This wiki has undergone a migration to Confluence found Here
<meta name="googlebot" content="noindex">

Difference between revisions of "October 27th 2009 CBCC Conference Call"

From HL7Wiki
Jump to navigation Jump to search
 
(7 intermediate revisions by the same user not shown)
Line 1: Line 1:
==[[Community-Based_Collaborative_Care| Meeting Information]]==
+
==[[Community-Based_Collaborative_Care|Back to CBCC Main Page]]==
[[Community-Based_Collaborative_Care|Back to CBCC Main Page]]
 
  
 
==Attendees==  
 
==Attendees==  
Line 11: Line 10:
 
* [mailto:djorgenson@inpriva.com Don Jorgenson]
 
* [mailto:djorgenson@inpriva.com Don Jorgenson]
 
* [mailto:rmcclure@apelon.com Rob McClure]
 
* [mailto:rmcclure@apelon.com Rob McClure]
 +
* [mailto:mailto:smeyer@computer.org Steve Meyer]
 
* [mailto:milan.petkovic@phillips.com Milan Petkovic]
 
* [mailto:milan.petkovic@phillips.com Milan Petkovic]
 
* [mailto:ppyette@perimind.com Pat Pyette]
 
* [mailto:ppyette@perimind.com Pat Pyette]
Line 23: Line 23:
 
#''(20 min)'' Privacy Consent DAM Ballot reconciliation - Canadian comments  
 
#''(20 min)'' Privacy Consent DAM Ballot reconciliation - Canadian comments  
 
#''(25 min)'' [http://gforge.hl7.org/gf/project/cbcc/scmsvn/?action=browse&path=%2Ftrunk%2FData%2520Consent%2Fdocs%2FCDAR2_CD_IG%2520_D1_2010JAN.doc&view=log DRAFT CDA Implementation Guide] - Discussion
 
#''(25 min)'' [http://gforge.hl7.org/gf/project/cbcc/scmsvn/?action=browse&path=%2Ftrunk%2FData%2520Consent%2Fdocs%2FCDAR2_CD_IG%2520_D1_2010JAN.doc&view=log DRAFT CDA Implementation Guide] - Discussion
#''(10 min)'' [http://hssp-security.wikispaces.com/PASS+Consent PASS Consent Requirements Draft version 0.01] - Next Steps
 
==Action Item==
 
Ioana/Serafina: Add the scenarios Mike submitted recently to the Security DAM as illustrations of the use cases
 
==Minutes==
 
Ioana proposed an additional agenda item
 
*Vote on the scope of the Security Domain Analysis Use Cases so we can move forward elaborating them. 
 
  
'''Summary of the meeting:'''
+
==Action Items==
*Motion for the Security Work Group to endorse the Harmonization Proposal for Confidentiality and Sensitivity was passed.  None opposed, none abstained.
+
#Pat will draft clarification the definition for Shared Secret, which will be added to the glossary (Item #16, line 19)
*Motion for the Security Work Group to agree on the scope of the Security DAM Use Cases passed.  None Opposed, None Abstained.
+
#Ioana will address the outstanding items in the Privacy DAM Ballot (related to diagram fixes/changes.)
 +
#Review draft CDA Implementation Guide for next meeting.  Continue discussion related to using sectionText versus actText on the ListServ.
  
'''Transcript of the Discussion follows:'''
+
==Minutes==
 
+
'''1. Accept Agenda'''
Ioana presented the RIM Harmonization proposal – changes to confidentialityCode and addition of a new sensitivityCode
+
*PASS Consent Requirements Draft review taken off the agenda
 
