Return to detail page at www.hitsp.org | HITSP/TN900 |
The following sections provide the history of all changes made to this document since the last publication.
The changes in this cycle address the following comments received during the Public Comment and Inspection Testing period (July 23, 2006 - August 17, 2007):
272, 517, 561, 562, 563, 566, 586, 587, 641, 679, 680, 681, 682, 683, 684, 685, 686, 687, 688, 689, 690, 691, 692, 743, 887, 890, 899, 922, 984, 985, 1197, 1210, 1211, 1212, 1213, 1229, 1231, 1254, 1255, 1256, 1257, 1263
Upon approval by the HITSP Panel on October 15, 2007, this document has been moved to Version 1.1. This document is now Released for Implementation.
Removed Glossary. The overall HITSP glossary, applying to all documents, will be used henceforth.
Minor editorial corrections.
Upon approval by the HITSP Panel on August 27, 2008, this document is now Released for Implementation.
Editorial updates for the following:
ARRA added to list of sources.
Removed sections that are described in more detail in the security and privacy constructs.
Updated formatting and links of references to standards in Table 2-1 Guidance Standards
Added Security and Privacy Service Collaborations to list of constructs in Table 3-1 HITSP Security and Privacy Constructs
Amended descriptions of out-of-scope requirements in Table 3-2 Out-of-Scope Requirements Assessment
Added gaps to point to XSPA AND NIST levels of assurance in Table 3-3 Construct Standards Gaps
Added columns for Anonymize and Pseudonymize in Table 4-1 Relationship of Privacy Principles and HITSP Security and Privacy Constructs
Added Privacy and Security service collaborations to Table 4-3 Security and Privacy Construct Summary
Removed Figure 4.4-1 Core Security and Privacy Constructs diagram
Updated figures to reflect current updates to underlying constructs
Removed appendix descriptions of the application of security and privacy constructs to the IS01, IS02, and IS03 specifications. These specifications have since been published with the appropriate security and privacy requirements as previously noted.
Added discussion on T31 and T33, and their relationship to TP13.
Clarified construct relationships
Added descriptions for the Anonymize, Pseudonymize, and Secure Web Connection constructs
Added descriptions for the Access Control and Security Audit Service Collaborations
Added a current list of Security, Privacy and Infrastructure Constructs
Minor editorial changes were made to this document. Removed boilerplate text for simplification. The term actor was replaced with interface.
Upon approval by the HITSP Panel on July 8, 2009, this document is now Released for Implementation.
[1] The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information (PDF): http://healthit.hhs.gov/portal/server.pt/gateway/PTARGS_0_10731_848088_0_0_18/NationwidePS_Framework-5.pdf
[2] There are interactions between two or more constructs that ensure the ability to meet security and privacy requirements. For example, in order to ensure that entities are authenticated, that is, that an entity is the person or application that claims the identity, HITSP/C19 Entity Identity Assertion and HITSP/C26 Nonrepudiation of Origin work together to support this requirement. Similarly, to guarantee or assure the authenticity of data transmitted, these same two constructs, along with HITSP/TP13 Manage Sharing of Documents (with Document Integrity inserted as an option), work together to support this requirement.
[3] Good Samaritan Act - To trigger the protection of such an act, two conditions must be satisfied: it must be a volunteer act, and the actions must be a good faith effort to help. In the medical sense, a Good Samaritan is a medical care professional who volunteers to help someone in need of emergency medical care. The act must be done without there being any duty to care for the patient and without any expectation of compensation.
[4] ISO/IEC Guide 73:2002, Risk Management - Vocabulary - Guidelines for use in standards, definition 3.1.1.
[5] ISO 14971:2000, Application of Risk Management to Medical Devices, definition 2.18.
[6] This discussion follows the ISO 22600 Health Informatics Privilege Management and Access Control and the current working draft of that standard.
[7] In November 1999, President Clinton signed the Financial Services Modernization Act, more commonly known as Gramm-Leach-Bliley or GLB, after the Congressional sponsors of the Act. Its main purpose was to overhaul the financial services industry, but privacy provisions were added to GLB near the conclusion of Congressional proceedings, giving consumers new rights to notice and consent regarding the information-sharing practices of financial institutions. Title V of GLB gives consumers a right to opt out, that is, to prevent sharing or other disclosures of personal information to third-party non-affiliates.