
1 Proposed Technical Architecture for California HIE Services Walter Sujansky Sujansky & Associates, LLC Presentation to NHIN-Direct Security and Trust Work Group April 29, 2010

2 Proposed Technical Architecture
[Diagram] Core Cooperative Shared HIE Services: Entity Registry Service (identity management for legal entities), Provider Directory Service, Provider Identity Service. Legal entities shown around the services: Laboratory, Physician IPA, Physician IDN, Hospital, Solo Practice, Hospital IDN, Group Practice, Physician.

3 Entity Registry Service
1. A Certificate Authority that provisions legal entities in a widely trusted manner
   – