
November 23, 2010 CBCC Conference Call

From HL7Wiki

Community-Based Collaborative Care Working Group Meeting


Attendees

Agenda

  1. (05 min) Roll call, approve minutes November 16th, call for additional agenda items & accept agenda
  2. (55 min) Continue review of the Draft Semantic Health Information Performance and Privacy Standard Project Scope Statement Updated 11/16/2010

Minutes

1. Action Items

  • Complete - Walter Suarez shared the NCVHS Letter of Recommendations Regarding Sensitive Health Information mentioned when the concept of "data segmentation" was first raised in the context of the SHIPPS project during the Nov. 2nd CBCC WG Meeting.
    • In this letter, recently posted on the HHS website, NCVHS defines the categories of sensitive health information recommended for use by HHS as a basis for research, technical development, pilot testing, and potential future demonstration projects
  • Serafina to circulate CBCC scope statement to selected HL7 WGs to gauge level of interest and to solicit participation in the SHIPPS project. Approach:
    • Circulate to WGs (Security, PHER, SD, EHR) and to Dr. Floyd Eisenberg (NQF) and Walter Suarez (KP/NCVHS)
    • Comments to CBCC list welcomed
    • Continue discussion next week

2. Resolution

November 16, 2010 minutes approved

Motion: CBCC approves to circulate the scope statement to other potential interested parties. Vote: 7/0/0

3. Updates/Discussion

In discussing the intersection between privacy, performance and the SHIPPS project, we are looking at the way clinical and other related data are captured in the electronic record. Other related support data includes, e.g., privacy data, treatment process monitoring data, and all public health and safety issues data. As much as possible, we need to have reusability of the information that is in the record. These support areas have separate reporting activities that require effort not normally part of clinical service delivery. This means time savings, cost savings and quality of information need to be looked at; for example, any time we have a separate reporting process from the clinical process, there is a chance the meaning of the data will be distorted.

4.a. Project Scope

Summary from Security

Tony – Rob McClure was concerned with the use of the word ‘segmentation’ in the CBCC meeting notes from last week

  • amenable to using segmentation as a verb e.g. an activity to identify information of interest for segregation
  • staying clear of using segmentation as a noun to suggest portions of the patient record are actually separated out in some persistent way for privacy or other purposes

Richard – e.g. separate out substance abuse data before my record is forwarded

Tony – filter out or a masking action opposed to moving aside or moving the data into a special area

Ioana – These are implementation details e.g. how to accomplish that which may be exchanged vs not exchanged is outside the scope of SHIPPS

Jon – segmentation defined too narrowly to tagging data to delineate the segment

Ioana – Using the word ‘tagging’ data implies implementation. We don’t want implementation to lead, focus on requirements

Jon – That is Rob’s point

Ioana – How we do it is a different issue – this is implementation

Jon – Question – Will the structure and encoding be in content or expressed in the consent themselves

Ioana – The consent will refer to the diagnosis of substance abuse and the data has to be able to trace back to diagnosis to substance abuse. Based on current policy if I express a reasonable consent, how will it be done in automated way - what sort of data do you need to be able to store in your EHR system to be able to automatically tease out which record is substance abuse related and which one is not.

Jon – I think this is what Rob was objecting to e.g. deciding what you have to store in the EHR system but not the data

Ioana – You have to store all the data, the question is what data can be exchanged. For records management you will store all the data you are producing, the question is when you disclose data most of the privacy policies kick in. For example if the patient meets certain criteria and the data happens to be substance abuse related consent is required

  • We have to store all the data, the question is what information needs to be exchanged?
  • We need to guide implementations through best practices
  • We could consider maturity levels – MITA does this effectively

Richard – Security framework – what is the relationship between security and privacy. Security is responsible for enforcing privacy at implementation. There is a level of access control service that enables the appropriate exchange of information and potential sharing of information within an enterprise. Access control includes exchange and what is going on within the enterprise.

John – There do not have to be security artifacts or privacy formalism in the security models

Jon – Based on Ioana’s clarification of segmentation Rob should be ok e.g. he objected to the notion that we would mandate new segment structures that would get introduced into things like documents e.g. segmentation in CDA

Richard – We need to more rigorously define segmentation – in my mind segmentation is the process by which the access control service actually implements different policies

Jon – referring to the scope statement - change ‘manage’ to ‘control sharing of health information for policy reporting purposes’

Serafina – Review letter NCVHS. The term segmentation is defined as the ability to protect specific and sensitive IIHI within the electronic record from disclosure. The NCVHS recommendation includes definitions of specific categories of information and the context in which that data occurs.

Jon – it does not include Richard’s point e.g. segmentation is the process by which the access control service actually implements different policies, it needs to include exchange and what is going on within the enterprise

Richard – Circulate scope statement as is and get people’s attention. This is an emerging / evolving subject.

Jon – I would like to see us change the word ‘manage’ to protect certain. Manage means too many things

Richard – I am going in the other direction, from a policy view you want to incorporate a lot of different requirements

Jon – How about ‘control sharing’ so it is not just one way.

Possible change for future: The ability to control sharing of health information for privacy and policy related to reporting.

Meeting was adjourned at 3:05 PM Eastern