Add language and change term sensitive to legally protected.

XMLWordPrintableJSON

    • Type: Change Request
    • Resolution: Persuasive with Modification
    • Priority: Highest
    • US Da Vinci HRex (FHIR)
    • current
    • Clinical Interoperability Council
    • Approaches to Exchanging FHIR Data
    • 3.0.4 Additional Considertions
    • Hide

      Made changes in the wording agreed to add in FHIR-28849 to address the proposed new wording.

      Will add an additional sub-section in the introduction to this IG that includes the following language:

      "This section is intended to have international scope and the terminology used here is used in its traditional English usage, not necessarily as it might be defined in particular jurisdictions.  For example, the term 'sensitive data' in some jurisdictions has a specific legal meaning.  When used here, it simply means that the data may need some additional level of protection, whether for privacy, business or other reasons."

      Show
      Made changes in the wording agreed to add in  FHIR-28849  to address the proposed new wording. Will add an additional sub-section in the introduction to this IG that includes the following language: "This section is intended to have international scope and the terminology used here is used in its traditional English usage, not necessarily as it might be defined in particular jurisdictions.  For example, the term 'sensitive data' in some jurisdictions has a specific legal meaning.  When used here, it simply means that the data may need some additional level of protection, whether for privacy, business or other reasons."
    • Marti Velezis / Jimmy Tcheng : 6-0-1
    • Clarification
    • Non-substantive

      Add language and change term sensitive to legally protected. Protected health information as defined by HIPAA must be secured, regardless of whether it is “sensitive” (which is an undefined and subjective term).

      Existing Wording:

      • The necessary security steps to authenticate the systems to each other, authenticate any users involved, authorize both users and systems, and protect the data while in transit will all need to be in place. In some cases, Consent may also need to exist. Authorization rules may vary by patient, by type of data and by tags or information within the record. Discussion about general expectations around security, privacy and consent for this IG and other Da Vinci IGs can be found here. Note that not all data needs to be secured. Some data may not be sensitive and there may not be significant risk if it is accessed or even modified in transit.

      Proposed Wording:

      • The necessary security steps to authenticate the systems to each other, authenticate any users involved, authorize both users and systems, and protect the data while in transit will all need to be in place. In some cases, Consent may also need to exist. Authorization rules may vary by patient, by type of data and by tags or information within the record. Discussion about general expectations around security, privacy and consent for this IG and other Da Vinci IGs can be found here. Note that not all data needs to be secured. Some data may not be legally protected and there may not be significant risk if it is accessed or even modified in transit. Implementers are strongly encouraged to consult with the legal and compliance divisions of their organizations to ensure appropriate security and authentication measures are put in place prior to data exchange.

            Assignee:
            Unassigned
            Reporter:
            Celine Lefebvre
            Celine Lefebvre
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: