Product Brief - Privacy, Access and Security Services (PASS)
- 1 Product Brief - Privacy, Access and Security Services (PASS)
- 1.1 Product Name
- 1.1.1 Topics
- 1.1.2 Standard Category
- 1.1.3 Integration Paradigm
- 1.1.4 Type
- 1.1.5 Releases
- 1.1.6 Summary
- 1.1.7 Description
- 1.1.8 Business Case (Intended Use, Customers)
- 1.1.9 Benefits
- 1.1.10 Implementations/ Case Studies (Actual Users)
- 1.1.11 Resources
- 1.1.12 Relationship to/ Dependencies on, other standards
- 1.1.13 Links to current projects in development
- 1.1 Product Name
HL7 Version 3 Standard: Privacy, Access and Security Services (PASS)
- Access Control, PIM Level, Release 1
- Audit, Conceptual Level, Release 1
- Health Information Exchange Standards
R1 Informative Jan2010; DSTU Sep2010
The Privacy, Access and Security Services (PASS) project specifications define a set of encapsulated, loosely-coupled and composable service components that can contribute to ensuring the confidentiality and integrity of healthcare information.
The Conceptual Model for the Privacy, Access, and Security Services project Audit Service (PASS Audit Service) describes the conceptual-level viewpoints associated with the business requirements that relate to the content, structure, and functional behaviour of information important to the Audit area of the Privacy, Access, and Security domains within the healthcare environment. Thus it seeks to define the business requirements of an Audit service.
The PASS Access Control model presents the information and capabilities required to provide Access Control services to protected resources in a distributed healthcare environment, where interoperability requirements arise. A pre‐requisite to any Access Control activity is the management of Access Control policies. This document considers the behavior associated with the lifecycle of those policies.
The PASS Audit Service Conceptual models present the information and capabilities required to provide Healthcare-specific Audit services to enable organizations to assure accountability in a distributed healthcare environment, where interoperability requirements arise. It is critical to note that this specification is NOT the specification of a service, document, or messaging implementation; rather it is an unconstrained conceptual specification of the domain material.
Business Case (Intended Use, Customers)
Of all security requirements protecting personal health information, among the most important are those relating to audit and logging. These ensure accountability for patients entrusting their information to electronic health record systems and also provide a strong incentive to users of such systems to conform to the policies on the use of these systems. Effective audit and logging can help to uncover misuse of electronic health record systems or of patient data and can help organisations and patients obtain redress against users abusing their access privileges. Personal health information is regarded by many as among the most confidential of all types of personal information and protecting its confidentiality is essential if patient privacy is to be maintained. In order to protect the consistency of health information, it is also important that its entire life cycle be fully auditable.
Implementations/ Case Studies (Actual Users)
- See more at http://www.hl7.org/implement/training.cfm
Relationship to/ Dependencies on, other standards
- Healthcare audit record collection is and has been addressed by other standards bodies and that work will serve to guide this specification. ISO CD 27789, IHE ATNA, RFC 3881, and The Open Group’s Distributed Audit System (XDAS) preliminary specification will all be used as input to this specification.
- Parallel work sponsored by the HL7 Security WG which is tasked with producing a Security Domain Analysis Model (DAM).
- ommunity‐Based Collaborative Care (CBCC) – Composite Privacy Domain Analysis Model (DSTU),