Product Brief - Privacy, Access and Security Services (PASS)

back to Main_Page
back to Product_List

Product Name

HL7 Version 3 Standard: Privacy, Access and Security Services (PASS)

Topics

• Access Control, PIM Level, Release 1
• Audit, Conceptual Level, Release 1

Standard Category

• Health Information Exchange Standards

Integration Paradigm

• Services

Type

DSTU

Releases

R1 Informative Jan2010; DSTU Sep2010

Ballots

http://www.hl7.org/special/committees/tsc/ballotmanagement/pi_index_nibs.cfm?ProjectNumber=200

Summary

The Privacy, Access and Security Services (PASS) project specifications define a set of encapsulated, loosely-coupled and composable service components that can contribute to ensuring the confidentiality and integrity of healthcare information.

The Conceptual Model for the Privacy, Access, and Security Services project Audit Service (PASS Audit Service) describes the conceptual-level viewpoints associated with the business requirements that relate to the content, structure, and functional behaviour of information important to the Audit area of the Privacy, Access, and Security domains within the healthcare environment. Thus it seeks to define the business requirements of an Audit service.

The PASS Access Control model presents the information and capabilities required to provide Access Control services to protected resources in a distributed healthcare environment, where interoperability requirements arise. A pre‐requisite to any Access Control activity is the management of Access Control policies. This document considers the behavior associated with the lifecycle of those policies.

Description

The PASS Audit Service Conceptual models present the information and capabilities required to provide Healthcare-specific Audit services to enable organizations to assure accountability in a distributed healthcare environment, where interoperability requirements arise. It is critical to note that this specification is NOT the specification of a service, document, or messaging implementation; rather it is an unconstrained conceptual specification of the domain material.

Business Case (Intended Use, Customers)

Benefits

Of all security requirements protecting personal health information, among the most important are those relating to audit and logging. These ensure accountability for patients entrusting their information to electronic health record systems and also provide a strong incentive to users of such systems to conform to the policies on the use of these systems. Effective audit and logging can help to uncover misuse of electronic health record systems or of patient data and can help organisations and patients obtain redress against users abusing their access privileges. Personal health information is regarded by many as among the most confidential of all types of personal information and protecting its confidentiality is essential if patient privacy is to be maintained. In order to protect the consistency of health information, it is also important that its entire life cycle be fully auditable.

Implementations/ Case Studies (Actual Users)

Resources

Work Groups

Services Oriented Architecture, Architecture Review Board, Security Work Group, CBCC

Education

• http://hssp-security.wikispaces.com/PASSbackgroundmaterials
• See more at http://www.hl7.org/implement/training.cfm

Certification Available

• none

Presentations

Relationship to/ Dependencies on, other standards

• Healthcare audit record collection is and has been addressed by other standards bodies and that work will serve to guide this specification. ISO CD 27789, IHE ATNA, RFC 3881, and The Open Group’s Distributed Audit System (XDAS) preliminary specification will all be used as input to this specification.
• Parallel work sponsored by the HL7 Security WG which is tasked with producing a Security Domain Analysis Model (DAM).
• ommunity‐Based Collaborative Care (CBCC) – Composite Privacy Domain Analysis Model (DSTU),

Links to current projects in development

• Project Insight ID # 578,