The Patient Choice Technical Project Dataset Considerations Candidate Standards Mapping Companion Document April 12th, 2016.

Presentation transcript:

The Patient Choice Technical Project Dataset Considerations Candidate Standards Mapping Companion Document April 12th, 2016

Table of Contents
Introduction to detailed mapping and approach
High-Level Findings
Candidate Standards Examples

Introduction to detailed mapping and approach

Consent Directive Type Scale: From “No to All” Patient Choice
No consent: Health information of patients is automatically included—patients cannot opt out;
Opt-out: Default is for health information of patients to be included automatically, but the patient can opt out completely;
Opt-out with exceptions: Default is for health information of patients to be included, but the patient can opt out completely or allow only select data to be included;
Opt-in: Default is that no patient health information is included; patients must actively express consent to be included, but if they do so then their information must be all in or all out; and
Opt-in with restrictions: Default is that no patient health information is made available, but the patient may allow a subset of select data to be included.
Patient Choice: There is no default policy imposed by the institution.

Patient Choice Data Requirements Candidate Standards Spreadsheet
Along the Rows - 4 Use Case Data Requirement Tables:
Consent Location Query – Find Metadata
Consent Location Response – Return Metadata
Consent Directive Query – Request Consent Directive
Consent Directive – Content of Returned Consent Directive

Patient Choice Data Requirements Candidate Standards Spreadsheet
Across the Columns - 5 Candidate or Affiliated Standards:
BPPC [IHE Basic Patient Privacy Consent]
APPC [IHE Advanced Patient Privacy Consent]
HL7 version 2 Consent Segment [Chapter 9 Medical Records]
HL7 Consent Directive CDA Implementation Guide
HL7 FHIR Consent Directive profile on Contract Resource

Consent Location Query Map

Consent Location Response Map

Consent Directive Query Map

High-Level Findings

General Points about Findings
All more/less support core elements of Consent Directives [CD]:
»Patient, PHI Custodian, CD Requester, PHI Requester, PHI, Purpose of Use, Status [active/revoked], restrictions, exceptions, and handling instructions
All can be more/less well transformed into the others with some semantic loss
All but FHIR [still under development] are used today within the HIT ecosystems for which they were designed
However, the boundaries of those ecosystems are rapidly dissolving, which makes inter-standards interoperability increasingly important

IHE Basic Patient Privacy Consent [BPPC]
High adoption rate by XDS HIEs – but likely little adoption elsewhere because architecturally specific
Policies are unstructured legal agreements specific to an Affinity Domain, but may be agreed to for Cross Affinity Domain exchanges
BPPC Enforcement includes configuring HIE Actors to comply with Domain Patient Privacy Policy obligations, refrains, purposes of use, authorization restrictions, and display of Privacy Marks
However, these Domain Privacy Policies are very terse, unstructured legal rules represented as OIDs
»A BPPC Consent Directive may contain 1..* policy OIDs
»OIDs are not directly computable or adjudicatable
»Implementers assign Access Control Rules by hard-coding policy rules to ACS authorization decision and enforcement mechanisms
»The number of discrete policies is limited to reduce permutations on the ACS decision and enforcement requirements

IHE Basic Patient Privacy Consent [BPPC]-cont.
XD* ebXML Metadata “slots” [aka “fields”, “elements”] are populated with CDA R1 Header data through transform as well as information from local provider and patient directories
CDA limits proper modeling – i.e., treated like a clinical episode instead of an agreement
Most Document retrievers and disclosers typically do not retrieve a patient’s BPPC
»Requesters only check XDS metadata with Patient’s list of Domain patient privacy policy OIDs to make decisions about whether to publish; retrieve; permit access, use, disclosure

IHE Basic Patient Privacy Consent [BPPC]-cont.
Downside: Metadata is privacy leaking – especially with DIRECT XDR or XDM –
»May indicate that patient sees substance abuse provider, admitted to substance abuse facility, or agreed to disclosure of substance abuse information to authorized requester
»Requester may not be authorized to see certain metadata
»BPPC recommended mitigation is to either segregate metadata or not include in HIE due to limited ability to control access to the metadata
»Privacy leaks mitigated by HL7 Data Segmentation for Privacy by constraining XDS and XDR metadata, but that solution has not been adopted for BPPC, APPC, or HL7 Consent Directive CDA
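The hard-coded enforcement pattern the BPPC slides describe, as an added example that is not part of the original deck or of any IHE artifact. The policy OIDs (in the 2.999 example arc), the rule table, the purpose-of-use codes chosen and the opt-in default are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed policy OIDs; a real Affinity Domain assigns its own OIDs and
# publishes the legal text each one stands for.
OPT_IN_TREATMENT = "2.999.1.1"
OPT_IN_RESEARCH = "2.999.1.2"
OPT_OUT_ALL = "2.999.1.9"

# The hard-coded part: an OID carries no semantics, so the ACS needs one
# hand-written rule per OID: (effect, permitted purposes of use).
POLICY_RULES = {
    OPT_IN_TREATMENT: ("permit", {"TREAT"}),
    OPT_IN_RESEARCH: ("permit", {"HRESCH"}),
    OPT_OUT_ALL: ("deny", set()),
}

@dataclass
class Consent:
    policy_oids: List[str]           # 1..* policy OIDs the patient agreed to
    status: str = "active"           # "active" or "revoked"
    expires: Optional[date] = None

def decide(consents, purpose, today):
    """Return (decision, reason) for one request in an opt-in domain."""
    usable = [c for c in consents
              if c.status == "active"
              and (c.expires is None or c.expires >= today)]
    oids = [oid for c in usable for oid in c.policy_oids]
    if not oids:
        return "deny", "no active consent on file"
    unknown = [oid for oid in oids if oid not in POLICY_RULES]
    if unknown:
        # Fail closed: an OID nobody coded a rule for cannot be adjudicated.
        return "deny", "unmapped policy OID " + unknown[0]
    if any(POLICY_RULES[oid][0] == "deny" for oid in oids):
        return "deny", "opt-out policy in force"
    if any(purpose in POLICY_RULES[oid][1] for oid in oids):
        return "permit", "purpose covered by acknowledged policy"
    return "deny", "purpose of use not covered"

if __name__ == "__main__":
    today = date(2016, 4, 12)
    print(decide([Consent([OPT_IN_TREATMENT])], "TREAT", today))
    print(decide([Consent([OPT_IN_TREATMENT, "2.999.1.77"])], "TREAT", today))
```

Every new domain policy means another entry in `POLICY_RULES` and another set of combinations to test, which is why the slides note that deployments keep the number of discrete policies small.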

IHE Advanced Patient Privacy Consent [APPC]
Adoption Status: Under IHE/AHIMA development since late 2015
On IHE BPPC roadmap for some time
Goal is to move to structured/computable patient privacy policies
»See IHE/AHIMA APPC Project Overview Jan. 2016
Progress – APPC cochairs are actively involved in FHIR Consent Directive development
Upside – With uptake, would improve agility, interoperability of IHE Consent Documents
Potential Issues: Given entrenched BPPC deployment and differences in exchange patterns and enforcement mechanisms, IHE may not get the adoption rate – e.g., lack of uptake for FHIR XD* Document Reference for metadata

HL7 Version 2 Consent Segment
Adoption rate within and outside of the Enterprise is not clear, but v2 isn’t going away as the source of consent information that may be used to populate interoperable Consent Directive standards
Current use is to push a Consent Directive related to a Medical Record within an Enterprise, as well as to serve as the Enterprise “source of truth” for multiple consent flags used in Orders, Admission, and Financial transactions
Some HIEs may use it as input to generation of CCDAs with appropriate confidentiality codes
With transforms, could be used to populate IHE, CDA, and FHIR Consent Directives

HL7 V2 ADT Access Restriction Value [ARV] Segment
Patient privacy preferences may also be collected on admission in the ARV segment, along with the Confidentiality Code from other segments, for Access Control throughout the enterprise. The ARV segment includes:
Access Restriction Action Code: Add/Insert, Delete, Update, No Change
Access Restriction Values: Specifies the information to which access is restricted.
Access Restriction Reason Code: Used to convey the reason for the restricted access.
Special Access Restriction Instructions: Used to specify instructions about the release of information to family and friends.
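How an access control service might consume the ARV elements listed above, as an added example that is not from the original deck. The field positions (Set ID first, then the four elements in the order the slide gives them), the single-letter action codes and every value in the sample message are assumptions or constructed data to check against the HL7 v2 version in use.

```python
# Assumed layout: ARV-1 Set ID, ARV-2 action code, ARV-3 restriction value,
# ARV-4 reason (repeating), ARV-5 special instructions (repeating).
ACTIONS = {"A": "add/insert", "D": "delete", "U": "update", "X": "no change"}

# Constructed admission message; restriction and reason codes are placeholders.
SAMPLE_ADT = "\r".join([
    "MSH|^~\\&|REG|HOSP|ACS|HOSP|201604120830||ADT^A01|MSG0001|P|2.6",
    "PID|1||12345^^^HOSP^MR||DOE^JANE",
    "ARV|1|A|PSY^Psychiatry notes|PAT^Patient request|No release to family",
    "ARV|2|A|DEM^Demographics|VIP^Public figure|",
    "ARV|3|D|HIV^HIV status||",
])

def parse_arv(message):
    """Extract ARV segments; components split on ^, repetitions on ~."""
    out = []
    for seg in message.replace("\n", "\r").split("\r"):
        fields = seg.split("|")
        if fields[0] != "ARV":
            continue
        fields += [""] * (6 - len(fields))      # pad missing trailing fields
        action = fields[2].split("^")[0]
        if action not in ACTIONS:
            # Reject rather than guess: a misread action could drop a restriction.
            raise ValueError("unknown ARV action code: %r" % action)
        out.append({
            "action": action,
            "value": fields[3].split("^")[0],
            "reasons": [r.split("^")[0] for r in fields[4].split("~") if r],
            "instructions": [i for i in fields[5].split("~") if i],
        })
    return out

def apply_arv(current, message):
    """Fold a message's ARV segments into a copy of the restriction table."""
    table = dict(current)
    for arv in parse_arv(message):
        if arv["action"] in ("A", "U"):
            table[arv["value"]] = {"reasons": arv["reasons"],
                                   "instructions": arv["instructions"]}
        elif arv["action"] == "D":
            table.pop(arv["value"], None)
        # "X" (no change) leaves the existing entry untouched
    return table

if __name__ == "__main__":
    before = {"HIV": {"reasons": ["PAT"], "instructions": []}}
    print(apply_arv(before, SAMPLE_ADT))
```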

HL7 Consent Directive CDA IG
Upside
CD policy is encoded so can be computably processed and adjudicated using Rules Engine
May include Rules Engine Language representation of policy using XACML, XRML, ODRL, or other
Includes Security Labels assigned to Protected Information by Type for:
»Confidentiality
»Governing Policy
»Obligations
»Refrains
Downside
Same XD* metadata privacy leak risks
Same BPPC/APPC modeling issues – based on a Clinical Document not an agreement
»Clinical ServiceEvent used to record Consent Directive Event with clinician performer
Due to commitment to BPPC backward compatibility design principle

HL7 Consent Directive CDA IG
CDA limitations on representing CD Types
CD CDA represents all types as LOINC Codes:
»Release of information consent
»Privacy policy acknowledgment Document
»Privacy policy Organization Document
LOINC codes are less specific than ActConsentDirectiveType codes [e.g., Opt-out, Opt-in with restrictions], which should be used instead or in addition to the LOINC codes
CD CDA represents CD effective time as the effective time of a Clinical ServiceEvent rather than the effective time of an agreement

HL7 FHIR Consent Directive
Status – under development for September FHIR Ballot
Potential Adopters include DAF and SDC in US, and possibly as the structured content for IHE APPC
Designed to support BPPC/APPC/v2/CDA Consent Directive data elements in line and/or as Attachments – i.e., backward compatible to other major Consent Directive specifications
Attachment can be a scanned paper Consent Directive Form and the Legal basis for the ConsentDirective – e.g., a statutory citation [42 CFR Part 2 Confidentiality provisions], a Notice of Privacy Practices, or a BPPC set of Patient Privacy Policies
Supports Digital and Wet Signature as well as delegation/countersigning
FHIR ConsentDirective.terms enable specification of restriction and exception rules

HL7 FHIR Consent Directive
FHIR Consent Directive is only one component in the FHIR Privacy Consent Directive Implementation Guide, which is slated to include a FHIR Privacy Consent Questionnaire/Questionnaire Response.
A Patient’s FHIR Privacy Consent Questionnaire Response is a Patient Friendly rendering of the choices allowed under a Consent Directive scheme
Used to populate the interoperable/computable FHIR Consent Directive, which is what the Access Control Systems use to decide and enforce patient choice
May be the right place to capture v2 Consent elements such as use of interpreter and additional information to inform patient consent.

HL7 FHIR Consent Directive
Unlike other Consent Directive [CD] standards, designed as a Contract rather than a Clinical Statement, which makes affinities to real world concepts about CDs easier to represent, e.g., effective time is directly related to the CD and any CD terms.
Makes Provider Organization the Grantee, which is asking the Patient [Grantor] to either consent or acknowledge the Organization’s privacy policy.
Easier to specify whether PHI as a whole is governed by the entire CD, or whether some subset of PHI is governed as a whole or in a CD restriction or exception term.

Candidate Standards & Pilots
Pilots may be interested in scenarios that involve 1..* Candidate Standards.
A HIE may want to use FHIR Consent Directive to carry BPPC elements “in line” and/or as an URI/Attachment.
A HIE might demonstrate how v2 Consents are used to populate a CDA Consent Directive, and then how the CDA Consent Directive can be mapped into a FHIR Consent Directive “in line” and/or as an URI/Attachment.
FHIR Connectathon participants might simply demonstrate the use of FHIR Consent Directive in a Track [Use Case] that reflects possible implementations.

Candidate Standards Examples

IHE Basic Patient Privacy Consent [BPPC]: Graphical representation of consent with wet signature

IHE Advanced Patient Privacy Consent [APPC]

IHE BPPC/APPC/CDA/FHIR + DocumentReference Consent Directive Exchange Interactions

HL7 CDA Consent Directive

Manage Electronic Privacy Policy (ePolicy)

FHIR Consent Directive
FHIR ConsentDirective is a profile on FHIR Contract Resource
Based on foundational HL7 Privacy and Security ISO 22600 Privilege Management and Access Control
Underlying model is more attuned to the policy structure of Consent Directives vs. trying to use a Clinical Document structure

HL7 FHIR Consent Directive

FHIR BPPC Example

Project Contact Information
OCPO-ONC Lead: Jeremy
Project Coordinator: Johnathan
Project Manager: Ali
Project Support: Taima
Staff SME: Kathleen
Staff SME: David

Thank you for joining!