Chair: @Kathleen Connor

Scribe: @Suzanne Gonzales-Webb 

Weekly calls Tuesdays 3PM ET

Zoom Client Download

Meeting ID: 675 407 5337

Phone Number: +1 929-436-2866
Participant Passcode: 675 407 5337

Zoom Tip Sheet


Agenda Topics

Agenda Overview
  • Minutes
  • FHIR Security
  • Privacy and Security Logical Model call
  • Security WGM Prep
  • FHIR DS4P IG - Ballot Reconciliation
  • Cross Paradigm US Security Labeling IG
  • Infrastructure SD
  • Share with Protections White Paper Project
  • CARIN Blue Button Report Out
  • HL7 Policy Advisory Committee (PAC)
  • Chat notes

 Minutes Approval

Approve Meeting Minutes: 2020-08-04 Security WG call minutes

2020-08-11 call canceled for the ONC Tech Forum

Motion to Approve Meeting minutes as written

Moved/Second:  Suzanne/Mike

Vote - Approve/Abstain/Oppose: 5 - 0 - 0

FHIR Security
2020-08-17 FHIR Security call

Updates on FHIR Ballot

Privacy & Security  Logical (information) Model

2020-08-12 Privacy and Security Logical Model - Mike

  • Ioana presented at last week's meeting, showing updates to models
  • Text did not fare well, but is being updated in Enterprise Architecture (EA)
  • Five sections
    • section 1 - cleaned up (figures numbered, format/text, etc.)
    • cited standards have been updated (to include the date the model is using)
  • Mike would like to view content (continuing calls) before the WG meeting
  • Mike would like to propose using the name: "Privacy and Security Logical Information Model"


Bernd Blobel presented on 2020-08-05 Privacy and Security Logical Model call.

Calls are on Wednesdays 1 - 2 ET

Meeting ID: 675 407 5337

Phone Number: +1 929-436-2866
Participant Passcode: 675 407 5337

HL7 Privacy and Security Information Model PSS

Information model update: The new information model will consolidate and harmonize security models across HL7 standards (Access Control, Audit, TF4FA etc.) and (incomplete) updates from FHIM (Consolidated unresolved models). Also included are direct mappings to Access Control, Audit and Authentication (e.g. Class models)  mapped to Access Control services.

ISD PSS approved 7/7

TSC PSS approval before August 23, 2020

Mike's update:

The document has been more clearly marked into its 5 sections, Information Analysis, Security Use Case Analysis, Privacy Use Case Analysis, Security and Privacy Vocabulary Analysis, Examples:  Policies and Consent Directives.

Section I accounts for about 1/3 of the Logical Model.  It has been cleaned up and edited into a readable draft.  Duplicative sections have been consolidated.  Logical Model is defined.  Cited standards have been updated to the most current versions.  Styles have been applied to make editing and reading easier while we are updating.  Figures have been re-numbered and links will be applied using MS word References to permit easy moving/editing without requiring manual revision of links.

On Weds, we will do a walk-through.  The current headers are for organizational purposes and may change as other sections are incorporated.

Kathleen cancelled all interim calls based on decision on last call.  Are these to be reinstated?

Kathleen to reinstate calls through 9/15.

September WGM Prep

Planning is underway - See 2020-09 September Virtual Security WGM

JohnM will not be attending so deleted FHIR Security Session.

AlexM will make sessions as he is available 

  • International report out - Tuesday 9/22 4PM ET - International Security Topics (Alex will chair)

Still no confirmation from other cochairs about attendance.

Interim WG Health - See Infrastructure

Kathleen to add LHS WG on CBCP Joint 9/22 10AM ET

202009 September Virtual Security WGM


Review and approve FHIR DS4P IG Out-of-cycle ballot request for 10/20 opening date.

