot opens

Dec 27: Deadline for TSC approval of PSS for 2021MAY cycle

The on-line Notification of Intent to Ballot form (off of the TSC Utilities page) is available at:

All Calendars for this cycle are available on the new Confluence Calendars page at:


Final HL7 ISA and SVAP letters

Final 2020-2025 Federal Health IT Strategic Plan Now Available

Read the Plan →

Read the blog post →

Webinar Recording

Next Steps report out.
OCR News

Notes from CHAT

Sub-resource labeling

Useful Links

Confluence and JIRA Tutorials

Meeting Adjournment

No additional agenda items brought forward

Meeting adjourned at 1350 Arizona time

Meeting recording: 



@Adam Wong adam.wong@hhs.govHHS
HL7 Austria
Amol Vyas amol.vyas@cambiahealth.comCambia Health
Wave One
Celine Lefebvre AMA
Clara Y. Ren Electronic Health Records Modernization (FEHRM) Office

Chris Shawn, Co-Chair


Dave SilverElectrosoft
 Ready Computing
 @David Staggs drs@securityrs.comSRS 

@Heather McComas AMA 

Jim KamperAltarum
Federal Electronic Health Records Modernization (FEHRM) Office

John Davis (Mike)


John Moehrke Co-Chair

Julie Chan jchan@cwglobalconsult.comCWGlobal

Kathleen Connor  Co-Chair

VA (Book Zurman)
Laura Bright
Laura Hoffman laura.hoffman@ama-assn.orgAMA


EMR Direct

Matthew Reid matt.reid@ama-assn.orgAMA
VA (Book Zurman)
Patient Centric Solutions
 PJM Consulting
Trustworthy EHR 

@Ricky Sahu,  

1up Health

Rob McClure
Saul Kravitz saul@mitre.orgMITRE


Serafina Versaggi
Stephen MacVicar smacvicar@mitre.orgMITRE
VA (Book Zurman)

Tom Hicke
Flinders University
Vicki Giatzikis vig9034@nyp.orgNYP