FIRE Mins 2019-10-29
From IDESG Wiki
Minutes of the regular weekly meeting of the FIRE WG
- Date 2019-10-29
- Jim Kragh - Chair
- Sal D'Agostino
- Mary Hodder
- Jeff Brennen
- Tom Jones - recorded these minutes
- Agenda - discuss the Patient Choice doc
- Discussion of where to take the doc once approved - Jim's proposal was to vet the doc with Dr. Tom Sullivan and then present it to Debbie Buchie at ONC. From there it can be presented to the various groups, like the CARIN Alliance.
- The main point of the doc was to ensure the following direction for the Trustworthy Healthcare Ecosystem and the Health Care Profile:
- There will be a trust registry of web sites that have been confirmed as entities that are covered by the HIPAA regulations with free access by patients.
- There will be a way to evaluate healthcare apps that protect the patient healthcare information (PHI) that the patient or guardian accesses.
- There will be a way to authenticate users to NIST SP 800-63-3 IAL2 and AAL2 that will interoperate across the above listed entities.
- The user will trust the resultant healthcare ecosystem.
- The following is a proposed plan for getting to trustworthy patient apps:
- Code of Conduct of the app - starting with the proposal from the CARIN Alliance with possible input from ME2B work.
- Code of Practice - a more technical presentation of how the app achieves the designation of meeting the code of conduct.
- A set of questions for the developers and auditors to assure compliance.
- A regulatory support system from appropriate legal and audit agencies (some means for selecting the approved auditors, etc.)
- Accepting and incorporating feedback from the field.
- When is a web site or user app considered trustworthy?
- There is a code of practice and an audit available to vet that the software meets the requirements.
- This is necessary to assure that patient health information in HIPAA covered entities is kept secure and private.
- This is already in process for web sites.
- If the user is to have real Patient Choice, it is necessary that the same process apply to patient apps.
- Mary and Jeff listed the processes that allowed the IDEF to become operational:
- It took 1.5 years of weekly meetings to refine the NSTIC principles in the security, privacy and user experience committees.
- At the end of that process the efforts were harmonized and the need for an interop section was uncovered.
- A concierge was hired to help with the coordination, publishing and support for entities that wanted to achieve compliance.
- Feedback from the result was taken and a second display (trust registry) was created to incorporate that feedback.
- The experience of creating the IDEF would be a good model for how to move our plans into practice.
- Discussion of patient consent resulted in some ideas to feed back into the Kantara groups working on that part of the problem.
- Tom will take Mark's diagram and change the labels to meet the Health Care Profile now in development.
- After the meeting the following diagram was distributed. This DOES NOT include the binding to establish AAL2 assurance.