
Chair: @Chris Shawn

Scribe: @Suzanne Gonzales-Webb 

Weekly calls Tuesdays 3PM ET

FreeConferenceCall Online Meeting Link

Dial-in Number (United States): (515) 604-9567 Access Code: 880898#

Agenda Topics 

Minutes Approval


2019-10-01 Security WG Agenda/Minutes

Motion to approve the 10/1 minutes, with an amendment to update the number of approvals:

Moved:  Suzanne  Second: Mike

Objections: 0  Abstentions: 0; Approve: unanimous (10)

WGM Minutes Approval

Review and vote to approve 

19 Sep 2019 SEC WGM Minutes

Motion:  Kathleen  Second: Suzanne

Abstentions: none, Opposed: none; Approve: unanimous (10)

WGM Report out

Kathleen - Draft WGM Minutes - in process. 

16 SEP 2019 SEC WGM Minutes

17 SEP 2019 SEC WGM Minutes

18 SEP 2019 SEC WGM Minutes

Share with Protections

Mike Davis: Update on SwP Part 1 and Part 2 (drafts to be presented). Recommends a FHIR IG PSS for SwP.

Three Parts:

  1. Version 1 is fairly refined (12 slides), higher level
  2. (in oven); expands on part 1 (which is conceptual)
  3. SAMHSA Omnibus Care Plan coordination system incorporated into SwP (Mike to send Omnibus

This should close out the work on SwP

PROPOSAL: Create a FHIR IG.  (workgroup vote )

There are folks who wanted to see this as a paper first.  Mike has transitioned to a PPT format.  Either way the WG needs to vote on the material

This could fit as a nice IG for protecting privacy in FHIR. We should seriously think of having many IGs that cover different needs; this may be the next one to go on the shelf next to SMART on FHIR. There is some use in doing an IG that whittles down the huge HCS vocabulary to a handful of codes, giving each policy criteria for using the IG (per JohnM). This is something actionable.

This is what is in DS4P: what a client or recipient is supposed to do, not so much the marking or designation by the sender.

Mike - pretty open on this (on the form); my intent would be to have Mohammad give suggestions on the form. He would be a good resource, given his knowledge and experience.

MOTION: To proceed with concept for FHIR IG for SwP (Mike/JohnM) and will present a draft for WG consideration, still allowing for content vote for approval

(Mike will confer with Mohammad on details and bring back to meeting attendees)

Abstentions: 2 ; Objections: none; Approval: 9

Slide decks and the Sharing with Protections paper are available on the Security WG Confluence site.

Basic Provenance Block Vote

Brett Marquard and Russ Ott

Posted on 9/30. Eight comments in the block (link posted in the 10/1 meeting minutes).

Brett will communicate the information on the spreadsheet

  • for previous, please place information (i.e. proposed dispositions) on agenda (and send to listserve, commenters)

MOTION: To approve Basic Provenance ballot reconciliation responses to comments. A block vote consisting of comments 4, 7, 32, 40, 41, 63, 68 and 91.

Objections: none; Abstentions: 2 (Julie, Carrie Hammond)

A sub-group meeting may be planned in the future to plow through the rest of the reconciliation.

Block Vote #1, posted on 9/30/2019

(SP) 800-207, Zero Trust Architecture

Mike Davis: Should the HL7 Sec WG provide comments on the NIST Zero Trust Architecture relevant to standards work? Reference HL7's PSAF Vol 1 with links to relevant sections such as Fig 7, 9, 12, 18 etc.


We have several models in the VA, plus a SAML version where we have proposed some SAML attributes that would be trust indicators as well. Mike believes that we should review 800-207 as a group and see where NIST is coming from, and return comments from HL7 (since we also have standards in place). Open a discussion with NIST. The idea here is to consider this draft against our standards, make comments, and make NIST aware of our standards. What is important in their context toward healthcare, wherein FHIR may be a 

JohnM - would like to focus on healthcare specific items; as we have a lot on our plate...but if Mike has found items that are of interest

Mike - they may have thought of something we have not thought of, or vice versa. Sees value in something that a lot of Federal institutions must use. NIST may not be writing for something specific, but it would behoove us to be familiar with it. It does deserve a review, and may provide us any ideas (on healthcare) that we can apply.

Chris - for Mike to take a look and revisit at a later meeting, relaying observations, thoughts that the WG might find worth a more detailed look

We will circle back after a high-level review by Mike is completed.

Link: (SP) 800-207, Zero Trust Architecture

PSAF Provenance Volume 3 Ballot Reconciliation

Mike to propose setting up a separate call for PSAF Provenance ballot reconciliation.

Kathleen has done some reconciliation work; unless we are done, she would like to schedule a call. Currently there are several duplications, typos and administrivia-type items, plus repeated comments (Jonathan's comments x 8). Bernd's comments are hard ones that we cannot address directly. Bernd would like us to have all the components with the cube(?), which is not yet a standard.