+
**Was only on the agenda as a carry over item from previous weeks
*Glen suggested it would be useful to include sensitivity as part of the message envelope. This harmonization proposal supports that suggestion because the message wrappers and control (?) wrappers are based on the generic ActYou could glean the sensitivity and confidentiality of the payload without actually opening up the payload.  This is the crux of the issue – don’t give away a secret to keep it.
+
**Not needed for the current PASS Ballot, likely to be for the May ballot, so it will be removed for now
*This proposal has several elements, which clarify the current Act.confidentialityCode that has mixed semantics. 
+
'''2. Privacy Consent DAM Ballot reconciliation – Canadian Comments'''
*#Add Role.sensitivityCode to indicate the level of sensitivity of the information that someone may access. Right now there is a Role.confidentialityCode that refers to the confidentiality of the role not in the information that role is allowed to access.   
+
*Last few comments were discussedAfter review, a vote was taken to approve the Canadian dispositions
*#*So we would have a Role.sensitivityCode and Act.sensitivityCode. 
+
*Item 57: ''Match Keyword (to override consent)'': This use case will be renamed so it doesn't imply a match is done.  
*#Suggested changes to vocabulary/terminology 
+
**This comment is related to comment #30The Match Keyword use case will be renamed to ''Assert Patient Consent (to override consent)''
*#*Right now there is the confidentiality abstract domain, with three sub domains
+
**''Shared Secret'' and ''Keyword'' are equivalent terms from the Canadian perspective (Keyword is in use in British Columbia & Newfoundland for their drug system).  Keyword enables clients to allow providers access to sensitive and/or masked/hidden information upon the provision of the Keyword at the point of care
*#**ConfidentialityByAccess type
+
**In the US, the concept of Keyword may be replaced by a “password/shared secret” or other mechanism that can be revealed at the point of care by the client if necessary
*#**Confidentiality modifiers
+
*Item 58: There was a misunderstanding about a use case triggered by Figure 4, which was cleared up by the following discussionThe Privacy DAM will be updated to clarify the intent of the use case, ''Information System Flags Masked Health Record Information'', found in the Appendix.
*#**ConfidentialityByInfoType. 
+
**Pat’s interpretation of this use case was to set the confidentiality code on an object; it wasn’t related to the policy sidePolicy would then execute based on the operations being done on that object.
*#Addition of a new Sensitivity abstract domain that would hold SensitivityModifier and SensitivityByInfoType
+
**Ioana: This came across incorrectly and we will clarify it in the document. Flagging happens as a result of executing a specific set of rules then determining whether this user with these particular assertions can see that information.  
*The Harmonization process will determine the optimal way to address these concerns.  It would straighten out some of the issues that Steve has identified with this abstract domain.
+
***The intent of this use case is to determine whether or not you can see masked information, even to see whether or not masked information exists (something masked without your knowledge). It isn’t related to setting confidentiality codes.
*Confidentiality is an abstract concept and ConfidentialityByAccess type is a specialization of Confidentiality
+
***Information is marked as masked, but without this feature, you would know there is something that you cannot see.
**Richard: does this proposal impact anyone/anything?
+
**This provides the ability, based on jurisdiction, to distinguish whether you should even know there is information that you can see. Some jurisdictions allow you to know, some do not.
*Pat: the comment received from Lloyd – the issue is that the existing definition of confidentialityCodeHis preferred solution is to modify definition of confidentialityCode. You can repeat confidentialityCode and it is currently being done, conflating confidentiality and sensitivity. There are many models where this change will have an impact.
+
**Disposition changed from Not Persuasive to Not Related.
*Ioana: this doesn’t effect existing implementationsThis proposal will only impact future implementation guides.  Right now CDA R2 implementations are tied to a particular version of the RIM. There have been many changes to the RIM since CDA R2 was released. And CDA was not affected by any of these changes.  This is not a retroactive effect.
+
*Item 62: Disposition was changed to Persuasive and proposed wording replaced existing wording for Manage Shared Secret use case
*Don: Does Lloyd usually participate in Harmonization.
+
*Item 71: Pat had a question about object reference that has a single attribute of category and there’s also information reference that has a category. What is the difference?
*Ioana: Yes, and he will be there.  He will have the chance to respond to this proposal at the Harmonization meeting in mid November. This proposal doesn’t change the RIM until Harmonization approves it.
+
**Ioana: The answer to the question is: object reference has a code that is an information object and information reference has a category code that is a whole category of information, like MedicationOne refers to atomic objects; the other refers to categories of dataInformation reference that has an attribute called category code and then objects that have an attribute called code that is an information object code like Order, MedicationBasically reflecting the current distinction in HL7 – broad categories like laboratory results, then you can have the discrete object types that would be in laboratory. There is a difference in the granularity of the dataThere is a value set from RBAC for information objects.
*Steve: I have one issue that I would like to bring up. Not sure whether the harmonization group will address this but it has to at some point .  The fact that you have the role.Sensitivity type and Act.sensitivity type and you want to use the same value set for both attributes, that will cause some problems. The concepts in the value set have role implications,  such as taboo and clinician.  Those concepts come with a certain role implication and so they’re not easily switched between the role attribute and the act attribute.
+
**Disposition comment: we will clarify the difference between category and object code.
*Ioana: so you’re saying the coded concepts associated with actSensitivity are different from roleSensitivity?
+
*Item 75: The intent of the comment was to suggest a change to the model so the client, the consenter, and target record would be differentThe Information Model (figure 10, not figure 8) will be updated to reflect the appropriate relationships.
*Steve: I’m saying if we want to use those coded concepts we probably should make them role independent.
+
