Slide 1: Obligation Vocabulary (Work in Progress), HL7 Security WG, Kathleen Connor, VA (ESC), January 2012
Slide 2: DAM Privacy Rule Obligation Attribute
Slide 3

A PrivacyRule specifies the permission allowed to a user type by the consenter for a specific type of information. The person consenting may be either the subject of the record (the client) or the client's designated Substitute Decision Maker. One or more PrivacyRule instances comprise a privacy Consent Directive or PrivacyPolicy.

A PrivacyRule is equivalent to a BasicPolicy: a specific individual's privacy consent directive consists of several rules that map to BasicPolicy instances. A PrivacyRule, from the Privacy viewpoint, is equivalent to a BasicPolicy from the Security viewpoint. BasicPolicy instances comprise a CompositePolicy, and PrivacyRule instances are grouped together to form a ConsentDirective.

Attribute 'PrivacyRule.obligation' of type 'ObligationCode' with cardinality of [0..1]: this coded attribute specifies a pre-defined obligation associated with a policy or consent.
Slide 4: Proposed Obligation Value Set

Description: This is a value set for the obligation attribute on ObligationPolicy associated with BasicPolicy and on PrivacyRule.

Attribute 'ObligationPolicy.eventCode' of type 'ObligationCode' with cardinality of [*]: this attribute identifies the action required before completing a step in the workflow that complies with a Basic Policy or a Refrain Policy. It is a coded concept for a policy domain rule reference. For example, in order to comply with a Basic Policy, there may be an obligation to audit operations. In addition, there may be a Refrain policy not to disclose information until the information is attested to by the author, with an associated obligation policy requiring the author's signature. This information is passed as a rule for an application to enforce.

Attribute 'PrivacyRule.obligation' of type 'ObligationCode' with cardinality of [0..1]: this coded attribute specifies a pre-defined obligation associated with a policy or consent. An obligation policy may be used to specify additional privacy preferences specified by a client/patient.

From the Security and Privacy DAM: An ObligationPolicy may be specified in addition to a ConstraintPolicy to fully describe a client's access control preferences. In some cases, an obligation policy may be used to indicate that the receiver of an information object may not be allowed to re-disclose or persist that information object indefinitely.

Suggested edit: For example, an obligation policy may be used to indicate that the receiver of the information must execute 1…* system procedures to comply with commitments to enforce the sender's information handling requirements.

According to ISO 22600-2, ObligationPolicy instances 'are event-triggered and define actions to be performed by manager agent'.
Slide 5: DAM Security Obligation Policy
Slide 6: Proposed Obligation Policy Codes (Starter Set)

Proposed codes with their proposed definitions (parent codes at the margin, child codes indented under their parent):

Accounting of Disclosure: Custodian system must make available to an information subject upon request an accounting of certain disclosures of the individual's protected health information over a period of time. Policy may dictate that the accounting include information about the information disclosed, the date of disclosure, the identification of the receiver, the purpose of the disclosure, the time in which the disclosing entity must provide a response and the time period for which accountings of disclosure can be requested.
Anonymize: Custodian system must remove any information that could result in identifying the information subject.
Audit: Custodian system must monitor access to verify that unauthorized access is not occurring.
    Audit Trail: Custodian system must monitor and log each operation on information.
Comply with Policy: Custodian system must retrieve, evaluate, and comply with applicable policies associated with the target information.
    Comply with Confidentiality Code: Custodian system must retrieve, evaluate, and comply with the information handling directions of the Confidentiality Code associated with an information target.
    Comply with Consent Directive: Custodian system must retrieve, evaluate, and comply with applicable information subject consent directives.
    Comply with Jurisdictional Privacy Policy: Custodian system must retrieve, evaluate, and comply with applicable jurisdictional privacy policies associated with the target information.
    Comply with Organizational Privacy Policy: Custodian system must retrieve, evaluate, and comply with applicable organizational privacy policies associated with the target information.
    Comply with Organizational Security Policy: Custodian system must retrieve, evaluate, and comply with the organizational security policies associated with the target information.
Slide 7: Proposed Obligation Policy Codes (Starter Set), continued

Proposed codes with their proposed definitions (parent codes at the margin, child codes indented under their parent):

Deidentify: Custodian system must strip information of data that would allow the identification of the source of the information or the information subject.
DeleteAfterUse: Custodian system must remove target information from access after use.
Encrypt: Custodian system must render information unreadable by algorithmically transforming plaintext into ciphertext.
    Encrypt at Rest: Custodian system must render information unreadable and unusable by algorithmically transforming plaintext into ciphertext when "at rest" or in storage.
    Encrypt in Transit: Custodian system must render information unreadable and unusable by algorithmically transforming plaintext into ciphertext while "in transit" or being transported by any means.
    Encrypt in Use: Custodian system must render information unreadable and unusable by algorithmically transforming plaintext into ciphertext while in use, such that operations permitted on the target information are limited by the license granted to the end user.
Mask: Custodian system must render information unreadable and unusable by algorithmically transforming plaintext into ciphertext. User may be provided a key to decrypt per license or "shared secret".
Pseudonymize: Custodian system must strip information of data that would allow the identification of the source of the information or the information subject. Custodian may retain a key to relink data necessary to reidentify the information subject.
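The slides describe a PrivacyRule that carries a permission plus ObligationCode values which the custodian application must enforce (slide 4), and the starter set of codes (slides 6 and 7). The following added example, which is not part of the HL7 presentation or any HL7 artifact, sketches a custodian-side enforcement point for three of those codes; the record fields, the relink key and the "fulfil every obligation or deny" rule are constructed assumptions for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
import hashlib
# Constructed sample record; field names and values are invented for this example.
RECORD = {"patient_id": "P-0001", "name": "Jane Example", "dob": "1970-01-01",
          "diagnosis": "example condition", "clinician": "Dr. Sample"}
IDENTIFIERS = ("patient_id", "name", "dob", "clinician")

@dataclass
class PrivacyRule:
    """One PrivacyRule (BasicPolicy): permission for a user type plus obligations."""
    user_type: str
    permission: str                                       # "permit" or "deny"
    obligations: List[str] = field(default_factory=list)  # ObligationCode values
AUDIT_TRAIL: List[Dict[str, object]] = []                 # stand-in for the custodian's log

def deidentify(rec: dict, user_type: str) -> dict:
    """'Deidentify': strip data that would identify the subject or source."""
    return {k: v for k, v in rec.items() if k not in IDENTIFIERS}

def pseudonymize(rec: dict, user_type: str) -> dict:
    """'Pseudonymize': replace the subject id with a keyed digest the custodian can relink."""
    out = {k: v for k, v in rec.items() if k not in IDENTIFIERS}
    relink_key = b"placeholder-custodian-relink-key"       # constructed, not a real secret
    out["patient_id"] = hashlib.sha256(relink_key + rec["patient_id"].encode()).hexdigest()[:12]
    return out

def audit_trail(rec: dict, user_type: str) -> dict:
    """'Audit Trail': log the operation; the record itself is released unchanged."""
    AUDIT_TRAIL.append({"user_type": user_type, "operation": "read",
                        "fields_released": sorted(rec)})
    return rec

HANDLERS: Dict[str, Callable[[dict, str], dict]] = {
    "Deidentify": deidentify, "Pseudonymize": pseudonymize, "Audit Trail": audit_trail}

def enforce(rule: PrivacyRule, user_type: str, record: dict) -> Optional[dict]:
    """Return the view of the record the requester may receive, or None if denied.
    Every obligation on the matching rule is discharged before release; a code this
    system cannot handle is a failed obligation, so the request is denied
    (assumption: XACML-style fulfil-or-deny semantics, not stated on the slides)."""
    if user_type != rule.user_type or rule.permission != "permit":
        return None
    view = dict(record)
    for code in rule.obligations:          # obligations are applied in the order listed
        handler = HANDLERS.get(code)
        if handler is None:                # e.g. "Encrypt in Transit" has no handler here
            return None
        view = handler(view, user_type)
    return view
```

Note that obligation order matters: applying Deidentify before Pseudonymize removes the identifier the pseudonym is derived from, so a real implementation would validate the obligation list when the rule is authored rather than at access time.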