Skip to end of metadata
Go to start of metadata

Chair: @Kathleen Connor

Scribe: @Suzanne Gonzales-Webb 

Weekly calls Tuesdays 3PM ET

Zoom Client Download

Meeting ID: 675 407 5337

Phone Number: +1 929-436-2866
Participant Passcode: 675 407 5337

Zoom Tip Sheet


Agenda Topics

Agenda Overview

  • Minutes
  • NLM SAMHSA VSAC Sensitive Condition Value Set
  • FHIR Security
  • Harmonization - UTG Voting Process presentation by Jeff Hellman - deferred
  • Fine Grain Access Control - co-sponsorship approval sought
  • Privacy and Security Logical Data Model update
  • HL7 Policy Advisory Committee (PAC) - Draft ISA 2021 Comments
  • FHIR DS4P IG - Ballot Reconciliation
  • Cross Paradigm US Security Labeling IG
  • Share with Protections White Paper Project
  • Infrastructure SD - No Report
  • ONC 2020-2025 Federal Health IT Strategic Plan
  • ONC FAST Security Team - next steps
  • Ballot Management - Need new PSS to reaffirm Access Control Catalog soon!
  • Chat notes

 Minutes Approval

Approve Meeting Minutes: 2020-10-27 Security WG Agenda/Minutes

Motion to Approve Meeting minutes as written

Moved/Second: Jeff / Mohammad

Vote - Approve/Abstain/Oppose :  4 / 0/ 0 approved by consensus

NLM VSAC Sensitive Condition Value Set

Issue is that DS4P is not possible without a SLS having access to a sensitive condition value set for filtering and labeling content. Mohammad can add the implementer perspective and how this value set is used in the ONC Leap Consent project.

Problem is that the VSAC Sensitive Condition Value Set, for which SAMHSA is the steward, and which was uploaded in 2016, is no longer being maintained by SAMHSA.  The codes may not be correct or retired.  New ones, and ones have not been added, and some sensitive categories, e.g., for sexual and reproductive health are not complete.

Rob McClure approached CBCP cochairs with questions about what standards rely on it and whether it should be retired. After discussion, we moved the discussion to this Security call.

Without an open, standards-based, consensus sensitive condition value set, any effort to computably segment data would have to resort to expensive, proprietary, and not interoperable value sets.

Since HL7 DS4P standards are the purview of the Security WG, what can we do to raise awareness of the importance of evolving and maintaining this invaluable value set?

Consent to Share value set have SAMHSA as a stewaard in VSAC - 

Two issues (Technical, Clinical)

Technical issues - 

two values sets using the current set of RXNorm ; expansion of the latest value set is always set out by VSAC, these two value sets of RXNorm have no values/extentions and ahve been retired out of RX Norm 'a flashing red light' - so two values sets are currently not usable.  the ti oof teh iceburerg, ... issue who owns these, are they valid?  samhsa has have not responded (Rob is currently the searad for SAMHSA, but SAMHSA no longer active in HL7 ) that technical issue in regard to VSAC which is of concern, that peole are using that that has clinical problems because/related to the echnical issues

  1. Rob has looked at some sets, one of them was amphetimaines, it had one ingrediate drug for which is no longer made, that single branded ingredient (bupophine) there are a number of mfgs that make this drugs—the original creation of the value set is flawed.  Value sets that have been used in the past, bu tno longer maintained–should be considered usable, we should deprecate.  if we don't get someone to pick them up, then they shoudl be deprecated.  this is not an hl7 question because samhsa does not promote as an hl7 product.  if the value set is being referenced/used by products in hl7, then they could be brought into HL7 vocabulary, UTG but we woudl still need someone to maintain
  2. 2. how to manage - are they still clinically valid?

we need well versed informatacists, in order to maintain, 

HL7 should look for public funding to maintain--- (kathleen); 

VSAC value set authority centerfrom the NLM is a tool.  they explicity states they are not involved with the content, that is the responsiblity fo the steward.  Rob is looking for a steward to pick this up.

there is work that has been done that references the work.  in our current environment, can we continue to use these discreet things to tag/identiy  these discreet items.  Discreet data identification using discreet data items.  either someone takes it on or we deprecate.  currently its dangerously improper.


