Difference between revisions of "October 10, 2017 Security Conference Call"

From HL7Wiki
Line 69 (previous revision):

*Agenda reviewewed and approved
*Quick look at [https://www.healthit.gov/buzz-blog/interoperability/get-ready-for-a-showdown The Secure API Server Showdown Challenge]
*Is Privacy Obsolete? updates - Chris and John have added articles. Links to the IPO? List Serve added.  Also need to link to the Consumer Centric Data Exchange (CCDE) thread on HL7 Blog.  John and Kathleen discussed the 2 individual Right of Access (RoA) use cases, which were explored in the CCDE Connectathon Track in September: (1) MU VDT with RoA requested by the patient directly - where the Discloser has already identitiy proofed and can authenticate the patient requesting RoA as well as vetted the patient designated App end point, which does not require a prospective signed RoA consent directive, and where the RoA consent directive can be memorialized retrospectively; and (2) RoA where the end point requesting access is a third party acting on behalf of the patient, which does require prospective signed individual RoA consent directive. See [https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html HHS Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524] and [https://www.hhs.gov/hipaa/for-professionals/faq/2041/why-depend-on-the-individuals-right/index.html HHS Right of Access vs. HIPAA Authorization]
*FHIR Bulk Data Transfer comments.
*Kathleen presented topics for HL7 comments on the ONC ISA 2018 for input by Security WG.

Line 69 (revision as of 15:30, 11 October 2017):

*Agenda reviewewed and approved
*Quick look at [https://www.healthit.gov/buzz-blog/interoperability/get-ready-for-a-showdown The Secure API Server Showdown Challenge]
*Is Privacy Obsolete? updates - Chris and John have added articles. Links to the IPO? List Serve added.
*John referenced the HL7 Blog Posts by Sandeep Giri [http://blog.hl7.org/hl7_fhir_connectathon16_patientconsent_oauth2 HL7® FHIR® Connectathon 16: Patient Consent Forms: Redundant in the World of OAuth2? Part 1 of 2] and [http://blog.hl7.org/hl7_fhir_connectathon16_patientconsent_oauth2-0 HL7® FHIR® Connectathon 16: Patient Consent Forms: Redundant in the World of OAuth2? Part 2 of 2] which captured the main findings from the CCDE Connectathon Track.
*Kathleen will add links to the Consumer Centric Data Exchange (CCDE) thread on HL7 Blog, from the Connectathon wiki, and MiHIN CCDE Confluence stite.
*John and Kathleen discussed the 2 individual Right of Access (RoA) use cases, which were explored in the CCDE Connectathon Track in September: (1) MU VDT with RoA requested by the patient directly - where the Discloser has already identitiy proofed and can authenticate the patient requesting RoA as well as vetted the patient designated App end point, which does not require a prospective signed RoA consent directive, and where the RoA consent directive can be memorialized retrospectively; and (2) RoA where the end point requesting access is a third party acting on behalf of the patient, which does require prospective signed individual RoA consent directive. See [https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html HHS Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524] and [https://www.hhs.gov/hipaa/for-professionals/faq/2041/why-depend-on-the-individuals-right/index.html HHS Right of Access vs. HIPAA Authorization]
*FHIR Bulk Data Transfer comments - John indicated that he'd posted these.
*Kathleen presented topics for HL7 comments on the ONC ISA 2018 for input by Security WG. Plan is to continue comment development in these areas and seek WG approval during next week's call.
*John will hold a FHIR Security call later in the day.
*Meeting adjourned.

Revision as of 15:30, 11 October 2017


Attendees (x = present, . = absent)

x John Moehrke, Security Co-chair
x Kathleen Connor, Security Co-chair
x Alexander Mense, Security Co-chair
. Trish Williams, Security Co-chair
. Mike Davis
x Suzanne Gonzales-Webb
x David Staggs
x Christopher Shawn
. Mohammed Jafari
x Beth Pumo
. Ioana Singureanu
. Rob Horn
x Diana Proud-Madruga
. Serafina Versaggi
. Joe Lamy
. Galen Mulrooney
. Paul Knapp
. Grahame Grieve
. Johnathan Coleman
. Aaron Seib
. Ken Salyards
x [1]
. Gary Dickinson
. Dave Silver
. Oliver Lawless
. Ken Rubin
. David Tao
. Nathan Botts


Agenda

  1. (3 min) Roll Call, Agenda Approval
  2. (10 min) Review and Approval of October 3rd Minutes.
  3. (10 min) Is Privacy Obsolete? Study Group wiki page with IPO? Listserv link. Update on project - Mike Davis and Chris Shawn
  4. (5 min) Update on Security WG Bulk Data Transfer Comments submission - John Moehrke
  5. (30 min) Review and draft Security WG comments on PAC comment guidelines and highlighted ISA items related to Security and CBCP Scope
  6. (2 min) FHIR Security call - Call will happen at 5PM ET/2PM PT

Meeting Materials

  • Potential Comment Areas
      • Upgrade maturity of data segmentation on CDA
          ○ Include FHIR Security labels as means to protect FHIR Bundles and Resources
      • Add FHIR Consent and Contract to emerging Consent Directive standards
          ○ Include use of both for individual Right of Access
      • Add FHIR Provenance to DPROV
      • Add FHIR Audit Event
          ○ Include the ability to use FHIR Audit Events to generate FHIR Accounting of Disclosure Resources
      • Add TF4FA and FHIR Contract for App Terms of Service and for Trust Contract to determine trading partner capabilities, e.g., consuming and enforcing computable consent directives
      • Add NIST SP 800-63, NIST SP 800-53, and NISTIR 8062 to Security Standards section.

Minutes

  • Kathleen Chaired.
  • October 3rd Minutes review deferred.
  • Agenda reviewed and approved.
  • Quick look at The Secure API Server Showdown Challenge
  • Is Privacy Obsolete? updates - Chris and John have added articles. Links to the IPO? List Serve added.
  • John referenced the HL7 Blog Posts by Sandeep Giri HL7® FHIR® Connectathon 16: Patient Consent Forms: Redundant in the World of OAuth2? Part 1 of 2 and HL7® FHIR® Connectathon 16: Patient Consent Forms: Redundant in the World of OAuth2? Part 2 of 2 which captured the main findings from the CCDE Connectathon Track.
  • Kathleen will add links to the Consumer Centric Data Exchange (CCDE) thread on HL7 Blog, from the Connectathon wiki, and MiHIN CCDE Confluence site.
  • John and Kathleen discussed the 2 individual Right of Access (RoA) use cases, which were explored in the CCDE Connectathon Track in September: (1) MU VDT with RoA requested by the patient directly - where the Discloser has already identity proofed and can authenticate the patient requesting RoA, and has vetted the patient-designated App end point; this does not require a prospective signed RoA consent directive, and the RoA consent directive can be memorialized retrospectively; and (2) RoA where the end point requesting access is a third party acting on behalf of the patient, which does require a prospective signed individual RoA consent directive. See HHS Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524 and HHS Right of Access vs. HIPAA Authorization.
  • FHIR Bulk Data Transfer comments - John indicated that he'd posted these.
  • Kathleen presented topics for HL7 comments on the ONC ISA 2018 for input by Security WG. Plan is to continue comment development in these areas and seek WG approval during next week's call.
  • John will hold a FHIR Security call later in the day.
  • Meeting adjourned.