
FHIR Consent August 18, 2017

From HL7Wiki

HL7 CBCC FHIR Consent Working Meeting

Weekly Meeting Logistics

Weekly meeting; Fridays 2:00 - 3:00 PM Eastern Time

Dial-in Number: (515) 604-9861

International Dial-in Numbers are provided

Access Code: 429554

Online Meeting Link: http://join.freeconferencecall.com/cbhs

Back to FHIR Consent Directive Project Main Page

Attendees

| x | Member Name | x | Member Name | x | Member Name | x | Member Name |
|---|---|---|---|---|---|---|---|
| . | David Pyke CBCC co-Chair | . | Johnathan Coleman CBCC Co-Chair | X | Suzanne Gonzales-Webb CBCC Co-Chair | . | Grahame Grieve FHIR Director |
| . | Alexander Mense Security Co-Chair | X | Kathleen Connor Security Co-Chair | X | John Moehrke Security Co-Chair | . | Jim Kretz CBCC Co-Chair |
| . | Paul Knapp | X | David Staggs | . | Ken Salyards | . | Diana Proud-Madruga |
| . | Mike Davis | . | Neelima Chennamaraja | . | Ken Sinn | . | Beth Pumo |
| . | Joe Lamy, Aegis | X | Joseph Quinn | X | Iona Thraen | . | Serafina Versaggi |
| . | Igor Sirkovich | . | Ali Khan ONC Patient Choice Project rep | . | Amber Patel ONC Patient Choice Project rep | . | Josh Bagley |
| . | Lisa Nelson | . | Hank Mayers PCWG Representative | . | Laura Heermann Langford PCWG Co-chair | . | Steve Eichner |



Agenda

  • Roll-call
  • Review open CRs as time allows

Minutes

  • Roll Call
  • Reviewed Remove Consent.Except.Purpose [CR 11055]
    • Clarify action requests versus usage limitations.
    • This would have the security label for purpose of use, purpose element is redundant.
    • A consent may be useful having purpose of use in a separate element rather than on the governed data if the consent author is not capable of security labeling or attribute based access control.
      • one set of rules for research, different for treatment in separate provision trees.
      • Some implementations may not support purpose of use tags on the data. A custodian has data, and the data is tagged using just confidentiality code and sensitivity tags. They have a request coming in, including a SAML assertion (etc.), that identifies the actor as being provisioned for a confidentiality level and a sensitivity, as well as a purpose of use. The consent rules fit in between (consent on file with provisions, some having allow/deny based on purpose of use). The access control engine goes against purpose of use. How does the engine know what data if it's not tagged? In an “all and any” request, e.g., for purpose of treatment or emergency treatment, there would be no need to consider purpose of use tags on the data, since all of it would be sent per the HIPAA exemption of minimum necessary for push/pull to treating providers.
      • Consent forms may be the source of the labelling on data elements.
      • Security label identifies the tags that the disclosed data should be assigned.
      • Add to purpose and security label a comment: When the purpose of use tag is on the dates, access request purpose of use shall not conflict.
  • Reviewed CR11056
    • Change definition to "A security label, comprised of 0..* security label fields (Privacy tags), which define which resources are controlled by this exception."