maybe security can bring this up with vocabulary and stress where we are with this — (Rob) can tell you we will probably not get saatisfactions; despite saying this is a public good.  the problem that is facing this project, the public good and capbilitys in order to use it, are hard to envision.

some of the value sets are more stables

there are C2S value sets that hav enot been published - who have other stewards... those are all draft; and have been worked on more recently c2S_L; there are other folks who have looked at these and redone—bbut they haven't been published... BayState (question)

realistically we can look at some of the more stable RXNorm sets and briing them into the HL7 UTG.  There is no drop dead when a decision has o be made--- they're zombies—but no one has killed them off yet.  at some point (6months) we will have the ability to depreciate then a deadline will occur... VSAC 'could' delete them.

if we do take som eone - we would need to contact (Rob could make the transfer); but would like to talk to samhsa before we do that—reach out and find out 'who cares...'  anyone involved in HIT would be good — i've heard they are going out HIT entirely

VSAC Sensitive Categories Grouping spreadsheet. For the full set of value set categories, one needs a UML license to download.  If the WG desires, we can upload those individual files into the Security WG cloud server.

FHIR Security

Report out on 2020-11-02 FHIR-Security Meeting Agenda

Reviewed for approval the PSS to revise SMART

Motion to keep PSS project active, with recommendation to full Security WG to approve: Kathleen/Jose: 7-0-0

Security WG approval

Moved/Second: Beth / Suzanne

Vote - Approve/Abstain/Oppose :  4 / 0 / 0


Jeff Helman to present on UTG voting process so that we can vote on proposed security labeling codes.

Additional Codes For Security Label Vocabulary approved 10/26 have been uploaded into UTG

Security WG members who want to vote on these UTG proposals need to sign up to vote.  See: Vocabulary Maintenance at HL7

UTG Consensus Review

Anyone wishing to participate in the Consensus Review of proposals in flight is welcome to participate. No tooling is required to participate - if you want to be a reviewer/voter on vocabulary change proposals and you are not one already, click this link below: 

Request Reviewer Permissions

Documentation and Education Materials 

Unified Terminology Governance Project (UTG) Page

Curator Processing of Proposals

UTG Tooling and Proposal Documentation

Implementation of Consensus Review Voting

Deferred to next call.

Privacy & Security  Logical Data (information) Model

Review and approve P&S Logical Model draft NIB submitted without suffix "Cross-Paradigm" after TSC review.

Please review and send Mike comments on V3 Logical Model Draft 1

Meeting scheduled for document and model review

HL7 Privacy and Security Information Model PSS

Information model update: The new information model will consolidate and harmonize security models across HL7 standards (Access Control, Audit, TF4FA etc.) and (incomplete) updates from FHIM (Consolidated unresolved models). Also included are direct mappings to Access Control, Audit and Authentication (e.g. Class models)  mapped to Access Control services.

ISD PPS approved 7/7

TSC PSS approval before August 23, 2020


CBCP WG sponsored the DPROV CDA IG, which expired as a DSTU 2 years ago. Security WG cosponsored it.  It is referenced by the Security WG sponsored Basic Provenance IG.  Provenance is in the USCDI.  CBCP Cochairs have expressed an interest in retiring it, although it is still active in the Standards Grid.  Security WG could request that sponsorship moves to Security with the notion of balloting it as normative in due course.

Kathleen feels this project is still useful–it does require a few bits of clean-up.

Recommendation: Review standard and decide whether or not to allow it to remain expired or for Security to take over 

HL7 Policy Advisory Committee (PAC)

Draft Security WG Security WG ISA 2021 Comments

Security WG ONC USCDI Security WG Recommendations

Draft Consumer Privacy Framework for Health Data

 August 26, 2020 – The eHealth Initiative & Foundation (eHI) and the Center for Democracy and Technology (CDT) released A Draft Consumer Privacy Framework for Health Data. The Framework includes a description of the health data that warrant protection, as well as the standards and rules that should govern them. The Framework also includes a self-regulatory model that would hold companies accountable to these standards and rules. The work is the first output of a collaborative effort addressing gaps in legal protections for consumer health data outside of the Health Insurance Portability and Accountability Act’s (HIPAA) coverage. The collaboration was funded through a grant by the Robert Wood Johnson Foundation.

