
Difference between revisions of "August 28, 2018 Security Conference Call"

 
Line 18: Line 18:
 
   
 
   
 
|-
 
|-
||  x|| [mailto:Diana.Proud-Madruga@electro-soft.com Diana Proud-Madruga]
+
||  .|| [mailto:Diana.Proud-Madruga@electro-soft.com Diana Proud-Madruga]
 
||||.|| [mailto:jc@securityrs.com Johnathan Coleman]
 
||||.|| [mailto:jc@securityrs.com Johnathan Coleman]
 
||||.|| [mailto:fjaureui@electrosoft-inc.com Francisco Jauregui]
 
||||.|| [mailto:fjaureui@electrosoft-inc.com Francisco Jauregui]
||||x|| [mailto:joe.lamy@aegis.net Joe Lamy]
+
||||.|| [mailto:joe.lamy@aegis.net Joe Lamy]
 
|-
 
|-
 
||  .|| [mailto:rhonna.clark@va.gov Rhonna Clark]
 
||  .|| [mailto:rhonna.clark@va.gov Rhonna Clark]
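Review bot: the attendance change for Diana Proud-Madruga (from "x" to ".") conflicts with the minutes in this same revision, which record her remarks in the GDPR discussion ("Diana actually, there is a proposal ..." and "Diana suggests adopting GDPR and being done with it"). Either keep her marked as present or confirm that those remarks are attributed to the right person. The Joe Lamy change has no such conflict, since no remark or motion in the minutes names him.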
Line 67: Line 67:
 
Chair, Kathleen Connor
 
Chair, Kathleen Connor
  
Suzanne, Kathleen, Dave silver, mike, chrisS, diana, Francisco, david stagg
 
  
 
Meeting Minutes
 
Meeting Minutes
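Review bot: the removed roll-call line ("Suzanne, Kathleen, Dave silver, mike, chrisS, diana, Francisco, david stagg") names eight participants, which matches the "Approve 8" recorded for both votes, but after this edit the attendee table marks only six people with "x" (Diana Proud-Madruga, Francisco Jauregui and David Staggs all show "."). Before dropping this line, reconcile the table with it so the recorded vote count still agrees with the attendance record.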
Line 75: Line 74:
  
  
'''GDPR'''
+
'''GDPR Whitepaper on FHIR'''
 
Baltimore GDPR chat-a-thon sometime during the WGM on Sunday
 
Baltimore GDPR chat-a-thon sometime during the WGM on Sunday
  
 
'''TF4FA''' Ballot Reconciliation
 
'''TF4FA''' Ballot Reconciliation
* Met this AM to review; link sent out earlier
+
* Met this AM to review; link sent out earlier to Security listserve
* Motion made to approve comments as shown (Suzanne / MikeD); comments 51-57
+
* Motion made to approve comments as shown (Suzanne / MikeD); Comments 51-57
* Vote: approve 8; no abstentions, no opposed
+
* Vote: Approve 8; No Abstentions, No Opposed
  
 
'''Trust Framework, Volume 3'''
 
'''Trust Framework, Volume 3'''
 
* Chris does not have much to say about the update
 
* Chris does not have much to say about the update
* continue to work on the figures/diagrams (completed--shared on clal previously)
+
* Continue to work on the figures/diagrams (completed--shared on call previously)
* attempting to complete the descriptions and remaining content of the doc
+
* Attempting to complete the descriptions and remaining content of the doc
** some volunteers may be assisting
+
** Some volunteers may be assisting
  
'''PASS Audit''' Document update
+
'''PASS Audit''' Document update
 
* TF4FA has been the priority
 
* TF4FA has been the priority
 
* not much happening with the document update
 
* not much happening with the document update
  
'''Review of the Poporsed Restructuring and Additions to FHIr Impement Safety Check List'''
+
'''Review of the Proposed Restructuring and Additions to FHIR Implementer Safety Check List'''
* the FHIR spec has a couple of different informational pages, security page is one that we own (signatures we owne, etc)
+
* The FHIR spec has a couple of different informational pages, security page is one that we own (signatures we own, etc.)
* ther eis a safety page that hasn't received a lto of visibility until now; if you knew the propoer incantation you were able to get ther
+
* There is a safety page that hasn't received a lot of visibility until now; if you knew the proper incantation you were able to get there
** its starting to mature and gain more visibility
+
** It’s starting to mature and gain more visibility
** it was devoid of security items that should rise to the occasion
+
** It was devoid of security items that should rise to the occasion
** Kathleen brought this into a document format inorder to do updates/mark-up
+
** Kathleen brought this into a document format in order to do updates/mark-up
* not made to be 100% complete, education--its a checkless for someone who already understands and wants to make sure they didn't miss anything
+
* Not made to be 100% complete, education--it’s a check list for someone who already understands and wants to make sure they didn't miss anything
** needs reminders of BIG things (in the security realm)
+
** Needs reminders of ''BIG'' things (in the security realm)
*** see 20 security 'top important things' - shouldn't be exhaustive
+
*** See 20 security 'top important things' - shouldn't be exhaustive
** what is shown is the word document - for editing sake they are numbered
+
** What is shown is the word document - for editing sake they are numbered
* PROPOSAL from FHIR -Security WG
+
* PROPOSAL from FHIR - Security WG
** break this checklist down into big buckets
+
** Break this checklist down into big buckets
* PRIVACY, SECURITY, etc and other sub-cateorires in security (authentication, audit, etc)
+
* PRIVACY, SECURITY, etc. and other sub-categories in security (authentication, audit, etc.) and the #NEW as a proposed new checklist item distinct i.e. #9 (9 is already there but ''new'' information added)
* and the #NEW as a proposed new checklist item distinct i.e #9 (9 is already there but ''new'' information added)
+
* our hopes are that the NEW items add value; ultimately left many descriptions open--because the SAFETY page is owned by FHIR-I (not by security); you change the consensus group you change the consensus
* our hopes are that the NEW items add value; ultimately left many descriptions open--because the SAFETY page is owend by FHIR-I (not by security); you change the concenuse group you change the concensus
 
 
* some items may no longer appear (not part of the 80%)
 
* some items may no longer appear (not part of the 80%)
  
Break down and re-sort under headers: time-keeping, communctions and the like
+
Break down and re-sort under headers: time-keeping, communications and the like
* the wording of the new items, the sentence papern in the safety checklist, is to write it as a 'security-checklist'
+
* the wording of the new items, the sentence papers in the safety checklist, is to write it as a 'security-checklist'
  
 
* LINK: in agenda
 
* LINK: in agenda
 
** for review; as a proposal to FHIR-I, we can vote on it next week or today; enhancements/review/comments are welcome
 
** for review; as a proposal to FHIR-I, we can vote on it next week or today; enhancements/review/comments are welcome
 +
 +
'''Baltimore WGM Agenda'''
 +
* John approached by PA that thought the person resource might benefit by having a security considerations section - ''hey reader who is going to use person resource...here are some security considerations''  with that thought--if every group brought this question forward---everyone---POINT everyone to the security page...
 +
* The first way to get there is to take an assessment of everything in FHIR i.e. capabilities statement (which is what a server capability is... parameters, etc.) some of these resources are inherently intended to be public--certainly if they are marked sensitivity, they can be marked that way.
 +
* things that are purely business sensitive, provider sensitivity and/or patient sensitive, etc.
 +
* doesn't take away from the need to have tagging and roles, compartments , etc... etc. just allows the reader to start with the assumption that quite possibly the resource is indeed logical and not protected by any provider or user authentication. 
 +
** One other item - there are people who when approach FHIR security and look at our security pages concluded that absolutely everything in FHIR (including test script) must have consent level control...even though the item has no PII, patient reference, or the like.  its putting a softer feel to inform the reader.
 +
* If we have broader categories and we can explain what they mean--then each resource will have a security consideration if significantly different in its category.
 +
* We can reach out to PA and financial management and gather use cases (tasked to Kathleen) to see if proposed will work
 +
** This will help to see if this works and/or if additional buckets are needed for consideration.  These are hot topics for us--risk around certain items; these are visually broad enough to cover most of the scenarios--if we can try out between now and the WGM we can provide comments
 +
* That in mind: WGM Agenda, this item will fit:
 +
* (Mike) I haven’t' looked at the list - issue we have was data quality (DQ) of codes used in the system; the codes can be incorrect, and the system may not work right.  Need to connect DQ with this and the labeling.  Not sure how much you have in system testing but the idea is to have it as automated as possible
 +
* John - I’m going a step back from system/system testing -This is at a broad brush to help distinguish the items that really should be public and why aren’t' they--vs patient sensitive and why aren't they protected.  in touch with folk with folks who had no idea of our security considerations.  this is not intended to be documented enough.
 +
* Further refine in Security and CBCP/Privacy... this is currently in our notes
 +
** the point brought up asking this system level automated, that type of system conformance testing for privacy and security SHULD happen (Kathleen) this may be a way to flag which of the items in the checklist should be had … marked patient sensitive
  
 
'''Baltimore Agenda'''
 
'''Baltimore Agenda'''
John approached by PA that thought the person resource might benefit by having a security considerations section - ''hey reader who is going to use person resource...here are some security considerations''  with that thought--if eVERY group brought this question forward---everyone---POINT everyone to the security page...
+
* Need to find a home for the topic JohnM just brought up
* the first way to get there is to take an assessment of everything in FHIR i.e. capabilities statement (which si what a server capability is... parameters, etc) some of these resources are inherently intended to be public--certainly if they are marked sensisty, they can be marked that way.  potentially pulic but can be ….(21:40)
 
* things that are purely business sensitive, provider sensisty and/or paitnet sensitive, etc
 
* doesn't take away from the need to have tagging and roles, compartments , etc... etc. just allows ther eader to start with the assumption that quite possibly the resource is indeed logical and not protected by any provider oruser authentication. 
 
** one other item - there are people who when approach fhir security and look at our security apges come to the conclusion that absolutely everyhitng in FHIR (including test script) must have consent level control...e ven thought the item has no PII, patient reference, or the like.  its putting a softer feel to inform the reader.
 
* if we have broader categories and we can explain what they mean--then each resource will have a security consideration if significatlny different in its category.
 
* we can reach out to PA and financial management and gather use cases (tasked to kathleen) to see if proposed will work
 
** this will help to see if this works and/or if additional buckets are needed for consideration.  these are hot topics for us--risk around certain items; these are visually broad enough to cover most of the scenarios--if we can try out between now and the WGM we can provide comments
 
* that in mind: WGM AGenda, this item will fit:
 
*Mike - havenet' looked at the list - issue we have was data quality (DQ) of codes used in the system; the codes can be incorrect and the system may not work right.  need to connect DQ with this and the labeling.  not sure howmuch hou have in system testing but the idea is to have it as automated as possible
 
* john - i'm going a step back from system/system testing - this is at a broad brush to help distinguish the items that really should be public and why arent' they--vs patient sensistive and why aren't thye protected.  in touch with folk with folks who had no idea of our security considerations.  this is not intended to be documented enough.... further refine
 
* further refine in Seucirty and CBCP/Privacy... cthis is currently our crib notes
 
** the point brought up aking this system lvel automated, that type of system conformance testing for privacy and security SHULD happen (Kathleen) this may be a wy to flag which of the items in the checklist should be had … marked patient sensitive
 
 
 
'''Baltimore AGenda'''
 
Finding a home for the topic JohnM just borught up
 
**
 
  
privacy obsoltel - final report out - will have PPT, document as deliverables; go though the findings
+
* Privacy Obsolete - final report out - will have PPT, document as deliverables; go through the findings
* reviewed in CBCP; recent activities this year that affected Privacy/CBCP
+
** reviewed in CBCP; recent activities this year that affected Privacy/CBCP
* need to shut the project down because its taing too much time, will present at minimum those three items
+
** need to shut the project down because its taking too much time, will present at minimum those three items
** cover in Monday Q3/Q4
+
*** cover in Monday Q3/Q4
** during regular Security Agenda
+
*** during regular Security Agenda
  
johnM topic
+
JohnM topic
 
* work session AND topic briefing
 
* work session AND topic briefing
 
* '''WED Q3''' - add Security WG - FHIR topics; further refine new S&P considerations
 
* '''WED Q3''' - add Security WG - FHIR topics; further refine new S&P considerations
 
* also add simplified view of the HCS (WED Q3);  
 
* also add simplified view of the HCS (WED Q3);  
 
* http://wiki.hl7.org/index.php?title=HL7_FHIR_Security_2018-08-28#Current_Open_Issues_in_gForge  
 
* http://wiki.hl7.org/index.php?title=HL7_FHIR_Security_2018-08-28#Current_Open_Issues_in_gForge  
** gForge items...
 
  
  
at the WGM before the meeting in germnay - we had discussed to formally publish the IM, take on the project work to update that model which my proposal--have we published it?  or do we even have a project to update it?
+
At the WGM before the meeting in Germany - we had discussed to formally publish the IM, take on the project work to update that model which my proposal--have we published it?  or do we even have a project to update it?
* asked Trish; Alex is moving the publication forward..  
+
* asked Trish; Alex is moving the publication forward.  
** mike - how long will it take; this was not favoarate solution to IM; in addition to publishing to also add discussion of updating
+
** Mike - how long will it take; this was not favorite solution to IM; in addition to publishing to also add discussion of updating
* add: '''WED Q4''' Restarting the PSAF work; (FHIM/Galen) that had several iterations of models... PSS in place, its a matter of negotiating resources and time again
+
* add: '''WED Q4''' Restarting the PSAF work; (FHIM/Galen) that had several iterations of models... PSS in place, it’s a matter of negotiating resources and time again
** the FHIM has modefided the model as well--need to take fresh look at it; revise and updatae.  in Mike's view the current is stale
+
** the FHIM has modified the model as well--need to take fresh look at it; revise and update.  in Mike's view the current is stale
  
* Break out session during Connectathon - to discuss the GDPR work (Alex/John); requested a breakout room for Sunday AM for a chatathon on GDPR and FHIR
+
* Break out session during Connectathon - to discuss the GDPR work (Alex/John); requested a breakout room for Sunday AM for a chat-a-thon on GDPR and FHIR
 
** interesting - California is considering implementing GDPR
 
** interesting - California is considering implementing GDPR
** Diana - actually there is a proposal that is supposed to show up in the November ballot (Kathleen says its sidelined, wealthy person sponsored, but went though legislature and a compromise is in place..
+
** Diana actually, there is a proposal that is supposed to show up in the November ballot (Kathleen says its sidelined, wealthy person sponsored, but went through legislature and a compromise is in place.
** moved to a flavor of regulation moved into the court language wherein it is less hard and fast.. .similiary to GDPR--sets its goals simililary to GDPR.  redirected nefariously into a type of regulation/law
+
** moved to a flavor of regulation moved into the court language wherein it is less hard and fast. It will be similar to GDPR and sets its goals similarly to GDPR.  It was redirected nefariously into a type of regulation/law
Katheen has put a lot of links out - has caused a ripple affectthe same folks (that JohnM described) have worked with Trump to develop the states to do the same thing)
+
 
<<44:00>>
+
* Kathleen has put a lot of links out - has caused a ripple effectThe same folks (that JohnM described) have worked with Trump to develop federal law so that the states do the same thing)
* a national … that would actually preserve privacy
+
Note: no objections to a national level initiative, so long as it protects privacy (what Kathleen is talking about will mostly likely not protect privacy)
  
During the oNC interoparetaibly forum a few weeks ago - john m led a panel discussion with 'our friends' at may (Walker Suarez, Ken-May, etc)  pre-dcussion ther eis concern that a lot of wasted energy trying to understand 12-20 leels of privacy polcy on top of each other.  if there is one national 'good' privacy ypolicy that would simplimfy a lto of work.  these people were very clear that they not wanted to erode privacy but to make it fmore clear.
+
* During the ONC interoperability forum a few weeks ago - John m led a panel discussion with 'our friends' at mayo (Walker Suarez, Ken-Mayo, etc.)  pre-discussion there is concern that a lot of wasted energy trying to understand 12-20 levels of privacy policy on top of each other.  If there is one national 'good' privacy policy that would simplify a lot of work.  These people were very clear that they not wanting to erode privacy but to make it clearer.
An emancipated minor the transicion at idffernt time is different across tate boundaries.  they have to cross tstate boundaries .. that use case is a nightmare to figure out what is it that they have to enforce.  where the person requesting the data lives?  where the dat lives... request resides, etc.?  what is the right application to do.  whent he patient says please do... what of the state location or the requester location?  there is wasted energy becaue in US we hae no unification of regulation on privacy.  
+
** An example of this: ''An emancipated minor the transition is at different time is different across state boundaries.  In situations such as large organizations, they must cross state boundaries ... that use case is a nightmare to figure out what is it that they have to enforce.  Is it where the person requesting the data lives?  Where is it the person data where they live? Where the data lives...? request resides, etc.?  What is the right application to do? especially when the patient says ‘’please do…’’. What of the state location or the requester location?'' There is wasted energy because in US we have no unification of regulation on privacy.  
* this is a strength of GDPR its the entire nation and nation to nationdiana suggests adopting GDPR and being odne with it
+
* This is a strength of GDPR its the entire UE, the entire countryDiana suggests adopting GDPR and being done with it
  
TUES Q2 PSAF Refresh -
+
Baltimore Agenda
 +
* add TUES Q2 PSAF Refresh -  
  
Motion to addjorn (Mike); meeting adjorned at 12:53 Arizona Time --[[User:Suzannegw|Suzannegw]] ([[User talk:Suzannegw|talk]]) 15:54, 28 August 2018 (EDT)
+
Motion to adjourn (Mike); meeting adjourned at 12:53 Arizona Time --[[User:Suzannegw|Suzannegw]] ([[User talk:Suzannegw|talk]]) 15:54, 28 August 2018 (EDT)
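Review bot: several corrections in this hunk introduce new errors instead of fixing the old ones. "sentence papern" becomes "sentence papers", where the surrounding bullet (the wording of the new items in the safety checklist) suggests "pattern" was meant; the ripple-effect bullet runs two sentences together as "effectThe"; "the entire UE" presumably should read "EU"; and the Diana bullet still opens a parenthesis at "(Kathleen says" that is never closed. The GDPR-strength bullet also changes "the entire nation and nation to nation" to "the entire UE, the entire country", which alters what was recorded rather than just its spelling, so that wording should be checked against the recording.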

Latest revision as of 01:21, 5 September 2018

Attendees

x | Member Name | x | Member Name | x | Member Name | x | Member Name
x | John Moehrke, Security Co-chair | x | Kathleen Connor, Security Co-chair | . | Alexander Mense, Security Co-chair | . | Trish Williams, Security Co-chair
x | Christopher Shawn, Security Co-chair | x | Suzanne Gonzales-Webb | x | Mike Davis | . | David Staggs
. | Diana Proud-Madruga | . | Johnathan Coleman | . | Francisco Jauregui | . | Joe Lamy
. | Rhonna Clark | . | Greg Linden | . | Grahame Grieve | x | Dave Silver
. | Mohammed Jafari | . | Jim Kretz | . | Peter Bachman | |
. | Beth Pumo | . | Bo Dagnall | | | |

Agenda

Meeting Recording: (temporary)

  1. (2 min) Roll Call, Agenda Approval
  2. (5 min) Review and Approval of Minutes for August 21, 2018 Security Conference Call
  3. (5 min) GDPR whitepaper on FHIR update - Alex, John, Kathleen
  4. (5 min) TF4FA Normative Ballot reconciliation (formerly PSAF) - Mike, Chris
  5. (10 min) PASS Audit document update - Mike
  6. (05 min) TF4FA Trust Framework Volume 3 - Mike, Chris
  7. (10 min) Review of the Proposed Restructuring and Additions to FHIR Implementer’s Safety Check List developed in FHIR Security calls. - John and Kathleen
  8. (05 min) Security Working Group - upcoming HL7 Working Group Meeting, Baltimore Maryland

Meeting Minutes DRAFT

Chair, Kathleen Connor


Meeting Minutes

  • Approve Meeting Minutes from August 21, 2018 (Suzanne / ChrisS)
  • Vote: approve 8; no abstentions, no opposed
  • Suzanne to update comment ballot spreadsheet


GDPR Whitepaper on FHIR

Baltimore GDPR chat-a-thon sometime during the WGM on Sunday

TF4FA Ballot Reconciliation

  • Met this AM to review; link sent out earlier to Security listserve
  • Motion made to approve comments as shown (Suzanne / MikeD); Comments 51-57
  • Vote: Approve 8; No Abstentions, No Opposed

Trust Framework, Volume 3

  • Chris does not have much to say about the update
  • Continue to work on the figures/diagrams (completed--shared on call previously)
  • Attempting to complete the descriptions and remaining content of the doc
    • Some volunteers may be assisting

PASS Audit Document update

  • TF4FA has been the priority
  • not much happening with the document update

Review of the Proposed Restructuring and Additions to FHIR Implementer Safety Check List

  • The FHIR spec has a couple of different informational pages, security page is one that we own (signatures we own, etc.)
  • There is a safety page that hasn't received a lot of visibility until now; if you knew the proper incantation you were able to get there
    • It’s starting to mature and gain more visibility
    • It was devoid of security items that should rise to the occasion
    • Kathleen brought this into a document format in order to do updates/mark-up
  • Not made to be 100% complete, education--it’s a check list for someone who already understands and wants to make sure they didn't miss anything
    • Needs reminders of BIG things (in the security realm)
      • See 20 security 'top important things' - shouldn't be exhaustive
    • What is shown is the word document - for editing sake they are numbered
  • PROPOSAL from FHIR - Security WG
    • Break this checklist down into big buckets
  • PRIVACY, SECURITY, etc. and other sub-categories in security (authentication, audit, etc.) and the #NEW as a proposed new checklist item distinct i.e. #9 (9 is already there but new information added)
  • our hopes are that the NEW items add value; ultimately left many descriptions open--because the SAFETY page is owned by FHIR-I (not by security); you change the consensus group you change the consensus
  • some items may no longer appear (not part of the 80%)

Break down and re-sort under headers: time-keeping, communications and the like

  • the wording of the new items, the sentence pattern in the safety checklist, is to write it as a 'security-checklist'
  • LINK: in agenda
    • for review; as a proposal to FHIR-I, we can vote on it next week or today; enhancements/review/comments are welcome

Baltimore WGM Agenda

  • John approached by PA that thought the person resource might benefit by having a security considerations section - hey reader who is going to use person resource...here are some security considerations with that thought--if every group brought this question forward---everyone---POINT everyone to the security page...
  • The first way to get there is to take an assessment of everything in FHIR i.e. capabilities statement (which is what a server capability is... parameters, etc.) some of these resources are inherently intended to be public--certainly if they are marked sensitivity, they can be marked that way.
  • things that are purely business sensitive, provider sensitivity and/or patient sensitive, etc.
  • doesn't take away from the need to have tagging and roles, compartments , etc... etc. just allows the reader to start with the assumption that quite possibly the resource is indeed logical and not protected by any provider or user authentication.
    • One other item - there are people who, when they approach FHIR security and look at our security pages, conclude that absolutely everything in FHIR (including test script) must have consent level control...even though the item has no PII, patient reference, or the like. It's putting a softer feel to inform the reader.
  • If we have broader categories and we can explain what they mean--then each resource will have a security consideration if significantly different in its category.
  • We can reach out to PA and financial management and gather use cases (tasked to Kathleen) to see if proposed will work
    • This will help to see if this works and/or if additional buckets are needed for consideration. These are hot topics for us--risk around certain items; these are visually broad enough to cover most of the scenarios--if we can try out between now and the WGM we can provide comments
  • That in mind: WGM Agenda, this item will fit:
  • (Mike) I haven't looked at the list - issue we have was data quality (DQ) of codes used in the system; the codes can be incorrect, and the system may not work right. Need to connect DQ with this and the labeling. Not sure how much you have in system testing but the idea is to have it as automated as possible
  • John - I'm going a step back from system/system testing - this is at a broad brush to help distinguish the items that really should be public and why aren't they--vs patient sensitive and why aren't they protected. In touch with folks who had no idea of our security considerations. This is not intended to be documented enough.
  • Further refine in Security and CBCP/Privacy... this is currently in our notes
    • the point brought up asking this system level automated, that type of system conformance testing for privacy and security SHOULD happen (Kathleen) this may be a way to flag which of the items in the checklist should be had … marked patient sensitive

Baltimore Agenda

  • Need to find a home for the topic JohnM just brought up
  • Privacy Obsolete - final report out - will have PPT, document as deliverables; go through the findings
    • reviewed in CBCP; recent activities this year that affected Privacy/CBCP
    • need to shut the project down because it's taking too much time, will present at minimum those three items
      • cover in Monday Q3/Q4
      • during regular Security Agenda

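JohnM topic

  • work session AND topic briefing
  • WED Q3 - add Security WG - FHIR topics; further refine new S&P considerations
  • also add simplified view of the HCS (WED Q3);
  • http://wiki.hl7.org/index.php?title=HL7_FHIR_Security_2018-08-28#Current_Open_Issues_in_gForge
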
At the WGM before the meeting in Germany - we had discussed to formally publish the IM, take on the project work to update that model, which was my proposal--have we published it? Or do we even have a project to update it?

  • asked Trish; Alex is moving the publication forward.
    • Mike - how long will it take; this was not favorite solution to IM; in addition to publishing to also add discussion of updating
  • add: WED Q4 Restarting the PSAF work; (FHIM/Galen) that had several iterations of models... PSS in place, it’s a matter of negotiating resources and time again
    • the FHIM has modified the model as well--need to take fresh look at it; revise and update. in Mike's view the current is stale
  • Break out session during Connectathon - to discuss the GDPR work (Alex/John); requested a breakout room for Sunday AM for a chat-a-thon on GDPR and FHIR
    • interesting - California is considering implementing GDPR
    • Diana – actually, there is a proposal that is supposed to show up in the November ballot (Kathleen says it's sidelined, wealthy person sponsored, but went through legislature and a compromise is in place).
    • moved to a flavor of regulation moved into the court language wherein it is less hard and fast. It will be similar to GDPR and sets its goals similarly to GDPR. It was redirected nefariously into a type of regulation/law
  • Kathleen has put a lot of links out - has caused a ripple effect. The same folks (that JohnM described) have worked with Trump to develop federal law so that the states do the same thing

Note: no objections to a national level initiative, so long as it protects privacy (what Kathleen is talking about will most likely not protect privacy)

  • During the ONC interoperability forum a few weeks ago - JohnM led a panel discussion with 'our friends' at Mayo (Walker Suarez, Ken-Mayo, etc.). Pre-discussion there is concern that a lot of energy is wasted trying to understand 12-20 levels of privacy policy on top of each other. If there is one national 'good' privacy policy, that would simplify a lot of work. These people were very clear that they were not wanting to erode privacy but to make it clearer.
    • An example of this: an emancipated minor - the transition is at a different time across state boundaries. In situations such as large organizations, they must cross state boundaries ... that use case is a nightmare to figure out what is it that they have to enforce. Is it where the person requesting the data lives? Where is it the person data where they live? Where the data lives...? request resides, etc.? What is the right application to do? Especially when the patient says 'please do…'. What of the state location or the requester location? There is wasted energy because in the US we have no unification of regulation on privacy.
  • This is a strength of GDPR: it's the entire EU, the entire country. Diana suggests adopting GDPR and being done with it

Baltimore Agenda

  • add TUES Q2 PSAF Refresh -

Motion to adjourn (Mike); meeting adjourned at 12:53 Arizona Time --Suzannegw (talk) 15:54, 28 August 2018 (EDT)