At each of the HRex interactions, this IG states that HRex leverages HL7 FHIR Security principles and SMART on FHIR, which is far from sufficient. - HRex #94

    • Type: Change Request
    • Resolution: Not Persuasive with Modification
    • Priority: Medium
    • US Da Vinci HRex (FHIR)
    • Financial Mgmt
    • Profile overview [deprecated]
    • •Push •Pull •Request

      We will remove most of the security and privacy language from HRex and will only retain guidance when we believe it applies to a given exchange mechanism independent of use-case. We will note in the introduction section that the lack of security and privacy guidance is because the HRex implementation guide is intended to be use-case independent and that security and privacy considerations must be evaluated in the context of the specific use-case and the actors, needs and threat environment involved. If, after developing more robust privacy and security expectations for the various Da Vinci IGs, we find there are common sections that would benefit from being defined and maintained in a shared IG, we will evaluate migrating those into HRex.

    • Richard Esmond / Marti Velezis : 9-0-0
    • Enhancement
    • Non-substantive

      Existing Wording: HRexPush (POST and PUT)

      https://build.fhir.org/ig/HL7/davinci-ehrx/Push_(POST_and_PUT).html

      Hrex PUSH

      https://build.fhir.org/ig/HL7/davinci-ehrx/Push_(Unsolicited_Communication).html

      HRex GET

      https://build.fhir.org/ig/HL7/davinci-ehrx/Pull_(GET).html

      Authorization

      The Information Server adheres to business rules that govern which patients can be queried by authorized Information Clients, and what information can be returned to Information Clients.

      HRex leverages core FHIR security principles (https://www.hl7.org/fhir/security.html) and SMART on FHIR (http://docs.smarthealthit.org/).

      From <https://build.fhir.org/ig/HL7/davinci-ehrx/Pull_(GET).html>

      Comment:

      At each of the HRex interactions [links in existing wording cell] this IG states that HRex leverages HL7 FHIR Security principles and SMART on FHIR. This generic citation to abstract guidance and OAuth 2.0 authorization profile is far from sufficient for the types of use cases in CDex and PDex that are implemented using HRex interactions.

      Generally, each of the HRex Interactions merits Security and Privacy considerations comparable to Member Mediated Exchange @ http://hl7.org/implement/standards/fhir/us/davinci-pdex/2019Jun/2-2_Member_Consent.html and 7 Member-Authorized OAuth2 Exchange @ http://hl7.org/implement/standards/fhir/us/davinci-pdex/2019Jun/7_Member-Authorized_OAuth2_Exchange.html as applicable to these diverse use cases and the US policy domains in which these interactions are envisioned to occur. That said, even this guidance does not address the requirement that an individual must sign a Right of Access directive according to OCR [https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html#newlyreleasedfaqs].

      The IG authors should set up time with the Security and CBCP WGs to help them with the gaps in this IG and those IGs inheriting from HRex to sort out the privacy and security requirements needed to progress this and relying IGs. Much more work on S&P is needed, such as the authors devoted to the Member_Consent, to progress HRex.

      Summary:

      At each of the HRex interactions, this IG states that HRex leverages HL7 FHIR Security principles and SMART on FHIR, which is far from sufficient.

            Assignee:
            Unassigned
            Reporter:
            Kathleen Connor