Kantara Initiative Health Identity Assurance WG Teleconference
Info: DRAFT minutes, pending HIAWG approval
...
Meeting not quorate - Meeting notes follow
Date and Time
Date: Thursday, 6 June 2013
Time: 10:00 PT | 12:00 CT | 13:00 ET
Dial in: TurboBridge Conferencing
- Skype: +99051000000481
- North American Dial-In: +1-805-309-2350
- Room Code: 613-2898
- For more dial-in information, see: http://kantarainitiative.org/confluence/display/GI/Telco+Bridge+Info
Health Identity Assurance Working Group Home Page
Agenda
- Administration:
- Roll Call
- Agenda Confirmation
- Leadership Nominations / Election
- Upcoming Events page: http://kantarainitiative.org/confluence/x/pYDWAw
- Report out from latest LC meeting
- Discussion
- New Mission Statement for the Group
- WG Charter
- Aligning efforts with DirectTrust.org, EHNAC, and IDESG
- Deliverables for on-boarding healthcare worker digital identities
- Presentation on “A Privacy Strategy for the United States Healthcare Industry” (see attached) - Barry Hieb
- AOB
- (proposed for next meeting) Presentation on conducting risk assessments for apps dealing with PHI - Linda Goettler
- Adjourn
Attendees
...
Info: As of 6 June 2013, quorum is 9 of 16
Voting
- Barry Hieb
- Laurie Tull
- Pete Palmer
- Andrew Hughes
- Minze Chien
- Rick Moore
Non-Voting
- Bill Braithwaite
- Nathan Faut
Staff
...
- None
Administration
...
- Discussion
Feedback to the Government of Canada on "Guidelines on Identity Assurance"
- Call for verbal comments or discussion prior to written response
- Due to day-job time commitments, little progress
- Ken offered to extend the deadline for comments to June 13 2013
- Question: how does the Canadian document relate to similar docs from US or UK? Answer: the material was reviewed during document development. NZ & UK gov has provided comments so far.
RP Guidelines
- Myisha notified that a draft call for participation has been sent out to the list
- Please send feedback
Ad Hoc Team Updates
Alignment with SP 800-63
- Richard Wilsher provided a join.me
- Work to date has been distributed to IAWG list
- Has restructured 800-63-2 to make analysis easier
- Kantara talks about Subscriber and Subjects - NIST does not differentiate: they only use Subscriber - check the glossary section
- 5.3 6.3 7.3 8.3 9.3 have been mapped - has skipped overviews and tutorial sections
- Has added sub-numbering to enable more specific discussion
- 5.3 section: the way 800-63-2 treats different LOAs is a bit mixed. RGW has re-sorted them into sections by LOA
- Has broken down distinct requirements even if they originally appeared in single statements
- then mapped each to the existing KI IAF item
- there is a Many:Many relationship
- In the KI SAC - has inserted indexes back into the modified 800-63
- Note that there are SAC criteria that do not have an equivalent
- Comment: for those extra items, they originally came from Good Practice - Kantara's aim is to determine if the organization is sound. NIST assumes that Government Agencies are sound and following GSA guidance
- Comment: Some of the items that are not specifically 800-63 criteria might actually be Privacy criteria
- To create a Privacy profile, just go through the SAC and annotate them
- There are some puzzling items
- e.g. 5.3.1.2.5 question about item c) - it reads as if the bullets apply to all LOAs - it is difficult to disentangle the statements - is this a change request to NIST? RGW needs feedback.
- Red Text to indicate where there might be the opportunity to define a US Profile:
- 800-63-2 becomes very specific - there may be other options that could meet the criteria.
- There might be options that work outside of the US.
- These might be criteria that could be less specific in the SAC and use the US profile to include the more prescriptive material
- There are items that do not currently exist in the SAC - question is do they need to be added?
- Requested comments by 20 June 2013
- RGW will send out a formal request for comment with a formal comments form
- Intent with this work is
- Result will be a Kantara owned publication
- The mapping document will remain publicly viewable
- Will be provided to NIST as suggestions for updates
- The Comments back to RGW should eventually be posted to the wiki to enable future understanding of rationale
- Comment: once the work is done, should schedule an IAWG F2F in DC area to discuss the approach and documents to update NIST and seek feedback
AOB
...
- Leadership Nominations / Election
- Meeting is not quorate
- Upcoming Events page: http://kantarainitiative.org/confluence/x/pYDWAw
- Send updates to staff@kantarainitiative.org
- Noted that Allan Foster is speaking today at the Michigan HIE event
- Report out from latest LC meeting
- Quarterly reports - HIAWG is waaaay behind
- The quarterly report will be changed into a monthly survey to make it easier to provide information
- Exec Director report - not much on this call
- Election rounds happening soon
- New work items:
- New Kantara Discussion Group - Identity of Things
- Reached out to a University to see if interns can be sourced to help with secretary roles
- WG Updates
- Board of Trustees - 2 new orgs have been Approved as CSP - announcements soon
- Will be a F2F LC meeting June 20-21 in Portland
Discussion
New Mission Statement for the Group
- Discussed the need for refocusing and fixing the charter
- ACH to post a draft of the goals and mission statement for discussion
- Important to note that HIAWG is the only forum for recommending adjustments to the KI IAF
Aligning efforts with DirectTrust.org, EHNAC, and IDESG
- There is a pilot project underway that is examining how Health Providers might be ID Proofed once in an environment.
- This might be a very good proving ground for the Direct-Kantara MOU
Deliverables for on-boarding healthcare worker digital identities
- Carried over to next meeting
Presentation - Barry Hieb
NOTE: Link to the Privacy whitepaper here: http://kantarainitiative.org/confluence/download/attachments/64389330/privacywhitepaper5-21-13.pdf
- The Privacy white paper proposes an approach for privacy in the US Healthcare environment
- Published a few weeks ago by Global Patient Identifiers Inc. (GPII)
- Healthcare Privacy environment is very complex
- Some design considerations:
- each individual has requirements
- the system must be voluntary - if, when, how to participate
- must be very simple
- must be flexible
- must work with existing systems - this is very challenging - no existing commonality wrt security, privacy, data segregation
- patients and physicians must be empowered
- concern has been raised that if there is good privacy, then standard of care will suffer - false dichotomy
- allow for exceptions - e.g. break the glass scenario & its reversibility
- make it as hard as possible to make errors, but as easy as possible to recover from errors
- must be inexpensive to implement and operate
- Accurate Patient Identification is essential
- Suggest creating 2 types of identifier: Public and Private - give these to the patient and have them apply them as appropriate
- This design concept is inherently simple and easy to explain
- Currently doing proof of concept deployments
- Questions
- What path would be needed to standardize this in a way for vendors to implement?
- Looking for ideas for best approach - engaging about 35 in the initial development stage of the whitepaper
- This will have to be a grassroots approach - patient demand
- e.g. if a patient pays for an encounter, then it must be segregateable from the data set & not reportable to the insurance company
- Are there 'official' endorsements yet?
- Looking to see if Kantara will endorse it
- Would like to find some pilot sites to demonstrate how it works
- Comment: Might be appropriate to send this out to the WG for comments, and possible sending to LC as a recommendation for approval/endorsement.
- Most vendors have several identifiers in the system: external and internal. Is this approach similar? If so, the vendors would have to adopt this as the internal identifier, correct?
- The whitepaper suggests methods that could be used to include the privacy identifiers into records for data segmentation
- Have there been discussions with EHR vendors about what would be needed to implement this?
- Yes, some
- DS4P (Data Segmentation For Privacy) - is a complex approach that is also attempting this
- http://wiki.siframework.org/Data+Segmentation+for+Privacy+Homepage
- Some chatter online that this might be how Meaningful Use 3 will be done - but it is not settled
- Comment: Perhaps look to Project VRM and similar initiatives for ideas around implementation
- Comment: Perhaps reach out to Canada Health Infoway for ideas
- Comment: Perhaps approaching EHNAC and Direct might help to get to vendors interested in working out some of the details
- Please send comments on the whitepaper and potential connections to Barry.
AOB
- None raised
Action Items
Item # | Description | Assigned to | Est. Completion | Status |
---|---|---|---|---|
2013-06-06-001 | Review and provide feedback on Govt. Canada guideline. IAWG will collect and send a consolidated version. | All | 13 June 2013 | |
2013-06-06-001 | Provide a link to the Privacy Whitepaper | Andrew | 6 June 2013 | 6 Jun 2013 Complete |
2013-06-06-002 | Review RGW 800-63-2 vs KI IAF mapping documents and provide feedback | All | 20 June 2013 | |
2013-06-06-002 | Create and post straw man discussion version of new charter and goals for the group | Andrew | 13 June 2013 | |
2013-06-06-003 | Review and provide feedback comments to Myisha on Relying Party Guidelines call for participation / Barry Hieb on the GPII Privacy whitepaper | All | 13 June 2013 | |
2013-06-06-004 | Send in event information to Staff for updating the community calendar and Upcoming Events | All | Info only | |
2013-06-06-005 | IAWG-NIST F2F in DC area to discuss approach and feedback on 800-63 v IAF analysis approach | Staff / IAWG Leads | TBD | |
...
Attachments
Guideline on Identity Assurance-Consultation Draft Apr 25 2013.pdf
Standard_on_Identity_and_Credential_Assurance.pdf
Kantara IAF-1400 SAC-63-2 v0-1.docx
privacywhitepaper5-21-13.pdf
Next Meeting
Date: Thursday, 20 June 2013
Time: 10:00 PT | 12:00 CT | 13:00 ET
Dial in: TurboBridge Conferencing
- Skype: +99051000000481
- North American Dial-In: +1-805-309-2350
- Room Code: 613-2898
- For more dial-in information, see: http://kantarainitiative.org/confluence/display/GI/Telco+Bridge+Info