**Rob was concerned about the change to the model.   
*Ioana: They are.  You are correct.  This, in my opinion, is the problem with the current roleConfidentiality.  The way it reads in the RIM, this attribute is an attribute of this Role that deems it to be ConfidentialI don’t know of anything that would imply that a role is ConfidentialBut I know that associated with that role is associated a specific level of sensitivity that is assigned to that Role.  I, as an analyst, can look at classified informationThat’s what my Role.sensitivity is.  I may not be able to look at classified information. That’s a different Role.sensitivity.  So I concur with you, it’s a qualifier of the role, but it speaks about the information that the role is intending to accessThat’s what I am trying to capture here.
+
**Pat provided the clarification for the change.
*Steve: I may be talking about something differentFor example, the coded concept of taboo carries with it an implication of Role, i.e., this is information that should be kept from the patient.  The provider has access to that information, but the patient does not have accessSo within that concept, there is an implication of role. So if you apply taboo to a role of clinician, it doesn’t really make any sense
+
***My original concern was that Client was hanging off of consenter and consenter is from a consent directive perspective is only there from an Audit thing. Who is it that created this Consent Directive?  Whereas the client is a first class and key information blob associated with the consent directive and I wanted to make sure from a modeling perspective, yes the client could be the consenter or the consenter could be an SDM, but the client wasn’t dependent on a consenter, so if the consenter went away the client wouldn’t.
*Ioana: would it mean that they could look at taboo information?
+
**Ioana: This also provides the capability to capture the relationship between the client and the consenterThis works well for CDA as well. The consenter has a relationship already, a property of this association. It is much easier in the DAM to show the consenter has a relationship to the client so that is by virtue of this relationship between the client and the consenter, there would be an attribute of this association: that would be the relationship.  That’s the major change.  This basically preserves the semantics and I think it’s a better organization.
*Steve: The definition of taboo in the HL7 sense, is information that is kept from the patient but is accessible to the provider.   
+
**Rob: I’m thinking about using these things rather than creating themWhere is this going to occur?
*Ioana: there has to be some organizational policy, some XACML policy that says if you’re the subject of the record you can’t see this information
+
**Ioana: When you issue a consent directive, you can have a SDM as the consenter who signs off on the consentAnd the consent refers to a specific client’s medical record or set of records.  We’re capturing the sign-off of the consent is separate from the consent itself.  But we also capture the relationship between the consenter and the client.
*Mike: I don’t see this is any different than anything else. The patient is also an IT userSo in order to grant the patient access to something whether it is taboo or whatever, it would have to have that attribute.  
+
**Rob: Is there a use case that would say, for this client, I consenter, am consenting for these kind of records.
*Ioana: It would be an authorization you run against enforcing the specific set of authorization policies that would include whether taboo information can be disclosed to someone who authenticates them self as a patient and is the subject of the record.
+
**Ioana: You’re consenting for a specific client for a specific set of records but it’s in the consent rule that you’re naming specific information objects or categories of information.
*Steve: I’m not saying this is not a condition, this is a requirement that a system has to block access to certain information to the patient but not to the provider. But to have that concept and now be able to use that as a value for this roleSensitivity attribute, then you can tack that concept onto a role of clinician.  What does it mean at that point?  It’s meaningless.
+
**Pat: Specific set of records doing that based on, you could say, all of them based on a category or a confidentiality code, or sensitivity code or purpose of use.
*Pat: There might be another way of looking at this, not necessarily the read part.  But in terms of which roles have the authority to flag records as taboo. Is it only primary care physicians that should have that authorityIn countries where patients are the owners of information, there would only be a finite set of folks who have the right to withhold that information that in theory they have the right to, and in theory only for a short period of time.
+
**Ioana: These are the detailed rules on what parts of my records would be protected by this particular consent that is pointing to information for patient xyz.
*Steve: I see your point and that’s valid. I think we’re going to have some problems in using concepts in these value sets that have this built-in roleWhat would probably be preferable is to have some role-ambiguous concept that says you can block access to this certain group, and this other group has access.
+
**Rob: what you’re saying is that a consenter can provide a consent directive for a clientBut when you apply that consent directive to a personal health record, it would, through a process you can identify; these are the records that are managed by that consent.  But that is completely outside of this DAM. That’s a secondary thing. I was worried that you were saying that within the context of this DAM you have some link between the consenter and the personal health record without the client, and you don’tI think this change does make sense and makes it much clearer.
*Pat: So treat it as a Permission as opposed to a specific role attribute.
+
**Ioana: No, this change doesn’t change the intent.
*Ioana: And I think that’s a valid point, but it’s out of the scope for what this proposal was originally intended to do.
+
**Disposition is updated to Persuasive and the information model will be updated.
*Steve: But you’re introducing this Role.sensitivityCode attribute.  You’re pushing the value set to a place where it was never intended to go.
+
*Ioana made a Motion to approve the revised Canadian dispositions.
*Ioana: There is a Role.confidentialityCode already.  This particular confidentiality modifier of taboo was already defined as a modifier for a Role. That’s why I say this is a little out of the scope for this proposal.  We haven’t changed things very much, and this is not a drastic change. It is just casting these different coded concepts to different abstract concepts. So right now if you want to say this role has a confidentiality of taboo (confidentiality modifier), you can do that right now.
+
**Seconded by Pat Payette
*Don: How is this impacting your work?  Why do you see the need to do this right now?
+
*'''Vote:''' Abstain: 1 (chair); Oppose: 0; Approval: 15
*Ioana: During domain analysis for security, we need to have a sensitivity indicator that would be separate and distinct from confidentiality and Security, two things became clear. 
+
'''3. CDA Implementation Guide draft'''
*#We need to have a sensitivity indicator that would be distinct from a confidentiality indicator that is more focused on access control versus sensitivity that deals with specific qualities of the data. 
 
