January 09, 2018 CBCP Conference Call
Contents
Community-Based Care and Privacy (CBCP) Working Group Meeting
Meeting Information
Dial-in Number: (515) 604-9861; Access Code: 429554 * Online Meeting Link: http://join.freeconferencecall.com/cbhs * Click on Join an Online Meeting Enter Online Meeting ID: cbhs * Follow prompts if not automatically connected
Please be aware that teleconference meetings are recorded to assist with creating meeting minutes
Attendees
| Member Name | x | Member Name | x | Member Name | x | Member Name | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| x | Johnathan ColemanCBCP Co-Chair | x | Suzanne Gonzales-Webb CBCP Co-Chair | x | Jim Kretz CBCP Co-Chair | . | David Pyke CBCP Co-Chair | ||||
| x | Kathleen Connor Security Co-Chair | x | Mike Davis | . | John Moehrke Security Co-Chair | . | Diana Proud-Madruga SOA Co-Chair | ||||
| . | Mohammed Jafari | . | Ali Khan | . | Ken Salyards | . | Ken Sinn | ||||
| x | David Staggs | . | Steve Eichner | . | Ioana Singureanu | . | Beth Pumo | ||||
| . | Chris Shawn | x | Neelima Chennamaraja | x | Joe Lamy | . | Greg Linden | ||||
| . | Irina Connelly | . | Saurav Chowdhury | x | Dave Silver | x | Francisco Jauregui | ||||
| Becky Angeles | x | akhan.md92@gmail.com | . | . |
Agenda
- (05 min) Roll Call, Approve Agenda
- Approve Meeting Minutes for December 19 call
- (05 min) Security and Privacy Impact Assessment Cookbook (SPIA) - SUR definition - Suzanne
- (20 min) CBCP FHIR THURSDAY call at 1:00 ET // FHIR Consent Directive Project Wiki, Main page
- FHIR Consent discussion
- FHIR Consent CPs are located: link to ALL Consent Change requests
- (30 min) Security and Privacy DAM - update, discussion
- (10 min) Privacy Obsolete - update
- January 2018 CBCP Working Group Meeting - New Orleans, Louisiana, USA
- September 2017 CBCC Working Group Meeting - San Diego, California USA, September 10-15, 2017 DRAFT MEETING MINUTES
Minutes
Role, Agenda Approval
Minutes Approval for 02,_2017_CBCP_Conference_Call January 02, 2018 call Objections: 0; Abstentions:0 Approve: 00
Security and Privacy Impact Assessment Cookbook (SPIA)- SUR definition - Suzanne
- Updates to document (in process)
- once complete, send over to SPG for review/approval
- request for publication
FHIR Consent - Thursday Call update
S PSAF PSS / Trust framework did modify the DAM - there are specific things we would like to add
- intended to ballot in May 2018
- currently balloted as informative; PSAF plan is to be balloted Chapter 2, volume 1 as normative.. if possible
- trying to determine if TEFCA )just released) has anything we need to add
- the behavioral model has small changes--may be able to ballot this
- review/clarify anything needed to be addressed, gap analysis (finalized)
- planned to ballot as informative (new chapter 3 AUDIT... included audit provenance, block chain provenance, EHR/...
- unsure if materials will be sufficient to ballo
- currently only conceptual level materials written
- privacy obsolete /
- continued to research anc collect sources on this to define the scope (which we say is worldwide - focusing on:
- identified a number of measures to discuss the status of privacy including
- law: specificially for those targeted countries
- is we see if the laws are updated/refreshed, presumption is that there is activity--that shuld be in favor of privacy not being dead
- continued to research anc collect sources on this to define the scope (which we say is worldwide - focusing on:
- privacy breaches - if orvewhemling for the what the law is providing
- standards activity (SC27 WG5) huge discussion on what is privacy? it is in question in their WG
- we're looking at enforcement activities; are there activities to envorced (i.e. legal due to breaches; ongoing from the the trade commission or ONC... to otherwise punish those who do
looking at privacy advocy groups for their opinions
- discussion on privacy online, facebook google IoT, etc
- current version of this - Mike will post to HL7
- we have approx. 80 breaches that have been written up, that we cite
- several links on the death of privacy ; links which have been added (11 specific articls on this)
- also SC27 - anne Kevorkian on privacy--already shared e-mail exchanges
- current version of this - Mike will post to HL7
- definitions
- information privacy, privacy laws, GDPR defintiiosn thatapply to privacy
- personal data, personal data protectiosn which the GDPR
findins so far in the last 3 years all but US have updated the privacy laws
- view is that it is eroding
- in healthcare it is thought that they may relax
- in 800-53 - will be broader used, have broader use
- onc is supporting this
impact of facebook, google, data mining, IoT is not tobe overdone... lives are affected; via personal digital devices--should all of this be public?
