August 8, 2017 Security Conference Call
|x||Member Name||x||Member Name||x||Member Name||x||Member Name|
|.||John Moehrke, Security Co-chair||x||Kathleen Connor, Security Co-chair||.||Alexander Mense, Security Co-chair||.||Trish Williams, Security Co-chair|
|x||Mike Davis||x||Suzanne Gonzales-Webb||x||David Staggs||x||Mohammed Jafari|
|x||Glen Marshall, SRS||x||Beth Pumo||.||Ioana Singureanu||.||Rob Horn|
|x||Diana Proud-Madruga||.||Serafina Versaggi||x||Joe Lamy||.||Galen Mulrooney|
|.||Duane DeCouteau||.||Chris Clark||.||Johnathan Coleman||.||Aaron Seib|
|.||Ken Salyards||.||Christopher D Brown TX||.||Gary Dickinson||x||Dave Silver|
|x||Rick Grow||.||William Kinsley||.||Paul Knapp||x||Mayada Abdulmannan|
|.||Kamalini Vaidya||.||Bill Kleinebecker||x||Christopher Shawn||.||Grahame Grieve|
|.||Oliver Lawless||.||Ken Rubin||.||David Tao||.||Nathan Botts|
- (2 min) Roll Call, Agenda Approval
- (4 min) Review and Approval of Security WG Call Minutes August 1, 2017
- (15 min) 21st Century Cures Act Trusted Exchange Framework and Common Agreement Public Comments Review Draft Security WG comments for approval as input to HL7 response due August 14th. - Kathleen
- (15 min) Security WG Interim Health Metrics - presiding cochair
- (10 min) FHIR Security call - cancelled
News and Review Material
- Comment Area 1: Standardization
HL7 some capabilities to propose – have done – cake and eat it too ISA – comments definition of interop in the law is far from used HIMSS standards. According to the ONC definition, adopted from IEEE, interoperability is “the ability of systems to exchange and use electronic health information from other systems without special effort on the part of the user”. The word “interoperability” appears 365 times in ONC’s draft Interoperability Roadmap, including an addition to the definition which says “Interoperability is made possible by the implementation of standards”. The latter perhaps brushes over that standards may be a necessary condition but are not a https://www.healthit.gov/sites/default/files/hie-interoperability/nationwide-interoperability-roadmap-final-version-1.0.pdf
- Comment Area 3: Cooperation and Non-Discrimination
While information blocking by not sending information is one side of the coin, would choosing to avoid receiving or retrieving information, for example to avoid data overload or avoid finding out about previous services in order to get more recent or immediate test results, or to bill for redundant services, be considered information blocking as well?
Would requiring opt-in consent for health information exchange for purposes of treatment, payment, or operations be considered information blocking because ONC considers this unnecessary?
Would permitting opt-out consent directives for health information exchange for purposes of treatment, payment, or operations be considered information blocking because ONC considers this unnecessary?
Would data segmentation based on organizational policy or patient consent directive, which is not otherwise required by state or federal privacy law, be considered information blocking?
Would an HIO or provider segmentation of sensitive health information by means of storing it in a separate data store with more stringent access controls be considered information blocking if not otherwise required by state or federal privacy law?
- Comment Area 4: Security and Patient Safety
Support for Data Provenance Security labeling to share with protections – rather than just protecting from sharing – enables a Learning Health System by not siloing data due to privacy concerns related to ensuring privacy protection of patient-deemed or policy-prescribed restrictions on collection/access/use/disclosure of sensitive protected health information. This requires security labeling and data provenance to convey the privacy, security, and patient consent directive policies with which an end user must comply. Data provenance provides the stamp of authenticity, integrity, and reliability, which ensures that health information collectors and processors are adhering to the required privacy, security, and patient consent directive policies, and provides non-repudiable accounting of disclosures, especially if tracked with a digital ledger. Confidence in the authenticity, integrity, and reliability of health information is essential for patient safety. Combined with evidence of compliance with privacy, security, and patient consent directive policies, it assuages the currently high level of healthcare consumer concern with sharing sensitive information.
- Chaired by Kathleen
- Agenda Approved
- Review and Approval of Security WG Call Minutes August 1, 2017 deferred
- 21st Century Cures Act Trusted Exchange Framework and Common Agreement Public Comments Review Draft Security WG comments for approval as input to HL7 response due August 14th. - Kathleen
- Group was asked to review the 6 areas in the general comments area of the Trusted Exchange
- Unclear what position the National Coordinator's office will take on the Trust Framework
- There is some indication they will harmonize the Trust Framework
- Please include your comments
- The comments are included in the News and Review Material and the wiki
- Security WG Interim Health Metrics - presiding cochair (Kathleen)
- We are answering questions on standardization and how we view that within the Trust Framework and consent policy, access control models, and related works we have done in HL7 covered in the United States.
- Comment (1) (Mike): Section 4003 of ONC interoperability defines it differently than HL7.
- Section 4003 (Public Law) - Enables the secure exchange and use of electronic health records.
- The public law allows complete, secure electronic access without any special effort from the user.
- How this public law differs from HIMSS in regard to interoperability: 3 levels of health info technology (1) Foundational: technology for transmission, e.g. SLS (2) Structural (3) Semantics
- Core of standards work such as data labeling of HL7 messaging FHIR, and labeling with codes are not addressed
- The public law does not address information blocking
- Security and patient safety are acknowledged in the public law, but Privacy is not addressed
- Diana Comment: Part of the Trust Framework is authentication between the exchange networks
- In order to make the information useful, the authorization has to be able to be mapped
- Comment/Diana (2): Feels they will look at the road map of Trusted Framework
- Comment/Mike (3): Industry of federal defined policies are addressed in the public law, but it leaves out States
- Comment/Mike (4): Transparency does not address privacy protection of patient, it only addresses clinician exchanging patient information regardless of the PHI
- Considering privacy and the Internet of Things, the transparency statement in the public law causes alarm for patient privacy
- Comment (5) Kathleen: FHIR Consent Directive and CDAs can be applied to the standards
- Comment (6) Diana: Suggested to have them focus on standards road map by having them consider the HIE Advisory committee and look at the ONC road map
- access Information Blocking is not defined in 4003 but in 4004.
- 42CFR title 38 is not addressed
- Public law 1124 can be searched to review the definition of the public law
- Attribute based access control model can also be added
- Comment (7) Mike: We support clinician sharing, but we cannot ignore patient privacy. Part of trustworthiness is the ensuring of information sharing provided by provenance.
- FHIR Security call - cancelled
- Call Adjourned