
NOTE: Please spell out all acronyms the first time the acronym occurs.

For Reaffirmations, please refer to the FAQ within Appendix C of the PSS_with_instructions template for a list of which sections and fields should be completed.

PSS-Lite/Investigative Projects:  Sections surrounded by a BOLD OUTLINE must be completed for approval of "Investigative Projects" (a.k.a PSS-Lite).




  1. Project Name and ID



HL7 Privacy and Security Architecture Framework [PSAF]

Project ID: 914

Complete this section for all “Direct to Normative” ballot projects and when a project proceeds from “Informative to Normative” or “STU to Normative”. Forward PSS to the TSC (via ); this triggers American National Standards Institute (ANSI) Project Initiation Notification (PINS) submission.



TSC Notification:  Informative/STU to Normative 

Date:  1/18/19



- or -                     Direct to Normative (no STU) (includes reaffirmations)       


Identify ISO, IEC or ISO/IEC standard to be adopted in text box below

Enter info here if an ISO, IEC or ISO/IEC Standard is to be adopted as an American National Standard; enter the designation of the standard(s)to be adopted.

Includes text from ISO, IEC or ISO/IEC standard: Check here if this standard includes excerpted text from one or more ISO, IEC or ISO/IEC standards, but is not an identical or modified adoption.












Select the unit of measure used in the standard; if no measurements are in the standard, select N/A















Investigative Project (aka PSS-Lite)

Date : 

Check this box when the project is investigative or exploratory in nature, which allows limited project scope definition.  Sections in bold outline are mandatory for project approval of an investigative project; all other sections are optional. Sections 1-Project Name, 2-Sponsoring Group(s)/Project Team, 3a-Project Scope, 3b-Project Need, 3e-Project Objectives/Deliverables/Target Dates, 3i-Project Document Repository, 6b-[Realm, if known], and 6d-[applicable Approval Dates] are required.

Investigative Project specific instructions are highlighted in yellow.

An investigative project must advance in two WGM cycles, requiring a full scope statement.  Otherwise the project will be closed.

  2. Sponsoring Group(s) / Project Team

2.a. Primary Sponsor/Work Group

Primary Sponsor/Work Group
(1 (And Only 1) Allowed)

Security WG

2.b. Co-sponsor Work Group(s)

Co-sponsor Work Group(s)

(Enter co-sponsor approval dates in Section 6.d Project Approval Dates)


Community-Based Care and Privacy (CBCP) Work Group

Indicate the level of involvement that the co-sponsor will have for this project:


Request formal content review prior to ballot


Request periodic project updates. Specify period: 

Monthly during Security WG Calls, at WGMs, etc.


Other Involvement. Specify details here: 


2.c. Project Team

All names should have confirmed their role in the project prior to submission to the TSC.

Project facilitator ( 1 Mandatory )

Mike Davis, Chris Shawn

Other interested parties and their roles


Multi-disciplinary project team (recommended)


Modeling facilitator

Mike Davis, Chris Shawn, Diana Proud-Madruga, Dave Silver

Publishing facilitator

Mike Davis, Kathleen Connor

Vocabulary facilitator

Kathleen Connor

Domain expert rep

John Moehrke, Ioana Singureanu, Alexander Mense, Trish Williams, Suzanne Gonzales-Webb, Bernd Blobel, Diana Proud-Madruga, Ken Salyards, and Jim Kretz

Business requirement analyst

Mike Davis, Kathleen Connor

Conformance facilitator (for IG projects)

Ioana Singureanu

Other facilitators (SOA, etc)

Diana Proud-Madruga



Implementers (2 Mandatory for STU projects)

FHIR Project Note: The implementer requirement will be handled by the “balloting” project.  Therefore work groups do not fill out the above section.  However, feel free to list implementers specific to your work group’s resources if you know of any.

1)  Veterans Health Administration

2)  Substance Abuse Mental Health Administration

  3. Project Definition

3.a. Project Scope

Describe the project; include what is expected to be accomplished/delivered along with specified features and functions. Include whether the deliverables are universal, realm specific or applicable to various realms. Be sure to spell out all acronyms as these are carried forward to the NIB (Notice of Intent to Ballot) for ballot announcements.