The public is invited to review the draft framework and offer constructive feedback by Friday, September 25, 2020 in the form below. 

Review and approval of the Draft Security WG Security WG ISA 2021 Comments

Security WG approval

Moved/Second Beth / Jeff

Vote - Approve/Abstain/Oppose :  4 / 0/ 0 

SOA Consent Management Service

This project is co-sponsored by Security and CBCP. 

Consent Management Service PSS

The project's model has progressed and is impressive.

See Consent Management Service Project

However, some of the underlying analysis of policy and consent differ to some extent with Security foundational standards. See PolicyVsConsent.docx

MIke reviewed and commented - see attached.


SOA invites Security to join 7 pm ET call Nov 5

Join Zoom Meeting

Phone Number: +1 770-657-9270
Participant Passcode: 071582


Moving comments from spreadsheet into JIRA Tickets - View comments at this link.

Previously approved NIB

Postponed early January ballot until regular January ballot cycle.

Review and approve FHIR DS4P IG Out-of-cycle ballot request for 10/20 opening date.

Carmela A. Couderc block - continue review

Review Reconciliation Spreadsheets and JIRA Ballot Recon

Missed approval of Reconciliation prior to July 5th Sept NIB due date Security WG Admin

Ballot results:

Quorum met - 107 voters, FHIR DS4P IG Ballot Passed

  • Affirmative - 26
  • Negative - 13
  • Abstain - 35

Negatives - missing definitions, which is the result of tooling errors we need to fix, and a general misunderstanding that the FHIR DS4P IG is the basis for profiles for policy specific security label IGs much like the CDA DS4P IG is.  Only the profiles are implementable.

 Spreadsheet Spreadsheet Spreadsheet


Upcoming deadlines:

  • FHIR IG must be substantively complete - ???, 2020
  • FHIR IG must be complete and handed over to sponsoring WG for QA review - ???
  • QA review cycle - ???
  • Content QA Change application - ???
  • Final content to Lynn for inclusion in Oct Out-of-cycle ballot ???
  • Submit Ballot Readiness Checklist - before ???

If you have any questions about these dates or the process, you can check out the FHIR IG Process Flow on Confluence


Cross-Paradigm US Regulatory Security Labeling IG

Postponed early January ballot until regular January ballot cycle.

Previously approved NIB already submitted.

JIRA tickets filed for acceptance of new UTG values/data; motion next week when we bring information forward on the value sets.

New CUI Notice 2020-06 RE CUI Marking Waivers with e.g., splash screens, seems to be limited to internal CUI use.

FHIR US Regulatory Security Labels Continuous Build - No update in the build

GitHub repo for the source material: 

John and Mohammad are committers.

US Regulatory Security Label Example Sandbox

Security Labeling Parking Lot

US Regulatory Security Label examples were included in the FHIR DS4P IG.  These will be the starter set for the FHIR US Regulatory Security Label IG

Share with Protections White Paper Project

Report out on 10/14 reconciliation work. Reconciliation will resume after ballot materials are complete for DS4P.

Started Ballot Reconciliation at WGM.



Infrastructure SDNothing to report
Ballot Management

Security Ballot Management Nov 8 - NIB Deadline - Privacy and Security Logical Model - in process

Normative ANSI Standards approaching expiration

HL7 Version 3 Standard: Healthcare (Security and Privacy) Access Control Catalog, Release 3

Need new PSS to reaffirm Access Control Catalog soon!  Expires 2021-10-05 

Dave Hamill:

Created a reaffirmation project in Project Insight...Project ID #1660

I've also created a PSS in Confluence, however, Kathleen and Suzanne will want to update the following information.  These are required fields for reaffirmations and I couldn't save the page without putting something in the fields (the last two are dropdowns, so I may have the wrong answers for them).

    Please enter valid content for ISO/IEC Standard to adopt.

    Please enter a valid value for excerpt included info.

    Please enter a valid unit of measure. 

The PSS in confluence is at:


With the move of the WGM schedule dates to start virtually on January 25, the ballot cycle and content deadline dates have also changed.

