Date: 05 Feb 2020

Quarter: 1 - 4

Minutes Approved as Presented 

This is to approve minutes via general consent. "You have received the minutes. Are there any corrections to the minutes? (pause) Hearing none, if there are no objections, the minutes are approved as printed."


Meeting introduction and status since last WGM.

Discussion items


Security WG Opening Session

John Moehrke

Approval of agenda. Proposed: Trish, Seconded: Dave. 6:0:0

Introductions and updates

John Moehrke: IHE continuing to revise IUA profile (OAuth for RESTful). End goal still not clear but correction of specification errors in mid-goal and this is around the scope. Some challenges in acceptance of this. IHE Connectathon and interest in Audit event. ONC and IHE collaboration to assess HIE guides relative to FHIR - gap identified that the IG does not have a FHIR consent mechanism. Will be proposed as a new work item for consent management in a MHDS environment.

Alexander Zautke (HL7 Germany): FHIR implementation projects started with a vengeance!

Dave Pyke (CBCP): working on TLS 1.3 requirements as there is no common agreement on whether or extensions are sufficiently secure for healthcare HIE. Would welcome discussion on this.

Hide (HL7 Japan, TC215 ISO WG4 Co-Convenor): Defining PKI infrastructure published at ISO.

Alex Mense (HL7 Austria): How to integrate FHIR with the existing CDA architecture is an ongoing question.

Trish Williams (HL7 Australia): Australia working on new Cybersecurity 2020 Strategy (not just for healthcare).

Kumar Satyam (Philips Architect, HL7 India): Upcoming digital health privacy act. Data sharing is open and less protected.

HL7 Project status and WGM planned project activities

  • FHIR Security Report out/S&P Considerations - John Moehrke

Sample-IG: John added some considerations that need to be included - guidance to the author on what is appropriate to include in the section and how to go about deriving the security and privacy content for this section (although missing in the version online at present - John to follow up on this).

  • FHIR Connectathon Report Out - John Moehrke

No report. Lisa Nelson: the general care plan area captured consent but details are not known. The Netherlands and Ontario (Canada) are implementing R4.

  • CARIN Digital Identity and Consent
    • What are they doing?
      • Patient data exchange similar to Da Vinci. They have nothing on security as yet as they are concentrating on developing the dataset on patient data exchange (Blue Button 2.0?)
    • How is it (can it be) coordinated with us? Difficulty in establishing connection. The SEC WG is happy for Dave and Kathleen to represent the SEC WG views on security at the moment. Dave/Kathleen will report back at the next meeting.
      • We are co-sponsor, as is CBCP, and we wish to ask for monthly updates - Action: Dave Pyke to initiate. 

Audit events

Audit events in FHIR

  • Change AuditEvent.outcome to CodeableConcept. Change request because HL7 Germany wants to record the specific outcome of the HTTP request as the code/number, not as coded currently.


21 people signed up for the FHIR Security tutorial

Update on security label IG (to be given later in meeting) John Moehrke

Q2

Audit event (continued)

Trish

Completion of AuditEvent change request and proposed disposition on Jira: FHIR-25287

Provenance discussion

John Moehrke:

Jira FHIR outstanding provenance items were reviewed. Many are awaiting FHIR-I or other WGs input before complete resolution.

SMART on FHIR - Overview (if time)
Deferred to Q1 Friday.

Q3

Permissions and consent discussion

Alex

Permissions and consent discussion. Use cases for situations where explicit consent is not needed but permission to use data based on another reason (e.g. regulations) has to be recorded or transmitted.

Discussion around possible new resource “permission” as a different concept to "Consent" to express specific permission for handling data under specific situations (regulation, etc.)

Needs to be linked to specific data or specific groups of resources. Discussion of whether using “Compartment” might do it. The eventual proposal is to use GraphDefinition as a more general concept. This must include residual rules. This will be leveraging HCS and GraphDefinition.

Started to draft the new resource - John initiating.

Q4

FHIR Security Preview - John Moehrke

Trish

The WG members reviewed the slides created by John for the FHIR Security and Privacy Tutorial to see where they could be shortened.

