CBCC October 2015 Working Group Meeting - Atlanta Georgia USA DRAFT

Back to CBCC Main Page

Meeting Information

October 2015 CBCC Working Group Meeting - Atlanta, GA 29th Annual Plenary & Working Group Meeting Agenda

Attendees

MONDAY

Q3 Joint Security/CBCC

text to be added

Q4 Joint Security/CBCC

text to be added

TUESDAY

Q2 CBCC

text to be added

Q3 CBCC

text to be added

Q4 CBCC

text to be added

WEDNESDAY

Q1 Joint EHR Hosting Security/CBCC/FHIR

text to be added

Q2 CBCC

text to be added

Q3 CBCC

text to be added

Q4 CBCC

text to be added

THURSDAY

Q1 Joint Security/CBCC/FHIR

text to be added

Joint CBCC/Security 2015 Formatting notwithstanding, WGM meeting minutes approved at November 24, 2015 CBCC Teleconference MONDAY Q3 RBAC Re-affirmation • Security would like to know if CBCC is interested in co-sponsoring • RBAC standard ‘expires’ in February 2015 • Will be adding SLS vocabulary “ABAC” piece • Change name from RBAC Permission Catalog to Security and Privacy Access Control Catalog o Adding a table • Relationship is association, with SAMHSA o VA is putting together some papers  See: Relationship-Based Access Control (ReBAC) Model • Used as a tool for AC – o Hinder inadvertent disclosures of data o fine grained control of those resources o may be useful for mobile devices (where patients are controlling servers o an application of an AC model where a PIP (involved in the decision of information) is the relationships managed in the social, will fall nicely into the general purpose AC model o Supports poly-relationships, distinguishable order of relationships (i.e. child-parent vs parent-child…) o captures contextual nature; can differentiate between Dr. Bob (or Mary MD in case #1 vs Dr. Bob as consulting physician in case #2 o allows users to define AC preferences, how resources should be exposed • In an AC area – concern is the unintended impact of information (papers, standards) that this is the only way, the only solution that this structure satisfies. Using a social networking concept to create relationships as to whether you have access or not to data. I.e. Dropbox – because you have data here you are part and have access to that data. • Note that the paper is a research, has citations and is not selling anything.  Modeling relationships in XACML (white paper)

International report ISO 215 report is not ready (since Paris 2015 meeting (per Hideo) next meeting will be held in Switzerland Demonstration: Duane Previous release on the FHIR side, it has been updated • Changes in search parameters (as opposed to changing the existing client, updated test scripts to demo audit event ONC-VA-Privacy on FHIR o Audit event : create patient o Audit event: read patient o Audit event: update patient • Will create an audit event of each of event Duane did look at Provenance • Clearer definition is needed as to when it makes sense, to ….. Cases where the native resource doesn’t already contain enough elements to explain who created the data. o You are not going to revise the native elements (but you will want to state why you made any changes) Review of resource AuditEvent – Examples (via FHIR DSTU2 website) • The DICOM has very specific elements for what you need to record (for imagining things), authentication events • Healthcare audit o RFC 3881 no longer exits – depreciated by ITF o IG, ISO 27789 and second DICOM all refer to the normative Paul: has never seen a ‘human’ in an audit event… good to keep examples as is, but may want to review—they are great for the examples but not necessarily the Proof of concept (and possibly bloat the code – per JMoehrke) Mill Valley Hospital VA hospital (server VA covered person going to a MV hospital and services are being billed back to VA hospital • The insurer is the VA hospital “broken arm” – related bills for injury… • See rate, bill send to VA • Shows in VA that 80% of claims were billed • Show claim transaction, details required to code the claim w ‘real time claims processing’ Next screen • Claim number in code • Audit event (number) CRxxxxx In and out events for each of the processes shown UB – uniform billing Kathleen <<add use case example>> - she is working on it

MaryKay making sure all the codes for the US are actually out there (when using VA examples); MK questions: we get and formulate claims in one batch. Which events are we talking about…? ‘We got the file’ (we have to monitor and save); ‘we change formats and validate or kick stuff back.’ Do you break that into every claim that is in every bucket, since every claim needs to be accepted or rejects. How do you know which is the beginning or end of the batch. • Event: receiving of the batch • May choose to break up the batch

Tuesday Q1 – in Security, no notes taken Q2 – Q3 – Are you going to wait for 21st century CURES (in regard to the Patient Choice ONC project which Jonathan) also says you do not consent for research because it belongs operations, does not exceed Tittle 38. Patient choice - just starting an ONC project, looks at piloting/testing different ways for patient choice (opt in/opt out) for various things, sharing. CPO is okay with this--- sharing, granular sharing. Does this except TPO, more about implementing patient generated health data (as an example) If you choose opt in, your state can do A If you choose opt out, your state can do both

Data Provenance Want to see how when records/charts are complete when moving through the episodes of care (AHIMA) would like to know even more about it and work into use case.

Get approval for publication as a DSTU post reconciliation. If we make this a joint meeting, we can make a motion and vote to move forward to publish.

