Verb Categorization by Record-Entry Events

EHR Interoperability-Privacy and Security Work Groups

Verb Harmonization InitiativeWork-in-Progress Notes

Steve Hufnagel, facilitator, 2September 2014DRAFT-P

INTRODUCTION[1]: Privacy and Security can provide authorization and access controls to EHR system operations and information exchanges, which result in record-entry lifecycle state transitions; where,

  • CRUDEA (Create, Read, Update, Delete, Execute, Append) are underlying computer operations
  • Record entries go through a sequence of lifecycle events (aka state transitions)
  • EHRS FM operation verbs are “triggers” to the record-entry state transitions
  • Security audit log and/or provenance metadata may be captured,at the record-entry state transitions, as Fast Healthcare Interoperability Resources (FHIR).
  • The goal of this initiative is to align EHR, Security and Privacy terms.
  • The objectives / approachof this initiative are to iteratively
  • categorize the verbs by the Record-Entry lifecycle events they trigger
  • align events and their trigger verbs in the context of each Record-Entry lifecycle event
  • alignlifecycle events,Privacy and Security controls, and EHR operational verbs.
  • The products of this initiative are:
  • Domain Analysis Model (DAM) (e.g., State Transition Model of record-entry events)
  • Vocabulary, taxonomy (abstract hierarchy) and glossary of “terms”; where,
  • term implies classes or objects containing record-entry nouns and operation verbs.

REFERENCE: See companion Excel workbook “EHRS-FM Verb triggers mapped to Record-Entry Lifecycle Events Harmonization-Matrix and Definitions.xlsx”, which also contains the glossary of terms.

REQUESTED ACTION: Please pose questions and provide suggestions for improvement.

ASSUMPTIONS: Lifecycle Event State Transition Diagram (below)

  1. Foundational Events need full provenance metadata resource; while, derived events may only need privacy & security metadata resource; where,
  • Events/States are adjectives for Record-Entries (e.g., originated/ retained and encrypted record-entry)
  • One-or-more verbs can trigger one-or-more events/states
  • (e.g., Export record-entry results-in an exported and disclosed record-entry)
  1. Within an EHRS-FM profile, this Notional Record-Entry-Lifecycle State-Transition-Diagram should be adapted to define "fit-for-purpose" state-transitions and state-transition metadata according-to scope-of practice, organizational-policy and jurisdictional-law.
  • e.g. business Rules may change the “Final State” from “Destroyed” to “Archived” and/or remove “Destroyed”.

SUGGESTIONS / ISSUES:

  1. 7/29/14 MvdZ – CRUDEA needs Query and Search [Michael Van Der Zel]
  2. 7/29/14 TW – Categorizations/ hierarchies based-on policy (e.g., read access of sensitive data).
  3. 7/30/14 SH – What provenance is associated with ABAC access to sensitive data
  4. 7/29/14 RDG - “Disambiguate”verb may be merited. [Reed Gelzer]
  5. 7/29/14 RDG - The EHR FM R2 glossary definition for Attest/Attested may or may not line up entirely with its use here.
  6. 7/29/14 RDG - The EHR FM R2 Glossary does not have Verify as a noun or verb.
  7. 7/29/14 RDG - Consider the concept that there are undoubtedly transition events that are aggregations of simultaneous transition types. For example, when executing an amendment on a Record Entry, a common scenario will include retaining the original as an immutable entry AND executing the amendment transition to an Amended record AND retaining the amended record entry as an immutable entry? Presumably “aggregated transition events” would be designed in and “hard coded” or configurable.

Figure 1 Notional State Transition Machine for Record-Entry Lifecycle Events

  • State Transition from Archived to Destroyed was added.
  • Direct transition from originate receive to destroy was added for non-retained information
  • Immutable record transition from Originated / Retained or Received / Retained was added
  • RBAC & ABAC added as managing record-entry state-transitions

Legend

  • Record-Entry Lifecycle Event
  • EHRS-FM Verb
  • Privacy & Security verb

Manage an EHR

  1. CRUDEA (Create, Read, Update, Delete, Execute, Append)

(1)ISSUE: What about Query and Search [Michael Van Der Zel]

(2)Control Access(Privacy & Security) applies to all operational verbs

(a)Authenticate

(b)Authorize

(c)NOTE: RBAC is at the CRUDEA level, ABAC is at the operational verb level [Steve Hufnagel]

(3)Metadata, with each type of CRUDEA (Create, Read, Update, Delete, Execute, Append)

(a)Provenance

(b)Privacy & Security Track

(i)Log (Logging typically means the recording of implementation level events that happen as the program is running (methods get called, objects are created, etc.). As such it focuses on things that interest programmers)

(ii)Audit (Auditing is about recording domain-level events: a transaction is created, a user is performing an action, etc. In certain types of application (Banking) there is a legal obligation to record such events.)

(4)Privacy & Security Modify_Status These areat the CRUDEA level [Steve Hufnagel]

(a)Abort

(b)Activate

(c)Cancel

(d)Complete

(e)Hold

(f)Jump

(g)Nullify

(h)Release

(i)Resume

(j)Suspend

  1. Maintain

(a)Foundational Lifecycle Events/States and associated Trigger Verbs

(i)CRUDEA, FHIR: Provenance & Security Event, RBAC access controls

  1. Originate/ RetainEvent-State may be triggered by the following verbs.
  2. Originate
  3. Capture
  4. Enter
  5. Retain
  6. Store
  7. Save
  8. Receive/ RetainEvent State-transition may be triggered by the following verbs:
  9. Exchange (needs definition!)

(i)Receive

  1. Import Import

(ii)Retain

  1. Store
  2. Save
  3. Auto Populate
  4. Copy
  5. Duplicate
  6. Reproduce

(ii)CRUDEA, FHIR: Provenance & Security Event, [if Attest is done separately from Originate],

  1. AmendEvent State-transition may be triggered by the following verbs:
  2. Amend [deprecated to edit in glossary action required!]
  3. Update [top level verb] RECOMMENDATION:Change Amend Event to Update Event
  4. Edit, [Definitions refer to amend, action required!]
  5. Redact
  6. Replace [Out of place?]
  7. Annotate Annotate
  8. Append
  9. Integrate
  10. Tag [aka flag, does not require re-attest, out of place? Where does this belong?, EHRS Definition is flag for follow-on action] ACTION: Security definition of Tag
  11. AttestEvent State-transition may be triggered by the following verbs:
  12. Sign (includes a digital signature) =? Attest (does attest include a signature?)
  13. VerifyEvent State-transition may be triggered by the following verbs:
  14. Verify Verify

(iii)CRUDEA, FHIR: Provenance & Security Event

  1. DestroyEvent State-transition may be triggered by the following verbs:
  2. Purge Purge (specific type of delete where recovery is NOT possible))
  3. Delete (recovery is potentially possible)

(b)Derived Lifecycle Events/States and associated Trigger Verbs

(i)CRUDEA, FHIR: Security Events

  1. View/ AccessEvent State-transition may be triggered by the following verbs:
  2. Access(privacy permission … ability to read) =? Read (data operation)
  3. Collect
  4. Use
  5. Transmit , Exchange
  6. Harmonize
  7. Determine
  8. Analyze
  9. Decide
  10. Privacy permissions constrain or require logging of the data operations
  11. FHIR: Security Event
  12. DiscloseEvent State-transition may be triggered by the following verbs: (Deprecated verb)
  13. Disclose (privacy operation?)
  14. Export (deprecated) Export
  15. Exchange (send and receive  recommend deprecation of Exchange)
  16. Render
  17. Print
  18. Present
  19. Forward
  20. Transfer
  21. FHIR: Security Event
  22. Output/ ReportEvent State-transition may be triggered by the following verbs:
  23. Transmit
  24. Export Export
  25. Exchange
  26. Render
  27. Print
  28. Present
  29. Forward
  30. Transfer
  31. Disclose (based on Privacy & Security policy)
  32. FHIR: Security Event
  33. NOTE: This may result in a Receive/ Retain event for the recipient
  34. TransmitEvent State-transition may be triggered by the following verbs:
  35. Transmit
  36. Export Export
  37. Exchange
  38. Render
  39. Print
  40. Present
  41. Forward
  42. Transfer
  43. Disclose (based on Privacy & Security policy)
  44. FHIR: Security Event
  45. NOTE: This may result in a Receive/ Retain event for the recipient
  46. ISSUE: What is the difference between Output/Report and Transmit?
  47. ExtractEvent State-transition may be triggered by the following verbs:
  48. Extract
  49. Excerpt
  50. Derive
  51. FHIR: Security Event
  52. NOTE: This may result in a Create/ Retain event for a new record-entry

