
Difference between revisions of "April 10, 2018 CBCP Conference Call"

From HL7Wiki
 
Line 1: Line 1:
 +
=Community-Based Care and Privacy (CBCP) Working Group Meeting=
 +
 +
[[Community-Based_Collaborative_Care|Back to CBCP Main Page]]
 +
 +
==[[Community-Based_Collaborative_Care| Meeting Information]]==
 +
 +
Dial-in Number:  '''(515) 604-9861;  Access Code: 429554'''
 +
* International Dial-in Numbers: https://fccdl.in/i/cbhs
 +
 +
* Online Meeting Link: '''[https://join.freeconferencecall.com/cbhs https://join.freeconferencecall.com/cbhs ]'''
 +
* Click on ''Join an Online Meeting'' Enter Online Meeting ID: ''' ''cbhs'' '''
 +
* Follow prompts if not automatically connected
 +
 +
''Please be aware that '''teleconference meetings are recorded''' to assist with creating meeting minutes''
 +
 +
[[Community-Based_Collaborative_Care|Back to CBCP Main Page]]
 +
 +
==Attendees==
 +
Call Recording: [https://fccdl.in/0gfP7LTghl https://fccdl.in/0gfP7LTghl] (temporary)
 +
 +
{| class="wikitable"
 +
 +
|-
 +
! ||'''Member Name'''|| !!  x ||'''Member Name''' !!|| x ||'''Member Name''' !!|| x ||'''Member Name''' !!
 +
|-
 +
||  x|| [mailto:jc@securityrs.com Johnathan Coleman]CBCP Co-Chair
 +
||||x|| [mailto:suzanne.webb@bookzurman.com Suzanne Gonzales-Webb] CBCP Co-Chair 
 +
||||x|| [mailto:jim.kretz@samhsa.hhs.gov Jim Kretz] CBCP Co-Chair
 +
||||x|| [mailto:david.pyke@readycomputing.com David Pyke] CBCP Co-Chair
 +
|-
 +
 +
||  x|| [mailto:Kathleen_Connor@comcast.net Kathleen Connor] Security Co-Chair
 +
||||x|| [mailto:mike.davis@va.gov Mike Davis]
 +
||||x|| [mailto:johnmoehrke@gmail.com John Moehrke] Security Co-Chair
 +
|||.x|| [mailto:Diana.Proud-Madruga@engilitycorp.com Diana Proud-Madruga]
 +
 +
|-
 +
||  .|| [mailto:Chistopher.Shawn@va.gov Chris Shawn] 
 +
||||x|| [mailto:neelimaj70@gmail.com Neelima Chennamaraja]
 +
||||.|| [mailto:Joseph.lamy@ssa.gov Joe Lamy]
 +
||||.|| [mailto:glinden@lindentechadvisors.com Greg Linden]
 +
|-
 +
|-
 +
||  x|| [mailto:irina.connolly@gtri.gatech.edu Irina Connelly]
 +
||||.|| [mailto:saurav.chowdhury@esacinc.com Saurav Chowdhury]
 +
||||x|| [mailto:dave.silver@electrosoft.com Dave Silver]
 +
||||x|| [mailto:fjauregui@electrosoft.com Francisco Jauregui]
 +
|-
 +
||  .|| [mailto:patricia.peretz@gmail.com Patricia Peretz]
 +
||||.|| [mailto:ayp@securityrs.com Amber Patel]
 +
||||x|| [mailto:becky.angeles@carradora.com Becky Angeles]
 +
||||.|| [mailto:Jennifer.brush@esacinc.com Jennifer Brush]
 +
|-
 +
 +
||  .|| [mailto:mjafari@edmondsci.com Mohammed Jafari]
 +
||||.|| [mailto:ali.khan@gmail.com Ali Khan]
 +
||||.|| [mailto:kenneth.salyards@samhsa.hhs.gov Ken Salyards]
 +
||||.|| [mailto:kensinn@gmail.com Ken Sinn]
 +
|-
 +
||  .|| [mailto:david.staggs@bookzurman.com David Staggs]
 +
||||.|| [mailto:Steve.Eichner@dshs.state.tx.us Steve Eichner]
 +
||||.|| [mailto:ioana.singureanu@gmail.com Ioana Singureanu]
 +
||||x|| [mailto:Beth.Pumo@kp.org Beth Pumo]
 +
 +
|}
 +
 +
 +
[[Community-Based_Collaborative_Care|Back to CBCP Main Page]]
 +
 +
===Agenda===
 +
# Roll Call, Agenda Review
 +
# Meeting Minutes approval:
 +
# ''(5 min)'' '''CBCP FHIR THURSDAY call at 1:00 ET // [http://wiki.hl7.org/index.php?title=HL7_FHIR_Consent_Directive_Project FHIR Consent Directive Project Wiki, Main page]
 +
#* [http://gforge.hl7.org/gf/download/docmanfileversion/9485/14983/FHIR%20Consent%20Resource%20STU3%20POU%20Discussion.docx FHIR Consent discussion]
 +
#* FHIR CPs for review
 +
#* FHIR Consent CPs are located: [https://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemBrowse&tracker_id=677&querynav=%2Fgf%2Fproject%2Ffhir%2Ftracker%2F%3Faction%3DTrackerItemBrowse%26tracker_id%3D677%26forget_query%3D1&quickquery=1&tracker_item_id=&summary=&submitted_by=&priority=&assigned_to=&extra_field%5B4214%5D=&extra_field%5B4215%5D=&extra_field%5B4060%5D=&extra_field%5B3631%5D=&extra_field%5B3807%5D=19593&extra_field%5B3808%5D=&extra_field%5B3628%5D=&extra_field%5B3626%5D=&extra_field%5B4065%5D=&extra_field%5B4092%5D=&extra_field%5B4063%5D=&extra_field%5B4062%5D=&extra_field%5B2415%5D=-3&extra_field%5B4252%5D=&extra_field%5B3633%5D=&extra_field%5B3969%5D=&extra_field%5B4069%5D=&extra_field%5B4066%5D=&extra_field%5B4071%5D=&extra_field%5B3632%5D=&sortcol=priority&sortord=DESC link to ALL Consent Change requests]
 +
# '''FHIR Security Project Update''' - Johnathan
 +
# '''Privacy and Security Architecture Framework (PSAF) Ballot''' - update, discussion Meeting weekly on Thursdays 11:00 AM ET [http://www.hl7.org/concalls/CallDetails.aspx?concall=38423 Meeting Link:] http://www.hl7.org/concalls/CallDetails.aspx?concall=38423
 +
 
=Community-Based Care and Privacy (CBCP) Working Group Meeting=
 
=Community-Based Care and Privacy (CBCP) Working Group Meeting=
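Review bot: The added block opens with the level-1 heading `=Community-Based Care and Privacy (CBCP) Working Group Meeting=`, which is identical to the unchanged context line that follows the additions, so the page will carry the same title twice; drop the added heading or fold the new material under the existing one. In the attendee table, the cell for Diana Proud-Madruga is written `|||.x||` while the other non-leading cells use `||||x||` or `||||.||`, which leaves both the pipe count and the attendance mark ambiguous, and there are two consecutive `|-` row separators before the Irina Connelly row. The display name "Irina Connelly" does not match the spelling in its mailto address (irina.connolly), and the agenda item "CBCP FHIR THURSDAY call" opens `'''` without closing it.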
  
Line 91: Line 170:
  
 
'''Privacy Study Group Update''' (mike -
 
'''Privacy Study Group Update''' (mike -
 +
* notification; we have been heads down on the May ballot
 +
* Kathleen has placed additional materials into the repository; there is some interesting things going on with Zuckerberg
 +
* we are reactivating the study group activities
 +
 +
'''ONC Paper''' - Johnathan
 +
* today at 2:00ET
 +
* API best practices document privacy and security principals;
 +
* last week started a deep dive into security recommendations and do privacy afterwards
 +
* good discussion of TLS and where 1.2 should be the minimum depending on the venders and API developers
 +
* we've pulled in recommendations with modification
 +
* input validation is the next step for today's discussion
 +
** sync for science - interface for research and science. into FHIR; original use case, how can apparent choose a research project "use my information"-- who does that patient engage to tell the care providers through a patient portal--they have access to my API; that has been generalized to: how can a patient authorize ANY app... (i.e. apple health) a "user-experience" because there is no technology involved--where an app can be authorized by a patient through a portal experience.  the app has an OAuth token, leveraging (on top of smart on FHIR); sync for science is that last step... as opposed to pure smart on FHIR as only as provider working directly with patients themselves.
 +
** related to that is program by which where an induvial consumer can be brought in for sync-for-science program...
 +
 +
 +
'''PSAF ballot''' (TF4FA ballot)
 +
* PSAF calls done until reconciliation
 +
* ballot submitted last Sunday
 +
** vote please
 +
** reconciliation
 +
* volume 3 - Audit, started.
 +
** intended to cover EHR lifecycle events and audit but also provenance; a hint there in terms of the PSAF umbrella that will be doing that.  a 4th volume on authentication - not sure we need the volume (it’s boring) Mike was thinking of a US-realm the fact that NIST wants their standards to be more open... the 800-63 Identity and authorization standards has been adopted by TEFCA ONC as a general standard and 800-3 - different security controls and SLS has been written in a general way.  we can talk about this in a US way.  authentication in general under trust is not that important a concept as the user-level... it’s more a concept at an org level.  you see in the US a trend to move away from individual identity and assertation and reliance on the org as the endpoint for sharing for trust.  the trust contract is between orgs and not individuals. (individuals are irrelevant in establishing the contract) thinking that the authentication may not be something to explore just yet...  having gone through the authorization stuff and detailed out some of the contract items in the trust proposal in the ballot. the run-time value of things are not essential to the trust contract ...at top level.  trust contract at this level is not terribly important
 +
* for volume 3 is that pass-audit or a different direction
 +
** pass audit is part of the basis; wanted to work with rehash Reed Gelzer work... we did make a relationship between EHR evens audit and provenance.  we've connected the dots between them and that might be a good place to start... pass audit would be a reference but PAS audit - is about audit not anything further than that.
 +
* ISO has specifications covering that (JohnM) lifecycle events - specifically open EHR activities and audit events and that should be brought in (Gary Dickinson’s work?)
 +
** only partial correlation in ISO with what's been done.  the idea behind is we relate lifecycle events with the W3C view;
 +
** audit in relationship to trust.
 +
 +
'''eLTSS project''' Irina
 +
* no update to report
 +
* PSS "final" please let us know if we need to change anything...
 +
** PSS: https://gforge.hl7.org/gf/project/cbcc/docman/eLTSS%20-%20%20ONC%20Electronic%20Long-Term%20Services%20and%20Supports
 +
 +
'''OMNIBUS Care Plan'''
 +
Neelima:
 +
update on project: OMNIBUS Care plan
 +
* managed care teams and care plans
 +
** using FHIR profiles and using
 +
** defining elements, adding consent security and privacy
 +
** working with SAMHSA (not an HL7 project)
 +
 +
Meeting adjourned: (Jim) at 0935AM
 +
 +
'''Meeting Minutes (DRAFT)'''
 +
(meeting recording); [https://fccdl.in/OVvromSTh8 temporary)
 +
 +
'''Privacy Study Group''' – Mike, Kathleen
 +
Privacy Study Group that could consider these things...?
 +
* erasure
 +
* patient directed - where patient has directed the EHR to send;
 +
* patient owned EHR without 2nd or 3rd party
 +
* patient handling instructions - where they do now want to push forward
 +
* where a patient authorizes' to care providers to have direct communications (i.e. where patient is involved in a care plan--'I have just chosen this home nurse and they can speak directly with GP); this is perceived as a step beyond sync for science (14:00) Johnathan
 +
** it is that paper are based on the sync for science on the API’s and ...  tangible security and privacy... (update on FHIR for security)
 +
 +
'''Privacy Study Group Update''' (Mike)
 
* notification; we have been heads down on the May ballot
 
* notification; we have been heads down on the May ballot
 
* Kathleen has placed additional materials into the repository; there is some interesting things going on with Zuckerberg
 
* Kathleen has placed additional materials into the repository; there is some interesting things going on with Zuckerberg
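Review bot: The external link in the added "Meeting Minutes (DRAFT)" section, `[https://fccdl.in/OVvromSTh8 temporary)`, is never closed with `]`, so it will not render as a link; close the bracket before the parenthesis. The bullets added directly under the existing "Privacy Study Group Update (mike -" heading ("notification; ..." and "Kathleen has placed additional materials ...") repeat the unchanged bullets that now follow the added "Privacy Study Group Update (Mike)" heading, so the same update appears twice and the older heading keeps its unclosed parenthesis; keep one copy under the corrected heading. In the ONC Paper bullets, "privacy and security principals" should read "principles" and "venders" should read "vendors".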

Latest revision as of 23:47, 4 June 2018

Community-Based Care and Privacy (CBCP) Working Group Meeting

Back to CBCP Main Page

Meeting Information

Dial-in Number:  (515) 604-9861;  Access Code: 429554
* International Dial-in Numbers: https://fccdl.in/i/cbhs

* Online Meeting Link: https://join.freeconferencecall.com/cbhs  
* Click on "Join an Online Meeting"; enter Online Meeting ID: cbhs
* Follow prompts if not automatically connected

Please be aware that teleconference meetings are recorded to assist with creating meeting minutes

Attendees

Call Recording: https://fccdl.in/0gfP7LTghl (temporary)

| | Member Name | x | Member Name | x | Member Name | x | Member Name |
|---|---|---|---|---|---|---|---|
| x | Johnathan Coleman CBCP Co-Chair | x | Suzanne Gonzales-Webb CBCP Co-Chair | x | Jim Kretz CBCP Co-Chair | x | David Pyke CBCP Co-Chair |
| x | Kathleen Connor Security Co-Chair | x | Mike Davis | x | John Moehrke Security Co-Chair | .x | Diana Proud-Madruga |
| . | Chris Shawn | x | Neelima Chennamaraja | . | Joe Lamy | . | Greg Linden |
| x | Irina Connelly | . | Saurav Chowdhury | x | Dave Silver | x | Francisco Jauregui |
| . | Patricia Peretz | . | Amber Patel | x | Becky Angeles | . | Jennifer Brush |
| . | Mohammed Jafari | . | Ali Khan | . | Ken Salyards | . | Ken Sinn |
| . | David Staggs | . | Steve Eichner | . | Ioana Singureanu | x | Beth Pumo |


Agenda

  1. Roll Call, Agenda Review
  2. Meeting Minutes approval:
  3. (5 min) CBCP FHIR THURSDAY call at 1:00 ET // FHIR Consent Directive Project Wiki, Main page
  4. FHIR Security Project Update - Johnathan
  5. Privacy and Security Architecture Framework (PSAF) Ballot - update, discussion Meeting weekly on Thursdays 11:00 AM ET Meeting Link: http://www.hl7.org/concalls/CallDetails.aspx?concall=38423

Meeting Minutes (DRAFT)

(meeting recording: https://fccdl.in/OVvromSTh8, temporary)

Privacy Study Group – Mike, Kathleen

Privacy Study Group that could consider these things...?

  • erasure
  • patient directed - where patient has directed the EHR to send;
  • patient owned EHR without 2nd or 3rd party
  • patient handling instructions - where they do now want to push forward
  • where a patient authorizes' to care providers to have direct communications (i.e. where patient is involved in a care plan--'I have just chosen this home nurse and they can speak directly with GP); this is perceived as a step beyond sync for science (14:00) Johnathan
    • it is that paper are based on the sync for science on the API’s and ... tangible security and privacy... (update on FHIR for security)

Privacy Study Group Update (Mike)

  • notification; we have been heads down on the May ballot
  • Kathleen has placed additional materials into the repository; there are some interesting things going on with Zuckerberg
  • we are reactivating the study group activities

ONC Paper - Johnathan

  • today at 2:00ET
  • API best practices document: privacy and security principles;
  • last week started a deep dive into security recommendations; will do privacy afterwards
  • good discussion of TLS and where 1.2 should be the minimum, depending on the vendors and API developers
  • we've pulled in recommendations with modification
  • input validation is the next step for today's discussion
    • Sync for Science - interface for research and science into FHIR; original use case: how can a patient choose a research project ("use my information"), and who does that patient engage to tell the care providers through a patient portal that "they have access to my API"; that has been generalized to: how can a patient authorize ANY app... (i.e. Apple Health), a "user experience" because there is no technology involved, where an app can be authorized by a patient through a portal experience. The app has an OAuth token, leveraging (on top of) SMART on FHIR; Sync for Science is that last step... as opposed to pure SMART on FHIR as only a provider working directly with patients themselves.
    • related to that is a program by which an individual consumer can be brought in for the Sync for Science program...


PSAF ballot (TF4FA ballot)

  • PSAF calls done until reconciliation
  • ballot submitted last Sunday
    • vote please
    • reconciliation
  • volume 3 - Audit, started.
    • intended to cover EHR lifecycle events and audit but also provenance; a hint there in terms of the PSAF umbrella that will be doing that. A 4th volume on authentication - not sure we need the volume (it's boring). Mike was thinking of a US realm, the fact that NIST wants their standards to be more open... The 800-63 identity and authorization standards have been adopted by TEFCA ONC as a general standard, and 800-3 - different security controls and SLS - has been written in a general way. We can talk about this in a US way. Authentication in general under trust is not that important a concept at the user level... it's more a concept at an org level. You see in the US a trend to move away from individual identity and assertion and toward reliance on the org as the endpoint for sharing for trust. The trust contract is between orgs and not individuals (individuals are irrelevant in establishing the contract). Thinking that authentication may not be something to explore just yet... having gone through the authorization stuff and detailed out some of the contract items in the trust proposal in the ballot. The run-time value of things is not essential to the trust contract... at top level. Trust contract at this level is not terribly important.
  • for volume 3 is that pass-audit or a different direction
    • pass audit is part of the basis; wanted to work with (rehash) Reed Gelzer's work... we did make a relationship between EHR events, audit and provenance. We've connected the dots between them and that might be a good place to start... pass audit would be a reference, but PAS audit is about audit, not anything further than that.
  • ISO has specifications covering that (JohnM) lifecycle events - specifically open EHR activities and audit events and that should be brought in (Gary Dickinson’s work?)
    • only partial correlation in ISO with what's been done. the idea behind is we relate lifecycle events with the W3C view;
    • audit in relationship to trust.

eLTSS project Irina

OMNIBUS Care Plan

Neelima: update on project: OMNIBUS Care plan

  • managed care teams and care plans
    • using FHIR profiles and using
    • defining elements, adding consent security and privacy
    • working with SAMHSA (not an HL7 project)

Meeting adjourned: (Jim) at 0935AM
