All PAS Resources, including PAS Extensions that use these Resources, must be labeled to ensure that Access Control Systems can determine authorized access. - PAS #35


    • Type: Change Request
    • Resolution: Not Persuasive with Modification
    • Priority: Medium
    • US Da Vinci PAS (FHIR)
    • STU3
    • Financial Mgmt
    • (profiles) [deprecated]
    • Institutional Encoun

      There is no use-case for 'contained' elements in this implementation guide, so it would not be appropriate for us to provide guidance on the use of 'contained'. However, it's bad practice to prohibit 'contained' given that implementers are permitted to send data above and beyond what this IG expresses and we don't want to prohibit the use of 'contained' if its use is appropriate. Any guidance on the use of high water marks should be conveyed as generic security guidance, not as something specific to PAS. Also, the use of security labels for this IG is only really relevant insofar as the relevant concepts are exposed by the mapped X12 transactions. Content not exposed in X12 is not (and cannot) be required to be used by payers. If there are legal obligations to convey security tags, these obligations will need to be addressed within the X12 standards before this IG can be adapted to support them.

      We will update the list of sections of the core spec implementers are expected to read and be familiar with to include the 'security checklist' page. We will also refer to this in the Security & Privacy section of the IG.

      This will cover the same issue raised by Kathleen on various other profiles. We will mark those as duplicates and point them to this resolution.

    • Robert Dieterle / Rachael Foerster: 20-0-1
    • Correction
    • Non-substantive

      Existing Wording: http://hl7.org/fhir/us/davinci-pas/2019SEP/profile-claim-definitions.html#Claim.contained

      Contained resources may have profiles and tags in their meta elements, but SHALL NOT have security labels.

      Proposed Wording: If a PAS Claim Resource includes a contained resource, assume that this information is specially protected information. To avoid the risk of breach or unauthorized access, assign a security label to the PAS Claim with a confidentiality code "R" (restricted), a purpose of use code "TREAT" (treatment), and a refrain code "NODSCLCD" (no disclosure without consent directive). If a provider shares the provider's access token with a payer following the CDS Hooks protocol, the payer's Access Control System must prevent the payer from accessing any PAS Resource with this security label in order to avoid unauthorized access.

      In the alternative, work with FHIR-I to develop a means for overriding dom-5: If a resource is contained in another resource, it SHALL NOT have a security label : contained.meta.security.empty() on all PAS Resources so that PAS Resource.contained elements can support meta-security.

      The simplest fix is to remove the .contained element.

      Comment:

      A PAS extension on PAS Claim may include contained resources http://hl7.org/fhir/us/davinci-pas/2019SEP/profile-claim-definitions.html#Claim.contained, which cannot support security labels, and which could be information identifying a patient as being or having been diagnosed with a substance use disorder, having or having had a substance use disorder, or being or having been referred for treatment of a substance use disorder that is governed under 42 CFR Part 2, and therefore raise substantial privacy and security issues.

      Without the ability to label the contained resources, an automated security labeling service would not have requisite information to apply a Part 2 security label at the PAS Claim Resource Level.

      As a result, the payer accessing this information using the provider's access token (via CDS-Hook), would not know that they needed authorization to access it. The provider that permitted the payer to use the provider's access token may be disclosing this information without consent because (1) under the CDS-Hook Resource Access specification, the provider's Access Control System would not be able to check whether the patient had consented to disclose to the payer; and (2) even if an Access Control System were able to intermediate the access, there'd be no security label on the PAS Claim Resource indicating that it contained Part 2 information.

      Summary:

      All PAS Resources, including PAS Extensions that use these Resources, must be labeled to ensure that Access Control Systems can determine authorized access.
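
The labeling step and access decision described in the Proposed Wording, sketched as an added example (it is not part of this issue, the reporter's text, or the PAS IG). The code system URIs are the HL7 v3 ones for the three named codes; the sample Claim, the function names, and the `consent_on_file` flag are assumptions made for illustration.

```python
import copy

# HL7 v3 code systems for the three codes named in the Proposed Wording.
CONF = "http://terminology.hl7.org/CodeSystem/v3-Confidentiality"
REASON = "http://terminology.hl7.org/CodeSystem/v3-ActReason"
ACT = "http://terminology.hl7.org/CodeSystem/v3-ActCode"
PROPOSED_LABELS = [(CONF, "R"), (REASON, "TREAT"), (ACT, "NODSCLCD")]

# Constructed sample: a Claim with one contained resource and no labels.
SAMPLE_CLAIM = {
    "resourceType": "Claim", "id": "example-claim",
    "contained": [{"resourceType": "Condition", "id": "cond1"}],
}

def labels(resource):
    """Set of (system, code) pairs found in resource.meta.security."""
    sec = resource.get("meta", {}).get("security", [])
    return {(s.get("system"), s.get("code")) for s in sec}

def dom5_violations(resource):
    """Ids of contained resources that carry a security label (dom-5)."""
    return [c.get("id", "?") for c in resource.get("contained", []) if labels(c)]

def label_claim(claim):
    """Copy of claim; the parent gets the proposed labels if it has contained resources."""
    bad = dom5_violations(claim)
    if bad:
        raise ValueError(f"dom-5: contained resources with meta.security: {bad}")
    labeled = copy.deepcopy(claim)
    if labeled.get("contained"):
        security = labeled.setdefault("meta", {}).setdefault("security", [])
        for system, code in PROPOSED_LABELS:
            if (system, code) not in labels(labeled):
                security.append({"system": system, "code": code})
    return labeled

def payer_may_read(resource, consent_on_file=False):
    """Hypothetical ACS rule: NODSCLCD blocks the payer unless consent is on file."""
    return consent_on_file or (ACT, "NODSCLCD") not in labels(resource)

if __name__ == "__main__":
    print(payer_may_read(SAMPLE_CLAIM))               # unlabeled: nothing to deny on
    print(payer_may_read(label_claim(SAMPLE_CLAIM)))  # labeled: denied
```

The unlabeled sample passes the access check because the Access Control System has no label to act on, which is the gap the Comment describes.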

            Assignee:
            Unassigned
            Reporter:
            Kathleen Connor
            Watchers:
            3
