HL7 Secure Transactions Special Interest Group

Meeting Minutes - May 22-23, 2000
Attendees
Bernd Blobel, HL7 Germany
Myrtle Burton, MetroHealth
Alan Chan, Dept. of Veterans Affairs
Blair Cockenline, University of Washington
Renard Currie, Healthdyne
Ron Gans, MedSeek
Mary Kratz, Internet2
Glen Marshall, SMS
Hendrick du Plessis, QEDI
Rick Nelson, Epic
Gregg Seppala, Dept. of Veterans Affairs
Points Discussed
1. Glen Marshall presented the status of progress made toward a common audit record
definition. The basic reception of the proposed standard was that it is a go-forward
document. The intent is for it to be balloted as an informative document in the Fall voting,
and then to become a normative standard with a timeline TBD.
Here is the presentation …
Comments from the attendees ...
a) This record transcends HIPAA. It represents a general need in the healthcare community,
both for the US as well as international.
b) HL7 will work with the ASTM E31.17 committee to harmonize the HL7 effort with their
provisional standard PS-115-99.
c) Implementation advice
   - Establishing various roles and policies about disclosure audits by role will lead to
     clearer understanding plus administrative and technical efficiencies.
   - Consider bandwidth brokering/metering as a way to fund auditing for people that
     want it.
d) The UUID field (for unambiguous & permanent user identification)
   - It is a common meeting-point with various standards efforts to define PKI and generic
     person objects.
   - In essence, it can be used as a key to a fairly robust person record with history, etc.
     Local user-ID strings don't have this implicit power, and it can be important for
     investigational audits.
e) Role ID Field (introduced by HL7 in the January '00 meeting, not in SMS' definition)
   - The Role ID field could be better viewed as "authorization source".
   - Roles are ambiguous. It is better to have a taxonomy of roles derived from smaller
     atomic tasks. These can be stored in a directory (LDAP).
   - Additional use cases are needed for roles in respect to auditing.
f) The Policy Modeling aspect can use G-CPR in addition to the new European ISO
standard. This is an area of work that needs to be done for the Fall meeting.
2. Bernd Blobel presented his work on Policy Modeling. This will be used in further
development of the audit record work.
Here is the presentation …
3. Bernd Blobel also presented an overview of the W3C working draft "XML-Signature Core
Syntax and Processing". In discussion we determined that we should move this work
forward to be balloted as an informative document.
Here is the presentation …
Issues Resolved
None
Follow-up Items & Assignments
1. Glen Marshall – Prepare informative document for the Audit Record for balloting in Fall
2000
2. Bernd Blobel – Prepare an update presentation on digital signatures for XML, in preparation
for a subsequent informative document for HL7 v3.0.
NOTE: Input to and discussion about these topics will be welcome on the SIG Secure listserve.
Schedule for the next meeting
The next meeting date for the Secure Transactions SIG will be Tuesday, September 12, 2000,
morning and afternoon. Agenda items are:
1. Status of Audit record definition, including results from the planned ballot on the informative
document.
2. A discussion of PKI for healthcare and its applicability to HL7 authentication for messages
and the CCOW user context subject.
3. An update presentation on digital signatures for XML, in preparation for an informative
document for HL7 v3.0.
4. A report and discussion on healthcare security efforts in other Standards development
organizations (such as the ASTM E31 committee), HL7's international affiliates, and efforts
to coordinate and harmonize HL7's work with them.