Review Reconciliation Spreadsheets and JIRA Ballot Recon

Missed approval of Reconciliation prior to July 5th Sept NIB due date Security WG Admin

Ballot results:

Quorum met - 107 voters, FHIR DS4P IG Ballot Passed

  • Affirmative - 26
  • Negative - 13
  • Abstain - 35

Negatives - missing definitions, which is the result of tooling errors we need to fix, and a general misunderstanding that the FHIR DS4P IG is the basis for profiles for policy specific security label IGs much like the CDA DS4P IG is.  Only the profiles are implementable.

 Spreadsheet Spreadsheet


Upcoming deadlines:

  • NIB Deadline for submission - ???, 2020
  • FHIR IG must be substantively complete - ???, 2020
  • FHIR IG must be complete and handed over to sponsoring WG for QA review - ???
  • QA review cycle - ???
  • Content QA Change application - ???
  • Final content to Lynn for inclusion in Oct Out-of-cycle ballot ???
  • Submit Ballot Readiness Checklist - before ???

If you have any questions about these dates or the process, you can check out the FHIR IG Process Flow on Confluence


Cross-Paradigm US Regulatory Security Labeling IG

CUI Program Blog (NARA is promoting NIEM 5.0 Beta as the national healthcare standard for conveying CUI)

CUI Metadata standard available for review

July 2, 2020, posted in General updates, Marking & examples, News

The CUI Executive Agent has been working with the CUI Advisory Council and the National Information Exchange Model (NIEM) to develop a metadata standard for CUI categories and limited dissemination controls.  NIEM is a common vocabulary that enables efficient information exchange across diverse public and private organizations.


  • Draft SP 800-172 (formerly Draft NIST SP 800-171B) is out for Public Comment
  • CUI Metadata standard available for review
  • CUI Marking Class (Webex)

FHIR US Regulatory Security Labels Continuous Build - No update in the build

GitHub repo for the source material: 

John and Mohammad are committers.

US Regulatory Security Label Example Sandbox

Security Labeling Parking Lot

US Regulatory Security Label examples were included in the FHIR DS4P IG.  These will be the starter set for the FHIR US Regulatory Security Label IG

CUI Q4 Stakeholders Update! Wednesday@1:00(ET)

August 17, 2020, posted in Events & reviews, General updates, Uncategorized

The conference is from 1:00 – 3:00 PM Eastern Time on August 19, 2020.
Step 1: Dial into the conference.
Dial-in: 888-251-2949 or 215-861-0694
Access Code: 2563977#
Step 2: Join the conference on your computer.
Entry Link:

Topics include:

  • CUI and Metadata (update)
  • CUI Federal Acquisition Regulation case (update)
  • Recent CUI Notices
  • An overview of some frequently asked questions
  • Live Question and Answer period

Infrastructure SD

PSS for the January 2021 Reaffirmation Ballot of CTS2 - vote underway starting 8/13

The slide deck and the recording of the August Co-Chair Update Meeting

High expectations for WG cochair involvement and for members to generally be familiar with

  • Essential Requirements
  • GOM
  • JIRA for Standards Development and progression, Change Requests, Balloting
  • UTG - actively developing and refining HL7 terminology and participating in review/approval processes - this is no longer a single vocab facilitator role.  WG health metrics on level of WG member participation
  • Governance Process Participation

Melva, Dave, and Anne will be monitoring WG meeting minutes for indications that we are actually involved in governance and using the tooling.

Slide 23

File Storage S3 Connectors are added to Work Group and Governance Group Confluence spaces – “S3 Storage”

  • Will show up in your space over the next week
  • Easy to use
    • Can create folders and sub-folders
    • Encourage you to decide on a structure before you get started
  • How to Documents
  • Default Permissions
    • mirrors Confluence permissions
      • View, Create, Rename, Delete – Co-chairs
      • View, Create – Jira Users
      • View – Anonymous
  • Have questions?
    • Contact
    • FAQs will be added as questions come up

Security WG File Storage - S3 Connector

Other SD

Patient Corrections FHIR Implementation Guide Project

Virginia Lorenzi - Interested Parties and Co-Sponsors: These should be other work groups.  I think we should encourage cosponsors and interested parties.  I think Patient Care and Patient Administration would be good examples here.  Also, perhaps Emergency Care would like to be an interested party.  And perhaps CBCP or Security have an angle.

Project Scope currently says: Now that patients are able to retrieve their records via the FHIR API, there will be more focus on incorrect/missing data in the EHR. HIPAA gives the right to a patient to request amendments to their chart. The old way is via a paper request. We would like to provide a new electronic way using FHIR.

Share with Protections White Paper Project

Please sign up to vote on the Share with Protections White Paper

Motion to Approve SwP submission for Sept Ballot

2020-06-23 Minutes

Submitted for Ballot

ONC News

Looking for input - will discuss during WGM 9/24 at 2 PM ET

ONC is now accepting submissions for the next version of the United States Core for Data Interoperability (USCDI) through the new ONC New Data Element and Class (ONDEC) submission system. The USCDI is a standardized set of health data classes and constituent data elements for nationwide, interoperable health information exchange. The next version of the USCDI will be drafted and finalized based on your data element submissions to the ONDEC system.

Read the Blog →

Submit Comments →

CARIN Blue Button Report Out

Nothing to report.

Security is a cosponsor of CARIN Blue Button IG. Calls Monday Mar 2, 2020 - 02:30 PM (Eastern Time, GMT -05) or Dial: 1 646 876 9923 // Meeting ID: 461 256 971

HL7 Policy Advisory Committee (PAC)

USCDI Survey (see ONC news above) - need input from Security WG.  Will be on Security WGM agenda

Good article on health app policy issues:

Be Aware Before You Share: Vetting Third Party Apps Prior to Data Transfer

By Alaap Shah & Karen Mandelbaum on August 12, 2020

As the third-party application space continues to expand and data sharing becomes more prevalent, it is critical that such data sharing is done in a responsible manner and in accordance with applicable privacy and security standards. Yet, complying with applicable standards requires striking the right balance between rules promoting interoperability vis-à-vis prohibiting information blocking vs. ensuring patient privacy is protected. This is especially difficult when data is sent to third party applications that remain largely unregulated from a privacy and security perspective.

Notes from CHAT
Meeting Adjournment

No additional agenda items brought forward

Meeting adjourned at 1601 Arizona time

Meeting recording: 



@Adam Wong adam.wong@hhs.gov HHS
HL7 Austria
Amol Vyas amol.vyas@cambiahealth.com Cambia Health
Wave One
Celine Lefebvre AMA
Clara Y. Ren Electronic Health Records Modernization (FEHRM) Office

Chris Shawn, Co-Chair


Dave Silver Electrosoft
 Ready Computing
@David Staggs drs@securityrs.com SRS
Debra Simmons debrasimmons@

Heather McComas AMA 
Jeff Helman AEGIS for SSA
Jerry Goodnough
Jim Kamper Altarum
Federal Electronic Health Records Modernization (FEHRM) Office

John Davis (Mike)


John Moehrke Co-Chair

Julie Chan jchan@cwglobalconsult.com CWGlobal

Kathleen Connor  Co-Chair

VA (Book Zurman)
Laura Bright
Laura Hoffman laura.hoffman@ama-assn.org AMA
Lloyd McKenzie
Lorraine Constable
EMR Direct
Matthew Reid matt.reid@ama-assn.org AMA
VA (Book Zurman)
Patient Centric Solutions
 PJM Consulting
Trustworthy EHR 

@Ricky Sahu, 1up Health

Robert Dieterle

Russ Ott rott@deloitte.com Deloitte
Saul Kravitz saul@mitre.org MITRE


Serafina Versaggi
Stephen MacVicar smacvicar@mitre.org MITRE
VA (Book Zurman)

Tom Hicke
Flinders University
Vicki Giatzikis vig9034@nyp.org NYP