Nov 8: Next Sunday is the Notification of Intent to Ballot (NIB) deadline – Now November 8th (Ballot minus 6 weeks)

Nov 17: FHIR Connectathon proposals due– (The Connectathon dates did NOT change)

Nov 29: Reconciliation deadline for ballot items having previously balloted – (Ballot -3 weeks)

Dec 13: Final content deadline

Dec 18: Ballot opens

Dec 27: Deadline for TSC approval of PSS for 2021MAY cycle

The on-line Notification of Intent to Ballot form (off of the TSC Utilities page) is available at:

All Calendars for this cycle are available on the new Confluence Calendars page at:


Final 2020-2025 Federal Health IT Strategic Plan Now Available

Last week, ONC released the final 2020-2025 Federal Health IT Strategic Plan. The Plan defines a set of goals, objectives, and strategies that guide the federal government in supporting the access, exchange, and use of electronic health information to connect healthcare with health data. The Plan explains how the use of health IT can further support:

  • Health and wellness;
  • Delivery and experience of care; and
  • A secure, data-driven ecosystem to accelerate research and innovation.

This Plan is outcomes-driven, with goals focused on meeting the needs of individuals, populations, caregivers, healthcare providers, payers, public health professionals, researchers, developers, and innovators.

Read the Plan →

Read the blog post →

- 36 - Objective 4d:

Promote secure health information practices that protect individual privacy

As capabilities for EHI access, exchange, and use continue to expand, federal partners

should prioritize protecting individuals’ health data from misuse and threats like

cybersecurity attacks and fraud. Patients and caregivers must understand how health

data may be used and how to specify their privacy preferences. Keeping EHI secure,

preventing breaches and fraud, and curtailing other harms is crucial for maintaining

patients’ trust of their healthcare providers and in health IT.


• Integrate privacy and security considerations into the design and use of health

IT, including AI/ML, to promote a culture of privacy and security and protect

individual- and population-level data from cybersecurity attacks, fraud, misuse,

and other harms.

• Mitigate patient data security risks by developing guidance for API and app

developers on securely sharing patient data via standards-based APIs.

• Implement privacy and security mechanisms as appropriate to the sensitivity

of the information to protect individuals’ health data, including multi-factor

authentication and encryption embedded in APIs, tools that enhance patient

matching accuracy, and other technologies that enhance privacy and security.

• Provide guidance and technical assistance on policies and regulations at the

federal, state, and Tribal level that pertain to the security and privacy of EHI and

enforce such rules.

• Promote equitable access to tools and resources that protect patients from

discrimination, stigma, and exploitation based on their health information.

• Increase patient understanding of and control over their data including

building awareness of potential secondary uses of data and how to safely and

effectively access and use their EHI and make informed decisions concerning

consent and data exchange.

Next Steps report out.
OCR News

Notes from CHAT
Useful Links

Confluence and JIRA Tutorials

Meeting Adjournment

No additional agenda items brought forward

Meeting adjourned at 1300 Arizona time

Meeting recording: 



@Adam Wong adam.wong@hhs.govHHS
HL7 Austria
Amol Vyas amol.vyas@cambiahealth.comCambia Health
Wave One
Celine Lefebvre AMA
Clara Y. Ren Electronic Health Records Modernization (FEHRM) Office

Chris Shawn, Co-Chair


Dave SilverElectrosoft
 Ready Computing
 @David Staggs drs@securityrs.comSRS 

@Heather McComas AMA 

Jim KamperAltarum
Federal Electronic Health Records Modernization (FEHRM) Office

John Davis (Mike)


John Moehrke Co-Chair

Julie Chan jchan@cwglobalconsult.comCWGlobal

Kathleen Connor  Co-Chair

VA (Book Zurman)
Laura Bright
Laura Hoffman laura.hoffman@ama-assn.orgAMA


EMR Direct

Matthew Reid matt.reid@ama-assn.orgAMA
VA (Book Zurman)
Patient Centric Solutions
 PJM Consulting
Trustworthy EHR 

@Ricky Sahu,  

1up Health

Rob McClure
Saul Kravitz saul@mitre.orgMITRE


Serafina Versaggi
Stephen MacVicar smacvicar@mitre.orgMITRE
VA (Book Zurman)

Tom Hicke
Flinders University
Vicki Giatzikis vig9034@nyp.orgNYP

  • No labels