October 17, 2017 Security Conference Call

Back to Security Main Page

Attendees

Back to Security Main Page

Agenda

1. (3 min) Roll Call, Agenda Approval
2. (5 min) Review and Approval of October 3, 2017 Minutesand October 10, 2017 minutes.
3. (5 min) Is Privacy Obsolete? Study Group wiki page with IOP? Listserve link. Update on project - Mike Davis and Chris Shawn
4. (5 min) Update on Security WG Bulk Data Transfer Comments submission - John Moehrke
5. (30 min) Review and draft Security WG comments on PAC comment guidelines and highlighted ISA items related to Security and CBCP Scope
6. (15 min) FHIR Security call - John is at IHE so no call this afternoon. Kathleen to review draft CR 14028 for Accounting of Disclosure using FHIR AuditEvent.

Meeting Materials

FHIR Security CR 14028

• Accounting of Disclousres
• Specific example of a Privacy report that is HIPAA specific, but the concept is applicable in similar forms
• There is some POLICY that drives a subset of all Access/Use/Disclosures to be explained to the patient.
• Who, What, Where, When, Reason, Purpose
• Produces some form of report to be delivered to the patient to explain all the disclosures
• Unlikely to be a structured report, but the structured report could be CSV (or AuditEvent)
• Other regulatory examples: Access Log (all accesses regardless of if they qualified under TPO)
• Would capture all potential disclosures in the AuditEvent audit log, and filter to select the reportable disclosures
• Leverage AuditEvent database. Other audit log data may additionally be added but are outside the scope of FHIR.
• Focus only on Accounting of Disclosures where the disclosure is detected and recorded using an electronic reporting sytem (Not including disclosues undetected or unknown)
• Would include paper/fax/mail disclosures provided there is some supervisory system that detects the export
• Would not include paper/fax/mail disclosures that happen outside of a workflow managed or detected by technology
• HOW
• Given that AuditEvent includes comprehensive evidence of all access/use/disclosure, then:
• Filtering of the whole AuditEvent may be complex, and would change as regulations change and as workflow patterns change.
• Filter on all AuditEvents where the Patient of interest is the subject/patient element (See patient compartment)
• Workflows may operate on patient data indirectly and thus would not be detected as having touched the patient
• Some resources don't contain a patient/subject element, but are linked to the patient/subject through another object (need explicit example?)
• Some:
• Of all the events returned from a subject search
• Filter out those events that don't need to be included in the Accounting of Disclosures
• Condense multiple events on the same Disclosure event (many audit log entries will happen that are all related to one session)
• Summarize each Disclosure detected
• Who --
• When --
• Why -- (OAuth purposeOfUse?)
• What ??? Can we leverage the <any> Resource.text element to explain 'what' data was disclosed?
• AuditEvent.text -- This field may be useful on some types of audit event recording
• De-Duplicate similar events into some description of a number of Disclosures over a period of time
• a PDF can be created with the details from this analysis or possibly a structured/coded form
• REFERENCES
• http://www.hhs.gov/hipaa/for-professionals/faq/246/do-business-associates-have-obligations/index.html From <http://www.hhs.gov/hipaa/for-professionals/faq/right-to-an-accounting-of-disclosures>
• HITECH AoD From <http://www.hipaasurvivalguide.com/hitech-act-13405.php>

Minutes