Community-Based Care and Privacy (CBCP)

formerly Community Based Collaborative Care (CBCC)

DRAFT 2018 January Working Group Meeting - New Orleans, Louisiana, USA - CBCP WORKING GROUP

• HL7 WGM EVENT Page Link
• On-Site Meeting Schedule ,
• BROCHURE Link
• HL7 FHIR Connect-ta-thon
• Security WGM Agenda

Community-Based Care and Privacy (CBCP) WORKING GROUP SESSIONS

Q1 = 9:00 – 10:30 am / Q2 = 11:00 – 12:30 pm / Q3 = 1:45 – 3:00 pm / Q4 = 3:30 – 5:00 pm

Back to CBCP Wiki: Meetings

Agenda and Meeting Minutes

Back to CBCP Wiki: Meetings

Back to CBCP Wiki Meetings

Meeting Minutes Draft

Back to CBCP Wiki: Meetings

https://www.hl7.org/permalink/?WikiMinutesTemplate https://www.hl7.org/permalink/?WikiMinutesTemplate

MONDAY

Q3/Q4

Joint CBCP , Hosting Security

• Welcome and Introductions ( 21 )
• Introductions -
• Agenda Review

1. FHIR Consumer Centered Data Exchange Connect-a-thon track report out and demonstration - Kathleen Connor, Debi Willis, Bo Dagnall DCX (Plus Demo)
   • a. MiHIN contributing ACS mi
   • b. Bo will speak with DXC technologies
   • c. Aaron working with some of the developers
   • d. Terminology (Walter /
   • e. David Hayes - research app

Live demo link from Ali Khan Add mp4, https://fil.email/lTbOflPH link / materials loaded

DXC, CCDE Solution Components from Bo Dagnall PPT, slide

DXC Solution Components (pre-connect-a-thon; where VA MHS might have in their technology space to pull the pieces together, aggregate and standardize the data, CDS hooks and FHIR standards • SLS in the CCDE track in prep - architecture shown (pre-connection § FHIR resources pulling data from this including □ Synthetic mesa (MITRE □ VistA □ Allscripts sandbox □ Fitbit □ Cerner § DXC SLS pulling from Wk HU / sensitivity data set □ Pulling what out of the data set is sensitive; we were able to tab the data and add the tags back to the resources back into resource data DXC CHS § A consent manager was added "consent source' □ opt in from East clinic; □ opt out but want to allow STD information for a researcher doing research □ OIOO , POU, shared rules § Record views - sends in the clinician's data-- what role are you playing as well as asking POU • At the connectathon we were able to show interoperability; as a consent source to the DXC CHS they were able to send • Exceptions - demo from Bo Dagnall DHP Patient Viewer HenryFodWyandotte - company • Different combinations which can have fine-grained level of choices • DISCUSSION; note that demo was based off of FHIR STU3; • User role, POU, Security Label - these items are the heart of the exception. • Four organizations working together ; 3 sending data in and 3 filtering out • Is there an executive summary ; 15 minutes overview. (Bo/Kathleen to draft one?) 1. eLTSS - if available a. PPT; to be covered by Evelyn Gallegos b. Funded by CMES, led by ONC c. Developing a standard for electronic long-term services; supported by CBCC through ONC d. Use case; Medicaid waiver. - very disables, medically disabled, children issues; supports very which are non-clinical i. Waiver waves the part of these patients being in an institution - done through Medicaid (and sometimes not covered by MU;) this work is how to bring their community into standards. ii. eLTSS Core Dataset - stemming from a service plan; what are the services that the provides will provided for these services and who are providing them Most are fairly standards - some touch into consent, including signatures; Patient centered vs person centered what distinguishes them p vs p this is the same entity defined (patient, person, client, iii. What of this data is being shared; 1) Currently trying to map the standards into the data being shared 2) Starting with Care Plan (service plan, contextually the same) a) Care Plan - references to needs identified during assessment b) Outlines goals for the plan c) Specifies actions that will occur to address needs and achieve goals 3) "Procedures" (is this medical procedure… or is it services--not necessarily medical) Timeline - effort and time; through October 2018

1. ISO PPT - David Staggs a. ISO TC 215 - PPT << add link >> 2. TEFCA Discussion - (Link to all material) a. EU commission has mandated that transaction go cross border must be using the AS4 of secure communications - there isn't necessarily an alternative i. AS4 has not found any uptake other than this scenario. b. Comment: VA DOD is doing a set of comments … that Mike feels c. DS4P: that this standard should be in place -provides a mechanism for doing trust and allow information to flow more freely i. By 2020 80% of enterprises will have adopted ABAC d. Chris Shawn - noticed inconsistencies of NMLP,, soap…in the TEFCA i. Questions on the cryptography data; comments to correct the information ii. Added on idea of having healthcare information categorized FISMA moderate vs FISMA high… at least in the exchange of information vs the delivery of care--two different ways of looking at it. iii. Identity proofing - leveraging … didn't go into a lot of detail, tried to expand identity and authentication ways to get to level 2--but not very detailed. e. Johnathan - using standardized security labels--if requiring through the DURSA… and enforcing through the DURSA 3. Is Privacy Obsolete PPT - Mike Davis PPT Link https://gforge.hl7.org/gf/project/cbcc/docman/2018%20January%20WGM%20PPTs%20and%20documents%20for%20minutes/Is%20Privacy%20Obsolete.pptx; PPT Report Link :https://gforge.hl7.org/gf/project/cbcc/docman/2018%20January%20WGM%20PPTs%20and%20documents%20for%20minutes/Is%20Privacy%20Obsolete%20Study%20Group%202018%200126%20HL7.docx a. Approach - look at trends in law (what kinds of laws exist) b. Policy breaches, how many, how are they being handles c. Types of standards

