This wiki has undergone a migration to Confluence found Here
Difference between revisions of "October 17, 2017 Security Conference Call"
Jump to navigation
Jump to search
(→Agenda) |
|||
| Line 53: | Line 53: | ||
=='''Meeting Materials'''== | =='''Meeting Materials'''== | ||
| + | FHIR Security CR 14028 | ||
| + | *Accounting of Disclousres | ||
| + | *Specific example of a Privacy report that is HIPAA specific, but the concept is applicable in similar forms | ||
| + | *There is some POLICY that drives a subset of all Access/Use/Disclosures to be explained to the patient. | ||
| + | *Who, What, Where, When, Reason, Purpose | ||
| + | *Produces some form of report to be delivered to the patient to explain all the disclosures | ||
| + | *Unlikely to be a structured report, but the structured report could be CSV (or AuditEvent) | ||
| + | *Other regulatory examples: Access Log (all accesses regardless of if they qualified under TPO) | ||
| + | *Would capture all potential disclosures in the AuditEvent audit log, and filter to select the reportable disclosures | ||
| + | *Leverage AuditEvent database. Other audit log data may additionally be added but are outside the scope of FHIR. | ||
| + | *Focus only on Accounting of Disclosures where the disclosure is detected and recorded using an electronic reporting sytem (Not including disclosues undetected or unknown) | ||
| + | *Would include paper/fax/mail disclosures provided there is some supervisory system that detects the export | ||
| + | *Would not include paper/fax/mail disclosures that happen outside of a workflow managed or detected by technology | ||
| + | *HOW | ||
| + | *Given that AuditEvent includes comprehensive evidence of all access/use/disclosure, then: | ||
| + | *Filtering of the whole AuditEvent may be complex, and would change as regulations change and as workflow patterns change. | ||
| + | *Filter on all AuditEvents where the Patient of interest is the subject/patient element (See patient compartment) | ||
| + | *Workflows may operate on patient data indirectly and thus would not be detected as having touched the patient | ||
| + | *Some resources don't contain a patient/subject element, but are linked to the patient/subject through another object (need explicit example?) | ||
| + | *Some: | ||
| + | *Of all the events returned from a subject search | ||
| + | *Filter out those events that don't need to be included in the Accounting of Disclosures | ||
| + | *Condense multiple events on the same Disclosure event (many audit log entries will happen that are all related to one session) | ||
| + | *Summarize each Disclosure detected | ||
| + | *Who -- | ||
| + | *When -- | ||
| + | *Why -- (OAuth purposeOfUse?) | ||
| + | *What ??? Can we leverage the <any> Resource.text element to explain 'what' data was disclosed? | ||
| + | *AuditEvent.text -- This field may be useful on some types of audit event recording | ||
| + | *De-Duplicate similar events into some description of a number of Disclosures over a period of time | ||
| + | *a PDF can be created with the details from this analysis or possibly a structured/coded form | ||
| + | *REFERENCES | ||
| + | *http://www.hhs.gov/hipaa/for-professionals/faq/246/do-business-associates-have-obligations/index.html From <http://www.hhs.gov/hipaa/for-professionals/faq/right-to-an-accounting-of-disclosures> | ||
| + | *HITECH AoD From <http://www.hipaasurvivalguide.com/hitech-act-13405.php> | ||
| + | |||
=='''Minutes'''== | =='''Minutes'''== | ||
Revision as of 19:22, 17 October 2017
Contents
Attendees
| x | Member Name | x | Member Name | x | Member Name | x | Member Name | |||
|---|---|---|---|---|---|---|---|---|---|---|
| x | John MoehrkeSecurity Co-chair | x | Kathleen ConnorSecurity Co-chair | x | Alexander Mense Security Co-chair | . | Trish WilliamsSecurity Co-chair | |||
| . | Mike Davis | x | Suzanne Gonzales-Webb | x | David Staggs | x | Christopher Shawn | |||
| . | Mohammed Jafari | x | Beth Pumo | . | Ioana Singureanu | . | Rob Horn | |||
| x | Diana Proud-Madruga | . | Serafina Versaggi | . | Joe Lamy | . | Galen Mulrooney | |||
| . | Paul Knapp | . | Grahame Grieve | . | Johnathan Coleman | . | Aaron Seib | |||
| . | Ken Salyards | x | [1] | . | Gary Dickinson | . | Dave Silver | |||
| . | Oliver Lawless | . | Ken Rubin | . | David Tao | . | Nathan Botts |
Agenda
- (3 min) Roll Call, Agenda Approval
- (5 min) Review and Approval of October 3, 2017 Minutesand October 10, 2017 minutes.
- (5 min) Is Privacy Obsolete? Study Group wiki page with IOP? Listserve link. Update on project - Mike Davis and Chris Shawn
- (5 min) Update on Security WG Bulk Data Transfer Comments submission - John Moehrke
- (30 min) Review and draft Security WG comments on PAC comment guidelines and highlighted ISA items related to Security and CBCP Scope
- (15 min) FHIR Security call - John is at IHE so no call this afternoon. Kathleen to review draft CR 14028 for Accounting of Disclosure using FHIR AuditEvent.
Meeting Materials
FHIR Security CR 14028
- Accounting of Disclousres
- Specific example of a Privacy report that is HIPAA specific, but the concept is applicable in similar forms
- There is some POLICY that drives a subset of all Access/Use/Disclosures to be explained to the patient.
- Who, What, Where, When, Reason, Purpose
- Produces some form of report to be delivered to the patient to explain all the disclosures
- Unlikely to be a structured report, but the structured report could be CSV (or AuditEvent)
- Other regulatory examples: Access Log (all accesses regardless of if they qualified under TPO)
- Would capture all potential disclosures in the AuditEvent audit log, and filter to select the reportable disclosures
- Leverage AuditEvent database. Other audit log data may additionally be added but are outside the scope of FHIR.
- Focus only on Accounting of Disclosures where the disclosure is detected and recorded using an electronic reporting sytem (Not including disclosues undetected or unknown)
- Would include paper/fax/mail disclosures provided there is some supervisory system that detects the export
- Would not include paper/fax/mail disclosures that happen outside of a workflow managed or detected by technology
- HOW
- Given that AuditEvent includes comprehensive evidence of all access/use/disclosure, then:
- Filtering of the whole AuditEvent may be complex, and would change as regulations change and as workflow patterns change.
- Filter on all AuditEvents where the Patient of interest is the subject/patient element (See patient compartment)
- Workflows may operate on patient data indirectly and thus would not be detected as having touched the patient
- Some resources don't contain a patient/subject element, but are linked to the patient/subject through another object (need explicit example?)
- Some:
- Of all the events returned from a subject search
- Filter out those events that don't need to be included in the Accounting of Disclosures
- Condense multiple events on the same Disclosure event (many audit log entries will happen that are all related to one session)
- Summarize each Disclosure detected
- Who --
- When --
- Why -- (OAuth purposeOfUse?)
- What ??? Can we leverage the <any> Resource.text element to explain 'what' data was disclosed?
- AuditEvent.text -- This field may be useful on some types of audit event recording
- De-Duplicate similar events into some description of a number of Disclosures over a period of time
- a PDF can be created with the details from this analysis or possibly a structured/coded form
- REFERENCES
- http://www.hhs.gov/hipaa/for-professionals/faq/246/do-business-associates-have-obligations/index.html From <http://www.hhs.gov/hipaa/for-professionals/faq/right-to-an-accounting-of-disclosures>
- HITECH AoD From <http://www.hipaasurvivalguide.com/hitech-act-13405.php>