Please reference 3.i.Lineage for history related to this updating of the current, approved Security Service Oriented Architecture project 914.

The goal of the HL7 Privacy and Security Architecture Framework [HL7 PSAF] project is to develop a universal realm SAIF compliant Domain Analysis Model, which will be the conceptual information and behavioral foundation for past and future HL7 Privacy and Security artifacts. The Security WG in collaboration with the CBCP WG intends this to be a “living set of standards”, which will evolve over time, to incorporate and provide linkages among the platform independent and platform specific security, privacy, provenance, and trust standards developed by HL7 or by external SDOs which the HL7 PSAF standards reference based on the sufficiency of those standards to cover the requirements addressed by the PSAF standards.


The input for the PSAF:

  • HL7 Composite Security and Privacy Domain Analysis Model R1 DSTU KC – Need Publication request date from Alex


















  • HL7 v2, v3, and FHIR Security and Privacy related vocabularies
  • HL7 Privacy Projects:



3.b. Project Need

This information is required by ANSI for all ballots. Briefly explain the reason behind the need for this project. This may be related to legislative requirements, industry need, or similar justifications.

3.c. Security Risks

Will this project produce executable(s), for example, schemas, transforms, style sheets, executable program, etc.? If so, the project must review and document security risks. Refer to the Cookbook for Security Considerations for additional guidance, including sample spreadsheets that may be used to conduct the security risk assessment.











3.d. External Drivers

Describe any external schedules or calendars which may not be known outside of the project team that are driving target dates for this project. Need for an overarching framework to align and harmonize all the HL7 Privacy and Security standards so that standards developers, policy makers, implementers and other stakeholders understand these specifications’ interrelationships.

3.e. Project Objectives / Deliverables / Target Dates


Target Date

Enter objective/deliverable here.

All planned ballots and their target dates should be included

The example below is a "STU to Normative" path

Enter Target Date

PSAF Volume 1 Trust Framework for Federated Authorization R1

2018 May

PSAF Volume 2 Trust Framework for Federated Authorization Behavioral Model R1

2018 May

PSAF Supplemental Guidance Release

2018 May

PSAF Volume 1, Volume 2, and Guidance Ballot Reconciliation

2018 Sept

PSAF Volume 1, Volume 2, and Guidance Publication Request

2019 Jan

PSAF Volume 3 Provenance informative ballot

2019 Jan

PSAF Volume 3 Provenance ballot reconciliation & NIB

2019 March

PSAF Volume 4 Audit normative ballot reconciliation & NIB

2019 March

PSAF Volume 3 Provenance R1 normative ballot

2019 May

PSAF Volume 4 Audit R1 normative ballot

2019 May

Possible reballot of PSAF Volume 3 & 4 R2 NIB (determined after vote review)

2019 May

PSAF Volume 3 Provenance R1 normative ballot reconciliation

2019 June

PSAF Volume 4 Audit R1 normative ballot reconciliation

2019 June

PSAF Volume 3 & 4 R1 updates & publication request or possible R2 development

2019 August

Possible reballot of PSAF Volume 3 and 4 normative R2

2019 Sept

PSAF Volume 3 & 4 normative R2 reconciliation


PSAF Volume 0 Architecture Framework NIB

2019 Sept

PSAF Volume 0 Architecture Framework development

2019 Dec

PSAF Volume 0 Architecture Framework ballot

2020 Jan




Project End Date (all objectives have been met)

Note:  For PSS-Lite/Investigative Project, End date must be no more than two WGM cycles, e.g. project initiated at January WGM must complete investigation by September WGM.

Enter Project End Date

Sept 2020

3.f.    Common Names / Keywords / Aliases

What common name does your group use to refer to the product(s) produced?  What alternative names, aliases and keywords does your group use to refer to the product(s) that will be produced?  Some examples: C-CDA, LRI, eDOS. 


PSAF [Privacy and Security Architectural Framework] or “Privacy Safe” 

3.g. Lineage

If your project creates a Post-Release 1 version; indicate the name of the prior product and if it is supplanting, replacing or coexisting with a previous release.


The PSAF project is an update to the preceding Security/SOA WGs HSSP project, and seeks to account for the relationships among the HSSP PASS artifacts, which have been migrated to Security WG sponsorship, and the evolving suite of Security and CBCP artifacts in a manner that reflects the HL7 SAIF development methodology where applicable.