  • Monday 12 Pacific or 1 Pacific proposed. 
  • Monday 10-11 Pacific
  • complete reconciliation on these calls and bring back to WG for review and vote

A block vote of 'easy' items will be pulled together, distributed by Kathleen

FHIR Security

John Moehrke.  Note the call time has moved to 1PM ET, which is the hour after the CBCP calls.

REMINDER of time change

John has moved the agenda over - please check his work  

  • we have been trying to get vocabulary aligned, a POU (owned by ISO) to add mostly in Audit
    • the HL7 lifecycle events are not in any of our vocabulary - even though they are the backbone of several of our items
    • trying to get hold of ISO on approval for vocabulary (and asked by Gary to go through ISO leadership) 
    • in the Audit we are also using DICOM vocabulary.
  • Ongoing conversation doing offshoots
    • so you can have permission sets using FHIR encoding and the mechanism defined for Consent
    • having some extensions on security labels that could point to an instance / use case
    • for CUI, need to be able to designate who pointed to that CUI (who the classifier is) - not sure how to point out that gap solution / use case

42 CFR Part 2

42 CFR Part 2 NPRMs - Kathleen: Comments still in process. Feedback on the draft section below, second paragraph?

Limitations on Patient Data Consent - In a number of sections, including for example on pages 24 and 25 of the proposed rule, limitations on the characteristics of those to whom a patient consents to have their data sent are discussed. Entities that might be any of the following: covered by HIPAA; covered by The Common Rule; covered by FDA regulations; somehow identified as capable of doing scientific research; and any of these involving a specifically named person or entity; etc. How the Part 2 EHR system is supposed to identify these characteristics of a target system could be clarified by referencing standards that support conveying those characteristics.

If the consent is electronically encoded with HL7 standards using CDA or FHIR, then the consent could indicate the purpose of use (codes – e.g., HIPAA Authorization for Research Disclosure or Common Rule for FDA) for which a recipient is permitted to access this information either by query or by a pushed transaction. The recipient could declare the same purpose of use code in their requests or in the credentials used to determine that the recipient is authorized using SAML or scope in a Smart on FHIR authorization request.  In order for the information to be released, the EHR would compare the purpose of use codes on the information governed by the Part 2 consent with the purpose of use codes asserted or known to apply to the requester, and permit access only where there’s a match. HL7 stands ready to provide more detailed technical information about guidance that SAMHSA could develop for the industry on how to implement this policy goal.

Direct Links to 42 CFR Part 2 Proposed Rules on the “Confidentiality of Substance Use Disorder Patient Records

NIH RFI: HL7 FHIR Interoperability Resources for Capturing and Sharing Clinical Data for Research Purposes

Federal Health IT Strategic Plan

Mike Davis: Should HL7 Security comment on the Federal Health IT Strategic Plan?

    • Individuals perform on their own some of the activities that traditionally occur only in formal health care settings (e.g., monitoring blood pressure, tracking body mass index). An increasing number of individuals want the ability to use technology to track and improve upon their health goals, and want technology to be helpful and easy to use.
    • How does HL7 support objective 4b?
Need links.

Mike - Sequoia discussions

  • Has been looking at updating their DURSA, looking at incorporating CUI and security labeling.
  • there is a WG that is examining this - Mike is the facilitator of the group
  • Kathleen/Mike have been discussing what HL7 has been doing on CUI and labeling
  • they are leaning toward conclusion on pointing to the HL7 security items as part of their DURSA, as it appears to be mature enough
    • Gap: machine readable labels (Kathleen has fixed that gap)

FHIR Privacy and Security Considerations

FHIR DS4P Privacy and Security Considerations - Summary of discussions at the WGM about the relationship of a FHIR Right of Access Directive and FHIR Security Labeling.

Kathleen has been adding to this - Right of Access and security labeling, this was part of discussion with Laura Hoffman (AMA)

  • Can we get information on who the experts are and how they could implement (would like to decrease the burden on industry)
    • Kathleen/Mohammad have been approached by EPIC to discuss the vendor's approach to confidentiality protections.  Will ask that they present to Security WG.

Adjournment

Meeting adjourned at 1302 Arizona Time (time elapsed)

Temporary Meeting Recording:




  • John Moehrke, Co-Chair
  • HL7 Austria
  • Kathleen Connor, Co-Chair
  • VA (Book Zurman)
  • Trish Williams, Co-Chair, Flinders University
  • Chris Shawn, Co-Chair
  • John Davis (Mike)
  • Julie Chan, jchan@cwglobalconsult.com, HL7 FHIR
  • VA (Book Zurman)
  • VA (Book Zurman)
  • Adam Wong, adam.wong@hhs.gov, HHS
  • Ricky Sahu, 1up Health
  • Wave One
  • EMR Direct
  • Laura Bright
  • Jim Kamper, Altarum
  • PJM Consulting
  • David Staggs, drs@securityrs.com, SRS
  • Ready Computing
  • Terence Cunningham (Terry), AMA
  • Trustworthy EHR
  • Laura Hoffman, laura.hoffman@ama-assn.org, AMA
  • Heather McComas, AMA
  • Matthew Reid, matt.reid@ama-assn.org, AMA
  • Julie Maas, EMR Direct