- in criminal cases 'you can't get into our cell'
- gov however information goes through 3rd party--means you are sharing your privacy;
- the US should increase the examination of cell, computers brought in from abroad (increase investation )
- includes foreiners, US citizens
justice Sonia sotemayer - US law is ill suited to digitial age...<<need to add>>
- we have some citations
global companies...
- breaches, fines by companies
- strongest case for privacy is EU with the GDPR; but we have also found the European, japan also have strong privacy rules which tend to be more applicable to large companies (vs small companies (
China - rules tend to control outside (i.e. US) companies more than actual privacy about
- Chinese citizen information maintanted by companiesn msut be mained on Chinese company servers... any
- isolation mode
study - is overwhelming; SC27 - looks like their standing up a document on privacy - privacy is dead part... seems they want to push toward data privacy anddata protections --- they don't want to define privacy, noting the GDPR and HIPAA do not define privacy GDPR does define personal data
privacy is about individual control their infoatnion SC27 - more abot personal data; view of corporation obeying law US - we have to objey hipaa - we have PII;
there are two view -
- i get to control my iformation; and
- companies need to follow rules about this information
slight difference between ownership an dprocedural (ann K is talking abot ownership; others are talking abo tprocedure (companie) they dont' own that data they have to follow...
- kknowing/understanind the difference will help people explain
- definition of privacy tends to be contry specific; each has different views around this
- definethe context its being used (agreed by Kathleen)
- define the relative impact on people; mike's sense (broader sense) we haven't come up with sotemeyers comment--the amount of data that is aviaalbe on us is increasing... AI to make conclusions based on our activities is hostile to any notion of privacy-- mike does nto see how legally compete against the technological challenges;
big data, AI, IoT, currently where its going is enormaous in the ability for AI based on the information; hopeiflly coming up with a simple approach where people can exercise that point. all in informative state
domains - on hl7 healthcare domain model trust framework has the notion that there are domains (i.e. domain a, b, c)
- negotiate between them
- establish a joint, federated domain using the DAM; policies to be decided upon
- discussion of the HCS and how it fits into the dm (domain model)
there are a number of dm in the hcs called classification <<need PPT>> from Mike.
1. Normal domain - where most people will be in; information from the defintions; typical non-stigmatizing information 2. restricted domain(R) - highly sensitive, potentiall stigmatizing information which presents a high risk to the information subject if disclosed without authorization
- all these are done via risk
- these are done by security...
- but you cannot write down to those without disclassifying
N, M, L can write up but not read-up to domains classified as VR
3. very restricted domain - privacy metadata indicating exrmly sensitive, likely stigmatizing information, which presents a very high risk if disclosed without authorization
adjorned: 1100
military sexual trauma
Johnathan - what is the product that is being produced here
- white paper - is privacy obselte
- coveres those attributes calle dout earlier; will be making some braod statement
- study group within HL7
- group meets informally ; we ask people post tot he wikik, information that we can evaluate
- we have an ongoing document draft with links,e tc;
- ike will post to latest version so that others can post comment and add
Johnathan - there is maybe something that it will be come 800-1721(check--#; ) pushed on some communites onto the contracting community to do work with the xxgovernment?); taking control factors from 800-53 from agreements (contractual) whih may be the catalyst to have 800-53
- it could end up being a very useful tool.
- mike will post link to wiki - so that others can view/provide comment
ADD to agenda
will make rounds at face-to-face; SOA, Security and CBCP (joint) assuming that government people canmanage to go to HL7 at Q3/Q4 joint meeting on MOnday
- connect-ta-thon report out
- continuting consumer centered data exchante showing right of acces (hoping with miHIN, showing privacy preserving OAuth ... 14 step process?
- Mohammad - instead of directing to EHRs, directing to consumers... list some of th eresources related to MU comments, clinical comment data ... this would allow onsumer to diret the app to a consent portal where they can map the app to specific end points they they want to talk to (rather than app hunting for something)
alice can stiputate that a specific endpoint to a s... remove #2, #3
ADD a QTR in CBCP for discussion
unclassified information not needed to be protected (800-171)
