Do not include policy positions as conformance statements 4

XMLWordPrintableJSON

    • Type: Change Request
    • Resolution: Not Persuasive with Modification
    • Priority: Highest
    • US Da Vinci HRex (FHIR)
    • current
    • Clinical Interoperability Council
    • Security and Privacy
    • 5.5 Security and Privacy
    • Hide

      We have raised this issue with FMG and US-Realm and both have agreed that it is permissible to use conformance language (i.e. SHALL/SHOULD/MAY) when referring to content outside the scope of rules defined by the IG itself. Given that this language has undergone considerable review and discussion with groups inside and outside HL7 and the community was comfortable with the language, we do not see a good reason to relax or change it at this time.

      However, we will reword the sentence to make clear that it's setting an expectation of system behavior, not the actions of personnel or organizational policy. Specifically, will reword to:
      "Where permitted by law and in accordance with legal requirements, systems SHALL always support release of additionally protected information."

      Show
      We have raised this issue with FMG and US-Realm and both have agreed that it is permissible to use conformance language (i.e. SHALL/SHOULD/MAY) when referring to content outside the scope of rules defined by the IG itself. Given that this language has undergone considerable review and discussion with groups inside and outside HL7 and the community was comfortable with the language, we do not see a good reason to relax or change it at this time. However, we will reword the sentence to make clear that it's setting an expectation of system behavior, not the actions of personnel or organizational policy. Specifically, will reword to: "Where permitted by law and in accordance with legal requirements, systems SHALL always support release of additionally protected information."
    • Marti Velezis / Jimmy Tcheng : 6-0-1
    • Clarification
    • Non-substantive

      This IG can't make a policy position or interpretation of the law into a HL7 Conformance Statement. Please refrain from mixing implementation conformance with IG specific policy stances for the following reasons:
      *This is not part of HL7 Conformance methodology, because it is not testable given the standards included in this IG. Testable, computable ability for system components implementing HRex to support release of additionally protected information would require inclusion of standards for (1) implementation of security labeling based on a consensus on how to detect additionally protected information based on codes in structured data or use of NLP on unstructured data; (2) the custodian establish policies on additionally protected information and support for applicable privacy consent directives; and (3) an access control system capable of enforcing the custodian's policies on additionally protected information and any applicable privacy consent directives, all of which are deemed out of scope by this IG.
      *If this policy stance were adopted as a conformance statement, it has the potential to influence how developers implement this IG at the peril of their legal departments, and might run afoul of the policy positions of other HL7 community member and HL7 leadership, which would likely prefer that implementable HL7 standards' conformance statements remain policy agnostic.
      Instead, this IG should strongly encourage implementers to consult with their legal counsel about whether their implementations comply with all applicable laws governing release of additionally protected information.

      Existing Wording:

      The following guidelines apply unless otherwise dictated by statute or regulation: Where permitted by law and in accordance with legal requirements, release of additionally protected information SHALL always be supported.

      Proposed Wording:

      The following guidelines apply unless otherwise dictated by statute or regulation:
      Where permitted by law and in accordance with legal requirements, implementers are strongly encouraged to consult with their legal counsel about whether their implementations comply with all applicable laws governing release of additionally protected information.

            Assignee:
            Unassigned
            Reporter:
            Kathleen Connor
            Kathleen Connor
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: