
Difference between revisions of "August 27, 2018 CBCP Conference Call"


Latest revision as of 16:14, 18 September 2018

Back to CBCP Main Page

August 28, 2018 CBCP Conference Call

Attendees


x | Member Name | x | Member Name | x | Member Name | x | Member Name
x | Johnathan Coleman, CBCP Co-Chair | x | Suzanne Gonzales-Webb, CBCP Co-Chair | x | Jim Kretz, CBCP Co-Chair | x | David Pyke, CBCP Co-Chair
x | Kathleen Connor, Security Co-Chair | x | Mike Davis | x | John Moehrke, Security Co-Chair | x | Diana Proud-Madruga
x | Chris Shawn | . | Neelima Chennamaraja | . | Joe Lamy | . | Greg Linden
x | Irina Connelly | . | Saurav Chowdhury | . | Dave Silver | \x. | Francisco Jauregui
. | Mark Meadows | . | Amber Patel | x | Becky Angeles | . | Jennifer Brush
. | Mohammad Jafari | . | Ali Khan | x | Ken Salyards | . | Michael Gu
x | David Staggs | . | Bonnie Young | . | Ioana Singureanu | . | Beth Pumo
. | Lawless | . | Ken Lord


Agenda DRAFT

Meeting recording: TEMPORARY: https://fccdl.in/uTFcy4zkra

  1. Roll Call, Agenda Review
  2. Meeting Minutes approval:
  3. eLTSS Update - Irina / Becky
  4. Withdrawal of V3: Medical Records; Data Access Consent, Release 1 (VOTE Needed)
  5. CBCP FHIR
  6. Baltimore WGM Agenda DRAFT, ready for agenda items

Meeting Minutes (DRAFT)

July 10 – Approve Meeting Minutes: (Motion Suzanne / Jim)

  • Vote: Opposed: none, Abstain: 1 (Johnathan); minutes approved: 11 for July 10

July 17: tentative approval (DP to add CPs worked on) Suzanne / Jim opposed: none, approved:11

  • Vote: Opposed: none, Abstain: 1 (Johnathan); Minutes Approved; 11 for July 17

eLTSS Update

  • (Becky) 113 persons signed up for ballot
  • questions on ballot reconciliation from Becky;
    • amalgamated ballot comment reconciliation, Suzanne can review process
    • can add ballot reconciliation to WGM agenda

Withdrawal of v3: Medical Records: Data Access Consent, Release 1

  • Per Dave (from e-mail sent to CBCP co-chairs – see link in Agenda above) being pulled as an ANSI-standard
    • only Canada is using (a Canadian version)
    • Recommendation is to pull from v3
  • Comment/commendation to Dave for due diligence of reviewing, determining usage
    • Continued discussion to be placed in parking lot - the shared secrets usability may want to consider for FHIR; what it does---(may be able to be done with OAuth) the actual modeling the signature; allow me to break glass in an ad hoc manner - can be in an emergency (patient requesting is conscious); may have redactors or restricts--with a provider and decision made that MD may need to know; shared secret can then be entered by MD (i.e. MD is now authorized)
    • May want to replicate ability as a future use case
      • There is background information, documents; may be used in FHIR consent

<<Kathleen to add link/documents>> for minutes

  • (Mike) it's fine to bring up/assess the use case; we are leaping technologies... we do not need to provide multiple capabilities;

Kathleen moves to removing from v3 / second: Suzanne (or Johnathan)

abstentions: none; opposed: none; approved: unanimous

Discussion: Mike is correct that OAuth/SAML…. the provider has received the PIN (and recorded) that has to be in place for SAML or OAuth PIN to work.... CAPTURED AS A CONSENT DIRECTIVE

  • what is necessary - in the consent resource (or appropriate); hold and override PIN for patient to override specific information to bypass OAuth… (check recording)
  • Mike would like use case to be more general (less associated with technical; there are multiple technologies available); can change OAuth permission to allow one-time permission; this is an ad hoc type of authorization that the patient has capability to grant--outside the normal scope of authorization
  • Kathleen - yes; they can authorize a read only; one time they can turn this on--with this secret having this secret as long as SAML can handle
    • the provider system can make request to override the secret file; whatever the last consent... allowing the one provider to read it the one time
  • (Mike) so while Canada has this in place; outside of Canada may not want; changing systems with existing capabilities to do the same thing; concern on the use case implementation
  • Dave - sees benefit of PIN for the override; which places control with patient; limits exception to current consent record without changing anything in the resource... (stuck in the middle) need to sit down with use case and figure out the best way to look at it... likes the simplicity of the PIN
  • Mike; requires underlying structure to deal with the pin. have to have a mechanism to deal with the PIN... Canada does this, but the rest may not; not in favor of forcing people to adopt a technology


FHIR consent

  • No CPs for review

Baltimore WGM Agenda DRAFT

  • eLTSS (Irina) will be available M-Th
  • Volume 3 - PPT / for TEFCA
  • Privacy obsolete
  • FHIR Security / privacy overview
  • remainder of agenda

Tuesday

Q1

Q2 remove eLTSS

Q3

ONC pilot - ? if available / Johnathan will work out details.

