Chair: @ David Pyke
Scribe: @Suzanne Gonzales-Webb
(ATTENDEES TABLE moved to after Agenda)
Meeting Minutes from Discussion
|Decision Link(if not child)|
2019-09-03 CBCP Meeting Agenda/Minutes (not ready) - push to next agenda
VOTE: (motion) : x / x
Abstain: x / Opposed: x / Approve: #
| 42CFR4 Part 2 (continued)|
(Jim Kretz additional overview?)
anything that goes under FDA goes under separate form of consent;
|Share with Protections - Mike Davis|
(no update) Meeting set-up TBD (Mike not on) Mike is starting the PSS for this project
"Share with Protections"
- PSS update
- (document update)
Reviewing problem slide:
- Slide 3 "The Problem"
- Mike would like to go over the PPT during the WGM in more detail
- Five points
- Legislation protects certain conditions
- Segmentation for privacy works
- "Outside" providers do not receive complete records
- Affected patients are not motivated to share, even in their own best interest
- A huge issue for the VA wherein out of 9 million only (approx.) 350,00 records received
- Patient sensitive information is being shared with recipients who fail to enforce its original specialty protected status
- if we share the information 'no one' does anything with it—impression seems to be with the consent then information can be shared and no longer controlled. Patient consents, but the law restricts (gap) or shares without any further control.
- This section is a problem statement and goals
- Share with Protections in a Nutshell
- As-Is: Data Segmentation for Privacy - (we have it but not necessarily being used)
recipient per the threat situation but enforces for local policy. xxx check recording
- receivers can't even compute the labels, but there is also policy issue for being acceptable except under CUI of Part2; emphasizing the as-is
- To-be -
- data has been labeled; requires the recipient retains the data, but persists the data, assigns clearances to their staff that xxx with the labels, i.e. normal, restricted clearances. the recipient enforces the access
- notion of need-to-know, and segregations of security guide.
- in security terms, this would be an ABAC system. If clearance is greater than or equal to the deny...
- (JC) if you take HIPAA as a framework where enterprises are enforce... it may be that ABAC is not appropriate for some systems. saying ABAC is the mechanism where people can.. may be a step too far. to honor any security labels but not specify how they specify the way they 'do' that.
- (Mike) this can be done in some other mechanism.. compartments or implements with roles,
- (JC) the ability to persist labels can be used downstream as appropriate, they must use them or must use with ABAC may be going a step too far.
- (Mike) will suggest that ABAC will be a method of doing that–but not requiring they use it to succeed. the point we have the recipient to use the security and privacy information they are aware it's sensitive as opposed to normal healthcare information. they treat it as such by providing more limited access otherwise. the idea is we retain the notion in the disclosure that this info has sensitivity greater than normal and needs to be protected in some way... other than normal. some controls over who receives as directed to the receiving enterprise.
- K - need to know is how we describe … we need to acknowledge that, there is documentation in HIPAA, and you have considered the risk and have addressed appropriately.
- mike - additional slides may be addressing above
- slide 13 - legally sharing protected information with implied consent and for patient safety
- slide 14 - virtual care team
- earlier we said patients are not motivated to share - in its optimum sense would not require patient consent. information is shared without consent but IT IS protected by the labels. the notion is that people getting access would also receive some kind of read in, to the restricted information that would require them to be trained by the sensitivities of the information. they would be read into the program and receive the ability to read the restricted information. being part of the virtual care team. people specially selected to be a care team.
- K … wherein the patient would get an accounting of disclosure
| eLTSS FHIR IG Project - Becky, Johnathan|
TSC approval of the publication request
Johnathan will take action to contact Lynn Laakso / check list is content that is entered into the form (GregW has and will send over to Johnathan)
- regarding the Connectathon; Care Plan and Management track
| eLTSS Use Case - Craig (15-20 min)|
Discussion: Next steps for Connectathon track
- nothing to add, ready to go
| Provenance DAM - Mike Davis, Kathleen|
- Quorum levels reached.
- time set aside during WGM (Tues Q2) for ballot reconciliation, comment review
| DS4P FHIR IG - Kathleen Connor|
Tuesday Q4 set aside - originally discussion for FHIR IG; turning into how to do minimum necessary filtering; there is no capability to do this filtering (AMA, Bob Dieterle involved)
Update: Approved, start date is in January for September balloting.
- Focusing on Low hanging fruit to start, starting with security labels to describe how to do data segmentation in FHIR
- (Topic for joint session (Security/CBCP))
Update Approval from FMG and will go to e-vote from TSC - completed
PSS Approved 6/4/2019: FHIR Data Segmentation for Privacy (DS4P) Implementation Guide PSS (by Steering Division)
| September 2019 WGM|
Suzanne, Kathleen to collaborate on MON Q3/Q4 and other Security/CBCP joint sessions at a future date (completed on 9/5/2019)
added: 'as mention' Preliminary Draft of the NIST Privacy Framework (Monday Q3/Q4)
Please contact Suzanne Gonzales-Webb or Kathleen Connor to add additional agenda items added to 2019 September WGM, thanks!
|Additional Agenda Items|
If you are interested in becoming a FHIR IG Author - David Pyke will send you the link to attend (SEND HIM AN e-mail!)
- FREE (ONC Sponsored)
- Course is a day and a half (Wednesday/Thursday)
- Curriculum is still being put together
Background intent is to have a pool of people to write FHIR IGs
LINK: Please e-mail David Pyke if you would like to register for this course (email@example.com)
Announcement : Interoperability Standards Advisory (ISA)
Deadline for ISA comments is September 23, 2019 1150 ET
- let them know DS4P FHIR IG project is underway
- is on Security Agenda; so that we can bring input to PAC comments (Kathleen collecting, revising comments submitted will post <<add link>>); JC recommending that eLTSS IG be added)
No meetings held recently; will be meeting during the WGM
Next Thursday at 2PM ET is next attempt for comment resolution
- some open topics; new examples uploaded
- met with patient care to talk about the use case for FHIR consent
have revised all the examples to fit the model
other changes to the documentation with minor changes; need to vet the changes before bringing forward to the WG
| Additional agenda Items?|
|Adjournment|| Meeting adjourned at 1048Time (Suzanne )||Temporary Meeting Recording: https://fccdl.in/8XwkTpIV42|