Add updates to agenda on the current status of the pilots within the data provenance initiatives. If time permits after we’ve had vote an ONC S&I update will be given. Review of final products HL7 CDA R2 Implementation Guide Data Provenance, Release 1 – US Realm DSTU Oct 2015 <<ADD LINK, Document>> CDAR2_IG_DATAPROV_R1_DSTU_OCT2015 Each trading parting had the ability to persist provenance information. This way each partner gets the information data that they want without additional use cases. In order to ensure each trading partner can either persist or generate the information or say we do not collect. • Broken into 5 types of documents, 4 sections. • Entries can i.e. assembler generated document w/provenance (see document) • CDA request an author but you can say that the author is N/A and continue with the scoping organization and name the particular system which will give you information about the algorithm. The document can have different degrees with sections and from there you can pull the provenance. • This was built as a constraint on DS4P which is built on top of CDA o US Realm IG that would be conformant with the general header • Includes requirement for an authenticator (for accountability) • Has privacy consent so that you can be more expressive on the content DS4P has the mechanism for Provenance Privacy Marking Clinical Statement Templates: • Provenance Metadata allows a couple of things; if you have one entry and relate it to another entry (this capability is already available in CDA); if you want to say more i.e. who did it, you can use the data provenance as a hub, and you can use this and relate to external objects. • Label choice picks up HCS and determine there was some type of alteration or signature…whether I was asserted by roles or a list of roles (i.e. patient asserted that the provider added something.) “We consider this to be reliable…high reliable, etc.” The remaining is fine grained labels. Johnathan would like to call this forward to move forward to publication (Ioana / Trish) In Favor: objections none, abstentions: 1 Harry; 12 approve (Johnathan chair)

Johnathan presentation PPT) Likely to see more ONC projects and less S&I projects Pilot/Project selection process: Johnathan does not have an answer; just because there was a priority for the agency it was not necessarily a priority for the nation priority. It was suggested that ONC work on/take on projects that are a national priority. If projects do not align with the ….. 35:10

S&I Portfolio Snapshot • Showing active Initiatives • Community-Led or other agency-led initiatives • Inactive or Closed Initiatives (where S&I portions are complete and i.e. HL7 has taken over •

This is an evolving process, show me the work Requirements are not a technical specification, but are the desired and they become the guiding scope requirements for the pilots. There is a way of evaluating the pilots You have vendor with a really good solution, how do you prevent vendor preponderance? There will be a mechanism to evaluate the pilots against what they set out to do. ONC will make recommendations to HL7 for adoption to a national standard. So if you have resources to run pilots you are in, otherwise you’re out? (Mike) This solution is fixing in a different direction that might be efficient (JMoehrke) This is an evolving solution This is for people who are willing to prototype but not be able to put into production. So prototype wins but the community is unable to use. S&I sponsored pilots are still going to be done to S&I process. Open call, no fees, this side is unchanged. One of the things to attract pilots is because the community of expertise. Helps the attendees understand the … the need for the process is still sensitive to the resources availability. The sections of the projects are what initiatives we are going to have. Then selection within that space is being handled different. In eLTSS this is funding distributed to the states What problem are you trying to solve? The feedback from the SDO community was taking resources from SDO”s because we were developing…. That Data Access Framework (DAF) Phase 3 launched September 9th, 2015 enabling the Approach: Phase 1, phase 2, phase 3 Policy Consideration

DAF FHIR IG, DAF Document Metadata IG was just published

eLTSS is an active Initiative; bringing the care plan to the patient in the home. There is related work in HL7, presented at the Steering which suggested that this be a CBCC project. (see slide for initiative summary); TEFT • No standards have yet been identified. Want to keep HL in the loop and see if any other WG want to participate • Chat of FHIR that deals with the cross-community. There is plenty of work to bring this together (per JMoehrke) • It is suggested that CBCC and Patient care. And FHIR o Use case is social services dealing with NIEM. (per Kathleen); Johnathan does not know if this is NIEM based. But Kathleen believes this is a way to bridge this with FHIR… but much what they are looking at is paper-based and mobile. • Would this also include care plan…? Patient care plans See eltss workgroup: wiki: google search

Tuesday – Q4 Ballot Resolution BH_DAM FDA Comments: VOTE: Approve: 4, no abstentions, no objections

Review face-to-face resolutions as requested w Lisa Nelsons

MOTION: move to approve the ballot reconciliation comments for Lantana (Lisa Nelson) Approve: 4, no abstentions, no objections

WEDNESDAY Q1 – Review of W5 work to date (Friday Calls) – Gary Dickerson Provenance vs AuditEvent resources Separation of provenance and AuditEvent is sub-optimal - Prefer a single resource with clearly differentiated intent and outcome section

Provenance Design • The proximal focus of the provenance event is the creation of a version of a resource • - provenance when resource……… (see slide deck) • May have the design wrong in not catering for clarity in the separation of record and real even provenance W5 recommendations (FHIR W5 Report • Differential intent and in Provenance outcome section • Establish W5 elements in • - audit event as a base set then

• Ensure W5 synchrony at same Action Instant (point in time)?

o As captured in FHIR instance o Synchronous snapshot to ensure we can actually track  Who did What, When, Where and Whys

When should the work be completed; should this be a security project? • The work can be done under the provenance, audit umbrella • Gary will be happy to participate during the course of this work

Late Today meeting – update to alternating agenda add agenda FHIM/ W5 Lifecycle alternating weeks

Diana Warner; CBCC, Security Works, EHR, Reed

• Encourage high degree of consistency of W5 element

Update to the Record Lifecycle, Security Privacy and provenance Vocabulary alignment

How to access the Wiki site: EHR Interoperability WG > Record Lifecycle, Provenance and Vocabulary Alignment (link posted) will take you to the sites