FHIR Chat · Agenda Day 2 · Consent Decision and Management Services

Stream: Consent Decision and Management Services

Topic: Agenda Day 2

Duane Decouteau (Sep 10 2020 at 05:01):

I've extended our Day 2 to Include a Morning Session for US participants

Duane Decouteau (Sep 10 2020 at 05:04):

Day 2 - September 10th
Morning Touch Point(US) and Overview 9:00AM-10:00AM ET
Morning Touch Point(AU) 6:00PM-7:00PM ET
Participant Q&A and Support via Chat - 7:00PM-10:00PM EST Channel can be found @ https://chat.fhir.org/#narrow/stream/253681-Consent-Decision.20and.20Management.20Services
Participant Demonstrations and Discussion 10:00PM ET - As needed
Prep Report out to FHIR WG - 12:00PM ET

Duane Decouteau (Sep 10 2020 at 13:42):

Again our track zoom mtg is not linked to Whova, let's all just meet during the already schedule "Morning Touch Point" at 6pm ET. Sorry for the issues.

k connor (Sep 10 2020 at 16:55):

what's the zoom like please

Duane Decouteau (Sep 10 2020 at 18:02):

Please use Whova to access session, next touch point is today at 6pm ET, but here is the zoom link just in case

Duane Decouteau (Sep 10 2020 at 18:06):

https://zoom.us/j/8910205321?pwd=ZkkzMkhRaFg5Y1RiVG0zUjhKN3ZqZz09. For developers, if you checkout the leap-demos github repository yesterday, updates to our messages have been made for privacy-consent scenarios please do a pull "git pull" from your leap-demos directory.

Russell McDonell (Sep 10 2020 at 20:11):

Is anyone around who can help with mapping the request to the Consent resource, and the Consent resource to the response? For instance, the request has 'class' of value/system, but Consent has 'class' of code/system. Do I test that the code == value? And the Consent resource has securityLabel, but the response has id and many codes per id. Do I sort/filter/split securityLabels some how?

k connor (Sep 10 2020 at 20:59):

RE kitchen sink of security labels: If there's only one policy being represented as governing a resource, then these .security are all part of one security label. Guessing that none of the the sample resources have more than one security label. Typical security label would have one confidentiality code, 1..* sensitivity code, 1 policy code, e.g., 42 CFR Part 2, and 1..* purpose of use. Some will also have 1..* obligation or refrain codes. Mohammad and I are working on the FHIR DS4P IG to help implementers figure this out. It gets complex when there are more than one policy being conveyed by the label. But not atypical - in US, information governed under 42 CFR Part 2 and HIPAA can be in one resource or bundle.

Russell McDonell (Sep 10 2020 at 21:22):

There's no 'confidentiality', no 'sensitivity' in the FHIR Consent resource - well, nothing called that, or looking like that. Everything seems to be dropped, like a grab bag of stuff, in 'securityLabel'. But the cdsHooks response seems to split it out - some how ...
I have assumed any with a 'v3-Confidentiality' is an "id" - each in it's own "id" and everything with a 'v3-ActCode' is a 'parameter'.
So, if there's two 'v3-Confidentiality' and four 'v3-ActCode' in a securityLabel, then that's two 'id's, each with four 'parameters'. And then you have to keep the logical OR of all of that across all actors, across all Consent resources, across all FHIR servers ...

Duane Decouteau (Sep 10 2020 at 21:37):

All @ 6PM Whova will say Session has ended. Click on the "Proceed Anyway" button to enter into session.

Russell McDonell (Sep 10 2020 at 21:42):

Also, the connectathon documentation showed an example of a cdsHooks type interaction, with a JSON structure, but no JSON Schema - no cardinality. Now the test JSON has no 'class' - so my service rejects it. WIth out 'class' the Concent Decision Service does not know 'over what' the caller is seeking consent. With out 'class' it's just an ambit claim for access, with the hope that if the patient has ever lodge a Consent, then the caller can get back knowledge that there is a Consent out there somewhere, and what the 'secuityLabel's are ... My Consent Decision Service rejects ambit/fishing exercises, but I haven't found any guidance as to whether that is correct, or incorrect.