*#The users in the security policy have to also have specific security level that matches the information. So this comes from the domain analysis. 
 
**In discussions with Lloyd, he does not disagree that they deliberately combined confidentiality (with sensitivity).  If you look at the RIM, the definition of confidentiality reads like ISO confidentiality, but the usage notes describes sensitivity.  So the definition for confidentiality is correct in the RIM.  The RIM has confidentiality, but it does not have sensitivity. The usage notes are confusing, and I hear what Pat is saying is that in Canada they’ve taken the usage notes to be more normative.  They are using confidentiality to describe sensitivity.
 
*Pat: The code set we use for confidentiality is Normal, Restricted and Taboo – so even in that code set there’s a conflation there.
 
*Ioana:  You’ve combined ConfidentialityByAccessCode with confidentiality modifier.  So we don’t have to endorse this proposal if people would like to continue to use the old ways of combing these concepts.  This is the gist of this proposal.  We don’t have to endorse this if we don’t think this prevents us from representing security concepts in the future.  But right now we would not be able to create a policy that distinguishes between confidentiality and sensitivity.
 
*Don: So what are the groups that are the other half of this .  Who are the consumers of those codes. Who provisions them? What are the groups that are responsible for the Documents and the messages and what do they have to say?
 
*Ioana: You’re correct. It would be similarly difficult to distinguish the intent of the documents.  When they are using confidentiality in Canada, they use ConfidentialityByAccessCode and confidentiality modifiers.  That’s their analogy. Their artifacts would not distinguish between confidentiality and sensitivity.
 
*Richard: so will Canada be affected by this change if they are truly tied to a version of the RIM where confidentiality is represented in the way it is being used?
 
*Pat: Each year, there is a maintenance cycle for the Canadian standards, and the intent is to stay current with the RIM whenever we can. CDA is not  big player at this time.  So from the message perspective we try and stay as consistent with the current RIM as possible.  So there will be some impact in Canada for this.  But Ioana is right, if we want to stay with a certain version of the RIM, then this would not have an impact.  But I can’t see that ever happening. 
 
*Richard: so will this make Lloyd upset?
 
*Pat: I think Lloyd will be upset, but I don’t think we need to deal with that here.  We can deal with this in harmonization.
 
*Steve: One detail, the value set is called ConfidentialityByAccessKind, not Type.
 
*Richard: The downside is perhaps in Canada, but in terms of the security DAM it makes an important distinction, so it makes sense to pursue this?
 
*Pat: To Don’s point, who are the other consumers for this? What groups are provisioning, what are the implications from their perspective. Should we try and take that into consideration before we do this, or is that something that happens at harmonization and we let them fend for themselves.
 
*Ioana: The only things provisioning anything in the US are those who are producing HL7 version 2 messages. They may or may not care about confidentiality codes at all.  The only change this will introduce is for those reading the RIM for the first time, they will notice that the conf code description is consistent with its usage.  Right now it’s not.  I think we’ve discussed this effectively.  If this work group does not wish to endorse the proposal we don’t have to take this any further.  I’d like to make a motion that to vote on whether security wishes to endorse this proposal or not.
 
*Mike: seconds the motion. For me it’s very simple. We’re trying to get this aligned with existing security standards, which it’s not
 
*Glen: chair.  Call for vote –None opposed No abstentions.  Motion passed.
 
 
 
'''Security Use Cases'''
 
 
 
Based on last week's discussion:
 
*Decided 1.9 Accounting of Disclosures use case would be referred to PASS. Don is aware of this, and PASS will be addressing the use case. The Security Wiki will be updated to note that PASS is addressing this use case.
 
*Even though 1.6 Enforce Secure Exchange of Health Records (functionality in the EHR- Functional model) is not in scope for he Security DAM, the exchange of consent directives is. On closer examination, we found this is addressed in the Composite Privacy DAM, so 1.6 is deemed out-of-scope in Security for now. Since it is addressed by the Composite Privacy DAM, we haven't lost track of this use case.  We have explicitly discussed the exchange, query and look up of consent directives with detailed scenarios. 
 
*1.5 Enforce authenticity of legal healthcare documents, 1.6 Enforce Secure Exchange of Health Records and 1.9 Accounting of Disclosures are out of scope for this version of the Security DAM.
 
*The other use cases will be further elaborated, especially 1.4 Enforce privacy policy and consent directives using access control.
 