Now, several years into the PSAF project with the changes in Security and CBCP WG interest areas, resourcing, emerging technologies and business drivers, both WGs recognize the need to restructure the previous PSS by revising:

  • The project inputs to account for specifications and projects that have been undertaken, and in some cases, completed (PSAF (TF4FA Volumes 1 & 2), Access Control Catalogue, PFL); and the maturing of Security and Privacy FHIR Resources and security/privacy guidance modules since the original PSS was approved; and
  • The deliverables’ scope, naming conventions, and deliverable dates.


3.h. Project Dependencies

Enter any dependencies or the name & Project Insight ID of project(s) that this project is dependent upon to achieve its objectives.  Projects and their Project Insight IDs can be found via


No dependencies. The project deliverables can move forward independently.


3.i.    HL7-Managed Project Document Repository Location

Projects must adhere to the TSC's guidelines (which were approved on 2016-04-04 and summarized in Appendix A).

Enter the SPECIFIC URL of the HL7-MANAGED SITE where supporting project documents, deliverables, ballot reconciliation work and other project information will be kept. A template to create a Project Page on the HL7 Wiki is available at: . to be migrated to Confluence


3.j.    Backwards Compatibility

Are the items being produced by this project backward compatible?
























If you check 'Yes' please indicate the earliest prior release and/or version to which the compatibility applies:



For V3, are you using the current data types? 

(Refer to TSC position statement on new projects using R2B for more information on the current V3 data types)
























If you check 'No' please explain the reason:

The PSAF deliverables are conceptual information and behavioral guidance with guidance.


If desired, enter additional information regarding Backwards Compatibility.

3.k. External Vocabularies

Will this project include/reference external vocabularies?

























If yes, please list the vocabularies:


  4. Products (check all that apply)


Arden Syntax



V2 Messages – Administrative


Clinical Information Modeling Initiative (CIMI)



V2 Messages - Clinical


Clinical Context Object Workgroup (CCOW)



V2 Messages - Departmental


Domain Analysis Model (DAM)



V2 Messages – Infrastructure


Electronic Health Record (EHR) Functional Profile



V3 Domain Information Model (DIM / DMIM)


FHIR Extensions



V3 Documents – Administrative (e.g. SPL)


FHIR Implementation Guide (enter FHIR product version below)



V3 Documents – Clinical (e.g. CDA)


FHIR Profiles (enter FHIR product version below)



V3 Documents - Knowledge


FHIR Resources



V3 Foundation – RIM


Guidance (e.g. Companion Guide, Cookbook, etc)



V3 Foundation – Vocab Domains & Value Sets


Logical Model



V3 Messages - Administrative


New/Modified/HL7 Policy/Procedure/Process



V3 Messages - Clinical


New Product Definition (please define below)



V3 Messages - Departmental


New Product Family (please define below)



V3 Messages - Infrastructure


Non Product Project - (Educ. Marketing, Elec. Services, etc.)



V3 Rules - GELLO


White Paper



V3 Services – Java Services (ITS Work Group)


Creating/Using a tool not listed in the HL7 Tool Inventory



V3 Services – Web Services (SOA)

If you checked New Product Definition or New Product Family, please define below:


For FHIR IGs and FHIR Profiles, what product version(s) will the profiles apply to?

  5. Project Intent (check all that apply)


Create new standard



Supplement to a current standard


Revise current standard (see text box below)



Implementation Guide (IG) will be created/modified


Reaffirmation of a standard



Project is adopting/endorsing an externally developed IG:


New/Modified HL7 Policy/Procedure/Process



Specify external organization in Sec. 6 below;





Externally developed IG is to be (select one):


White Paper (select one):



Adopted  - OR -





Balloted Informative OR


Non-balloted WG White Paper



N/A  (Project not directly related to an HL7 Standard)

If revising a current standard, indicate the following:

-         Name of the standard being revised

-         Date it was published (or request for publication, or ANSI designation date)

-         Rationale for revision

-         The relationship between the new standard and the current standard (is it designed to replace the current standard, a supplement to the current standard, etc.)


