February 2nd 2010 CBCC Conference Call - Joint Call with Security

Back to CBCC Main Page

Attendees

• Tabitha Albertson
• Bernd Blobel Security Co-chair, absent
• Bill Braithwaite, MD
• Steven Connolly
• Mike Davis Security Co-chair
• Suzanne Gonzales-Webb CBCC Co-chair
• Allen Hobbs
• Don Jorgenson
• Pat Pyette
• Richard Thoreson CBCC Co-chair
• Serafina Versaggi, scribe
• Tony Weida
• Craig Winter

Agenda

1. (05 min) Roll Call & Call for Additional Agenda Items
2. (20 min) Report Outs from Phoenix Working Group Meeting
   • Announcements:
     • Suzanne Gonzales-Webb re-elected CBCC Co-Chair
     • Max Walker re-elected CBCC Co-Chair
     • Rob McClure appointed Vocabulary Facilitator for CBCC WG
3. (35 min) "Hot" Topics
   • Privacy Policy Template discussion

Minutes

Today's minutes are a continuation of the joint CBCC Security meeting. Earlier discussion can be found here.

Announcements

• Suzanne Gonzales-Webb re-elected CBCC Co-Chair
• Max Walker re-elected CBCC Co-Chair
• Rob McClure appointed Vocabulary Facilitator for CBCC WG

Action Items

• Suzanne: follow up with Kathleen regarding formal withdrawal of negative vote for the HL7 Permission catalog
• Don and Pat: review draft project scope statement for Privacy Templates with Security and CBCC co-chairs prior to sending out to the wider audience and placing it on the WG agenda for a future meeting

Privacy Policy Templates discussion

• There is an interest in this project on the part of SAMHSA, as a means to enhance the 42 CFR Part 2 regulation
  • How do we extend the general notion of privacy consents to work in the electronic health record world?
  • The idea of developing a set of templates to encourage the adoption of this approach to protecting privacy is very attractive
• Standards activities are associated with interoperability
  • How do you enact new regulations using legacy systems?
  • NHIN as infrastructure for exchange between HIEs
    • Gateway adapters talk to back end EHR systems and collect information to put into HITSP constructs
    • Security layer is at the gateway area – not in the application
    • Applications do not have to be modified
    • It would be great to create something like a Set Top box for those who don’t have the resources of DoD, etc.
• Demonstrations of Security and Privacy capabilities
  • The use of XACML was demonstrated using this model at RSA 2008
  • OASIS vendors demonstrated this model and the NHIN architecture at HIMSS in 2009
  • This will be demonstrated at RSA in March 2010 with OASIS
  • There are currently 16 XACML policies that are enforced in this model
  • With these initial 16 policies, patients can express consent directives against a clinician by name; by role; to express as a policy basic opt-in, opt-out; policies for controlling access to specific information in the messages themselves. (In C32, you can exclude sections of the clinical document).
  • Also demonstrating the ability to redact information based on dirty-word searches. Genomic information and exclude it from being transmitted (someone on DoD will be demonstrating this).
  • Purpose of use is also attached, allowing for different variations depending on purpose of use
  • It appears that we can write a basic set of core policies that will support requirements. All you need to do is populate the policy with the appropriate attributes for the run-time instance
    • You get those attributes from the security services data repository which have been provisioned or the requesting clinician’s asserted attributes
  • These pseudo policies could be mapped directly into a formal language (XACML, DRM, etc., or could be referenced in the CDA R2 Consent Directive. Then these policies could be enforced
• Bill Braithwaite indicates that he's been working on efforts such as these in other groups (e.g. HITSP), to come up with ways for HIEs to filter clinical information before it is released according to patient preferences and other policies.
  • Building these features into every application doesn’t make sense. This needs to be standardized in the way this filter applies the policies.
• We are at a critical juncture here. There are voices which say we have the information exchange mechanism, a simple opt-in, opt-out mechanism
  • The typical objection to anything more is “it’s too difficult”, technology/standards aren’t available
  • We are attempting to overcome these objections with multiple vendor demonstrations that fits within the current NHIN architecture with vendor off-the-shelf products
  • But we have a number of mechanisms in place to assist:
    • Information models
    • CDA R2 Consent Directive
    • XSPA health care SAML, XACML and WS-Trust profiles
    • Vendors with applications to electronically complete a consent directive

Meeting adjourned 2:50 PM EST