  
Today's Discussion:
+
We don’t have time to fully review the draft Implementation Guide this weekWe will devote the full hour to it next time. Ioana provided background on the intent of the document and addressed some of the concerns raised in an email from Tom Davidson.
*Milan: One questionIt is not completely clear. Are you for an integrated Privacy and Security DAM or just Security DAM.
+
*Ioana: There are a few objectives for this GuideOne intention is to stay backwards compatible with the basic privacy consent DAM.  I don’t know if that’s a good idea or now. The question is what effect will it have on a structured document?
*Ioana: I’ll let Mike and Richard talk about that . I think they are considering an integrated DAM for perhaps a May ballotSo I think we are probably going to do that after January. Maybe this is a good time to discuss the strategy.
+
*Tom: The BPPC currently has constraints in it that may be too restrictive for what we’re doing.  Right now, it only defines a mechanism and the structured body to allow a physician to assert the consent.  It doesn’t capture half of what we’re trying to. So one of the questions I posed is, are we required to be bound by this, because BPPC already has an implementation guide for a CDA document? Do we want to look at this as a starting point but not necessarily constrain ourselves to it?  
*Mike: The strategy is to go to ballot in Jan with a Security DAM; the last CBCC ballot – DSTU for Privacy DAM.  These have been worked in parallel and Ioana has notions of how they can be put together but we haven’t really discussed that a lot. The idea was that we would go ahead with the Security DAM as it is written and then we would integrate it with the Privacy DAM at some later point.  This was based on a couple of things discovered doing this work, #1 it was clear that CBCC’s interest in the privacy dam was patient focused, and security was the focus, so they have two endpoints and outputs. But there is a lot of vocabulary on the patient side that is not of interest to Security. We’re interested in integrating privacy vocabulary with security DAM as far as enforcement of authorizations and patient consent is concerned.  The notion is that we can combine them into one giant DAM that was harmonized or we could create some binding classes to provide that interoperability, but we haven’t had that discussion as to how that might happen.  We can find usefulness for both, they’ve been on parallel tracks for now. The strategy is let them keep on parallel tracks to get votes and comments on the Security DAM in January, and then do a harmonization effort for May or maybe for September.
+
*Pat: I’ve had discussions with Glen and John about this. BPPC was never meant as the thing that we’re trying to do with the DAM. It was “the best we can do at this time”. They fully expected that in time, an APPC would be out there.  We should try to be compatible where we can but we shouldn’t be bound by it.
*Richard: And this all feeds into PASS?
+
*Ioana: My intention is to inherit the constraints that BPPC introducesThings like constraints on the header that are already in place, like document type, service event codeWhere we are differing is in the structure of the body.   
*Mike: Part of this is feeding into PASS. They are adopting the information models themselves, so it would be more useful to have something balloted rather than something draft, for them to be working with,
+
**So right now the BPPC implementation guide supports only a Non-XML body, which is a base-64 representation of a scanned document. That’s all it has.
*Don: That’s my principal concern now. In terms of the classes, they seem to be almost there.  Getting a harmonized policy structure, regardless of a vocabulary would be helpful to have at the earliest possible time.  
+
**So what the CDA consent directive Implementation Guide would introduce is additional templates to constrain, either a non-XML body or a structured body. You can have bothThat’s why I didn’t see a problem technically inheriting BPPC because you have to make a choice.  
*Mike: We know what we want to get to but we’re trying to do it in chewable steps. These are achievable outcomes that we can see are getting us thereSimilar to what we’re doing with the RBAC permission catalog.  The original catalog was very restrictive in its vocabulary and we knew there were gaps, and we had comments on the ballotSo in the next iteration we addressed those things.  We had something that provided a minimal interoperability set.  So I think our strategy is not to say that whatever we ballot in January is the final version, but it’s the DSTUIt’s important to get the exposure, to get the comments and that puts us in a good position to do the harmonization effort which we will start for May or for September. That’s the goal of the project, between Security and CBCC is to create a harmonized Domain Analysis Model.
+
**If you make a choice to do a scanned document, you’ll be consistent with BPPCThat’s where the backwards compatibility comes in.   
*Ioana: Milan, do you have any concerns about 1.6?
+
**If you make a choice to use a structured body, you will use the constraints in the implementation guideWe’re going to provide guidance on how you use the clinical statement to describe all the consent directive criteria that we have in the DAM. That’s in a nutshell what we were trying to do.   
*Milan: I have a question with respect to the scope. Scope is Access Control.  I think the part about policy exchange is addressed in the Composite Privacy DAM, but the core is the secure exchange of data obfuscation or using cryptography, this is probably something that will be addressed in future versions?
+
**You’ll also see tat we need additional constraints to the CDA header as well.  We need to include Information Recipient, to support the overall behavior of revocation of consent directives we need to support the document parentSo there are things like that in the header that we are adding on, but we are re-using the handful of constraints from BPPC. Anyone who confirms to the CDA IG, you will have to implement additional characteristics.  If you conform to this guide, you have to do many more things than you’d have to do with BPPCBut one of those choices could be to only support a scanned documentIf you disagree with this, we can take this out.
*Ioana: I will defer to Mike. You reminded me that the two major use cases that were deemed in scope were authorization and access control.  I want to mark authentication is out of scope as well.
+
*Pat: we can support both simultaneously, right? 
*Glen:  The other thing that occurs to me is that we have to be somewhat careful about diving into technologies prior to getting our context specified. Use of encryption, for example, is a way to enforce confidentiality.  The question is what is the entire thing that needs to be protected?  What are the risks that we are attempting to cover, do we have a model for people to use for that purpose?  Diving into technology would be prematurely if notWe should focus on getting the level of detail that we are currently working on down right before we go into discussions about specific technologies.
+
*Ioana: We can support either a scanned document or a computable version. But in the structured document you can have an HTML version of the documentBPPC made a choice to put a scanned document in the non-XML body.
*Mike: Glen is right in that respectIoana made a point that we need to emphasize.  We are treating this DAM, the Privacy and Security DAMS as about enforcing Access Control.
+
Tom: That’s because there’s a CDA constraint that limits the allowable form in a structured body.  There are some proposals for release 3 to allow that but right now this is a limitation.
*Glen: Access Control is a good level playing field to be on.
+
*Ioana: The actText in the structured body could be base-64.
*Mike: That’s not to say that you couldn’t view Access Control as a kind of confidentiality because you’re restricting access to information, which is to your technology point.  We would expect that you could use Access Control as  mechanism to enforce confidentialityBut our primary focus is more to the point of authorization, access control and enforcement of patient privacy.  We should take the authentication use case off the table. And we should make sure the access control use cases are sufficiently informative so people understand what we’re trying to do.   
+
Tom: But the sectionText cannotSo we’re getting into whether we use actText or scetionText and we’re probably going to loose people quickly.
*Glen: For those people who are going to read this who are not been involved in Security day-to-day, that kind of focus is critical to understanding; otherwise we’re going to continue to get questions about policy that can’t be answered or things that tell me more about clarity of understanding the document as opposed to technical pointsWe’ll continue to get questions that are not pointed to the purpose of the document.
+
*Ioana: If you have ideas and suggestions, these are the basic questionsWe can continue in this backward compatible way; if you want to use sectionText you’re going to implement a document body like BPPC suggests and scanned document, because that comes directly from scanned document XDSDOur objective it to accommodate structure as well as encoded policies, something like an XACML representation of a consent directive along side an HL7 structured representation of that same directive along with an HTML form and/or pdf form of that signed documentWe would like to support all three representations.
*Richard: The question of authentication should be considered an access control issue.
+
*Tom: That’s a lot to include in a single documentThere are other mechanisms for referring to other related documents that we might want to look at.
*Glen: To get to the point of authorization, you have to be authenticated, you have to associate credentials with who ever has been allowed into the system.  A use case for allowing someone into a system is a separate act; you have to assume that it’s been done.
+
*Ioana: That’s correct.  You can have a reference document, so we could reference the scanned document.
*Mike: We all understand that authentication is the primary service that must occur before any other service can operateThe issue about authentication would be very academic to put it inTechnically an Authentication alone in some cases might be enough to authorize access, but in that case you wouldn’t be using the Security or Policy DAMs at all.
+
*Tom: Those are options as well; you can have external references or related documents.  That can be a scanned document; the other form might be an XACML representation of it.
*Richard:  So for the naïve reader, sort of statement that explains why something that looks like it should be in scope is out-of-scope.  
+
*Ioana: We have about a monthWhat you see in the CBCC DAM is what we want to represent. We just have to look at the CDA R2 for the optimal way of doing this. I would encourage everyone to provide feedback and suggestions and we can continue the discussion about sectionText versus actText conversation on the Listserv.
*Glen: This shows that we haven’t completely explained things.
 