(ii)CRUDEA, FHIR: Provenance & Security Event

  1. LinkEvent State-transition may be triggered by the following verbs:
  2. Link
  3. Tag
  4. Track
  5. Log
  6. Audit
  7. Sustain (Ops.) [Out of place?]
  8. FHIR: Security Event
  9. UnlinkEvent State-transition may be triggered by the following verbs:
  10. unlink
  11. FHIR: Security Event
  12. TranslateEvent State-transition may be triggered by the following verbs:
  13. Translate
  14. Convert
  15. Encrypt Encrypt
  16. Decrypt Decrypt
  17. (Modify) Data Visibility [Does this belong here?]
  18. De-identify De-identify
  19. Pseudonymize
  20. Anonymize
  21. Mask Mask
  22. Redact
  23. Hide
  24. FHIR: Security Event
  25. NOTE: This may result in a Create/ Retain event for a new record-entry
  26. PseudomynizeEvent State-transition may be triggered by the following verbs:
  27. Pseudonymize
  28. De-identify De-identify
  29. FHIR: Security Event
  30. NOTE: This may result in a Create/ Retain event for a new record-entry
  31. De-IdentifyEvent State-transition may be triggered by the following verbs:
  32. (Modify) Data Visibility [Does this belong here?]
  33. De-identify De-identify
  34. Pseudonymize
  35. Anonymize
  36. Mask Mask
  37. Redact
  38. Hide
  39. FHIR: Security Event
  40. NOTE: anonymize and randomize missing?
  41. NOTE: This may result in a Create/ Retain event for a new record-entry
  42. Re-IdentifyEvent State-transition may be triggered by the following verbs:
  43. (Modify) Data Visibility [Does this belong here?]
  44. Re-identify, Re-identify
  45. Identify
  46. Unmask
  47. Unhide
  48. FHIR: Security Event
  49. NOTE: This may result in a Create/ Retain event for a new record-entry
  50. Place Legal HoldEvent State-transition may be triggered by the following verbs:
  51. Annotate / [Log]
  52. Tag
  53. FHIR: Security Event
  54. NOTE: This may result in a Create/ Retain event for a new record-entry
  55. Remove Legal HoldEvent State-transition may be triggered by the following verbs:
  56. Annotate / [Log]
  57. Tag
  58. FHIR: Security Event
  59. NOTE: This may result in a Destroy event for a copied record-entry, put on legal hold.
  60. EncryptEvent State-transition may be triggered by the following verbs:
  61. Encrypt Encrypt
  62. FHIR: Security Event
  63. NOTE: This may result in a Create/ Retain event for a new record-entry
  64. DecryptEvent State-transition may be triggered by the following verbs:
  65. DecryptDecrypt
  66. FHIR: Security Event
  67. NOTE: This may result in a Create/ Retain event for a new record-entry
  68. ArchiveEvent State-transition may be triggered by the following verbs:
  69. ArchiveArchive
  70. BackupBackup
  71. FHIR: Security Event
  72. NOTE: This may result in a Create/ Retain event for a new record-entry
  73. Restore Event State-transition may be triggered by the following verbs:
  74. Restore Restore
  75. Recover
  76. FHIR: Security Event
  77. NOTE: This may result in a Create/ Retain event for a new record-entry
  78. Deprecate/ RetractEvent State-transition may be triggered by the following verbs:
  79. Remove
  80. Obsolete
  81. Tag [Out of place?]
  82. FHIR: Security Event
  83. NOTE: This may also result in an archive event
  84. Re-ActivateEvent State-transition may be triggered by the following verbs:
  85. Re-activate
  86. Annotate / [Log]
  87. Tag [Out of place?]
  88. Restore Restore
  89. Recover
  90. FHIR: Security Event
  91. NOTE: This may result in a Create/ Retain event for a new record-entry

[1] This Introduction is based on the 2014-07-15 EHR Interoperability Workgroup and Privacy and Security Workgroup PSS discussions.