
Chair: @Chris Shawn

Scribe: @Suzanne Gonzales-Webb 

Weekly calls Tuesdays 3PM ET

Zoom Client Download 

https://zoom.us/j/6754075337

Meeting ID: 675 407 5337

Phone Number: +1 929-436-2866
Participant Passcode: 675 407 5337

Zoom Tip Sheet

ATTENDEES - PLEASE TYPE YOUR NAME IN THE CHAT OR  IF YOU ARE ON THE CONFLUENCE SITE, PLEASE SCROLL DOWN TO THE BOTTOM AND CHECK YOURSELF IN TO BE COUNTED FOR ATTENDANCE - THANK YOU!

Agenda Topics 

Agenda Overview
  • Minutes
  • SOA Consent Management Service Functional Model
  • FHIR Security
  • FHIR DS4P IG
  • V2 Security Topics - Audit Service Specification
  • Cross Paradigm US Security Labeling IG
  • HL7 Privacy and Security Information Model PSS
  • Infrastructure SD
  • Share with Protections White Paper Project
  • CARIN Blue Button Report Out
  • DaVinci Payer Provider Exchange IG
  • HL7 Policy Advisory Committee (PAC)
  • Chat notes

 Minutes Approval

Approve Meeting Minutes: 2020-06-09 and 2020-05-21



Motion to Approve 6/9/2020 WG call minutes

Moved/Second: Suzanne/Mohammad

Vote - Approve/Abstain/Oppose: 9 - 0 - 0

(approved by consensus)

SOA Consent Management Service Functional Model

Discuss co-sponsorship:  Proposed Consent Management Service PSS

Scope:

Service Functional Model API capturing the results of the Consent Management Pilot, which is addressing the use of existing FHIR resources for Consent Management with Patient Consent, as represented by the FHIR Consent Resource. The implementation guidance produced will address different types of exchanges including v2, Direct (C-CDA), eHealthExchange (C-CDA and XDS), FHIR, Australian Secure Messaging Delivery (SMD) and MyHR (XDS). A companion reference implementation project is occurring as an ONC LEAP Pilot. An Australian implementation is also considering developing a Consent Management Service.

It is not the intent of this project to alter the FHIR Consent or related resources, only to address the APIs used with them. Any required changes to the base resources will be addressed via FHIR change requests to the responsible work group.

Project Need:

Appropriate management of patient consent is a fundamental capability of care management. The defined service, including a Service Functional Model and guidance for the use of existing standards, will enable consistent integration into existing software architectures.

Consent Management is commonly addressed in regulation in participating jurisdictions.

Deferred

Motion to Approve cosponsoring the Consent Management Service Functional Model

Moved/Second:

Vote - Approve/Abstain/Oppose: #- 0 - 0

FHIR Security

2020-06-15 FHIR-Security Meeting Agenda


CDex Privacy and Security

On the Wednesday 6/24 Clinical Data Exchange (CDex) call, Bob and Lloyd will present on privacy and security documentation for CDex.

Please attend if you are interested: 02:00 PM (US Eastern Time, GMT -4 DST), https://global.gotomeeting.com/join/514633709. You can also dial in using your phone: United States +1 (872) 240-3311, Access Code 514-633-709.


FHIR DS4P IG

Review reconciliation spreadsheets and JIRA ballot reconciliation.

Approve reconciliation prior to the July 5 NIB due date for the September ballot (per Security WG Admin).

Ballot results:

Quorum met - 107 voters, FHIR DS4P IG Ballot Passed

  • Affirmative - 26
  • Negative - 13
  • Abstain - 35

Negatives: missing definitions, which result from tooling errors we need to fix, and a general misunderstanding of the fact that the FHIR DS4P IG is, like the CDA DS4P IG, the basis for the profiles defined in policy-specific security label IGs. Only the profiles are implementable; the base IG itself is not.

https://www.hl7.org/documentcenter/public/wg/tsc/HL7%20May%202020%20Ballot%20Results.zip


Spreadsheet


Sept NIB by July 5 per Security WG Admin

Deferring vote on NIB until ballot reconciliation is closer to completed.

Motion to Approve FHIR DS4P IG NIB for Sept Ballot

Moved/Second:

Vote - Approve/Abstain/Oppose: #- 0 - 0

Cross-Paradigm US Regulatory Security Labeling IG

Kathleen: continued work on the CDA templates for US Regulatory Labels. Meeting with the Structured Document Example Task Force to ensure that the templates are done correctly.

Planned for September ballot. Ballot material will be brought forward for WG review.

FHIR US Regulatory Security Labels Continuous Build: no update in the build.

GitHub repo for the source material: https://github.com/HL7/us-security-label-regs

John and Mohammad are committers.

US Regulatory Security Label Example Sandbox

Security Labeling Parking Lot

US Regulatory Security Label examples were included in the FHIR DS4P IG. These will be the starter set for the FHIR US Regulatory Security Label IG.

Sept NIB by July 5 per Security WG Admin

Deferring until work is further along and FHIR DS4P reconciliation is closer to completion, if that is required.

Motion to Approve Cross-Paradigm US Regulatory Security Labeling IG NIB for Sept Ballot

Moved/Second:

Vote - Approve/Abstain/Oppose: #- 0 - 0

Security and Privacy Information Model (S&P DAM Refresh)

Starting weekly calls dedicated to development of the HL7 Privacy and Security Information Model.

Fridays 11 AM - 1 PM ET

HL7 Privacy and Security Information Model PSS

Information model update: the new information model will consolidate and harmonize security models across HL7 standards (Access Control, Audit, TF4FA, etc.) and the (incomplete) updates from FHIM (consolidated unresolved models). It also includes direct mappings of the Access Control, Audit and Authentication class models to Access Control services.

ISD PSS approval - by July

TSC PSS approval before August 23, 2020




Infrastructure SD

Vote 6/12 - 6/19 on HL7 Implementation Guide(s) for CDA® Release 2 & FHIR® Release 4: Healthcare Associated Infection Reports


Share with Protections White Paper Project

Share with Protections Project Scope Statement  

Work to add functional and technical requirements is underway.

Proposed NIB http://www.hl7.org/special/committees/tsc/ballotmanagement/EditNIB.cfm?ballot_document_sdo_id=1101&Action=Edit


Sept NIB by July 5 per Security WG Admin

Motion to Approve SwP NIB for Sept Ballot

Moved/Second: Kathleen/Mohammad

Vote - Approve/Abstain/Oppose: 9 - 0 - 0 (no abstentions, no objections)

Security and Privacy DAM Publication

The S&P DAM is published at http://www.hl7.org/implement/standards/product_brief.cfm?product_id=536


CARIN Blue Button Report Out

Nothing to report.

Security is a cosponsor of the CARIN Blue Button IG. Calls: http://www.hl7.org/concalls/CallDetails.aspx?concall=48592 (e.g. Monday Mar 2, 2020, 02:30 PM Eastern Time, GMT -05), https://leavittpartners.zoom.us/j/461256971 or dial 1 646 876 9923, Meeting ID 461 256 971.


DaVinci Payer Provider Exchange IG

Bob is working on an overarching privacy and security section that would apply across DaVinci. He will present it to FM next Tuesday. He was invited to present to Security as well, but plans to have it approved by DaVinci first.

Bob Dieterle asked to move discussion about (3) RE FHIR-23293 CDS Hooks OAuth Tokens (detailed below) to the PDex call 4/24.

(3) RE FHIR-23293 CDS Hooks OAuth Tokens - Waiting on Bob Dieterle's diagram of the process walk through

Mohammad states that the Proposed Disposition to his comment (“A token for access to the Payer FHIR API and the URI of the appropriate endpoint is issued by the Payer CDS service in response to a successful CDS-Hook request”) seems to have missed the point, i.e., OAuth tokens are issued by OAuth servers. The CDS server is not an OAuth server and cannot “issue” OAuth tokens; that’s why I asked the question of who issues this token that’s returned by the CDS.

BACKGROUND

FHIR-23293 - Jira comment

From minutes:

  • Following the CDS Hooks / SMART on FHIR use case, which has been tested at multiple Connectathons
  • Up until we used it for PDex, the use of CDS Hooks was always from a 3rd party to a provider, and not from a provider to a payer
  • Token is being issued exactly the same way
  • Responder of the CDS Hook is issuing a token in this case (the data holder is issuing the token)

FHIR Specification Feedback: FHIR-23293 - It is not clear who issues this Access Token and who it is issued to - PDex #101

http://hl7.org/fhir/us/davinci-pdex/2019Jun/6-4_Hook_Configuration.html

Resolution Description:

A token for access to the Payer FHIR API and the URI of the appropriate endpoint  is issued by the Payer CDS service in response to a successful CDS-Hook request. 

Description

Existing Wording: When a Card is returned from the CDS Hooks appointment-book service by a Health Plan it will provide the following elements:

  • An Access Token for secure access to the Health Plan's FHIR API

Comment:

It is not clear who issues this Access Token and who it is issued to. If this is an OAuth access token, the flow for issuing it and identifying the client to the OAuth server must be clarified. It is also a major flaw from the OAuth perspective that the Access Token which must be known only to the specific client (in order to ensure accountability) is shared with the CDS service. Generally access tokens should not be known to any party other than the Client and the OAuth Server.

Moreover, it must be clearly stated that this access token must be restricted only to the Member in question and the recipient must not be able to recover any other members' information using this access token.

Summary:

It is not clear who issues this Access Token and who it is issued to

4/15: A token for access to the Payer FHIR API and the URI of the appropriate endpoint is issued by the Payer CDS service in response to a successful CDS Hook request.
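Added example (an editor's illustration, not part of these minutes, the Da Vinci PDex IG or the FHIR-23293 thread): a payer-side resource server check that enforces the member restriction requested in the comment above. It assumes an HS256-signed JWT minted by the payer's authorization server, not by the CDS service; the issuer and audience URLs, the demo signing key, the client id and a SMART-style `patient` claim carrying the member id are all assumptions made for the example. The payer FHIR API then refuses any read whose member id does not match the member bound into the token.

```python
"""
Member-scoped access token check for a payer FHIR API.
Added example; not the PDex IG's or HL7's code. Token layout, claim
names, issuer/audience URLs and the HS256 demo key are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://as.payer.example"       # hypothetical authorization server (not the CDS service)
AUDIENCE = "https://fhir.payer.example"   # hypothetical payer FHIR API the token is good for
KEY = b"constructed-demo-key-do-not-use"  # constructed HS256 secret shared by AS and resource server
READ_SCOPE = "patient/*.read"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_member_token(member_id: str, client_id: str, ttl: int = 300, now=None) -> str:
    """Authorization-server side: mint a JWT bound to one member and one client.

    The `patient` claim is the only member the bearer may read; `sub` is the
    OAuth client the token was issued to, which is what gives accountability.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "aud": AUDIENCE,
        "sub": client_id,
        "patient": member_id,
        "scope": READ_SCOPE,
        "iat": now,
        "exp": now + ttl,
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now=None) -> dict:
    """Resource-server side: check alg, signature, issuer, audience and expiry.

    Returns the claims on success and raises ValueError on any failure.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust alg from the token
    expected = hmac.new(KEY, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    now = int(time.time()) if now is None else now
    if now >= int(claims.get("exp", 0)):
        raise ValueError("expired")
    return claims


def authorize_member_read(token: str, requested_member_id: str, now=None) -> bool:
    """Allow a read of `requested_member_id` only if the token is bound to that member."""
    try:
        claims = verify_token(token, now)
    except ValueError:
        return False  # malformed, forged, expired or mis-addressed tokens all fail closed
    if READ_SCOPE not in claims.get("scope", "").split():
        return False
    return claims.get("patient") == requested_member_id


if __name__ == "__main__":
    tok = issue_member_token("member-123", "provider-app")
    print(authorize_member_read(tok, "member-123"))  # same member: allowed
    print(authorize_member_read(tok, "member-999"))  # other member: refused
```

The structure of the check is what carries over to a real deployment: pin the algorithm, verify the signature, then issuer, audience and expiry, and only then compare the member bound into the token with the member being requested. In production the resource server would validate against the authorization server's published JWKS with an asymmetric algorithm instead of a shared secret, so that no party other than the authorization server can mint tokens.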


HL7 Policy Advisory Committee (PAC)


PAC calls on 6/3 and 6/8 focused on HL7 draft letters on the following topics:

  • Congress CV4+ - Coronavirus Aid, Relief, and Economic Security (CARES) Act (areas for further PAC discussion in green)
  • OIG - Grants, Contracts, and Other Agreements: Fraud and Abuse; Information Blocking; Office of Inspector General’s Civil Money Penalty Rules Proposed Rule
  • KC suggested pointing out that the HL7 Security Labels and Consent standards can be profiled to support the changes to 42 CFR Part 2, so that substance use disorder information can be shared with protections within the healthcare system in accordance with the HIPAA Privacy and Security Rules, while leaving in place Part 2’s prohibition on disclosure of records outside the healthcare system.

Demonstration of ONC LEAP SLS is planned.


Notes from CHAT

Participants are asked to review and comment on the following chat.fhir.org threads:

  1. High Water Mark on Bundle - https://chat.fhir.org/#narrow/stream/179247-Security-and.20Privacy/topic/Meaning.20of.20Security.20Labels.20on.20Bundles
  2. Consent - https://chat.fhir.org/#narrow/stream/179247-Security-and.20Privacy/topic/Consent.20IG.3F
  3. Scopes for data access - https://chat.fhir.org/login/#narrow/stream/179175-argonaut/topic/Scopes.20for.20data.20access
  4. DS4P IG - https://chat.fhir.org/#narrow/stream/179247-Security-and.20Privacy/topic/DS4P.20IG


Meeting Adjournment

No additional agenda items brought forward

Meeting adjourned at 12:36 Arizona time

Meeting recording:

Attendees

  • @Adam Wong adam.wong@hhs.gov - HHS
  • ONC
  • HL7 Austria
  • Kaiser
  • Amol Vyas amol.vyas@cambiahealth.com - Cambia Health
  • Wave One
  • Aegis
  • Celine Lefebvre Celine.Lefebvre@ama-assn.org - AMA
  • Clara Y. Ren clara.y.ren.ctr@mail.mil - Federal Electronic Health Records Modernization (FEHRM) Office
  • Chris Shawn, Co-Chair - VA
  • Craig.Newman@altarum.org
  • Dave Silver - Electrosoft
  • Ready Computing
  • @David Staggs drs@securityrs.com - SRS
  • Debra Simmons debrasimmons@
  • Sequoia
  • Heather McComas heather.mccomas@ama-assn.org - AMA
  • EPIC
  • Jeff Helman
  • Jim Kamper - Altarum
  • Federal Electronic Health Records Modernization (FEHRM) Office
  • SRS
  • John Davis (Mike) - VA
  • John Moehrke, Co-Chair - By-Light
  • Aegis
  • Julie Chan jchan@cwglobalconsult.com - CWGlobal
  • Kathleen Connor, Co-Chair - VA (Book Zurman)
  • Laura Bright laurabright4@gmail.com
  • Laura Hoffman laura.hoffman@ama-assn.org - AMA
  • EMR Direct
  • Sequoia
  • Matthew Reid matt.reid@ama-assn.org - AMA
  • VA (Book Zurman)
  • LGI Software
  • PJM Consulting
  • Phillips
  • Trustworthy EHR
  • @Ricky Sahu, @1up.health - 1up Health
  • Robert Dieterle rdieterle@enablecare.us - Enablecare
  • Russ Ott rott@deloitte.com - Deloitte
  • Saul Kravitz saul@mitre.org - MITRE
  • Scott Fradkin sfradkin@flexion.us
  • Jopari
  • Stephen MacVicar smacvicar@mitre.org - MITRE
  • VA (Book Zurman)
  • AMA
  • Flinders University
  • Vicki Giatzikis vig9034@nyp.org - NYP




