Uploaded image for project: 'FHIR Specification Feedback'
  1. FHIR Specification Feedback
  2. FHIR-38273

Change SHOULDs to SHALLs

    XMLWordPrintableJSON

Details

    • Change Request
    • Resolution: Not Persuasive with Modification
    • Highest
    • US National Directory Attestation and Verification (FHIR)
    • 1.0.0-ballot
    • Patient Administration
    • STU
    • Security
    • Hide

      Since the national directory will not contain PHI, it is not subject to HIPAA regulations. In general, it would be inappropriate to require (e.g., SHALL) conformance to the security standards cited in the quoted paragraph.  The implementers may decide that conformance with other emerging standards is more appropriate.  It is also unlikely the BAAs will be required (again no PHI) but rather exchange of certain restricted data may rely on Data Use Agreements (DUAs) or their equivalent. We will solicit feedback on these requirements in the next round of balloting.

      Since the national directory will be providing information to a large number of distributed directories, many of which will have unauthenticated access to public data, it would not be appropriate for them to be required to either request or maintain provenance resources.  In fact, there is no intent to require the national directory to produce provenance resources.  Instead, the directory will supply verification resources upon request.

       

      Show
      Since the national directory will not contain PHI, it is not subject to HIPAA regulations. In general, it would be inappropriate to require (e.g., SHALL) conformance to the security standards cited in the quoted paragraph.  The implementers may decide that conformance with other emerging standards is more appropriate.  It is also unlikely the BAAs will be required (again no PHI) but rather exchange of certain restricted data may rely on Data Use Agreements (DUAs) or their equivalent. We will solicit feedback on these requirements in the next round of balloting. Since the national directory will be providing information to a large number of distributed directories, many of which will have unauthenticated access to public data, it would not be appropriate for them to be required to either request or maintain provenance resources.  In fact, there is no intent to require the national directory to produce provenance resources.  Instead, the directory will supply verification resources upon request.  
    • Bob Dieterle / Brian Postlethwaite: 9-0-0
    • Clarification
    • Non-substantive

    Description

      Change all SHOULDs in this paragraph to SHALLs. "National Healthcare Directory implementers SHOULD establish a risk analysis and management regime that conforms with HIPAA security regulatory requirements. In addition, implementers in the US Federal systems SHOULD conform with the risk management and mitigation requirements defined in NIST 800 series documents. This SHOULD include security category assignment in accordance with NIST 800-60 vol. 2 Appendix D.14. The coordination of risk management and the related security and privacy controls - policies, administrative practices, and technical controls - SHOULD be defined in the Business Associate Agreements."

      Change SHOULD to SHALL in the following sentence "National Healthcare Directory actors SHOULD retain Provenance information using the FHIR Provenance resource."

      These comments are applicable to all three Directory guides.

      Attachments

        Issue Links

          is duplicated by

          Change Request - A request for a change that is more than a simple Technical Correction to one of HL7's specifications FHIR-38272 change SHOULD to SHALL

          • Highest - This problem will block progress.
          • Duplicate
          is voted on by

          Ballot Vote - The designation of a comment about a specification as related to an overall Ballot Submission BALLOT-39540 Negative - Celine Lefebvre : 2022-Sep-FHIR IG DIRECTORY-ATTESTATION R1 STU

          • Balloted

          Activity

            People

              Unassigned Unassigned
              celine_lefebvre Celine Lefebvre
              Celine Lefebvre
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: