October 3, 2017 Security Conference Call
Revision as of 18:26, 2 October 2017
Attendees
x | Member Name | x | Member Name | x | Member Name | x | Member Name
---|---|---|---|---|---|---|---
x | John Moehrke, Security Co-chair | x | Kathleen Connor, Security Co-chair | x | Alexander Mense, Security Co-chair | . | Trish Williams, Security Co-chair
x | Mike Davis | x | Suzanne Gonzales-Webb | x | David Staggs | x | Christopher Shawn
. | Mohammed Jafari | . | Beth Pumo | . | Ioana Singureanu | x | Rob Horn
x | Diana Proud-Madruga | . | Serafina Versaggi | x | Joe Lamy | . | Galen Mulrooney
. | Paul Knapp | . | Grahame Grieve | . | Johnathan Coleman | . | Aaron Seib
. | Ken Salyards | . | Christopher D Brown TX | . | Gary Dickinson | . | Dave Silver
. | Oliver Lawless | . | Ken Rubin | . | David Tao | . | Nathan Botts
Agenda
- (3 min) Roll Call, Agenda Approval
- (10 min) Review and Approval of September 26th Minutes. Review and approval of the HL7 Sept 2017 WGM San Diego Minutes
- (10 min) Is Privacy Obsolete Study Group update - Mike
- (10 min) #FHIR and Bulk Data Access Proposal, posted on September 20, 2017 by Grahame Grieve.
- See John's comment at bottom of page and his and Bulk De-Identification blog
- Draft Security WG comments - See ideas from last week's discussion below.
- (10 min) Next version of the Interoperability Standards Advisory: the HL7 Policy Advisory Committee [PAC] would like to ask all workgroups to review the ISA for their areas of interest and let the HL7 Policy Advisory Committee know of any suggestions by October 15 at policyinput@lists.hl7.org. - Kathleen to point out any privacy/security hot topics.
- (10 min) vvvv
- (2 min) FHIR Security call - Call will happen at 5PM ET/2PM PT
Meeting Materials
Bulk Data Transfer Access Control & Authorization Questions:
- What is the use-case for use of this?
- There are use-cases that have legitimate authorization to all data of a given patient. For these use-cases a binary PERMIT vs DENY might be sufficient, but it is not clear what the use-cases are.
- What is the intended PurposeOfUse? Is it Treatment? Payment? Coverage? Research? Public Health? Each of these may or may not provide binary PERMIT vs DENY ALL. Information used for Payment purpose of use, for example, does not include all information used for treatment.
- Based on the use-case the functionality of Minimum-Necessary may apply. Is enforcement of minimum necessary requirements considered a source system responsibility?
- How is Consent going to affect this API?
- How might ConfidentialityCode affect this API?
- Audit Logging: Given the API, the Audit Logging needs to be defined clearly. Even if the AuditEvent resource is not mandated (which I think it should be), the functionality must be clearly defined. KC – Audit logs are required under HIPAA and MU.
  - Is this bulk access request recorded as ONE audit log entry, ONE per patient, or is each Resource returned identified in the audit log?
  - ONE per patient would be needed if accounting of disclosure is a potential requirement.
- What happens when the Resources that are being requested in a Bulk Data Transfer have Security Labels that, for example (1) require a higher level of authorization for transfer; (2) obligate the recipient to limit purpose of use; or (3) prohibit the recipient from further disclosure?
- Will the POU for which the API was authorized to retrieve a Group be persisted as a security label on each Resource in the Group so that downstream compliance is assured?