Obligation Vocabulary Work in Progress HL7 Security WG Kathleen Connor VA (ESC) January 2012
Page 1: Obligation Vocabulary Work in Progress

HL7 Security WG
Kathleen Connor, VA (ESC)
January 2012

Page 2: DAM Privacy Rule Obligation Attribute

Page 3: DAM Privacy Rule Obligation Attribute

• A PrivacyRule specifies the permission allowed to a user type by the consenter for a specific type of information. The person consenting may be either the subject of the record (the client) or the client's designated Substitute Decision Maker.

• One or more PrivacyRule instances comprise a privacy Consent Directive or PrivacyPolicy.

• A PrivacyRule is equivalent to a BasicPolicy: a specific individual's privacy consent directive consists of several rules that map to BasicPolicy instances. A PrivacyRule, from the Privacy viewpoint, is equivalent to a BasicPolicy from the Security viewpoint. BasicPolicy instances comprise a CompositePolicy, and PrivacyRule instances are grouped together to form a ConsentDirective.

• Attribute 'PrivacyRule.obligation' of type 'ObligationCode' with cardinality of [0..1]
  – This coded attribute specifies a pre-defined obligation associated with a policy or consent.

Page 4: Proposed Obligation Value Set Description

This is a value set for the obligation attribute on ObligationPolicy associated with BasicPolicy and on PrivacyRule.

• Attribute 'ObligationPolicy.eventCode' of type 'ObligationCode' with cardinality of [*]
  – This attribute identifies the action required before completing a step in the workflow that complies with a Basic Policy or a Refrain Policy. It is a coded concept for a policy domain rule reference. For example, in order to comply with a Basic Policy, there may be an obligation to audit operations. In addition, there may be a Refrain Policy not to disclose information until the information is attested to by its author, with an associated obligation policy requiring the author's signature. This information is passed as a rule for an application to enforce.

• Attribute 'PrivacyRule.obligation' of type 'ObligationCode' with cardinality of [0..1]
  – This coded attribute specifies a pre-defined obligation associated with a policy or consent.
  – An obligation policy may be used to specify additional privacy preferences specified by a client/patient.

• From the Security and Privacy DAM: An ObligationPolicy may be specified in addition to a ConstraintPolicy to fully describe a client's access control preferences. In some cases, an obligation policy may be used to indicate that the receiver of an information object may not be allowed to re-disclose or persist that information object indefinitely.

• Suggested edit: For example, an obligation policy may be used to indicate that the receiver of the information must execute 1..* system procedures to comply with commitments to enforce the sender's information handling requirements.

• According to ISO 22600-2, ObligationPolicy instances 'are event-triggered and define actions to be performed by manager agent'.

Comment (Kathleen Connor): Suggest that this is a prohibition and should be associated with Refrain Policy. Obligation would follow from the Refrain prohibition as a system procedure related to a workflow event. E.g., obligation to only disclose if there is a consent, or to persist for X time specified and then delete.
Page 5: DAM Security Obligation Policy

Page 6: Proposed Obligation Policy Codes (Starter Set)

Columns on the slide: Proposed Codes (Parent), Proposed Codes (Children), Proposed Definition. Parent codes are flush left; child codes are indented beneath their parent, each followed by its proposed definition.

Accounting of Disclosure
    Custodian system must make available to an information subject, upon request, an accounting of certain disclosures of the individual's protected health information over a period of time. Policy may dictate that the accounting include the information disclosed, the date of disclosure, the identification of the receiver, the purpose of the disclosure, the time in which the disclosing entity must provide a response, and the time period for which accountings of disclosure can be requested.

Anonymize
    Custodian system must remove any information that could result in identifying the information subject.

Audit
    Custodian system must monitor access to verify that unauthorized access is not occurring.
    Audit Trail
        Custodian system must monitor and log each operation on information.

Comply with Policy
    Custodian system must retrieve, evaluate, and comply with applicable policies associated with the target information.
    Comply with Confidentiality Code
        Custodian system must retrieve, evaluate, and comply with the information handling directions of the Confidentiality Code associated with an information target.
    Comply with Consent Directive
        Custodian system must retrieve, evaluate, and comply with applicable information subject consent directives.
    Comply with Jurisdictional Privacy Policy
        Custodian system must retrieve, evaluate, and comply with applicable jurisdictional privacy policies associated with the target information.
    Comply with Organizational Privacy Policy
        Custodian system must retrieve, evaluate, and comply with applicable organizational privacy policies associated with the target information.
    Comply with Organizational Security Policy
        Custodian system must retrieve, evaluate, and comply with the organizational security policies associated with the target information.

Page 7: Proposed Obligation Policy Codes (Starter Set), continued

Same layout as the previous page: parent codes flush left, child codes indented beneath their parent, each followed by its proposed definition.

Deidentify
    Custodian system must strip information of data that would allow the identification of the source of the information or the information subject.

DeleteAfterUse
    Custodian system must remove target information from access after use.

Encrypt
    Custodian system must render information unreadable by algorithmically transforming plaintext into ciphertext.
    Encrypt at Rest
        Custodian system must render information unreadable and unusable by algorithmically transforming plaintext into ciphertext when "at rest" or in storage.
    Encrypt in Transit
        Custodian system must render information unreadable and unusable by algorithmically transforming plaintext into ciphertext while "in transit" or being transported by any means.
    Encrypt in Use
        Custodian system must render information unreadable and unusable by algorithmically transforming plaintext into ciphertext while in use, such that operations permitted on the target information are limited by the license granted to the end user.

Mask
    Custodian system must render information unreadable and unusable by algorithmically transforming plaintext into ciphertext. User may be provided a key to decrypt per license or "shared secret".

Pseudonymize
    Custodian system must strip information of data that would allow the identification of the source of the information or the information subject. Custodian may retain a key to relink data necessary to reidentify the information subject.
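The slides describe obligations as event-triggered system procedures that an application enforces after a PrivacyRule permits an operation (page 4), and the starter set above names the procedures. The following is an added example, not code from the slides or from HL7, showing one way a custodian system can discharge a subset of those obligations (Audit Trail, Anonymize, Pseudonymize, DeleteAfterUse) at a workflow event, and how it differs from a Refrain prohibition. The event name "disclose", the identifying field names, the HMAC-based pseudonym and the fail-closed handling of an obligation the system cannot enforce are this example's own assumptions; Encrypt and Mask are deliberately left out because they need a real cipher rather than a pattern demonstration.

```python
"""Event-triggered obligation enforcement for a PrivacyRule (added example)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Obligation codes from the starter set, spelled as on the slides (not HL7 code values).
ANONYMIZE = "Anonymize"
AUDIT_TRAIL = "Audit Trail"
DELETE_AFTER_USE = "DeleteAfterUse"
PSEUDONYMIZE = "Pseudonymize"
ENFORCEABLE = {ANONYMIZE, AUDIT_TRAIL, DELETE_AFTER_USE, PSEUDONYMIZE}

# Fields treated as directly identifying the information subject (assumption for the demo).
IDENTIFIERS = ("name", "mrn", "dob")


@dataclass
class PrivacyRule:
    """One rule of a consent directive: permission for a user type on an information
    type, plus obligations keyed by workflow event (ObligationPolicy.eventCode [*])."""
    user_type: str
    info_type: str
    permit: bool                       # False models a Refrain policy (a prohibition)
    obligations: dict = field(default_factory=dict)   # event -> [obligation codes]


class Release:
    """Handle on disclosed data; DeleteAfterUse wipes it when the 'with' block ends."""
    def __init__(self, data, delete_after_use):
        self.data = data
        self.delete_after_use = delete_after_use

    def __enter__(self):
        return self.data

    def __exit__(self, *exc):
        if self.delete_after_use:
            self.data.clear()          # remove target information from access after use
        return False


@dataclass
class CustodianSystem:
    relink_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    relink_table: dict = field(default_factory=dict)   # pseudonym -> identifiers (custodian-only)
    audit_trail: list = field(default_factory=list)

    def pseudonymize(self, record):
        """Strip identifiers; keep a keyed tag so only the custodian can relink."""
        ident = {k: record[k] for k in IDENTIFIERS if k in record}
        msg = json.dumps(ident, sort_keys=True).encode()
        tag = hmac.new(self.relink_key, msg, hashlib.sha256).hexdigest()[:16]
        self.relink_table[tag] = ident
        return {**{k: v for k, v in record.items() if k not in IDENTIFIERS}, "pseudonym": tag}

    def anonymize(self, record):
        """Strip identifiers and keep no way to relink."""
        return {k: v for k, v in record.items() if k not in IDENTIFIERS}

    def reidentify(self, pseudonym):
        return self.relink_table.get(pseudonym)

    def release(self, rule, event, user_type, record):
        """Evaluate the rule for this user and event, then discharge its obligations.
        An obligation the system cannot enforce aborts the release (fail closed)."""
        if user_type != rule.user_type or record.get("info_type") != rule.info_type:
            raise PermissionError("no applicable PrivacyRule")
        if not rule.permit:
            raise PermissionError("Refrain policy: operation prohibited")
        codes = list(rule.obligations.get(event, []))
        unknown = [c for c in codes if c not in ENFORCEABLE]
        if unknown:
            raise PermissionError(f"cannot enforce obligations {unknown}; refusing release")
        working = dict(record)
        if ANONYMIZE in codes:         # stronger than Pseudonymize, so it takes precedence
            working = self.anonymize(working)
        elif PSEUDONYMIZE in codes:
            working = self.pseudonymize(working)
        if AUDIT_TRAIL in codes:       # log the operation, the obligations applied, and what left
            self.audit_trail.append({"event": event, "user_type": user_type,
                                     "subject_mrn": record.get("mrn"), "obligations": codes,
                                     "released_fields": sorted(working)})
        return Release(working, DELETE_AFTER_USE in codes)


# Constructed sample rule and record (not real data).
RULE = PrivacyRule("researcher", "lab-result", True,
                   {"disclose": [AUDIT_TRAIL, PSEUDONYMIZE, DELETE_AFTER_USE]})
REFRAIN = PrivacyRule("marketing", "lab-result", False)
SAMPLE = {"info_type": "lab-result", "name": "A. Example", "mrn": "MRN-000123",
          "dob": "1970-01-01", "hba1c": 6.1}


def demo():
    custodian = CustodianSystem()
    with custodian.release(RULE, "disclose", "researcher", SAMPLE) as data:
        released = dict(data)          # what the researcher actually sees
    leftover = dict(data)              # after use: emptied by DeleteAfterUse
    return custodian, released, leftover


if __name__ == "__main__":
    c, released, leftover = demo()
    print(released, leftover, c.audit_trail, sep="\n")
```

Two design points matter here: the obligations are bound to the event, not to the whole rule, so the same rule can require Audit Trail on "disclose" and nothing on "view"; and an obligation the custodian cannot carry out blocks the release rather than being silently dropped, since a permit whose obligations go unmet is not the permission the consenter granted.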