  1. FHIR Specification Feedback
  2. FHIR-28907

Do not include policy positions as conformance statements 5

Details

    • Change Request
    • Resolution: Not Persuasive with Modification
    • Highest
    • US Da Vinci HRex (FHIR)
    • current
    • Clinical Interoperability Council
    • Security and Privacy
    • 5.5 Security and Privacy
      We have raised this issue with FMG and US-Realm and both have agreed that it is permissible to use conformance language (i.e. SHALL/SHOULD/MAY) when referring to content outside the scope of rules defined by the IG itself. Given that this language has undergone considerable review and discussion with groups inside and outside HL7 and the community was comfortable with the language, we do not see a good reason to relax or change it at this time.

      However, we will reword the sentence to make clear that it's setting an expectation of system behavior, not the actions of personnel or organizational policy. Specifically, we will reword to:
      "Implementations SHALL ensure that release of the information without explicit request of the patient/member is based on organization policy consistent with Federal and State regulations. Examples are legal request for information and “break glass” to treat a patient that is unable to provide consent."

    • Marti Velezis / Jimmy Tcheng : 6-0-1
    • Clarification
    • Non-substantive

    Description

      This IG can't make a policy position or interpretation of the law into an HL7 Conformance Statement. Please refrain from mixing implementation conformance with IG specific policy stances for the following reasons:
      * This is not part of HL7 Conformance methodology, because it is not testable given the standards included in this IG. Testable, computable ability for system components implementing HRex to support release of information without explicit request of patient/member would require inclusion of standards for access control with the ability of authorized requesters to access patient/member information per applicable policy and for the audit capability to capture that action. In addition, support for break the glass requests would need system capability to display accountability warnings.
      * If this policy stance were adopted as a conformance statement, it has the potential to influence how developers implement this IG at the peril of their legal departments, and might run afoul of the policy positions of other HL7 community members and HL7 leadership, which would likely prefer that implementable HL7 standards' conformance statements remain policy agnostic.
      Instead, this IG should strongly encourage implementers to consult with their legal counsel about whether their implementations comply with applicable organizational policy consistent with Federal and State law when release of the information without explicit request of the patient/member is permitted.

      Existing Wording:

      Release of the information without explicit request of the patient/member SHALL be based on organization policy consistent with Federal and State regulations. Examples are legal request for information and “break glass” to treat a patient that is unable to provide consent.

      Proposed Wording:

      When release of the information without explicit request of the patient/member is permitted, implementers are strongly encouraged to consult with their legal counsel about whether their implementations comply with applicable organizational policy consistent with Federal and State law.
      Examples are legal request for information and “break glass” to treat a patient that is unable to provide consent.

          People

            Unassigned
            k.connor Kathleen Connor
            Kathleen Connor