Chair: @Kathleen Connor

Scribe: @Suzanne Gonzales-Webb 

Weekly calls Tuesdays 3PM ET

Zoom Client Download

Meeting ID: 675 407 5337

Phone Number: +1 929-436-2866
Participant Passcode: 675 407 5337

Zoom Tip Sheet


Agenda Topics

Agenda Overview
  • Minutes
  • FHIR Security
  • FHIR DS4P IG - Ballot Reconciliation
  • Cross Paradigm US Security Labeling IG
  • HL7 Privacy and Security Information Model PSS
  • Infrastructure SD
  • Share with Protections White Paper Project
  • CARIN Blue Button Report Out
  • HL7 Policy Advisory Committee (PAC)
  • Chat notes

Minutes Approval

Approve Meeting Minutes: 2020-07-28 Security WG Agenda/Minutes

Motion to Approve  7/28/2020 WG call

Moved/Second: Suzanne / Mike

Vote - Approve/Abstain/Oppose: 5 / 2 / 0

FHIR Security

2020-08-03 FHIR-Security Meeting - Discussed clarifying that Provenance.agent.type is a functional role and agent.role is a structural role per ISO. See Structural/Functional Role background.

ISO 21298:2017  “Health informatics – Functional and structural roles” and ISO 22600-2:2014 Appendix A Structural and Functional Roles.

See Structural and Functional Roles - Background

Created 2 tickets:

  • Clarify agent.type (i.e. what the agent is doing functionally, tied to the workflow context) vs agent.role
  • Structural role value set should not have functional role codes in it
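As an added illustration of the distinction behind these two tickets (example code written here, not code from the page, from HL7 or from the FHIR specification), the following Python checker reads a FHIR R4 Provenance resource and flags any agent whose agent.role carries a functional-role code where a structural role is expected. The two code lists are partial subsets of the provenance-participant-type and v3 RoleClass code systems (an assumption for this example, not the full value sets), and the sample resource is constructed.

```python
"""Check FHIR R4 Provenance.agent coding against the functional/structural role split.

Added example, not from the HL7 Security WG page. The two code lists below are
illustrative subsets (an assumption for this example), not the full value sets:
  - functional roles: provenance-participant-type (what the agent did in this workflow)
  - structural roles: v3 RoleClass (what the agent is, independent of the workflow)
"""
from dataclasses import dataclass
import json

FUNCTIONAL_SYSTEM = "http://terminology.hl7.org/CodeSystem/provenance-participant-type"
STRUCTURAL_SYSTEM = "http://terminology.hl7.org/CodeSystem/v3-RoleClass"

# Subset of provenance-participant-type codes (functional roles). Assumption: partial list.
FUNCTIONAL_CODES = {"enterer", "performer", "author", "verifier", "attester", "custodian"}
# Subset of v3 RoleClass codes (structural roles). Assumption: partial list.
STRUCTURAL_CODES = {"PROV", "PAT", "EMP", "GUARD", "AGNT"}


@dataclass(frozen=True)
class Finding:
    agent_index: int
    element: str   # "type" or "role"
    code: str
    problem: str


def _codings(codeable_concept):
    """Return the coding list of a CodeableConcept (empty if absent)."""
    return codeable_concept.get("coding", []) if codeable_concept else []


def check_agent(index, agent):
    """Validate one Provenance.agent: type must be functional, role must be structural."""
    findings = []
    for c in _codings(agent.get("type")):
        code = c.get("code", "")
        if c.get("system") != FUNCTIONAL_SYSTEM or code not in FUNCTIONAL_CODES:
            findings.append(Finding(index, "type", code, "agent.type must be a functional role"))
    for cc in agent.get("role", []):
        for c in _codings(cc):
            code = c.get("code", "")
            if c.get("system") == FUNCTIONAL_SYSTEM or code in FUNCTIONAL_CODES:
                # This is exactly the mix-up the second ticket is about.
                findings.append(Finding(index, "role", code,
                                        "functional role code used in agent.role (structural role expected)"))
            elif c.get("system") != STRUCTURAL_SYSTEM or code not in STRUCTURAL_CODES:
                findings.append(Finding(index, "role", code, "agent.role code not in structural role set"))
    return findings


def check_provenance(resource):
    """Run check_agent over every agent of a Provenance resource and return all findings."""
    if resource.get("resourceType") != "Provenance":
        raise ValueError("expected a Provenance resource")
    findings = []
    for i, agent in enumerate(resource.get("agent", [])):
        findings.extend(check_agent(i, agent))
    return findings


# Constructed sample: agent 0 is coded correctly; agent 1 puts the functional code
# "author" into agent.role, which the checker must report.
SAMPLE_PROVENANCE = json.loads("""
{ "resourceType": "Provenance",
  "target": [{"reference": "Observation/example"}],
  "recorded": "2020-08-04T15:00:00Z",
  "agent": [
    { "type": {"coding": [{"system": "%s", "code": "author"}]},
      "role": [{"coding": [{"system": "%s", "code": "PROV"}]}],
      "who": {"reference": "Practitioner/example"} },
    { "type": {"coding": [{"system": "%s", "code": "enterer"}]},
      "role": [{"coding": [{"system": "%s", "code": "author"}]}],
      "who": {"reference": "Practitioner/example-2"} }
  ] }
""" % (FUNCTIONAL_SYSTEM, STRUCTURAL_SYSTEM, FUNCTIONAL_SYSTEM, FUNCTIONAL_SYSTEM))

if __name__ == "__main__":
    for f in check_provenance(SAMPLE_PROVENANCE):
        print(f"agent[{f.agent_index}].{f.element} '{f.code}': {f.problem}")
```

Run against the constructed sample, the checker reports only agent[1].role 'author'; the same check can be pointed at a value set expansion to catch the functional codes that the second ticket says should not be in the structural role value set.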

ONC News

ONC Supporting Health IT for the Pediatric Care Continuum

ONC Health IT for Pediatric Care and Practice Settings

ONC Pediatric Developer Informational Resource

Learn More About Pediatric Care and Health IT

Webinar Recording: ONC hosted a question and answer session on health IT for pediatric care and settings on June 24, 2020.

Pediatric Health IT in the ONC Cures Rule: In the ONC Cures Act final rule, we outlined our approach to identifying recommendations for the voluntary certification of health IT to support the healthcare of children.

Care Continuum Tip Sheet: This tip sheet briefly outlines our scalable, repeatable approach to help enable collaborative efforts between the healthcare and health IT communities aimed at improving the effectiveness of health IT solutions targeting clinical priorities identified by stakeholders.

Pediatric Health IT Technical Analysis: In preparation for the Cures Act proposed rule, ONC sought input from a wide range of stakeholders and conducted an analysis of technical components and standards within the certification program to support voluntary certification of health IT for pediatric care

HIMSS Granular Segmentation of Privacy to Promote Interoperability meets the first Tuesday of each month at 11 am ET (see dial-in info).

ONC Tech Forum

ONC Tech Forum Agenda  - John Moehrke and Luis Maas are session leads

ONC Tech Forum Registration

ONC Pediatric Developer Informational Resource page 43

Recommendation 4: Segmented Access to Information

This recommendation addresses the need for privacy of certain services by segmenting information and providing access to specific segments of the record to specific users. If this recommendation is not accomplished, disparities in care may result when information cannot be appropriately protected.

For example, adolescents may be allowed by law or practice to sequester access to information, such as sexual and behavioral health history in their health record. Some jurisdictions require sequestering a child’s record of sexual history or abuse. Sequestering patient-selected information from parental, billing, or insurance communications may be required to protect an adolescent or pediatric patient’s privacy.

This recommendation aligns with the following 2015 Edition Certification Criteria:

  • Transitions of Care
  • Security Tags – Summary of Care – Send*
  • Security Tags – Summary of Care – Receive*
  • Standardized API for Patient and Population Services*

* See the 21st Century Cures Act Final Rule and ONC guidance for information on effective dates, sunset dates, and other information on the certification criteria impacted by the 2015 Edition Cures Update.

Privacy & Security  Logical Model

Bernd Blobel will be attending/speaking at the meeting this week. As he is the author of ISO 22600 (as well as the overarching 23903 and 21298), we have the opportunity to get an overview of Composite Policy directly from him.

See 2020-08-05 Privacy and Security Logical Model

Calls are on Wednesdays 1 - 2 ET

Meeting ID: 675 407 5337

Phone Number: +1 929-436-2866
Participant Passcode: 675 407 5337

HL7 Privacy and Security Information Model PSS

Information model update: The new information model will consolidate and harmonize security models across HL7 standards (Access Control, Audit, TF4FA etc.) and (incomplete) updates from FHIM (Consolidated unresolved models). Also included are direct mappings to Access Control, Audit and Authentication (e.g. Class models)  mapped to Access Control services.

ISD PSS approved 7/7

TSC PSS approval before August 23, 2020

September WGM Prep

Planning is underway - See 202009 September Virtual Security WGM

We need to decide how many sessions and time slots.

September Connectathon planning is also underway.

Instead of the usual request for meeting room space, this email is asking Co-Chairs to submit the days/times that they’ll meet based on 2-hour time slots via a Doodle Poll. The deadline to submit this information is Friday, August 7th.

Planning on hosting a Joint session? 
Joint meetings require a bit more planning. 

First, we want to be able to communicate the focus of joint meetings, so we’d like you to add the discussion topic to your Doodle entry as explained below.  Also, if possible, schedule them at 10am or 4pm ET.

The HOSTING Work Group Co-Chair(s) own the task of requesting the time in the Doodle poll. Hence, the Co-Chairs of the HOST Work Group should reach out to the Co-Chairs of the joining Work Group(s) and determine when they’ll all meet. Once that’s determined, the Co-Chairs of the HOST Work Group will add a separate entry into the Doodle Poll FOR EACH UNIQUE JOINT MEETING that they’ll host, indicating the Work Groups that are joining and the focus of the joint meeting.


Vocab HOSTING: FHIR-I, MnM Topic: FHIR in the V3 World



FHIR DS4P IG - Ballot Reconciliation

Review and approve FHIR DS4P IG Out-of-cycle ballot request for 10/20 opening date.

Review Reconciliation Spreadsheets and JIRA Ballot Recon

Approval of the reconciliation was missed prior to the July 5th NIB due date for the September ballot (Security WG Admin).

Ballot results:

Quorum met - 107 voters, FHIR DS4P IG Ballot Passed

  • Affirmative - 26
  • Negative - 13
  • Abstain - 35

Negatives - missing definitions, which is the result of tooling errors we need to fix, and a general misunderstanding that the FHIR DS4P IG is the basis for profiles for policy specific security label IGs much like the CDA DS4P IG is.  Only the profiles are implementable.

Spreadsheet


Upcoming deadlines:

  • NIB Deadline for submission - ???, 2020
  • FHIR IG must be substantively complete - ???, 2020
  • FHIR IG must be complete and handed over to sponsoring WG for QA review - ???
  • QA review cycle - ???
  • Content QA Change application - ???
  • Final content to Lynn for inclusion in Oct Out-of-cycle ballot ???
  • Submit Ballot Readiness Checklist - before ???

If you have any questions about these dates or the process, you can check out the FHIR IG Process Flow on Confluence.


Cross-Paradigm US Regulatory Security Labeling IG

CUI Program Blog: NARA is promoting NIEM 5.0 Beta as the national healthcare standard for conveying CUI.

CUI Metadata standard available for review

July 2, 2020, posted in General updates, Marking & examples, News

The CUI Executive Agent has been working with the CUI Advisory Council and the National Information Exchange Model (NIEM) to develop a metadata standard for CUI categories and limited dissemination controls.  NIEM is a common vocabulary that enables efficient information exchange across diverse public and private organizations.


  • Draft SP 800-172 (formerly Draft NIST SP 800-171B) is out for Public Comment
  • CUI Metadata standard available for review
  • CUI Marking Class (Webex)

FHIR US Regulatory Security Labels Continuous Build - No update in the build

GitHub repo for the source material: 

John and Mohammad are committers.

US Regulatory Security Label Example Sandbox

Security Labeling Parking Lot

US Regulatory Security Label examples were included in the FHIR DS4P IG.  These will be the starter set for the FHIR US Regulatory Security Label IG

Infrastructure SD

No updates.

Share with Protections White Paper Project

Walk-through of the Share with Protections White Paper; please note the new section added toward the end of the document.

NIB approved and submitted. Document submitted after updates correcting misspellings in figures.

Note: error in ballot listing was 'sharing with protections' but has now been corrected to read 'share with protections'

Motion to Approve SwP submission for Sept Ballot

2020-06-23 Minutes


Submitted for Ballot

CARIN Blue Button Report Out

Nothing to report.

Security is a cosponsor of CARIN Blue Button IG. Calls Monday Mar 2, 2020 - 02:30 PM (Eastern Time, GMT -05) or Dial: 1 646 876 9923 // Meeting ID: 461 256 971

HL7 Policy Advisory Committee (PAC)

PAC's draft HL7 responses to Artificial Intelligence survey from NIST gave good coverage of Privacy/Consent/Security/Integrity/Trustworthiness/Provenance.  Several excerpts below:

Governance of AI-enabled systems should respect agreed principles, and in areas such as:

  • Privacy. AI systems should respect individual privacy and enable safe, effective health care that requires the use of personal data;
  • Accountability. AI systems should be auditable, and their impacts should be appropriately identified and distributed, with mutually agreed remedies as needed;
  • Safety. AI systems should be safe, performing only as intended;
  • Security. AI systems should be secure from compromise by unauthorized parties;
  • Transparency and Explainability. Design and implementation of AI systems should enable transparent operations that provide information about where, when, how, and for what purposes they are being used;
  • Fairness and Non-discrimination. AI systems should have mechanisms to address concerns about bias in their data or results, for fairness and inclusivity;
  • Human Control of Technology. Final decisions should remain subject to human review;
  • Professional Responsibility. Individuals who develop or deploy AI systems should involve appropriate stakeholders and consider long-term effects or unintended consequences; and
  • Effectiveness. The degree to which an AI-enabled system achieves its intended outcome should be measured and managed.

In addition, HL7’s Patient Engagement Work Group points to some helpful transparency practices and evolving AI policy perspectives as detailed in:

Question 4. Data integrity, data reliability, and data validity of AI-enabled systems: What characteristics related to data quality are important for standardization of AI-enabled systems, and for what purposes?

  • Controls and Provenance
  • New API standards require both provenance watermarks and e-signatures that are starting to help protect data from tampering – or flagging them when tampering is suspected
  • Visualization and reporting tools could help provide a manual check
  • Data should be managed in a secure data system with appropriate access controls
  • Data sources should be labeled with classification parameters (e.g. confidentiality or usage restrictions)
  • Data should be provided using secure delivery or access methods (e.g., S-FTP, TLS, OAuth)

Notes from CHAT

Meeting Adjournment

No additional agenda items brought forward

Meeting adjourned at 12:30 Arizona time

Meeting recording: 



Attendees:

  • Adam Wong, adam.wong@hhs.gov, HHS
  • HL7 Austria
  • Amol Vyas, amol.vyas@cambiahealth.com, Cambia Health
  • Wave One
  • Celine Lefebvre, AMA
  • Clara Y. Ren, Electronic Health Records Modernization (FEHRM) Office
  • Chris Shawn, Co-Chair
  • Dave Silver, Electrosoft
  • Ready Computing
  • David Staggs, drs@securityrs.com, SRS
  • Debra Simmons, debrasimmons@
  • Heather McComas, AMA
  • Jeff Helman
  • Jerry Goodnough
  • Jim Kamper, Altarum
  • Federal Electronic Health Records Modernization (FEHRM) Office
  • John Davis (Mike)
  • John Moehrke, Co-Chair
  • Julie Chan, jchan@cwglobalconsult.com, CWGlobal
  • Kathleen Connor, Co-Chair
  • VA (Book Zurman)
  • Laura Bright
  • Laura Hoffman, laura.hoffman@ama-assn.org, AMA
  • Lloyd McKenzie
  • Lorraine Constable
  • EMR Direct
  • Matthew Reid, matt.reid@ama-assn.org, AMA
  • VA (Book Zurman)
  • Patient Centric Solutions
  • PJM Consulting
  • Trustworthy EHR
  • Ricky Sahu
  • 1up Health
  • Robert Dieterle
  • Russ Ott, rott@deloitte.com, Deloitte
  • Saul Kravitz, saul@mitre.org, MITRE
  • Serafina Versaggi
  • Stephen MacVicar, smacvicar@mitre.org, MITRE
  • VA (Book Zurman)
  • Tom Hicke
  • Flinders University
  • Vicki Giatzikis, vig9034@nyp.org, NYP