• CBCP WGM Agenda

• Introductions
• Approval of agenda
• International Report outs
• Liaison Reports: ISO, IHE, ONC, OASIS
  • OASIS XSPA-SAML Update
• FHIR Security Report out/S&P Considerations - John Moehrke
• HL7 Project status and updates:
  • Is Privacy Obsolete Study Group (report out here and at joint EHR meeting and possibly FHIR group?) - Mike Davis
  • PSAF Project Refresh, Trust Framework and S&P DAM - Next Steps overview - Mike Davis

• TF4FA Volumes 1 & 2 Ballot Reconciliation
• Update of Volume 3 Draft - Mike Davis
• PASS Audit Ballot Reconciliation - Update PASS Audit per ballot dispositions

Proposed Topics: HL7 Project status and updates:

1. Trust (Luis Maas-if able to attend)
2. FHIR-Security and Privacy Topic Overview/cont.(JohnM)
   • Future FHIR-Security and Privacy topics
   • Drill down of FHIR Security-Privacy activities

• MiHIN's ONC Patient Granular Choice Pilot presentation - Shreya Patel
• FHIR Consent and FHIR Contract Comparison proposed white paper

In-depth discussion :

1. TF4FA Vol. 3 Update - Mike Davis
2. PSAF Project Update - Mike Davis
3. S&P Considerations for FHIR - John Moehrke

• Security rep to OO for FHIR2V2 PSS for security labels W Q1/Q4

• PSAF Project Refresh, Trust Framework and S&P DAM - (Information Model) Next Steps - Mike Davis

• S&P Considerations for FHIR
• 9167 AuditEvent needs to make more obvious how to record a break-glass event (John Moehrke)
• 10343 Three additional Signature.type codes (Kathleen Connor)
• 11071 Improve security label guidance (Kathleen Connor)
• 12660 HCS use clarification (John Moehrke)
• 17192 Verification of given resource without changing the content (Thomas Johansen)
• 17299 enhance current disclosure AuditEvent so that it explains what is being recorded and why (John Moehrke)
• 17300 Break-Glass description needs clarifications (John Moehrke)
• 14678 Implementation guide for signatures+-+2018-Jan Core+%231 (Brian Pech)

• GDPR Chat-a-thon Findings
• GDPR White Paper
• Security GDPR Wiki

• FHIR Consent Resource - Discussion (CBCP-Security) see Wiki: HL7 FHIR Consent Directive Project
  • Contract vs Consent Issue Grahame, Lloyd
• FHIR categorization by security/privacy considerations
  • can the FHIR tooling help build UI around categorization into various groups (public, business, personal, patient, other)
  • thus each page would have something at the top similar to 'compartment' with possibly multiple classifications
  • and each page 'might' have additional S&P considerations only where it is different than that classification
• FHIR FMM advancement for Security and Privacy resources

• Workgroup Health Update - Security needs to publish S&P DAM and align 3 Year Plan with Project Insight Security Projects.
• Infrastructure Steering Division - September Interim Report
• Security 3 Year Plan 2016
• Security 3 Year Plan 2018 draft