○ Focuses currently on Big Data, AI - which appears to be the biggest threat § 29100 ○ Why do we care, what do we stand to lose? § Why do we care - we cannot take too myopic a view on Privacy □ There is leakage in the golden lockbox of privacy □ Should we change, continue what we're doing? § Mike's task was to do the research; not to decide what to do… □ Is there a takeaway? □ Privacy is not homogenous across the world. □ GDPR compliance? □ We are creating privacy enhancing standards (FHIR consent, SLS, etc.); we should promote the standards we have. □ We can use the information that Mike has reported on to leverage a promotion of the standards that we have created. § Challenge to take concept and HOW does it affect what we do 'here' in HL7

1. Security and Privacy DAM Update progress

2. Joint Project report out a. VENN Diagram i. Document against the .. 1) As part of the PSAF reconciliation - looking at the previous DAM; Bernd pointed out of what composite meant in the DAM (composite policy) - addition of definition of terms d(done for the trust framework) meta-, composite-policy… coming from Ponder report; which Mike wasn't aware of. These definitions are what we are going from. 2) Based on the misconception - we need to revise the DAM accordingly. 3) The trust framework need to 4) <<Mike needs << LINK to document>> 5) Do a modification of the dam to get to the correct class in the correct - best way 6) May ballot 2018 goal. >> intent to generate comments. 3. US and International Report out a. Hideki - 14 purpose code, classification term Description (informative) i. POU is 27789 audit record, ii. We should make change proposal to DICOM and added this table iii. TC215 WG2, held in NOLA discuss about DICOM; made by author of 136060 (Deepak c) 1) Health information classification of purposes ISO 14625. POU tables defined--have to refer to this table 'required' 2) All of our standards are extensible that this table is already recognized--next meeting in Brazil--will do systematic review to revise this standards and review/revise of this 14 codes; note that these codes are already published ISO/TS 14265 in 2011. iv. ISO is creating a vocabulary for a an ISO vocabulary…resulting in two POU vocab. v. Why is ISO duplicating HL7 vocabulary? In HL7 POU vocabulary Rosetree there is a mapping of the ISO vocabulary 14265 Matching 27789 and patientRecord even message of DICOM; • We should revise both 27789 and DICOM • We should propose from ISO to DICOM SC as CP; there are no PurposeOfUse and ParticipantObjectPolicySet in DICOM PS 3.15. vi. DICOM PS 3.16 Add code of POU to Content mapping resource Hideki - 4. Joint Project review • Security and Privacy advancements since last WGM, informal/around the room NEW discussion items; NEW projects; NEW PSS, etc. - note: 10 min timestamp

From <http://wiki.hl7.org/index.php?title=January_2018_CBCP_Working_Group_Meeting_-_New_Orleans,_Louisiana,_USA>

Back to CBCP Wiki: Meetings

Tuesday

Q1 - with Security

International report: Australia - coming in 2/22, DARPA breach legislations, similar to US GDPR, parameters are 30-31 days for reporting, if any of the organization also fall under GDPR, they must also comply (7 days) Intelligence agencies are exempt from DARPA breach legislation MyHealthRecord - trials on OIOO, OO would be there in legislations but delayed; now pathology and audiology will automatically be uploaded, public will not have knowledge that medical professionals (all) have access to that information

AUS all have individually identifier - if you OI - then you get government identifier, your general practitioner can upload summary record, so outside--can also upload information. Government decided to OO - everybody has a record that can be used, if you don't want to use, then you don't have to use (you must 'opt out)

Q2

PSAF -

TEFCA - Helping develop comments in the respective channels - high level questions • What is TEFCA - what does it mean? • Chris Hills IAO - sits between VA and DoD - tagged from director to coordinate DoD/VA on the TEFCA and the US CDI document that goes with that as well; • 21st century CURES act, directed ONC - trusted exchange network and framework ○ Authenticating health information network participants at a comment level ○ Organizational policies of this exchange this occur ○ Adjudicating non-compliance • There is a difference in the identifying different in how federal agency conduct identity proofing between federal/non-federal partner • TEFCA • Emergency access is missing from TEFCA as part of the POU • Look at requirements for AL2 ○ Per John Moehrke it's not for HL7 to create policy standards, ○ Johnathan Coleman for TEFCA, they are requiring AL2 ○ KConnor - we can put this as a questions - in how are we accounting for the change in LOA (level of assurance) ○ Johnathan Coleman - we are comment on the security requirements