Q4 - eLTSS ballot reconciliation

WEDNESDAY

Q1

Q2 cont. eLTSS ballot reconciliation; co-chair admin

Q4 Piper, BH interest group - Jim will attempt to contact /

  • also, would like to add privacy obsolete update

THURSDAY

Q1 FHIR Consent discussion; report out of FHIR Connectathon

Q2

ADD Jim just off phone from financial management - interested in participating on creation of a FHIR resource for program (as opposed to ? ) may be hearing from Mary Kay; (add to agenda after confirmation of relationship to CBCP) - Kathleen to assist with scheduling...

also add to agenda - cross paradigm (Suzanne to speak to Ken Lord for update)

Privacy Obsolete - Mike

  • review 2018 items
    • in a report related August 9 -- 3.1 million healthcare records were exposed by 142 breaches by Q2 alone
    • this continues Q to Q without any abatement - apparently, we are not doing our job in HL7 security and privacy
      • if no one follows the standards then there is only so much we can do
  • In the news - the VA MISSION Act passed; which made changes to 38USC7332 which allows us to share patient information, including information that is identified as confidential in title 38 ---without an authorization. There is a trend here to offer citizens choices in their best …. i.e. upping retirement account due to cost increases-- also saw that in June there is an article that House passed a bill to align Substance Use Disorder 42CFR....
  • article in July - which reports that HHS is pushing for changes in HIPAA rule and 42CFR part 2 to allow SUD to be shared without authorization -

Question to the group - are these articles on track to what this group understands - there seems to be a trend with opioid epidemic - are we moving in this direction

  • what to share - what not to share (conversation between Kathleen and Mike)
  • there is continued pressure in Congress to do in 42CFR part 2 - why that is, doesn't make sense (Jim) we have been getting pressure from various people on the hill which is why it was revised last year - the revision was only minor; the law it's based upon is clear. What's behind the anticipated benefit is not clear. There are a lot of EHR publishers who do not want to deal with it--that appears to be enormous pressure group 42CFR Part 2 to be HIPAA compliant.

which doesn't add to the discussion.

(Mike) doesn't seem to me in the VA the way it's being implemented - we are opted in by default. If you want to opt out, you have the choice; there is nothing being removed from the patient EHR; we used to require authorize... if you want to share it, it’s there but if you don’t you have to request to limit

Jim - the HIPAA exceptions are what it's pointed to; where there is no option; that is to the discretion of the provider;

Mike - we've been looking at both position sides - each have incredible arguments; what I’m seeing in the reports is that there is an effort; house bill was passed in June 2018, and if HHS is pushing it--which followed the house bill, then maybe that's where we're going…

Mike - the other thing; the whole privacy landscape continues to evolve rapidly. The study can go on forever but plan to end it in September; attitudes about privacy are changing. It’s a gradual thing. We freely give our information away to those who give us free stuff. There are bastions, i.e. banking, healthcare where there is some concern. The privacy is being attacked on different fronts; a good example is new technology--to put up balloons or satellites or drones that would be operating over every sq. inch of the planet, they would provide internet services and have cameras to watch everything below; in California there is increased... to have cameras that read car licenses that take photos of you and your phone tracks you that you can turn your phone off/disable but it still tracks you. To have it stop tracking is to leave it somewhere. These are so gradual it's imperceptible; we are accepting the changes one-by-one. GDPR doesn't address these things (it addresses structural things) but on the use of some information it doesn't address the slippery slope--where we are giving up the information we really want protected. Articles being read at the moment are very doomsday but we've all gone willingly there -

  • Mike trying to put together a report - short PPT and a document; an HL7 site, but plan to stop effort on research
    • if you have information or experiences you want to include please send to mike.davis@va.gov
    • GDPR is outside EU; moving its own legislation outside of privacy; it may take effect in North America.
    • Mike trying to distinguish between GDPR and corporate abuses/abuses we do on our own; we're giving away our information for benefits; there is a tremendous erosion (tweet, Facebook, etc.) being used to profile you--GDPR doesn't address that; (David) but it does because you can invoke the right to erasure.

No additional items added to agenda

Motion made to adjourn: Meeting adjourned at 9:54 Arizona Time --Suzannegw (talk) 13:23, 28 August 2018 (EDT)