160 likes | 292 Views
Purpose of Use (POU) Vocabulary. HL7 Security WG Presentation Kathleen Connor VA (ESC) January 2012. Problem with POU Code Systems. Current POU Code Systems a re not comprehensive , or consistent HL7 Vocabulary ActHealthInformationPrivacyReason Codes
E N D
Purpose of Use (POU) Vocabulary HL7 Security WG Presentation Kathleen Connor VA (ESC) January 2012
Problem with POU Code Systems Current POU Code Systems are not comprehensive, or consistent • HL7 Vocabulary ActHealthInformationPrivacyReason Codes • Contains most of the other concepts and fair definitions • HL7 DAM POU • Contains same concepts as XSPA and many from ISO, but not well defined • XSPA SAML and XACML Profile POU • No definitions • ISO 14265 • POU codes were not developed for purpose of categorizing security policies • NHIN Authorization • NHIN Authorization Framework Specification v 2.0 POU codes are very granular and some are about policy not POU • As a result, these POU codes are not interoperable • Yet POU is a critical concept in many privacy and security standards
Difference in POU Code Systems • ISO: POU code system provides “a framework for classifying the various specific purposes that can be defined and used by individual policy domains”. • ASTM-1986-98 (2005) POU establishes the context and conditions of data use at a specific point in time, and within a specific setting. • RBAC Constraint: • Purpose of use in relation to permission constraints provides context to requests for information resources. • Purpose of use allows the service to consult its policies to determine if the user’s claims meet or exceed those needed for access control. • NwHIN: Coded value representing the user's purpose in issuing the request
POU Harmonization Approach • Map all POU code system • Support mapping from all POU code system to the HL7 POU code system • Determine criteria for selection – e.g., NwHIN “Abuse” is covered by HL7 ActPrivacyPolicy, so not needed as a POU code • Determine Gaps • Create consistent definitions • Nest related detailed POUs under parents that are more universally applicable • Supports localized value sets without extension
Current Enumerations of POU Codes – Not Defined, Comprehensive, or Consistent DAM POU XSPA SAML Profile POU XSPA XACML Profile POU TREATMENT, PAYMENT, OPERATIONS, EMERGENCY, MARKETING, RESEARCH, REQUEST, PUBLICHEALTH
ISO/TS 14265 Purpose for POU • ISO/TS 14265:2011 Health Informatics - Classification of purposes for processing personal health information defines a set of high-level categories of purposes for which personal health information can be processed • This is in order to provide a framework for classifying the various specific purposes that can be defined and used by individual policy domains (e.g. healthcare organizations, regional health authorities, jurisdictions, countries) as an aid to the consistent management of information in the delivery of health care services and for the communication of electronic health records across organizational and jurisdictional boundaries • The scope of application of ISO/TS 14265:2011 is limited to Personal Health Information as defined in ISO 27799, information about an identifiable person that relates to the physical or mental health of the individual, or to provision of health services to the individual
NHIN Authorization Framework Specification v 2.0 3.3.2.6 Purpose of Use Attribute This <Attribute> element shall have the Name attribute set to “urn:oasis:names:tc:xspa:1.0:subject:purposeofuse”7. The value of the <AttributeValue> element is a child element, “PurposeOfUse”, in the namespace “urn:hl7-org:v3”, whose content is defined by the “CE” (coded element) data type from the HL7 version 3 specification. The PurposeOfUse element shall contain the coded representation of the Purpose for Use that is in effect for the request. An example of the syntax of this element is as follows: <saml:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse"> <saml:AttributeValue> <PurposeForUse xmlns="urn:hl7-org:v3" xsi:type="CE" code="OPERATIONS" codeSystem="2.16.840.1.113883.3.18.7.1" codeSystemName="nhin-purpose" displayName="Healthcare Operations"/> </saml:AttributeValue> </saml:Attribute> Codes are assigned as below. The codeSystem is defined to be “2.16.840.1.113883.3.18.7.1”. The codeSystemName is defined to be “nhin-purpose”. The value of the Purpose of Use attribute shall be a urn:hl7-org:v3:CE element, specifying the coded value representing the user's purpose in issuing the request, choosing from the value set listed in this specification. The codeSystem attribute of this element must be present, and must specify the OID of the "Purpose of Use" code system created by the NHIN Cooperative, 2.16.840.1.113883.3.18.7.1 .