Difference between revisions of "October 10, 2017 Security Conference Call"
Revision as of 23:03, 10 October 2017
Attendees
| x | Member Name | x | Member Name | x | Member Name | x | Member Name |
|---|---|---|---|---|---|---|---|
| x | John Moehrke, Security Co-chair | x | Kathleen Connor, Security Co-chair | x | Alexander Mense, Security Co-chair | . | Trish Williams, Security Co-chair |
| . | Mike Davis | x | Suzanne Gonzales-Webb | x | David Staggs | x | Christopher Shawn |
| . | Mohammed Jafari | x | Beth Pumo | . | Ioana Singureanu | . | Rob Horn |
| x | Diana Proud-Madruga | . | Serafina Versaggi | . | Joe Lamy | . | Galen Mulrooney |
| . | Paul Knapp | . | Grahame Grieve | . | Johnathan Coleman | . | Aaron Seib |
| . | Ken Salyards | x | [1] | . | Gary Dickinson | . | Dave Silver |
| . | Oliver Lawless | . | Ken Rubin | . | David Tao | . | Nathan Botts |

(x = present, . = absent)
Agenda
- (3 min) Roll Call, Agenda Approval
- (10 min) Review and Approval of October 3rd Minutes.
- (10 min) Is Privacy Obsolete? Study Group wiki page with IPO? Listserv link. Update on project - Mike Davis and Chris Shawn
- (5 min) Update on Security WG Bulk Data Transfer Comments submission - John Moehrke
- (30 min) Review and draft Security WG comments on PAC comment guidelines and highlighted ISA items related to Security and CBCP Scope
- (2 min) FHIR Security call - Call will happen at 5PM ET/2PM PT
Meeting Materials
- Potential Comment Areas
  - Upgrade maturity of data segmentation on CDA
    - Include FHIR Security labels as a means to protect FHIR Bundles and Resources
  - Add FHIR Consent and Contract to emerging Consent Directive standards
    - Include use of both for individual Right of Access
  - Add FHIR Provenance to DPROV
  - Add FHIR AuditEvent
    - Include the ability to use FHIR AuditEvents to generate FHIR Accounting of Disclosure Resources
  - Add TF4FA and FHIR Contract for App Terms of Service and for Trust Contract to determine trading partner capabilities, e.g., consuming and enforcing computable consent directives
  - Add NIST SP 800-63, NIST SP 800-53, and NISTIR 8062 to the Security Standards section
Minutes
- Kathleen Chaired.
- October 3rd Minutes review deferred.
- Agenda reviewed and approved.
- Is Privacy Obsolete? updates - Chris and John have added articles. Links to the IPO? Listserv added. Also need to link to the Consumer Centric Data Exchange (CCDE) thread on the HL7 Blog. John and Kathleen discussed the two individual Right of Access (RoA) use cases, which were explored in the CCDE Connectathon Track in September:
  - (1) MU VDT with RoA requested by the patient directly, where the Discloser has already identity proofed and can authenticate the patient requesting RoA and has vetted the patient-designated App endpoint. This case does not require a prospective signed RoA consent directive; the RoA consent directive can be memorialized retrospectively.
  - (2) RoA where the endpoint requesting access is a third party acting on behalf of the patient. This case does require a prospective signed individual RoA consent directive.
  - See [HHS Individuals' Right under HIPAA to Access their Health Information 45 CFR § 164.524](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html) and [HHS Right of Access vs. HIPAA Authorization](https://www.hhs.gov/hipaa/for-professionals/faq/2041/why-depend-on-the-individuals-right/index.html).
- FHIR Bulk Data Transfer comments.
- Kathleen presented topics for HL7 comments on the ONC ISA 2018 for input by Security WG.