Possible deliverables are updates to existing Security WG normative standards, which were reaffirmed Jan 2019 listed as inputs above:




5.a. Ballot Type (check all that apply)


Comment (aka Comment-Only)



Joint Ballot (with other SDOs)





N/A  (project won’t go through ballot)


STU to Normative     - OR -


Normative (no STU)




If necessary, add any additional ballot information here.  If artifacts will be jointly balloted with other SDOs, list the other groups.

5.b. Joint Copyright

Check this box if you will be pursuing a joint copyright.  Note that when this box is checked, a Joint Copyright Letter of Agreement must be submitted to the TSC in order for the PSS to receive TSC approval.

Joint Copyrighted Material will be produced?









  6. Project Logistics

6.a. External Project Collaboration

Include SDOs or other external entities you are collaborating with, including government agencies as well as any industry outreach.  Indicate the nature and status of the Memorandum of Understanding (MOU) if applicable.

For projects that have some of their content already developed:

How much content for this project is already developed?

Indicate % here

75% of definite deliverables and prospective deliverables if updating current normative standards.

Was the content externally developed (Y/N)?  NO

If Yes, list developers

Is this a hosted (externally funded) project? 
(not asking for amount just if funded)













6.b. Realm


Universal     - OR -



Realm Specific




Check here if this standard balloted or was previously approved as realm specific standard


Enter “U.S.” or name of HL7 affiliate(s) here.  Provide explanation/justification of realm selection. For projects producing deliverables applicable to multiple realms, document those details here.

For Investigative projects, indicate if the project is planned to be Realm Specific or Universal, if known. Work Groups are encouraged to designate a project as Universal initially, and to discover which Realms can contribute to the work effort during the discovery phase of the project.  Note: This status is subject to change during the investigative process.

6.c. Stakeholders / Vendors / Providers

This section must be completed for projects containing items expected to be ANSI approved, as it is an ANSI requirement for all ballots








Clinical and Public Health Laboratories




Clinical and Public Health Laboratories


Immunization Registries




Emergency Services


Quality Reporting Agencies




Local and State Departments of Health


Regulatory Agency


Health Care IT


Medical Imaging Service


Standards Development Organizations (SDOs)


Clinical Decision Support Systems


Healthcare Institutions (hospitals, long term care, home care, mental health)






Other (specify in text box below)


Other (specify in text box below)








Other (specify below)









Other:  Indicate other stakeholders, vendors or providers not listed above.


6.d. Project Approval Dates

Approvals are by simple majority vote of the approving body

Sponsoring Work Group Approval Date:

WG Approval Date 2019-01-14



Administrative review – in parallel with Work Group Approval

Co-Sponsor Group Approval Date


List each Co-Sponsor and their

Approval Date 2019-01-14


Family Management Group Approval Date(s)

CIMI Projects: CIMI Management Group

CIMI MG Approval Date CCYY-MM-DD
or “N/A”

CDA Projects: CDA Management Group

CDA MG Approval Date CCYY-MM-DD
or “N/A”

FHIR Projects: FHIR Management Group

FMG Approval Date CCYY-MM-DD
or “N/A”

V2/Publishing Projects: V2 Management Group

V2 MG Approval Date CCYY-MM-DD
or “N/A”

US Realm Projects: US Realm Steering Committee Approval
(Email WG approved PSS to: )

USRSC Approval Date CCYY-MM-DD
or indicate “N/A”

Affiliate Specific Projects: Affiliate Approval Date

Affiliate Approval Date CCYY-MM-DD or indicate “N/A”

Submit PSS to Steering Division after all of the above approvals are received

Steering Division (of Primary Sponsor WG) Approval Date:

SD Approval Date 2019-01-14


Last PBS Metrics Score:







PBS Metrics Reviewed? (required for SD Approval if not green)





ARB and SGB approval may be in parallel

Architectural Review Board Approval Date:

(required for externally developed content)

ARB Approval Date CCYY-MM-DD
or “N/A”

If applicable, TSC has received a Joint Copyright/Distribution Agreement (containing the verbiage outlined within the SOU),
signed by both parties.








Technical Steering Committee Approval Date:
(Email Steering Division approved PSS to: )

TSC Approval Date CCYY-MM-DD