October 21st 2008 Security Conference Call
- Mike Davis Security Co-chair
- Glen Marshall Security Co-chair
- Bernd Blobel Security Co-chair, absent
- Suzanne Gonzales-Webb CBCC Co-chair
- Richard Thoreson CBCC Co-chair, absent
- Ioana Singureanu
- Tanya Newton
- Bob Horn
- Frank Din
- Craig Winter
- Sarah Maulden
- John Moehrke
- Ioana Singureanu
DRAFT Meeting Minutes
(05 min) Roll Call
(05 min) Approved October 14th Minutes (10-0-0) & Accepted Agenda (10-0-0) (M.Davis/G.Marshall)
(15 min) Update to RBAC Privacy and Authorization Terminology Project Scope Statement v0 3 Update to RBAC Privacy and Authorization Terminology Scope Approved (10-0-0) (M.Davis/G.Marshall)
- M.Davis will bring new version of project scope back to the HL7 Steering Division committee to notify them of the scope update.
(15 min) Vocabularies identified in October 14 meeting:
- Goal is to use existing RBAC Permission vocabulary for a purpose of use (POU), to allow/direct access of functional roles to an EHR or PHR. Extend vocabulary to make richer--how much richer? We need to figure out how to leverage and use them (vocabularies brought forward) in security for authorization and as support for consent directives. 'Less is more' (MDavis opinion)
- Note: that many of the objects are clinically related and may be inappropriate for Patient use/Patient access.
- Question: Additional vocabularies to be added later? i.e. Nursing or Provider taxonomy, or other clinical taxonomy. Is this list a comprehensive list?
- Answer: By testing we will see how it will fit. Would like to recommend that SNOMED be first and see what gaps we find. This will lead us to inform us as we go along. Will lead to more comprehensive idea of what structure we are trying define.
By focusing on these lists of vocabularies we may be limiting ourselves. It makes more sense to start at the larger objects. We need a common way to look at vocabularies and someone to do the evaluation work. Will we have a rule that has restrictive licenses or costs? i.e. SNOMED--non-US countries will need to pay a fee in order to use. Should we just look at vocabularies accepted by HL7? No fee vocabularies or where a country does not need to purchase licenses. Terminologies such as CPT are expensive.
- Vocabulary is very general in a provider's role.
- Links objects in a chain--every child is a subtype of an object...it is an explicit taxonomy.
- Presumably 'prevents' duplicates—however, per vocabulary experts on call this is not always true.
- Will we find the consistency, rigor that we need in Security?
- May not be the best vocabulary for use with patient directives (i.e. DNR, etc)
- ICD-10 (or possibly ICD-11 which would be linked/mapped to SNOMED)
- RadLex, RadLex.org an ACR, RSNA recognized vocabulary
- Use: When you get to procedures and procedure steps, inserting terminology, in a sense similar to LOINC.
- Proposed to use as extension support in lab use cases
- Recommendation is to not to look at this vocabulary at this time but to relook at this vocabulary at a later time.
- Vocabulary has an OID and is a recognized vocabulary in HL7.
Gap: FINANCIAL VOCABULARIES
- Need to investigate. Possibly ICD-10/ICD-11?
- Suggestion to review the current Permission vocabulary/use cases to see what level of current financial terms are being used.
- Need to approach Financial WG for
- A representative to engage in this area
- Assistance with use cases (international and US)
- Is there a financial vocabulary that can be used to support the current permission vocabulary/use cases?
- ASTM may have one of these.
- M.Davis is an ASTM member and will be able to research.
- X-12N may also be investigated (research to be done by:_______? )
- may be best to bring in someone from HL7 Financial WG. We should try to separate financial accounting control security and clinical/EHR security.
Group must be aware and careful not to select solely US-centric with financial and other vocabularies.
(15 min) Decision Making Practices (see CBCC document as example CBCC Decision Making Practices)
(5 min) Other Business