Stream: cds hooks/github
Topic: docs / Issue #326 May 2018 Ballot Comment 120
Github Notifications (May 16 2018 at 23:02):
cds-hooks-bot milestoned Issue #326
Github Notifications (May 16 2018 at 23:02):
cds-hooks-bot labeled Issue #326
Github Notifications (May 16 2018 at 23:02):
cds-hooks-bot edited Issue #326
## May 2018 Ballot Comment 120
Submitted by @kensaku-kawamoto from University of Utah
Chapter: Passing the Access Token to the CDS Service
Section: https://cds-hooks.org/specification/1.0/
Type: NEG :exclamation:
In Person Requested? Yes :bust_in_silhouette:
Comment:
The current SMART scope specification seems too broad to meet HIPAA requirements for minimum necessary information disclosure, even in the context of Business Associate Agreements. E.g., providing CDS Hooks services access to patients' name, address, and identifying numbers; or their status on STD tests when all it needs is gender and blood pressure seems to potentially violate HIPAA.
## :de: Köln May 2018 Working Group Vote
@kensaku-kawamoto moved the following disposition, seconded by @brynrhodes.
Disposition: Persuasive with Mod
Disposition Comment:
This is a larger issue than just CDS Hooks. We will log an issue to the appropriate working group/project (eg, FHIR/SMART/Security) to address.
:+1: For: 25
:expressionless: Abstain: 1
:-1: Against: 0
:tada: The motion passed! :tada:
_This issue was imported by @cds-hooks-bot from the consolidated CDS Hooks May 2018 ballot spreadsheet._
Github Notifications (May 16 2018 at 23:02):
cds-hooks-bot opened Issue #326
Github Notifications (Jun 14 2018 at 13:44):
cds-hooks-bot assigned Issue #326
Github Notifications (Jul 25 2018 at 14:49):
kpshek commented on Issue #326
I've logged a corresponding question regarding this to FHIR core: https://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemEdit&tracker_item_id=17552
Closing.
Github Notifications (Jul 25 2018 at 14:49):
kpshek closed Issue #326
Github Notifications (Jul 26 2018 at 13:01):
JohnMoehrke commented on Issue #326
There are many proposals in ballot comments on SMART-on-FHIR that offered improvements to the SMART scopes. My understanding is that the scopes as designed by Argonaut can't be changed, thus we agreed to delay the discussion of scope improvement until after the first version is published normatively.
https://healthcaresecprivacy.blogspot.com/2017/05/fhir-oauth-scope-proposal-using-fhir.html
http://healthcaresecprivacy.blogspot.com/2016/01/fhir-oauth-scope.html
http://healthcaresecprivacy.blogspot.com/2013/09/healthcare-access-control-scope.html
There is also cascading one can do with OAuth, where different authorities handle a different vector.
https://healthcaresecprivacy.blogspot.com/2018/02/apple-should-have-heart.html
That said, it is not likely that scopes are going to be completely powerful on their own. Some further rule enforcement might need to be done at the RS based on information the RS knows. This is generally how consents and safety are being handled when they are complex. --- So, we should not look to scopes as the ONLY access control mechanism.
Last updated: Apr 12 2022 at 19:14 UTC