FHIR Chat · meta.security · implementers

Stream: implementers

Topic: meta.security


Donna Lehr (Feb 01 2021 at 18:47):

Question to group regarding applying the meta.security labels to each resource profile. http://hl7.org/fhir/R4/valueset-security-labels.html Question is, what implementation are you all using to apply the labels? There are no value sets defined for populating them that I could find. For example, HIV/AIDS - I would expect there to be a clear value set or implementation guide on flagging that, not all of us figuring it out on our own.

Lloyd McKenzie (Feb 01 2021 at 18:48):

What's the question?

Donna Lehr (Feb 01 2021 at 18:55):

Edited to include question, curious to see what others have found or are implementing on the topic

David Pyke (Feb 01 2021 at 18:57):

Application of security labels is in its infancy. With the voluntary use within the US, many developers have chosen to focus on other methods of data filtering and segmentation.

Donna Lehr (Feb 01 2021 at 19:03):

Where does it say use is voluntary? HIPAA laws in the US apply to the subject areas within these security labels.

David Pyke (Feb 01 2021 at 19:05):

Basic sensitivity labelling is needed per HIPAA, but the level that the valueset defines goes beyond that, and the ONC Rule left it voluntary, and many orgs are looking at simple labels and filtering at source.

Donna Lehr (Feb 01 2021 at 19:20):

Interesting. Filtering at source I would think could put at risk for information blocking. For example, some states have specific data sharing laws for certain types of data. Behavioral Health, Reproductive health of minors (some states don't allow birth control script to be seen by parent). HIV/AIDS. I would have expected others would be implementing these tags.

David Pyke (Feb 01 2021 at 19:37):

Filtering sensitive data is normally done and released with specific request (BTG or specific request with specific, often out of band, sign-off). Data labelling has a high cost to implement.

John Moehrke (Feb 01 2021 at 21:30):

@Donna Lehr Have you looked at the page in the FHIR core that discusses this?
http://build.fhir.org/security-labels.html
Have you reviewed the HCS documentation outlined in http://build.fhir.org/security-labels.html#hcs?

You might find the report out from DS4P tracks at the FHIR-Connectathon to be informative
https://confluence.hl7.org/display/SEC/Report+Out%3A+Security+Labeling+Track+Connectathon+24

John Moehrke (Feb 01 2021 at 21:31):

You should also look to the #Security and Privacy zulip stream

Donna Lehr (Feb 01 2021 at 23:04):

Not data labeling properly has a higher cost for HIPAA fine than taking the time to implement correctly. Also overly filtering at the source and information blocking has a fat fine too. Food for thought. @David Pyke

@John Moehrke Thank you, yes I have reviewed those resources. It defines all the possible tags that can be applied, however it does not direct on an approved value set to implement the tags. If we are tagging restricted drugs for example, where is the value set that tells me which drugs to restrict? If we are restricting specific behavioral health data, or limited to how that is shared, which diagnosis/procedure codes value set do we use to apply the tag? This should be clearly defined.

Donna Lehr (Feb 01 2021 at 23:06):

Curious, is anyone on this channel implementing these- and are there any helpful resources you can share with the group?

Donna Lehr (Feb 01 2021 at 23:16):

@John Moehrke I take back my statement, I had not seen the Connectathon sources. I dug a little deeper and found one IG- I am looking closer now. Thanks for the resource. https://github.com/HL7/us-security-label-regs

John Moehrke (Feb 02 2021 at 00:52):

Yes. FHIR Core is universal, so it can't declare things like how to tag for USA... yet a USA specific implementation guide can... and even it can't know the clinical codes you use within your organization. That is why we defined a generic Service Labeling Service to do that assessment of data, likely leveraging not just code matching but also clinical machine learning.

Donna Lehr (Feb 02 2021 at 18:20):

Interesting, thank you @John Moehrke for all your insight. Can you, or anyone on this channel recommend a US implementation guide that includes value sets for these tags, if that even exists? I understand implementation may vary by state, any resources are appreciated. The Connectathon that @John Moehrke provided did have some useful content.

John Moehrke (Feb 02 2021 at 18:22):

That is under development. Follow that last github repo.

Donna Lehr (Feb 02 2021 at 18:31):

I see! When is this expected to be complete would you estimate? If you are unsure do you know who I could contact regarding this? @John Moehrke

John Moehrke (Feb 02 2021 at 20:33):

It is under development, going through ballot reconciliation. The likely is this year. I would like to see a second ballot, but that is not clear right now.

Donna Lehr (Feb 27 2021 at 01:26):

Any update yet on release?


Last updated: Apr 12 2022 at 19:14 UTC