<div dir="ltr">I agree with Aaron. However, the problem is far bigger. The 'vectors' that are necessary to segment data for various purposes of use and various roles are many. That is to say, sensitivity is not the only vector that is necessary. See <a href="https://healthcaresecprivacy.blogspot.com/2016/08/vectors-through-consent-to-control-big.html">https://healthcaresecprivacy.blogspot.com/2016/08/vectors-through-consent-to-control-big.html</a> <div><div style="font-family:arial,tahoma,helvetica,freesans,sans-serif;font-size:13.2px;line-height:18.48px"><br></div><div style="font-family:arial,tahoma,helvetica,freesans,sans-serif;font-size:13.2px"><ul style="padding:0px 2.5em;margin:0.5em 0px;line-height:1.4">
<li style="padding:0px;margin:0px 0px 0.25em"><span style="font-size:13.2px;line-height:18.48px">Data Identity - unique identifier of the data</span></li>
<li style="padding:0px;margin:0px 0px 0.25em"><span style="font-size:13.2px;line-height:18.48px">Folder Identity this data sits within</span></li>
<li style="padding:0px;margin:0px 0px 0.25em"><span style="font-size:13.2px;line-height:18.48px">When was the data created</span></li>
<li style="padding:0px;margin:0px 0px 0.25em"><span style="font-size:13.2px;line-height:18.48px">When was the data last updated</span></li>
<li style="padding:0px;margin:0px 0px 0.25em"><span style="font-size:13.2px;line-height:18.48px">Who authored the data</span></li>
<li style="padding:0px;margin:0px 0px 0.25em"><span style="font-size:13.2px;line-height:18.48px">Who verified the data</span></li>
<li style="padding:0px;margin:0px 0px 0.25em"><span style="font-size:13.2px;line-height:18.48px">Where was the data authored</span></li>
<li style="padding:0px;margin:0px 0px 0.25em"><span style="font-size:13.2px;line-height:18.48px">Availability, has the data been replaced or refuted</span></li>
<li style="padding:0px;margin:0px 0px 0.25em"><span style="font-size:13.2px;line-height:18.48px">What kind of treating facility authored the data</span></li>
<li style="padding:0px;margin:0px 0px 0.25em"><span style="font-size:13.2px;line-height:18.48px">What kind of care practice setting authored the data</span></li>
<li style="padding:0px;margin:0px 0px 0.25em"><span style="font-size:13.2px;line-height:18.48px">Predecessor data that was used in the authoring of this data (e.g. Order)</span></li>
<li style="padding:0px;margin:0px 0px 0.25em"><span style="font-size:13.2px;line-height:18.48px">Successor data that was created based on this data (e.g. Discharge Summary)</span></li>
<li style="padding:0px;margin:0px 0px 0.25em"><span style="font-size:13.2px;line-height:18.48px">Relationships to other data (e.g. folder identifier)</span></li>
<li style="padding:0px;margin:0px 0px 0.25em"><span style="font-size:13.2px;line-height:18.48px">Type of data object</span></li>
<li style="padding:0px;margin:0px 0px 0.25em"><span style="font-size:13.2px;line-height:18.48px">Type of clinical content implied by the data (e.g. Pregnant, Cancer, Addict)</span></li>
<li style="padding:0px;margin:0px 0px 0.25em"><span style="font-size:13.2px;line-height:18.48px">etc.</span></li>
</ul></div><div><br></div><div>I will note that the struggle to automatically determine what data might be sensitive from what data might be normal health data is the topic of a 'service' in a specification from HL7. That is to note that, regardless of the technical details, one really needs a service to carry out that labeling task in an automated way. That service might get the list of sensitive topics from a healthcare organization, or might get them from the Patient; possibly both. This isolates the labeling from the Access Control decision and enforcement. 
-- Look for HL7 Security Labeling Service</div></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">John Moehrke<br>Principal Engineering Architect: Standards - Interoperability, Privacy, and Security<br>CyberPrivacy – Enabling authorized communications while respecting Privacy<br>M +1 920-564-2067<br><a href="mailto:JohnMoehrke@gmail.com" target="_blank">JohnMoehrke@gmail.com</a><br><a href="https://www.linkedin.com/in/johnmoehrke" target="_blank">https://www.linkedin.com/in/johnmoehrke</a><br><a href="https://healthcaresecprivacy.blogspot.com" target="_blank">https://healthcaresecprivacy.blogspot.com</a><br>"Quis custodiet ipsos custodes?" ("Who watches the watchers?")</div></div></div>
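<div>An added illustration of the separation described in the message above, not part of the original message and not the interface of the HL7 Security Labeling Service: a labeling step merges the organization's and the patient's sensitive-topic lists, and a separate decision step reads only labels and metadata. The names <code>label</code>, <code>decide</code>, <code>run</code> and <code>CONSENT</code>, the label values, and the sample records are assumptions constructed for this example.</div>

```python
from dataclasses import dataclass, field

# Constructed sample inputs; the topic names echo the post's own examples.
ORG_SENSITIVE = {"addiction"}        # list supplied by the healthcare organization
PATIENT_SENSITIVE = {"pregnancy"}    # list supplied by the patient

@dataclass
class Record:
    data_id: str
    facility_type: str               # one of the non-sensitivity vectors
    content_topics: set              # clinical content implied by the data
    labels: dict = field(default_factory=dict)

def label(record, org_topics, patient_topics):
    """Labeling step: the only code that inspects clinical content."""
    sensitive = record.content_topics & (org_topics | patient_topics)
    record.labels = {"confidentiality": "restricted" if sensitive else "normal",
                     "sensitivity": sorted(sensitive)}
    return record

def decide(record, request, consent):
    """Access decision: reads labels and metadata only, never content."""
    if not record.labels:
        return "deny"                # unlabeled data fails closed
    if request["purpose_of_use"] not in consent["permitted_purposes"]:
        return "deny"
    if record.facility_type in consent["withheld_facility_types"]:
        return "deny"
    released = set(consent["released_topics"].get(request["role"], []))
    if set(record.labels["sensitivity"]).issubset(released):
        return "permit"              # normal data has an empty sensitivity list
    return "deny"

CONSENT = {                          # constructed patient consent
    "permitted_purposes": {"treatment"},
    "withheld_facility_types": {"psychiatric-hospital"},
    "released_topics": {"obstetrician": ["pregnancy"]},
}

def run(role, purpose):
    records = [
        Record("doc-1", "hospital", {"fracture"}),
        Record("doc-2", "clinic", {"pregnancy"}),
        Record("doc-3", "clinic", {"addiction", "pregnancy"}),
        Record("doc-4", "psychiatric-hospital", {"fracture"}),
    ]
    req = {"role": role, "purpose_of_use": purpose}
    labeled = [label(r, ORG_SENSITIVE, PATIENT_SENSITIVE) for r in records]
    return {r.data_id: decide(r, req, CONSENT) for r in labeled}
```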
<br><div class="gmail_quote">On Sat, Mar 25, 2017 at 10:33 AM, Aaron Seib <span dir="ltr">&lt;<a href="mailto:aaron.seib@nate-trust.org" target="_blank">aaron.seib@nate-trust.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div class="m_1865437489803582208WordSection1"><p class="MsoNormal"><span style="color:#1f497d">Nancy<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">At the end of the day I am of the opinion that relying on a coding scheme to identify what falls into a sensitive “category” and what doesn’t ends up being arbitrary and often dangerously imprecise.  <u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">There is no way to a priori tag what any one consumer considers sensitive, and what is considered sensitive by one consumer is not to another.  <u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">In short – I am worried that if there isn’t a way for the consumer to mark what they are comfortable being shared, any mechanism to make it “easy” for a data-holder to share with a third party while “respecting” the preferences of the consumer is insufficient and represents a legacy perspective.  
<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">When we enable the consumer to tag their own data and constrain what is shared by the 3<sup>rd</sup> parties that disclose data “on their behalf”, we don’t fall into the trap of trying to create one-size-fits-all LOVs that are inaccurate and only reflect the requirements of a regulatory requirement established decades in the past.<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">We have to figure out how to enable the consumer to define what they want segmented if we are attempting to be respectful of the consumer’s preference.  We all know that these preferences change over time and the consumer should be able to update them.  <u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">I believe data segmentation without the consumer’s ‘corrections’ leaves too many inaccuracies that inevitably result in disclosures not consistent with the individual’s preferences.  
<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">We can certainly create categories as an aid to building a consumer specific segmentation rules set but relying on pre-defined code sets to indicate what is sensitive (driven by legacy policies) will miss the mark.<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">Aaron<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><div><p class="MsoNormal"><span style="color:#1f497d">Aaron Seib, CEO<u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">@CaptBlueButton <u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d"> (o) <a href="tel:(301)%20540-2311" value="+13015402311" target="_blank">301-540-2311</a><u></u><u></u></span></p><p class="MsoNormal"><span style="color:#1f497d">(m) <a href="tel:(301)%20326-6843" value="+13013266843" target="_blank">301-326-6843</a><u></u><u></u></span></p><p class="MsoNormal"><a href="http://nate-trust.org" target="_blank"><span style="color:#1f497d;text-decoration:none"><img border="0" width="205" height="48" id="m_1865437489803582208_x0000_i1026" src="cid:image002.jpg@01D2A55B.ABCA1400"></span></a><span style="color:#1f497d"><u></u><u></u></span></p></div><p class="MsoNormal"><span style="color:#1f497d"><u></u> <u></u></span></p><div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">From:</span></b><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif'"> Openid-specs-heart [mailto:<a href="mailto:openid-specs-heart-bounces@lists.openid.net" target="_blank">openid-specs-heart-<wbr>bounces@lists.openid.net</a>] <b>On Behalf Of </b>Nancy Lush<br><b>Sent:</b> Friday, March 24, 2017 5:05 
PM<br><b>To:</b> <a href="mailto:openid-specs-heart@lists.openid.net" target="_blank">openid-specs-heart@lists.<wbr>openid.net</a><br><b>Subject:</b> [Openid-specs-heart] HEART profiling for sensitive data<u></u><u></u></span></p></div></div><div><div class="h5"><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><span style="font-size:12.0pt;color:#1f3864">Hello all,<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:12.0pt;color:#1f3864"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:12.0pt;color:#1f3864">Attached is a document which includes background and suggestions for profiling sensitive data.  Comments welcome. <u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:12.0pt;color:#1f3864"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:12.0pt;color:#1f3864">Thanks, and have a great weekend.<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:12.0pt;color:#1f3864"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:12.0pt;color:#1f3864">-Nancy<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:12.0pt;color:#1f3864"><u></u> <u></u></span></p><table class="m_1865437489803582208MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse"><tbody><tr style="height:1.0pt"><td width="428" colspan="2" valign="top" style="width:256.7pt;padding:0in 5.75pt 0in 5.75pt;height:1.0pt"><div style="border:none;border-bottom:solid windowtext 1.5pt;padding:0in 0in 1.0pt 0in"><p class="MsoNormal" style="line-height:115%"><span style="font-size:8.0pt;line-height:115%;color:#1f3864"><u></u> <u></u></span></p></div><p class="MsoNormal"><span style="font-size:8.0pt;color:#1f3864"><u></u> <u></u></span></p></td></tr><tr style="height:1.0pt"><td width="174" valign="top" style="width:1.45in;padding:0in 5.75pt 0in 5.75pt;height:1.0pt"><p class="MsoNormal"><b><span style="font-size:10.0pt;color:#222a35">Nancy Lush          
<u></u><u></u></span></b></p></td><td width="254" valign="top" style="width:152.3pt;padding:0in 5.75pt 0in 5.75pt;height:1.0pt"><p class="MsoNormal"><span style="font-size:10.0pt;color:#1f3864"><a href="mailto:nancy.lush@lgisoftware.com" target="_blank">nancy.lush@lgisoftware.com</a><u></u><u></u></span></p></td></tr><tr style="height:1.0pt"><td width="174" valign="top" style="width:1.45in;padding:0in 5.75pt 0in 5.75pt;height:1.0pt"><p class="MsoNormal"><b><span style="font-size:10.0pt;color:#222a35">Lush Group, Inc<u></u><u></u></span></b></p></td><td width="254" valign="top" style="width:152.3pt;padding:0in 5.75pt 0in 5.75pt;height:1.0pt"><p class="MsoNormal"><span style="font-size:10.0pt;color:#1f3864">Office: <a href="tel:(401)%20423-9111" value="+14014239111" target="_blank">(401) 423-9111</a><u></u><u></u></span></p></td></tr><tr style="height:1.0pt"><td width="174" valign="top" style="width:1.45in;padding:0in 5.75pt 0in 5.75pt;height:1.0pt"><p class="MsoNormal" style="line-height:115%"><span style="font-size:10.0pt;line-height:115%;color:#1f3864">28 Narragansett Ave<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:10.0pt;color:#1f3864">PO Box 651<u></u><u></u></span></p></td><td width="254" valign="top" style="width:152.3pt;padding:0in 5.75pt 0in 5.75pt;height:1.0pt"><p class="MsoNormal" style="line-height:115%"><span style="font-size:10.0pt;line-height:115%;color:#1f3864"><a href="http://www.lgisoftware.com" target="_blank">www.lgisoftware.com</a> <u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:10.0pt;color:#1f3864">Cell:<a href="tel:(401)%20965-9347" value="+14019659347" target="_blank">(401) 965-9347</a><u></u><u></u></span></p></td></tr><tr style="height:1.0pt"><td width="174" valign="top" style="width:1.45in;padding:0in 5.75pt 0in 5.75pt;height:1.0pt"><p class="MsoNormal"><span style="font-size:10.0pt;color:#1f3864">Jamestown, RI 02835<u></u><u></u></span></p></td><td width="254" valign="top" 
style="width:152.3pt;padding:0in 5.75pt 0in 5.75pt;height:1.0pt"></td></tr></tbody></table><p class="MsoNormal"><span style="color:#1f3864"><u></u> <u></u></span></p><p class="MsoNormal"><u></u> <u></u></p></div></div></div></div><br>______________________________<wbr>_________________<br>
Openid-specs-heart mailing list<br>
<a href="mailto:Openid-specs-heart@lists.openid.net">Openid-specs-heart@lists.<wbr>openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart" rel="noreferrer" target="_blank">http://lists.openid.net/<wbr>mailman/listinfo/openid-specs-<wbr>heart</a><br>
<br></blockquote></div><br></div>