*Ioana: can we say that this use case does not re quire health care specific information?
 
*Mike: Fine with me. If we’re saying there’s a use case that’s the zero-end use case where the user authenticates and gains access, but it’s unlikely that that use case is going to apply to any realistic health care situation where you’re accessing protected health informationNormally the access at that level is to non-protected information.
 
*Ioana: Back to Milan’s question, things like encryption and mechanisms for assuring secure exchange of information. These are out-of-scope because there is nothing specific to health information in those use cases you would have to apply the same mechanisms
 
*Glen: To put this in context, in HITSP there are two things we are concerned with  – encryption of data in transit which would be transmission security, and we already have those things specified and they are actually very general, they are not health care specific.  The other is encryption of data at rest.  There is a very specific provisions in the HITECH act for data that is unprotected at rest, such as a USB key, laptop out of its natural environment, CD, etc. that it would be rendered unusable by someone who does not possess an encryption key.   Prior to this, for encrypted data at rest, you have to have established an authenticated connectionThere are some precedent acts – getting a hold of a decryption key. And the Access Control happens to be in that family
 
*Mike: It may sound strange, but security folks are used to thinking of these things, Access Control, Authentication and Audit as orthogonalServices in their own right.  We don’t have use cases for Audit, but if you looked at the information model for audit, you would find the same information objects that are in the RBAC modelThe audit would be linked to the terminology here, but it doesn’t drive it.  We don’t create authorizations for the purposes of satisfying an audit requirement.  It’s the other way around.  Audit is accessing the permissions and objects that the user is accessingI think for our purposes and for clarity, these are things that a Security person has some worries about but the focus should be on clarity and to be as pure as possible.  The canonical…this is Authorization. We’ve cited particular ISO standards that are about Authorization.  They have standards about these other things as well, but they are not germane.
 
*Richard: Access Control is really about Authorization.
 
*Ioana: Authorization and Access Control
 
*Mike: It’s simpler to talk about it in terms of Access Control. Access Conrol makes more sense because it is a broader termAccess Control makes more sense because we’re including privacy considerations and the models we’re using are about Access Control.  Authorization is included in that – the rights someone is given that the Access Control system is making decisions on.  
 
*Ioana: This also gives a nod to the RBAC work that has already been done, and we have a specification that delves into considerable detail about Authorizing users based on their structure and functional roles and identifies information objects and operations that apply to those objects.  It makes sense to call it out that this is just a specialization of Access Control.
 
*Mike: We need to a couple of sub-use cases  of the existing ones of patient privacy to demonstrate some significant aspects of that.
 
*Ioana: these would make very good elaborations with sequence diagrams and show them off as supporting the overall enforcement of privacy and consentYou provided those use cases to me and we discussed them informally last wee.  Those will be included as well.  They apply to enforcement.  
 
*Ioana: I'd like to make a motion to accept the Security Use Cases including the ones we’ve identified as out of scope with a caveat that specific aspects of exchanging consent directives have already been address in the Composite Privacy DAM. Do we have a second?
 
**Motion seconded by Richard
 
*Pat: Is there any chance of amending that by saying “for the current ballot”.
 
*Glen: Is that a friendly amendment?
 
**Yes
 
*Vote: None opposed, no abstentions, motion accepted
 
  
Meeting adjourned at 2:03 PM PDT
+
Meeting adjourned at 3:10 PM EDT

Latest revision as of 21:54, 16 November 2009

Back to CBCC Main Page

Attendees

Agenda

  1. (05 min) Roll Call, Approve Minutes, Call for Additional Items & Accept Agenda
  2. (20 min) Privacy Consent DAM Ballot reconciliation - Canadian comments
  3. (25 min) DRAFT CDA Implementation Guide - Discussion

Action Items

  1. Pat will draft clarification the definition for Shared Secret, which will be added to the glossary (Item #16, line 19)
  2. Ioana will address the outstanding items in the Privacy DAM Ballot (related to diagram fixes/changes.)
  3. Review draft CDA Implementation Guide for next meeting. Continue discussion related to using sectionText versus actText on the ListServ.

Minutes

1. Accept Agenda

  • PASS Consent Requirements Draft review taken off the agenda
    • Was only on the agenda as a carry over item from previous weeks
    • Not needed for the current PASS Ballot, likely to be for the May ballot, so it will be removed for now

2. Privacy Consent DAM Ballot reconciliation – Canadian Comments

  • Last few comments were discussed. After review, a vote was taken to approve the Canadian dispositions
  • Item 57: Match Keyword (to override consent): This use case will be renamed so it doesn't imply a match is done.
    • This comment is related to comment #30. The Match Keyword use case will be renamed to Assert Patient Consent (to override consent)
    • Shared Secret and Keyword are equivalent terms from the Canadian perspective (Keyword is in use in British Columbia & Newfoundland for their drug system). Keyword enables clients to allow providers access to sensitive and/or masked/hidden information upon the provision of the Keyword at the point of care
    • In the US, the concept of Keyword may be replaced by a “password/shared secret” or other mechanism that can be revealed at the point of care by the client if necessary
  • Item 58: There was a misunderstanding about a use case triggered by Figure 4, which was cleared up by the following discussion. The Privacy DAM will be updated to clarify the intent of the use case, Information System Flags Masked Health Record Information, found in the Appendix.
    • Pat’s interpretation of this use case was to set the confidentiality code on an object; it wasn’t related to the policy side. Policy would then execute based on the operations being done on that object.
    • Ioana: This came across incorrectly and we will clarify it in the document. Flagging happens as a result of executing a specific set of rules then determining whether this user with these particular assertions can see that information.
      • The intent of this use case is to determine whether or not you can see masked information, even to see whether or not masked information exists (something masked without your knowledge). It isn’t related to setting confidentiality codes.
      • Information is marked as masked, but without this feature, you would know there is something that you cannot see.
    • This provides the ability, based on jurisdiction, to distinguish whether you should even know there is information that you can see. Some jurisdictions allow you to know, some do not.
    • Disposition changed from Not Persuasive to Not Related.
  • Item 62: Disposition was changed to Persuasive and proposed wording replaced existing wording for Manage Shared Secret use case
  • Item 71: Pat had a question about object reference that has a single attribute of category and there’s also information reference that has a category. What is the difference?
    • Ioana: The answer to the question is: object reference has a code that is an information object and information reference has a category code that is a whole category of information, like Medication. One refers to atomic objects; the other refers to categories of data. Information reference that has an attribute called category code and then objects that have an attribute called code that is an information object code like Order, Medication. Basically reflecting the current distinction in HL7 – broad categories like laboratory results, then you can have the discrete object types that would be in laboratory. There is a difference in the granularity of the data. There is a value set from RBAC for information objects.
    • Disposition comment: we will clarify the difference between category and object code.
  • Item 75: The intent of the comment was to suggest a change to the model so the client, the consenter, and target record would be different. The Information Model (figure 10, not figure 8) will be updated to reflect the appropriate relationships.
    • Rob was concerned about the change to the model.
    • Pat provided the clarification for the change.
      • My original concern was that Client was hanging off of consenter and consenter is from a consent directive perspective is only there from an Audit thing. Who is it that created this Consent Directive? Whereas the client is a first class and key information blob associated with the consent directive and I wanted to make sure from a modeling perspective, yes the client could be the consenter or the consenter could be an SDM, but the client wasn’t dependent on a consenter, so if the consenter went away the client wouldn’t.
    • Ioana: This also provides the capability to capture the relationship between the client and the consenter. This works well for CDA as well. The consenter has a relationship already, a property of this association. It is much easier in the DAM to show the consenter has a relationship to the client so that is by virtue of this relationship between the client and the consenter, there would be an attribute of this association: that would be the relationship. That’s the major change. This basically preserves the semantics and I think it’s a better organization.
    • Rob: I’m thinking about using these things rather than creating them. Where is this going to occur?
    • Ioana: When you issue a consent directive, you can have a SDM as the consenter who signs off on the consent. And the consent refers to a specific client’s medical record or set of records. We’re capturing the sign-off of the consent is separate from the consent itself. But we also capture the relationship between the consenter and the client.
    • Rob: Is there a use case that would say, for this client, I consenter, am consenting for these kind of records.
    • Ioana: You’re consenting for a specific client for a specific set of records but it’s in the consent rule that you’re naming specific information objects or categories of information.
    • Pat: Specific set of records doing that based on, you could say, all of them based on a category or a confidentiality code, or sensitivity code or purpose of use.
    • Ioana: These are the detailed rules on what parts of my records would be protected by this particular consent that is pointing to information for patient xyz.
    • Rob: what you’re saying is that a consenter can provide a consent directive for a client. But when you apply that consent directive to a personal health record, it would, through a process you can identify; these are the records that are managed by that consent. But that is completely outside of this DAM. That’s a secondary thing. I was worried that you were saying that within the context of this DAM you have some link between the consenter and the personal health record without the client, and you don’t. I think this change does make sense and makes it much clearer.
    • Ioana: No, this change doesn’t change the intent.
    • Disposition is updated to Persuasive and the information model will be updated.
  • Ioana made a Motion to approve the revised Canadian dispositions.
    • Seconded by Pat Payette
  • Vote: Abstain: 1 (chair); Oppose: 0; Approval: 15

