Community-Based Collaborative Care Working Group Meeting

Back to CBCC Main Page

Meeting Information

Attendees

Back to CBCC Main Page

Agenda

1. (05 min) Roll Call, Approve Meeting Minutes from April 12, 2016 CBCC Conference Call
2. (15 min) Ballot Reconciliation for Consent Directive
3. (10 min) Privacy & Security by Design/NOW Privacy Impact Assessment Cookbook update - Rick
   • Privacy Impact Assessment Cookbook DRAFT
   • PbD Principles and Conformance Criteria DRAFT
   • Privacy Impact Assessment Cookbook Project Scope Statement
4. (01 min) Healthcare Security and Privacy Access Control Catalog - Update post ballot
5. (05 min) PASS Access Control Services Conceptual Model - (Standing agenda item) update (Diana)
6. (05 min) Joint EHR, Security, Privacy Vocabulary Alignment - (Standing agenda item) update (Diana/Mike)

Meeting Minutes (DRAFT)

Agenda Approved

Meeting minutes for April 05, 2016 CBCC Conference Call

Approved: 0 / Abstain: 0 / Objections: 0

Ballot Reconciliation - Consent Directive CDA R2 IG Ioana has sent out follow up e-mail for the remaining negative votes, awaiting responses from

• Austin Kreisler
• Vasil Peytchev and Nell Lapres (EPIC)
• Lisa Nelson

We are awaiting responses to the proposed dispositions

Ballot Reconciliation - Healthcare Access Control Catalog

• Suzanne has sent out follow up e-mails to the remaining DoD negative voters
  • Ollie Gray
  • Wei Guo

Privacy & Security by Design/NOW Privacy Impact Assessment Cookbook

• Diana expressed concern with the PIA being too cumbersome with HL7 developers which is why she believes the Security Risk Assessment Cookbook did not gain any traction.
• PIA cookbook; are we going to Privacy Impact Assessment, when we are looking for privacy considerations in HL7 standards?
• Mike - it’s a matter of resources and prioritizing activities. This is the simple man's PIA. We need this in place so that we don't want to be harassed in S&P, we want to give them a simple 'checklist.' Not specifically FHIR related, we have a project plan, with a new project scope statement with a trust framework which will be more Privacy by Design (PbD) - a more in-depth type of thing. We are not trying to do both in one project--we want two separate PSS's which address the specific items in each and can be properly scaled.

• Conformance criteria showed... Checklist
• Principle - Concept of choice
  • PIA Cookbook - what the developer would go through (questions, checklist)

The PbD principles are very high level; they're design principles to be considered when implementing a system. The S&P Framework is intended to be more directed toward consideration that developers or system owners would need to think about from a policy perspective. We’ve had recent discussions when you change the labels on a resource and folks within the FHIR community think they can change labels when they want to. We don't want to write policy in FHIR. In this case, the business associate agreement that they would honor the labels as present and not changed--on the other hand, with the correction, the data was labeled as sensitive but it’s not. (You’ll need to update the existing version) we could have a recommended best practice in order to deal with this.

Additional discussion, minor revisions made to the project scope

PASS Access Control

• waiting on an update from Alex regarding Bernd's comment (at Security meeting)

Joint EHR Security Privacy Vocabulary Alignment

• This morning's meeting was cancelled. Work was completed last week for presentation at today's meeting. Continuing to review how to model the vocabulary and are looking to bring in a terminologist to assist with best practices.

Meeting adjourned at 1154 AZT --Suzannegw (talk) 15:08, 19 April 2016 (EDT)