FHIR Specification Feedback: FHIR-28908

Do not include policy positions as conformance statements


Details

    • Type: Change Request
    • Resolution: Not Persuasive with Modification
    • Priority: Highest
    • US Da Vinci HRex (FHIR)
    • current
    • Clinical Interoperability Council
    • Security and Privacy
    • 5.6.2 Exchange of PHI for TPO (as defined by HIPAA)
    • Resolution comment:

      We have raised this issue with FMG and US-Realm and both have agreed that it is permissible to use conformance language (i.e. SHALL/SHOULD/MAY) when referring to content outside the scope of rules defined by the IG itself. Given that this language has undergone considerable review and discussion with groups inside and outside HL7 and the community was comfortable with the language, we do not see a good reason to relax or change it at this time.

      However, we will reword the sentence to make clear that it's setting an expectation of system behavior, not the actions of personnel or organizational policy. Specifically, we will reword to:
      "In all cases, the Information Supplier systems (in accordance with ..."

    • Marti Velezis / Jimmy Tcheng : 6-0-1
    • Clarification
    • Non-substantive

    Description

      This IG can't make a policy position or interpretation of the law into an HL7 Conformance Statement. Please refrain from mixing implementation conformance with IG-specific policy stances for the following reasons:
      *This is not part of HL7 Conformance methodology, because it is not testable given the standards included in this IG.
      *Testable, computable ability for system components implementing HRex to support (1) logging of all IDs, access rights, requests, and exchanges would require inclusion of standards referenced in this IG for audit, e.g., FHIR AuditEvent; and (2) verifying rights of requestors to have access to the member's/patient's record would require inclusion of standards referenced in this IG for requesters to assert and be provisioned with clearances based on RBAC or with ABAC, including the security labels required to meet or exceed the security labels on the requested resources, e.g., purpose of use security labels.
      *If this policy stance were adopted as a conformance statement, it has the potential to influence how developers implement this IG at the peril of their legal departments, and might run afoul of the policy positions of other HL7 community members and HL7 leadership, which would likely prefer that implementable HL7 standards' conformance statements remain policy agnostic.
      Instead, this IG should strongly encourage implementers to consult with their legal counsel about whether their implementations comply with applicable laws governing audit and access control.

      Existing Wording:

      In all cases, the Information Supplier (in accordance with HIPAA security and privacy rules):
      SHALL log all IDs, access rights, requests, and exchanges.
      SHALL verify rights of the requestor to have access to the member’s/patient’s record.

      Proposed Wording:

      In all cases, the Information Supplier (in accordance with HIPAA security and privacy rules) is strongly encouraged to consult with their legal counsel as to whether their implementations:
      Compliantly log all IDs, access rights, requests, and exchanges.
      Compliantly verify rights of the requestor to have access to the member’s/patient’s record.

      People

        Assignee: Unassigned
        Reporter: Kathleen Connor (k.connor)