3. CDA Implementation Guide draft

We don’t have time to fully review the draft Implementation Guide this week. We will devote the full hour to it next time. Ioana provided background on the intent of the document and addressed some of the concerns raised in an email from Tom Davidson.

  • Ioana: There are a few objectives for this Guide. One intention is to stay backwards compatible with the basic privacy consent DAM. I don’t know if that’s a good idea or now. The question is what effect will it have on a structured document?
  • Tom: The BPPC currently has constraints in it that may be too restrictive for what we’re doing. Right now, it only defines a mechanism and the structured body to allow a physician to assert the consent. It doesn’t capture half of what we’re trying to. So one of the questions I posed is, are we required to be bound by this, because BPPC already has an implementation guide for a CDA document? Do we want to look at this as a starting point but not necessarily constrain ourselves to it?
  • Pat: I’ve had discussions with Glen and John about this. BPPC was never meant as the thing that we’re trying to do with the DAM. It was “the best we can do at this time”. They fully expected that in time, an APPC would be out there. We should try to be compatible where we can but we shouldn’t be bound by it.
  • Ioana: My intention is to inherit the constraints that BPPC introduces. Things like constraints on the header that are already in place, like document type, service event code. Where we are differing is in the structure of the body.
    • So right now the BPPC implementation guide supports only a Non-XML body, which is a base-64 representation of a scanned document. That’s all it has.
    • So what the CDA consent directive Implementation Guide would introduce is additional templates to constrain, either a non-XML body or a structured body. You can have both. That’s why I didn’t see a problem technically inheriting BPPC because you have to make a choice.
    • If you make a choice to do a scanned document, you’ll be consistent with BPPC. That’s where the backwards compatibility comes in.
    • If you make a choice to use a structured body, you will use the constraints in the implementation guide. We’re going to provide guidance on how you use the clinical statement to describe all the consent directive criteria that we have in the DAM. That’s in a nutshell what we were trying to do.
    • You’ll also see tat we need additional constraints to the CDA header as well. We need to include Information Recipient, to support the overall behavior of revocation of consent directives we need to support the document parent. So there are things like that in the header that we are adding on, but we are re-using the handful of constraints from BPPC. Anyone who confirms to the CDA IG, you will have to implement additional characteristics. If you conform to this guide, you have to do many more things than you’d have to do with BPPC. But one of those choices could be to only support a scanned document. If you disagree with this, we can take this out.
  • Pat: we can support both simultaneously, right?
  • Ioana: We can support either a scanned document or a computable version. But in the structured document you can have an HTML version of the document. BPPC made a choice to put a scanned document in the non-XML body.

Tom: That’s because there’s a CDA constraint that limits the allowable form in a structured body. There are some proposals for release 3 to allow that but right now this is a limitation.

  • Ioana: The actText in the structured body could be base-64.

Tom: But the sectionText cannot. So we’re getting into whether we use actText or scetionText and we’re probably going to loose people quickly.

  • Ioana: If you have ideas and suggestions, these are the basic questions. We can continue in this backward compatible way; if you want to use sectionText you’re going to implement a document body like BPPC suggests and scanned document, because that comes directly from scanned document XDSD. Our objective it to accommodate structure as well as encoded policies, something like an XACML representation of a consent directive along side an HL7 structured representation of that same directive along with an HTML form and/or pdf form of that signed document. We would like to support all three representations.
  • Tom: That’s a lot to include in a single document. There are other mechanisms for referring to other related documents that we might want to look at.
  • Ioana: That’s correct. You can have a reference document, so we could reference the scanned document.
  • Tom: Those are options as well; you can have external references or related documents. That can be a scanned document; the other form might be an XACML representation of it.
  • Ioana: We have about a month. What you see in the CBCC DAM is what we want to represent. We just have to look at the CDA R2 for the optimal way of doing this. I would encourage everyone to provide feedback and suggestions and we can continue the discussion about sectionText versus actText conversation on the Listserv.

Meeting adjourned at 3:10 PM EDT

Retrieved from "https://wiki.hl7.org/w/index.php?title=October_27th_2009_CBCC_Conference_Call&oldid=29208"