
Details

    • Type: Change Request
    • Resolution: Not Persuasive with Modification
    • Priority: Highest
    • Specification: US National Directory Attestation and Verification (FHIR)
    • Version: 1.0.0-ballot
    • Work Group: Patient Administration
    • STU
    • Security

      Since the national directory will not contain PHI, it is not subject to HIPAA regulations. In general, it would be inappropriate to require (e.g., SHALL) conformance to the security standards cited in the quoted paragraph. The implementers may decide that conformance with other emerging standards is more appropriate. It is also unlikely that BAAs will be required (again, no PHI); rather, exchange of certain restricted data may rely on Data Use Agreements (DUAs) or their equivalent. We will solicit feedback on these requirements in the next round of balloting.

      Since the national directory will be providing information to a large number of distributed directories, many of which will have unauthenticated access to public data, it would not be appropriate for them to be required to either request or maintain provenance resources. In fact, there is no intent to require the national directory to produce provenance resources. Instead, the directory will supply verification resources upon request.

    • Bob Dieterle / Brian Postlethwaite: 9-0-0
    • Clarification
    • Non-substantive

    Description

      Change all SHOULDs in this paragraph to SHALLs. "National Healthcare Directory implementers SHOULD establish a risk analysis and management regime that conforms with HIPAA security regulatory requirements. In addition, implementers in the US Federal systems SHOULD conform with the risk management and mitigation requirements defined in NIST 800 series documents. This SHOULD include security category assignment in accordance with NIST 800-60 vol. 2 Appendix D.14. The coordination of risk management and the related security and privacy controls - policies, administrative practices, and technical controls - SHOULD be defined in the Business Associate Agreements."

      Change SHOULD to SHALL in the following sentence: "National Healthcare Directory actors SHOULD retain Provenance information using the FHIR Provenance resource."

      These comments are applicable to all three Directory guides.

    People

    • Assignee: Unassigned
    • Reporter: Celine Lefebvre