February 28th, 2012 Security Working Group Conference Call
'Bold text'=Security Working Group Meeting=
- Kathleen Connor
- Suzanne Gonzales-Webb CBCC Co-chair
- Jim Kretz
- John Moehrke Security Co-chair
- Tony Weida
- Trish Williams
- (05 min) Roll Call, Approve Minutes & Accept Agenda
- (15 min) Review of updates and request for approval to submit final Harmonization proposals - Kathleen
- (15 min) Review and approval of the May 2011 Security and Privacy Ontology reconciliation spreadsheet
- (15 min) Changes to the ontology scope - John Moehrke
- (5 min) Interim Co-chair - Discussion postponed to March 6 meeting
Roll Call, Approve Minutes & Accept Agenda
Roll Call, Approve Minutes & Accept Agenda
- John Moehrke - presiding cochair
- Agenda Changes:
- Added discussion about meeting with TSC on change of Security and Privacy Ontology balloting status. Moved Harmonization proposal discussion to end of agenda
Review and approval of the May 2011 Security and Privacy Ontology reconciliation spreadsheet
- John Moehrke discussed outcome of Security WG (John and Mike) cochair presentation to TSC requesting change to ballot status for Security and Privacy Ontology from DSTU to “for comment only” ballot in May 2012. After that ballot, cochairs requested approval to move the Ontology to the Normative ballot track.
- TSC questioned whether and how conformance to the Ontology could be tested as that is a key criteria for qualifying as normative ballot material. In response, John noted that the Ontology is applicable to the HL7 SOA Access Control Service as an invocable service. Kathleen asked John whether the Ontology might also be considered applicable to implementations of the Consent CDA and Data Consent v.3 messages as well as the Security and Privacy DAM. John agreed that the Ontology could be invoked in implementations of the former, but not to the DAM. Kathleen will draft statement for WG about applicability to HL7 standards for the WG to consider submitting to the TSC.
- Procedurally, the TSC did not approve the request without further justification. However, the WG can close out the DSTU by responding to the comments and responding to the balloters—that we are now moving forward with the ballot as ‘for comment only’. There is no need to approve a change in project scope statement to do so.
John noted that the TSC suggested as an alternative that the Security WG consider submission of the Ontology to HL7 Vocabulary Harmonization. Then, the Ontology could be invoked as a coded data type by various HL7 v.3 normative artifacts, thereby making it “normative” by reference.
- WG members were uncertain whether the HL7 vocabulary machinery can support an OWL ontology. Trish noted that the Ontology may not be amenable to current HL7 Vocabulary methodology. Further investigation about this approach is needed.
Review and approval of the Security and Privacy Ontology DSTU May 2011 Ballot Reconciliation Spreadsheet
- Tony Weida noted that since May 2011, the WG has discussed the reconciliation comments, dispositions, and amendments he’s made to the Ontology to address comments in detail on multiple occasions. He said that he has addressed all changes agreed to in the spreadsheet.
- Kathleen suggested that since there’ve been numerous discussions about the ballot comment dispositions since May 2011 that the WG should vote to approve the ballot reconciliation so that the spreadsheet can be posted. John asked the WG whether this vote should be delayed to notify more stakeholders or whether there had been enough discussion to have given stakeholders sufficient opportunity to weigh in. The WG decided to hold a vote. Kathleen’s motion was seconded by Suzanne. Motion carried 5-0-0 without further discussion.
- Cochair Action Item: Negative voters will be notified that Security will not be pursuing the DSTU path for the Ontology, and instead will be balloting in May 2012 as "For Comment only"
Review and request for approval to submit final Harmonization proposals
- Kathleen presented an overview of the WG’s final proposal changes based on Vocabulary Technical Review feedback.
- Kathleen walked through the ActPolicyType Technical Correction for binding value sets to concept domains already approved in November. She provided the WG with a “refresh” on how that vocabulary is structured so that the sensitivity codes can only be associated with appropriate classes. For example, location sensitivity can only be associated with a location role. She noted a slight change in definitions to clarify that implementers may want to include multiple policies as governing the sensitivity of an information object, e.g., Title 38 Section 7332 and HIV.
- With respect to the proposed addition of a consent directive code for “notice of privacy practices” (NOPP), Trish asked whether there needs to be a code to indicate that a specific consent directive type or no consent directive had not been completed. John said he’d used modeling means rather than vocabulary to indicate “null”. The WG discussed a variety of modeling approaches using various “negation indicators” and actCode cardinality for indicating that no consent directive had been completed; that a specific type of consent directive had not been signed; that a patient declined to agree to a consent directive; or that no specific consent directive type is indicated.
- A number of questions about HL7 vocabulary machinery and value set binding were discussed. Kathleen will check with Russ Hamm prior to final submission to make sure that she has made the requisite value set bindings.
- With respect to the Act Security, Obligation and Refrain Policy Type proposal, Kathleen noted these vocabularies are structured to reflect the ISO 22500 differentiation between Obligation Policy workflow mandates from Refrain Policy prohibitions.
- The main impetus behind the Purpose of Use Vocabulary proposal is the WG’s effort to harmonize the multiple new purpose of use vocabularies with the preexisting HL7 purpose of use vocabulary. The proposal greys out additions, and creates a “GeneralPurposeOfUse” value set in support of stakeholders who prefer less granular codes in their purpose of use value sets, limiting these to e.g., treatment, payment, operations, research, public health, and patient request. If other implementers want to create different value sets, they can do so through harmonization or by extending existing value sets with codes for concepts that are not represented.
- Kathleen noted that this mapping work is based on several WG members’ efforts, especially the mappings previously done by Suzanne and Serafina.
- John asked for a motion to approve for submission of these proposals to March Harmonization. Kathleen moved; Trish Williams seconded. Motion carried 5-0-0 without further discussion.
- As there were no further items to discuss, John adjourned the call at 1:57 PM Eastern.