
April 10, 2018 CBCP Conference Call


Community-Based Care and Privacy (CBCP) Working Group Meeting


Meeting Information

Dial-in Number:  (515) 604-9861;  Access Code: 429554
* International Dial-in Numbers: https://fccdl.in/i/cbhs

* Online Meeting Link: https://join.freeconferencecall.com/cbhs  
* Click on Join an Online Meeting Enter Online Meeting ID:  cbhs 
* Follow prompts if not automatically connected

Please be aware that teleconference meetings are recorded to assist with creating meeting minutes


Attendees

Call Recording: https://fccdl.in/0gfP7LTghl (temporary)

Member Name x Member Name x Member Name x Member Name
x Johnathan Coleman CBCP Co-Chair x Suzanne Gonzales-Webb CBCP Co-Chair x Jim Kretz CBCP Co-Chair x David Pyke CBCP Co-Chair
x Kathleen Connor Security Co-Chair x Mike Davis x John Moehrke Security Co-Chair .x Diana Proud-Madruga
. Chris Shawn x Neelima Chennamaraja . Joe Lamy . Greg Linden
x Irina Connelly . Saurav Chowdhury x Dave Silver x Francisco Jauregui
. Patricia Peretz . Amber Patel x Becky Angeles . Jennifer Brush
. Mohammed Jafari . Ali Khan . Ken Salyards . Ken Sinn
. David Staggs . Steve Eichner . Ioana Singureanu x Beth Pumo



Agenda

  1. Roll Call, Agenda Review
  2. Meeting Minutes approval:
  3. (5 min) CBCP FHIR THURSDAY call at 1:00 ET // FHIR Consent Directive Project Wiki, Main page
  4. FHIR Security Project Update - Johnathan
  5. Privacy and Security Architecture Framework (PSAF) Ballot - update, discussion Meeting weekly on Thursdays 11:00 AM ET Meeting Link: http://www.hl7.org/concalls/CallDetails.aspx?concall=38423

Meeting Minutes (DRAFT) (meeting recording: https://fccdl.in/OVvromSTh8, temporary)

Privacy Study Group – Mike, Kathleen Privacy Study Group that could consider these things...?

  • erasure
  • patient directed - where patient has directed the EHR to send;
  • patient owned EHR without 2nd or 3rd party
  • patient handling instructions - where they do now want to push forward
  • where a patient authorizes' to care providers to have direct communications (i.e. where patient is involved in a care plan--'I have just chosen this home nurse and they can speak directly with GP); this is perceived as a step beyond sync for science (14:00) Johnathan
    • it is that paper are based on the sync for science on the API’s and ... tangible security and privacy... (update on FHIR for security)

Privacy Study Group Update (Mike)

  • notification; we have been heads down on the May ballot
  • Kathleen has placed additional materials into the repository; there are some interesting things going on with Zuckerberg
  • we are reactivating the study group activities

ONC Paper - Johnathan

  • today at 2:00ET
  • API best practices document privacy and security principles;
  • last week started a deep dive into security recommendations and do privacy afterwards
  • good discussion of TLS and where 1.2 should be the minimum depending on the vendors and API developers
  • we've pulled in recommendations with modification
  • input validation is the next step for today's discussion
    • sync for science - interface for research and science. into FHIR; original use case, how can a patient choose a research project "use my information"-- who does that patient engage to tell the care providers through a patient portal--they have access to my API; that has been generalized to: how can a patient authorize ANY app... (i.e. Apple Health) a "user-experience" because there is no technology involved--where an app can be authorized by a patient through a portal experience. the app has an OAuth token, leveraging (on top of SMART on FHIR); sync for science is that last step... as opposed to pure SMART on FHIR as only as provider working directly with patients themselves.
    • related to that is program by which where an individual consumer can be brought in for sync-for-science program...


PSAF ballot (TF4FA ballot)

  • PSAF calls done until reconciliation
  • ballot submitted last Sunday
    • vote please
    • reconciliation
  • volume 3 - Audit, started.
    • intended to cover EHR lifecycle events and audit but also provenance; a hint there in terms of the PSAF umbrella that will be doing that. a 4th volume on authentication - not sure we need the volume (it’s boring) Mike was thinking of a US-realm the fact that NIST wants their standards to be more open... the 800-63 Identity and authorization standards has been adopted by TEFCA ONC as a general standard and 800-3 - different security controls and SLS has been written in a general way. we can talk about this in a US way. authentication in general under trust is not that important a concept as the user-level... it’s more a concept at an org level. you see in the US a trend to move away from individual identity and assertion and reliance on the org as the endpoint for sharing for trust. the trust contract is between orgs and not individuals. (individuals are irrelevant in establishing the contract) thinking that the authentication may not be something to explore just yet... having gone through the authorization stuff and detailed out some of the contract items in the trust proposal in the ballot. the run-time value of things are not essential to the trust contract ...at top level. trust contract at this level is not terribly important
  • for volume 3 is that pass-audit or a different direction
    • pass audit is part of the basis; wanted to work with rehash Reed Gelzer work... we did make a relationship between EHR events audit and provenance. we've connected the dots between them and that might be a good place to start... pass audit would be a reference but PAS audit - is about audit not anything further than that.
  • ISO has specifications covering that (JohnM) lifecycle events - specifically open EHR activities and audit events and that should be brought in (Gary Dickinson’s work?)
    • only partial correlation in ISO with what's been done. the idea behind is we relate lifecycle events with the W3C view;
    • audit in relationship to trust.

eLTSS project Irina

OMNIBUS Care Plan Neelima: update on project: OMNIBUS Care plan

  • managed care teams and care plans
    • using FHIR profiles and using
    • defining elements, adding consent security and privacy
    • working with SAMHSA (not an HL7 project)

Meeting adjourned: (Jim) at 0935AM
