Agenda Overview

 Minutes Approval

Motion to Approve Meeting minutes as written

Moved/Second: Beth / Mohammad

Vote - Approve/Abstain/Oppose :  (7) approved by consensus

FHIR Security

• review of current vNEXT on how they deal with security labeling. meeting cut short

Note that we approved Security WG continued co-sponsorship of PSS to revise SMART

Review and approve Errata Letter for CTO Consideration

QA of final ANSI publication submittal missed that Volume 3 Provenance DAM did not include the Contributor Table.

We are requesting an errata version.  May not be possible because ANSI has already approved it.

Mike's alternative: wants to claim an author name on HL7 formal letterhead (not to add as an ANSI change)

Document

Review and approve P&S Logical Model draft NIB submitted without suffix "Cross-Paradigm" after TSC review.

Please review and send Mike comments on V3 Logical Model Draft 1116.docx

• models have updated per comments, including ABAC (new material)
• working on one more model- showing relationship between class model and 
• The majority of the changes are in the ABAC section.
• Mike will walk though the changes at tomorrow's meeting

Meeting scheduled for document and model review

• Calls are on Wednesdays 1 - 2 ET http://www.hl7.org/concalls/CallDetails.aspx?concall=50666

  https://us02web.zoom.us/j/89559883576?pwd=ckd0N2V1L1FybXhhbHhVdElQekg2QT09

  Meeting ID: 895 5988 3576

  Passcode: 258923

  Find your local number: https://zoom.us/u/abruqg5or

HL7 Privacy and Security Information Model PSS

Information model update: The new information model will consolidate and harmonize security models across HL7 standards (Access Control, Audit, TF4FA etc.) and (incomplete) updates from FHIM (Consolidated unresolved models). Also included are direct mappings to Access Control, Audit and Authentication (e.g. Class models)  mapped to Access Control services.

ISD PPS approved 7/7

TSC PSS approval before August 23, 2020

Next call tomorrow! 

2020-11-18 Privacy and Security Logical Data Model

This project is co-sponsored by Security and CBCP. 

Consent Management Service PSS

The project's model has progressed and is impressive.

See Consent Management Service Project

However, some of the underlying analysis of policy and consent differ to some extent with Security foundational standards. See PolicyVsConsent.docx

MIke reviewed and commented - see attached.

Document

SOA invites Security to join 7 pm ET call Nov 5

Join Zoom Meeting

https://hl7-org.zoom.us/j/93128162118?pwd=dnZlSzNVOThpeWdpb2hWOHFMU29aQT09

Phone Number: +1 770-657-9270
Participant Passcode: 071582

FHIR DS4P IG

<ADD MOTION> made by Jeff:  Security labeling reduces information blocking when used properly. Data holder can share more information by accurately labeling information that should not be shared. This allows for less sensitive information to be shared according to is associated security labeling. The net result is more information shared, along with the ability to defend why sensitive information is not being shared.

BLOCK: 1-24 Motion to approve as presented (Suzanne / Mike ) 

VOTE: abstain/opposed Motion passes (6)

Moving comments from spreadsheet into JIRA Tickets - View comments at this link.

Previously approved NIB

Postponed early January ballot until regular January ballot cycle.

Review and approve FHIR DS4P IG Out-of-cycle ballot request for 10/20 opening date.

Carmela A. Couderc block - continue review

Review Reconciliation Spreadsheets and JIRA Ballot Recon

Missed approval of Reconciliation prior to July 5th Sept NIB due date Security WG Admin

Ballot results:

Quorum met - 107 voters, FHIR DS4P IG Ballot Passed

• Affirmative - 26
• Negative - 13
• Abstain - 35

Negatives - missing definitions, which is the result of tooling errors we need to fix, and a general misunderstanding that the FHIR DS4P IG is the basis for profiles for policy specific security label IGs much like the CDA DS4P IG is.  Only the profiles are implementable.

https://www.hl7.org/documentcenter/public/wg/tsc/HL7%20May%202020%20Ballot%20Results.zip

Spreadsheet Spreadsheet

 Spreadsheet

Upcoming deadlines:

• FHIR IG must be substantively complete - ???, 2020
• FHIR IG must be complete and handed over to sponsoring WG for QA review - ???
• QA review cycle - ???
• Content QA Change application - ???
• Final content to Lynn for inclusion in Oct Out-of-cycle ballot ???
  
• Submit Ballot Readiness Checklist - before ???

If you have any questions about these dates or the process, you can check out the FHIR IG Process Flow on Confluence

(https://confluence.hl7.org/display/FHIR/B+-+Content+Development+and+Submission)

DS4P Use Cases - work in progress.  Being incorporated in the FHIR DS4P IG.

Discussed Genevieve Luensman's (CD) Comment #121

We would like to ensure that this IG provides for management of workers compensation and occupational health activities. Data tagging is not always sufficient; in some instances data should not be sent at all. Ex 1: information pertaining to a work-related event needs to be segregated and all other information needs to be protected, to prevent inadvertent transfer of information not related to a workers' compensation claim with others. Ex. 2: there is a need to prevent the inappropriate transfer of information that can indicate a risk for genetically transmitted diseases, including a family history of diseases, as specified in the Genetic Information Nondiscrimination Act (GINA). Ex. 3: The Americans with Disabilities Act (ADA) needs to be included. Among other things, the ADA specifies how health information is to be managed in relationship to employment. For example, employers can be given doctor's notes about return-to-work limitations, but cannot be given diagnoses.

=====

WG discussed need to continue to emphasize that security labeling enables maximum sharing to avoid information blocking.

Postponed early January ballot until regular January ballot cycle.

Previously approved NIB already submitted.

JIRA tickets filed for acceptance of new UTG values/data; motion next week when we bring information forward on the value sets.

New CUI Notice 2020-06 RE CUI Marking Waivers with e.g., splash screens, seems to be limited to internal CUI use.

FHIR US Regulatory Security Labels Continuous Build - No update in the build

GitHub repo for the source material:https://github.com/HL7/us-security-label-regs 

John and Mohammad are committers.

US Regulatory Security Label Example Sandbox

Security Labeling Parking Lot

US Regulatory Security Label examples were included in the FHIR DS4P IG.  These will be the starter set for the FHIR US Regulatory Security Label IG

Share with Protections White Paper Project

Worked on ballot recon with Beth for KP comments.  Ready for review.

 SwP Ballot Comment Spreadsheet

SwP White Paper

Requesting review provide comment / recommend participants review the information (links below)

High Water Mark on Bundle - https://chat.fhir.org/#narrow/stream/179247-Security-and.20Privacy/topic/Meaning.20of.20Security.20Labels.20on.20Bundles

Consent - https://chat.fhir.org/#narrow/stream/179247-Security-and.20Privacy/topic/Consent.20IG.3F

Scopes for data access - https://chat.fhir.org/login/#narrow/stream/179175-argonaut/topic/Scopes.20for.20data.20access

DS4P IG - https://chat.fhir.org/#narrow/stream/179247-Security-and.20Privacy/topic/DS4P.20IG

Fine-grained Security Policies

Consent Provisions

OCR ruling related to Cost for Right of Access

Grahame Provenance agent.type vs agent.role value sets and element semantics