Q3

eLTSS Initiative

Refresher on eLTSS - Evelyn Gallegos, Piper Ranallo , US realm PPT: on gForge LINK: https://gforge.hl7.org/gf/project/cbcc/docman/2018%20January%20WGM%20PPTs%20and%20documents%20for%20minutes/eLTSS%20Discussion%20Deck%20for%20JAN18HL7WGM_FINAL.pptx • Why we're here, why you should care. 1. Identifying standardized components or data elements 2. X Most of the work start within their home environment, individual (patient/ "patient entered t person centered planning and information exchange 56 dataset core eLTSS,

Would like to advance the dataset, test/pilots will test eLTSS HL7 artifacts as they are developed (AGILE development; SPRINT testing) • Aiming for June FHIR connectathon test [DevDays]

Irina, Mark, Jack Activities in an LTSS Service • Long term services and supports • Natural supports • Beneficiary steps or actions

Long term services include: case management, homemaker, home health aide, personal care

Episode of care - eLTSS is focused is coordinated care, focus has been on the 56 data elements , looking at the bigger pictures.

How to represent LTSS Services in FHR

What does depiction mean? A finessed definitions developed from a group of person; "something that requests from me…"

Kyle - ONC Patient Choice technical project / REACHnet LINK to PPT: Efforts for arcface 3 - Informed consent Research. • MiHIN - presentation (in future telecon) ONC Patient Choice Pilot: HiOH Kids

- Louisiana, Texas (5 million patient) - making data more accessible for research methods PTAS Apps, Modes & Functions

Patient Choice Pilot: Core elements • Use FHIR standards for pediatric consent; designed for distributed implementation

Understand the rationale behind the process on why this particular procedure was used versus another. • Research subject; • Lessons learned: will take back to WG to take under consideration

• Construction reference resource - as to what you've done on your text. • Additional work will be done to which where • Next steps MiHIN demonstration; as a capstone if we want to generalize… see how this can bundled up with our lessons learned to eventually proposed as a work item to be used for future work. • If this come as an IG - requirement is test scripts and guide • ONC pilot - usually ends as a specific FULL production - yes plan… for pediatric registry for completion of this year, adult

Q4 - CBCC Administrative

3-year plan reviewed, revised Meeting Planning completed for May 2018 Cologne, invite sent (http://www.hl7.org/Events/MeetingPrep/index.cfm?addQtr=1)

Back to CBCP Wiki: Meetings

WEDNESDAY

Q1 - joint with EHR CBCP Security FHIR(?) (EHR hosting) • Reed Gelzer - Accuracy/Authenticity Assurance (PPT) <<add link or PPT>> • Mike Presentation - Is Privacy Obsolete PPT

Q2

Attendee: Dave Pyke, Johnathan Coleman, Jim Kretz, Suzanne Gonzales-Webb Decision Making Process • Update CBCC to CBCP and associated language, update to current WGM Jan 2018

Motion to update DMP as discussed above (Johnathan/Jim) Vote to approve 3, no abstentions, no objections

MISSION Statement • Update CBCC to CBCP, as in DMP • Remove CIC as formal relationship • Add language… after Health and Human Services… change to 'such as…Health and Human Services and Canada Infoway. • Add provenance as an additional bullet point under work products

(eLTSS - long term care) as an additional bullet point

Motion to update as discussed Vote to approve 3, no abstentions, no objections

SWOT Update joint projects - • Remove CIC, Mobile Health • Add ONC to Strengths

Q3 Attendee: Dave Pyke, Jim Kretz, Suzanne Gonzales-Webb Administrative time Completed updates to Governance documents

Q4 Attendee: Dave Pyke, Ken Salyards, Jim Kretz, Suzanne Gonzales-Webb Piper Ranallo presentation - no show

Back to CBCP Wiki: Meetings

THURSDAY

Q1 - CBCP Hosting FHIR-I and Security

FHIR Path by Example (Josh Mandel) • Language being used a few placed to pull out/compare different resource • An outgrouth of xpath • Writing an xpath expression; FHIRpath knows what types of expressions 'recognizes'

FHIRPath - ppc-1 Eith a policy or PolicyRule (expression….0

CP 14335 motion to accept John M/ Trish 1 abstention; 0 objections; 16 approve

CP15102 (similar to above) 'duplicate'

Q2 - CBCP Hosting

1. 15113 added new CP Change as

Motion: John Moehrke/Suzanne Webb Abstentions: none; opposed none; 5 approve

Change Patient to 0..1 and change scope to extensible binding with invariants on exisiting scopes forcing patient to 1..1

Back to CBCP Wiki: Meetings