FHIR Chat · Letter from PE WG to PAC on Alissa Knight Findings

Stream: patient empowerment

Topic: Letter from PE WG to PAC on Alissa Knight Findings

Andrea Downing (Nov 12 2021 at 21:10):

2021-10-25-HL7-Patient-Empowerment-WG-meeting-DRAFT-proposed-response-to-Playing-with-FHIR_v5.docx [2021-10-25-HL7-Patient-Empowerment-WG-meeting-DRAFT-proposed-response-to-Playing-with-FHIR_v5.pdf]

(/user_uploads/10155/iJRrvUKxURmfNm1ZZmenaNip/2021-10-25-HL7-Patient-Empowerment-WG-meeting-DRAFT-proposed-response-to-Playing-with-FHIR_v5.pdf)

Hi All: Following up on this week's meeting at the HL7 PE WG regarding FHIR Security recommendations, following Alissa Knight's report.

We will NOT be able to meet for discussion prior to next Thursday due to bandwidth/schedule availability. The goal of sharing the latest version is to allow all stakeholders to propose their redlines / comment directly. Please log any further changes by Tuesday 5 pm PT at the latest.

Next Thursday's WG meeting will be used as a forum to discuss AND close out any final changes that we have not in our letter accepted, which were submitted prior to Tuesday.

@Dave deBronkart @Virginia Lorenzi @Abbie Watson @John Moehrke @Ryan Harrison @Lloyd McKenzie @Grahame Grieve

Andrea Downing (Nov 17 2021 at 04:10):

Hi @Dave deBronkart @Virginia Lorenzi I need to let you know that I cannot join this Thursday's meeting. I'm hoping @Ryan Harrison can carry this forward, or alternatively we table it until next week.

Ryan Harrison (Nov 17 2021 at 15:41):

Yes, I will join tomorrow's PE call.
And thank y'all for moving the ball forward.

John Moehrke (Nov 18 2021 at 13:27):

I have the usual conflict. I reviewed the draft this morning, it is covering a bunch of topics that I think are good topics but these topics feel out-of-place given the context of the Patient Empowerment perspective. I think the text would be more powerful if it focused on the impact to the patient, and leave the other technical points (which are good points) out.

I don't think this paper focuses on the fact that Privacy is more than just access control failures. The Privacy Principles are well documented in many standards, and fundamental to GDPR. They however never get full perspective in the USA. (my article https://healthcaresecprivacy.blogspot.com/2015/04/privacy-principles.html)

Collection Limitation Principle
Data Quality Principle
Purpose Specification Principle
Use Limitation Principle
Security Safeguards Principle
Openness Principle
Individual Participation Principle
Accountability Principle

Note #5 is about the core security failures. This is not the only one of these 8 that hurt Patients when they fail.

John Moehrke (Nov 18 2021 at 13:30):

The second problem I think Patient Empowerment should mention that is not mentioned in the current draft, but for which the current draft layout is clear evidence of this problem.... There is way too much patchwork of Privacy Policies. The very fact you need to have different sections speaking to ONC, CMS, HHS, FTC, and all of the states... The Patient, especially their Privacy (Principles) are harmed by this non-coordinated effort. This chaos enables abuse of Patient Privacy Principles in the gaps, and prevents failures from being enforced as the bodies presume the other organization is covering 'that' issue.

John Moehrke (Nov 18 2021 at 13:34):

That said... These are my perspectives of what I think a Patient Empowerment group should be focused on. The consensus should be what is actually used to draft the text. I am coming in late with this very different perspective, I am one voice, and I must admit to not participating as much as the rest of you (I have too many conflicts).

Andrea Downing (Nov 18 2021 at 16:26):

@Ryan Harrison making sure you see this....

Ryan Harrison (Nov 18 2021 at 20:18):

@Andrea Downing
The working group approved the letter and 5 recommendations.
The 6th recommendation was moved to "needs work."

The next step are for you to...

Prepare a clean version of the document (including exporting to Word and checking the formatting ).
Post the cleaned version in #patient empowerment for as the final "this is the cleaned-up version of what we've approved today."
Send Virginia the clean document so she can send to PAC.

Dave deBronkart (Nov 19 2021 at 15:26):

@Ryan Harrison carried it forward admirably. He's a star! Aside from technical knowledge he has the rare ability to corral a discussion and drive the cattle home to a conclusion on schedule

Abbie Watson (Nov 19 2021 at 16:48):

Ryan Harrison said:

Andrea Downing
The working group approved the letter and 5 recommendations.
The 6th recommendation was moved to "needs work."

The next step are for you to...

Prepare a clean version of the document (including exporting to Word and checking the formatting ).

Post the cleaned version in #patient empowerment for as the final "this is the cleaned-up version of what we've approved today."

Send Virginia the clean document so she can send to PAC.

I was extremely disappointed with this document, @Ryan Harrison. Please do more research and discussion before removing people's contributions. You should have asked for clarification before removing those sections.

Abbie Watson (Nov 19 2021 at 16:50):

Dave deBronkart said:

Ryan Harrison carried it forward admirably. He's a star! Aside from technical knowledge he has the rare ability to corral a discussion and drive the cattle home to a conclusion on schedule

I disagree, @Dave. The 'corraling' occurred by removing the opinions and contributions that he didn't understand or agree with. This is not the HL7 way. Important things were left out of that document; making it less effective than it could have been.

Dave deBronkart (Nov 19 2021 at 19:18):

To each his own, @Abbie Watson :smile:

Abbie Watson (Nov 19 2021 at 19:59):

The ironic thing, of course, is that it gets sent to the PAC, then to HHS and the ONC, they'll forward it to MITRE because we manage both the Health and Cyber FFRDCs, then gets sent to the Inferno team, and they ask who is working on security test scripts for FHIR APIs.... and its likely to wind up in my inbox. Don't be surprised if those comments that were removed from the PE letterhead wind up part of a MITRE response. :shrug: