Scribe: @Suzanne Gonzales-Webb
Weekly calls Tuesdays 3PM ET
FreeConferenceCall Online Meeting Link https://www.freeconferencecall.com/join/security36
Dial-in Number (United States): (515) 604-9567 Access Code: 880898#
Motion to approve the 10/1 minutes, with amendment to update the number of approvals:
Moved: Suzanne Second: Mike
Objections: 0 Abstentions: 0; Approve: unanimous (10)
|WGM Minutes approval|
Review and vote to approve
Motion: Kathleen Second: Suzanne
Abstentions: none, Opposed: none; Approve: unanimous (10)
|WGM Report out|
Kathleen - Draft WGM Minutes - in process.
Share with Protections
Mike Davis Update on SwP Part 1 and Part 2 (to be presented Drafts). Recommend FHIR IG PSS for SwP.
This should close out the work on SwP
PROPOSAL: Create a FHIR IG. (workgroup vote )
There are folks who wanted to see this as a paper first. Mike has transitioned to a PPT format. Either way the WG needs to vote on the material
This could fit as a nice IG for protecting Privacy in FHIR - we should seriously think of having many IGs that cover different needs–this may be the next one to go on the shelf next to SMARTonFHIR. There is some use to doing an IG that whittles down the huge HCS vocab to a handful of them, giving each policy criteria when using the IG. (per JohnM) - this is something actionable
this is what is on DS4P - on what a client or recipient is supposed to do, not so much the marking or designation for the sender.
Mike - pretty open on this (on the form); my intent would be to have Mohammad give suggestions on the form–he would be a good resource to use knowledge and experience.
MOTION: To proceed with concept for FHIR IG for SwP (Mike/JohnM) and will present a draft for WG consideration, still allowing for content vote for approval
(Mike will confer with Mohammad on details and bring back to meeting attendees)
Abstentions: 2 ; Objections: none; Approval: 9
|Basic Provenance Block Vote|
Brett Marquard and Russ Ott
Posted on 9/30. Eight comments in the block (link posted in 10/1 meeting minutes)
Brett will communicate the information on the spreadsheet
MOTION: To approve Basic Provenance ballot reconciliation responses to comments. A block vote consisting of 4, 7, 32, 40, 41, 63, 68 and 91
Objections: none; Abstentions: 2 (Julie, Carrie Hammond)
A sub-group meeting may be planned in the future to plow through the rest of the reconciliation.
|Block Vote #1, posted on 9/30/2019|
|(SP) 800-207, Zero Trust Architecture|
Mike Davis: Should HL7 Sec WG provide comments on NIST Zero Trust Architecture relevant to standards work? Reference HL7’s PSAF Vol 1 with links to relevant sections such as Fig 7, 9, 12, 18 etc.
We have several models in the VA, plus a SAML version where we have proposed some SAML attributes that would be trust indicators as well. Mike believes that we review 800-27 as a group and see where NIST is coming from, return comments from HL7 (since we also have standards in place). Open a discussion with NIST. Idea here is to consider this draft against our standards, make comments / make NIST aware of our standards. What is important in their context toward healthcare–wherein FHIR may be a
JohnM - would like to focus on healthcare specific items; as we have a lot on our plate...but if Mike has found items that are of interest
Mike - they may have thought of something we have not thought of, or vice-versa. Sees value in that a lot of Federal institutions must use it. NIST may not be writing for something specific, but it would behoove us to be familiar with it. It does deserve a review, and may provide us any ideas (on healthcare) that we can apply.
Chris - for Mike to take a look and revisit at a later meeting, relaying observations, thoughts that the WG might find worth a more detailed look
We will circle back after a high-level review by Mike is completed.
|Link: (SP) 800-207, Zero Trust Architecture|
|PSAF Provenance Volume 3 Ballot Reconciliation|
Mike to propose setting up a separate call for PSAF Provenance ballot reconciliation.
Kathleen has done some reconciliation work; unless we are done, would like to schedule a call. Currently, several duplications, typos and administrivia type items–repeated comments (Johnathan's comments x 8). Bernd's comments are hard ones that we cannot address directly. Bernd would like us to have all the components with the cube(?) which is not yet a standard.
A block vote of 'easy' items will be pulled together, distributed by Kathleen
John Moehrke. Note the call time has moved to 1PM ET, which is the hour after the CBCP calls.
REMINDER of time change
John has moved the agenda over - please check his work
|42 CFR Part 2|
42 CFR Part 2 NPRMs - Kathleen: Comments still in process. Feedback on draft section below, second paragraph?
Limitations on Patient Data Consent - In a number of sections, including for example on pages 24 and 25 of the proposed rule, limitations on the characteristics of those to whom a patient consents to have their data sent are discussed. Entities that might be any of the following: covered by HIPAA; covered by The Common Rule; covered by FDA regulations; somehow identified as capable of doing scientific research; and any of these involving a specifically named person or entity; etc. How the part 2 EHR system is supposed to identify these characteristics of a target system could be clarified by referencing standards that support conveying those characteristics.
If the consent is electronically encoded with HL7 standards using CDA or FHIR, then the consent could indicate the purpose of use (codes – e.g., HIPAA Authorization for Research Disclosure or Common Rule for FDA) for which a recipient is permitted to access this information either by query or by a pushed transaction. The recipient could declare the same purpose of use code in their requests or in the credentials used to determine that the recipient is authorized using SAML or scope in a Smart on FHIR authorization request. In order for the information to be released, the EHR would compare the purpose of use codes on the information governed by the Part 2 consent with the purpose of use codes asserted or known to apply to the requester, and permit access only where there’s a match. HL7 stands ready to provide more detailed technical information about guidance that SAMHSA could develop for the industry on how to implement this policy goal.
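The paragraph above describes the release rule in words: the EHR compares the purpose-of-use codes on the Part 2 consent with the purpose-of-use codes asserted by or known for the requester, and permits access only on a match. The following Python sketch is an added illustration of that rule and is not part of the minutes, the draft comment, or any HL7 or SAMHSA artifact. It assumes a consent modelled loosely on a FHIR Consent permit provision, HL7 v3 ActReason purpose-of-use codes (TREAT, HRESCH, HPAYMT), an XSPA-style SAML attribute name for the requester's purpose of use, and constructed sample values; all of those are assumptions. It goes slightly beyond the text by failing closed on inactive or expired consents and on requests whose asserted purposes are only partly covered.

```python
"""Purpose-of-use check for a 42 CFR Part 2 consent (added example, not HL7 code).

Assumptions: the consent is a small dataclass shaped loosely like a FHIR
Consent 'permit' provision; purpose-of-use codes are HL7 v3 ActReason codes
(TREAT, HRESCH, HPAYMT); the requester's purposes arrive in a SAML attribute
whose name is an XSPA-style assumption; all sample values are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Assumed XSPA-style SAML attribute carrying the requester's purpose of use.
PURPOSE_OF_USE_ATTR = "urn:oasis:names:tc:xspa:1.0:subject:purposeofuse"


@dataclass(frozen=True)
class Consent:
    status: str                      # like FHIR Consent.status, e.g. "active"
    provision_type: str              # "permit" or "deny"
    purposes: frozenset[str]         # purpose-of-use codes the patient permits
    period_end: date | None = None   # last day the consent is in force


@dataclass(frozen=True)
class Request:
    requester: str                   # identity of the querying or receiving system
    purposes: frozenset[str]         # purpose-of-use codes the requester asserts
    on: date = field(default_factory=date.today)


@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str


def purposes_from_saml(attributes: dict[str, list[str]]) -> frozenset[str]:
    """Pull purpose-of-use codes out of a flattened SAML attribute statement."""
    return frozenset(attributes.get(PURPOSE_OF_USE_ATTR, []))


def consent_permits(consent: Consent, request: Request) -> Decision:
    """Release Part 2 data only when every asserted purpose is one the consent permits.

    Fails closed: an inactive or expired consent, a non-permit provision, a
    request with no asserted purpose, or any unpermitted purpose all deny.
    """
    if consent.status != "active":
        return Decision(False, f"consent status is {consent.status!r}, not active")
    if consent.period_end is not None and request.on > consent.period_end:
        return Decision(False, "consent period has ended")
    if consent.provision_type != "permit":
        return Decision(False, "consent does not carry a permit provision")
    if not request.purposes:
        return Decision(False, "requester asserted no purpose of use")
    unpermitted = request.purposes - consent.purposes
    if unpermitted:
        return Decision(False, "purpose(s) not covered by consent: "
                        + ", ".join(sorted(unpermitted)))
    return Decision(True, "purpose of use matches consent: "
                    + ", ".join(sorted(request.purposes)))


# Constructed sample: the patient consented to disclosure for treatment only,
# through the end of 2020.
SAMPLE_CONSENT = Consent("active", "permit", frozenset({"TREAT"}), date(2020, 12, 31))


def evaluate(requester: str, purposes, on=(2019, 10, 8)) -> Decision:
    """Evaluate a request against the constructed sample consent on a given date."""
    return consent_permits(SAMPLE_CONSENT,
                           Request(requester, frozenset(purposes), date(*on)))


if __name__ == "__main__":
    clinic_purposes = purposes_from_saml({PURPOSE_OF_USE_ATTR: ["TREAT"]})
    print(evaluate("clinic.example", clinic_purposes))        # permit
    print(evaluate("irb.example", ["HRESCH"]))                # deny: research not consented
    print(evaluate("clinic.example", ["TREAT", "HPAYMT"]))    # deny: payment not consented
    print(evaluate("clinic.example", ["TREAT"], (2021, 1, 1)))  # deny: consent expired
```

The strict subset test (every asserted purpose must be permitted) is a deliberate choice: a requester asserting both treatment and payment would otherwise receive Part 2 data it may only use for treatment, which the EHR cannot enforce after release. A deployment that prefers an any-match rule can change one line, but should document why.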
Direct Links to 42 CFR Part 2 Proposed Rules on the “Confidentiality of Substance Use Disorder Patient Records”
NIH RFI: HL7 FHIR Interoperability Resources for Capturing and Sharing Clinical Data for Research Purposes
|Federal Health IT Strategic Plan|
Mike Davis Should HL7 security comment on Federal Health IT Strategic Plan –
Mike - Sequoia discussions
|FHIR Privacy and Security Considerations|
FHIR DS4P Privacy and Security Considerations - Summary of discussions at the WGM about the relationship of a FHIR Right of Access Directive and FHIR Security Labeling.
Kathleen has been adding to this - Right of Access and security labeling, this was part of discussion with Laura Hoffman (AMA)
|Adjournment|
Meeting adjourned at 1302 Arizona Time.
Temporary Meeting Recording: https://fccdl.in/WMKmphOAQq
John Moehrke Co-Chair
Kathleen Connor Co-Chair
|VA (Book Zurman)||@Trish Williams Co-Chair||Flinders University|
Chris Shawn, Co-Chair
John Davis (Mike)
|Sequoia||Julie Chan firstname.lastname@example.org||HL7 FHIR|
|VA (Book Zurman)||Kaiser|
|VA (Book Zurman)||@Adam Wong email@example.com||HHS|
@Ricky Sahu, @1up.health
|EMR Direct||Laura Bright firstname.lastname@example.org|
|PJM Consulting||@David Staggs email@example.com||SRS|
|Ready Computing||Terence Cunningham firstname.lastname@example.org (Terry)||AMA|
|Trustworthy EHR||Laura Hoffman email@example.com||AMA|
|Heather McComas firstname.lastname@example.org||AMA||Matthew Reid email@example.com||AMA|
|Julie Maas||EMR Direct|