Privacy on FHIR Meeting Minutes 2014 1003

advertisement
Privacy on FHIR
Meeting Agenda and Minutes
Agenda & Meeting Minutes
Purpose of Meeting: Introductions and Review of Use Cases
Date & Time: Fri 03 Oct 2014, 1-2 PM Eastern
Location: United States: +1 (626) 521-0016 United States (toll-free): 1 866
899 4679
Access Code: 782820893
Meeting. https://global.gotomeeting.com/join/782820893
Audio PIN: Shown after joining the meeting
Meeting Password: FHIR
Meeting ID: 782-820-893
POF WIKI:
http://wiki.siframework.org/Privacy+on+FHIR
Facilitator: Mike Davis
Meeting Support:
Attendees: O = Onsite Attendee; P = Phone Attendee; X = Not Attending
o Mark Russell (MITRE)
Adrian Gropper (PPR)
o Mike Davis (VA)
Brynn Mow (Jericho)
o Mike Dufel (Jericho)
Dave Hill (MITRE)
o Mohammad Jafari (VA)
David Staggs (Jericho)
o Nagesh Bashyam (Dragon) (ONC)
Debbie Bucci (ONC)
o Nate Gould (DoD)
Duane DeCouteau (VA)
Gerry Gebel (Axiomatics)
Ross Freeman (Jericho)
John Pitale (VA)
Taylor Gill (Jericho)
Johnathan Coleman (ONC)
Terry Luedtke (VA)
Josh Mandel (MIT)
Judy Fincher (VA)
Justin Richer (MITRE/MIT)
Kathleen Connor (VA)
Ken Salyard (SAMHSA)
o
o
o
o
o
o
o
o
o
o
Thomas Hardjono (MIT)
Tim McGrail (VA)
Tony Mallia (VA)
o
William Israel (Jericho)
Andrew Malcom
o
Agenda
Page 1 of 4
Privacy on FHIR
Meeting Agenda
ID Topic
1 Minutes, Agenda
Presenter
Kathleen, Mike
5 min
2
Consent2Share-Open Source CDMS Demo
Ken Salyards (
30 min
3
OxAuth Open Source AS Demo
Duane
20 min
4
Open Discussion
All
As available
Project Deliverables
HIMSS Deliverables
1. “Wow” powered use cases meant to capture
imagination and win hearts and mind [aka “Elevator
Pitch”]
All
2. Storyboards intended to convey business
requirements and standards landscape to developers
3. Architecture
a) Choreographies and data element exchanged
b) Diagram showing subsystems and connections
between them
c) Flow diagram showing activities and message
movement between subsystems
d) Elements passed in the Tokens or request headers
relevant to access control
4. Reference Model (Open source executable code to
serve as model for developers, models, requirements
and profile)
1. “Wow” Power
 PoF Overview Presentation and HIMSS Slide
(1 per booth)
 Kathleen Use cases
2. Storyboards
 TBD
3. Architecture
a) Dragons Diagrams
b) Mohammad Diagrams
c) Mohammad Sequence Diagrams
d) Project Brief
4. Reference Models
 VA provided SLS/PPS, Test Models.
 SAMHSA Consent2Share open CDMS
Key Discussion Notes
ID Topic
1
HoF Model Diagram and Booth Diagrams will be updated to indicate that the End User is a FHIR Client and that the ACS
on the Requester side is control by the Requester’s RS to enforce access permissions conveyed by Security
Labeled/Privacy Protected disclosure from Custodian RS.
2
Wrt to HoF Model Diagram and Booth Diagrams, the senders and receivers could be any of the HIE actors, which are
HIPAA Covered Entities/~Covered Entities (e.g., SSA)/Business Associates (e.g., HIEs).
PoF should highlight the distinguishing business/policy requirements among HoF/AoF/CoF that result in differences in
the manner in which each flow is architected. E.g., because HoF custodians may have policies that override the patient’s
preferences (or to which the patient’s preferences must be constrained via policy adjudication), the flows need to
support a redirect from Custodian’s ACS to Custodian’s preferred AS, thereby possibly overriding the Patient’s AS
3
Agenda
Page 2 of 4
Privacy on FHIR
Project Deliverables
authorizations, which might block a Requester from accessing resources that the Custodian would otherwise disclose per
applicable policy.
4 Assume that CDMS has digital signature capabilities.
Action Items
ID
1
Action Items
Assigned to
3
Due
Date
How do we constrain the scope of
the use cases? We have seven
months to complete and test Demo.
What resources are available and
what can be provided by each of us?
Status
Comments
0926 Added
Standards
All
2
Assign Date
6/2014
Mike
9/2014
0912
0819
COMPLETE
Three
identified.
0613 Need to
know how
many
separate
items.
For Review
Post materials to S&I PoF page
http://wiki.siframework.org/Privacy
+on+FHIR
KC
0908
0923
Complete
Possible multiple
booths or POD.
1. Patient App
scenario
2. Consent
Directives
3. HIE
4. Standards on
FHIR
0829 Bill of Lading in
today’s presentation
0923 Documents
starting to be
uploaded.
0913 Dragon assisted
Mike with uploading
to the ONC PoF Wiki
4
Update the HoF diagram to include a
single trusted AS for the Happy Path.
Tony &
Mohammad
9/22
9/26
0926
Complete
Accepted by Group
Agenda
Page 3 of 4
Privacy on FHIR
Next Meeting
Date:
7 OCT 2014
Time:
3-4 PM (Eastern)
Location:
Dial-In Line:
Debbies GoToMeeting
Notes from 10/3/2014 meeting
Mike Davis went over the agenda and the meeting minutes from last minute.
Andrew Malcom provided a demo of Consent to share (C2S).
Andrew: This is an open-source project for capturing an enforcing patient consents controlling access to their behavioral health
data.
-
Consent directives:
o who can access to what part of record for what purpose
o limited to specific period of time
o Granular access to different parts of the behavioral health data.
Andrew showed how the patient can:
o Look up and add a provider,
o Specify types of information to disclose to each provider,
o Specifying sensitivity restrictions,
o Specifying purpose restrictions,
o Specify time limits (validity dates)
o Sign the consent directive,
o View how the record would look like after applying the terms specified by the consent directive.
Josh: Who provides this service to the patient?
A: It could be run in an original HIE or at a state HIE level, or at a local level connected to a particular HER.
Tony: How about less granular providers e.g. entire organization’s access.
Andrew: Organizations have their own NPIs. They can be looked up.
Mike: We are considering this as a potential for CDMS and since this is open-source, we can modify it.
Adrian: Can this be run at patient-level?
Andrew: This is meant to be run by the organization.
Josh: Does the data go through C2S?
Andrew: It uses a rules engine to run the redactions as a module to the ACS of the organization.
Mohammad: What’s the format in which the consents are persisted?
Andrew: It’s an XML format.
Duane: It must be CDAR2 standard format.
Tony expressed concern about the opt-out cases where the default is to share as the consent created in the C2S system is an
opt-in type.
Duane presented OxAuth Open Source AS Demo.
Agenda
Page 4 of 4
Download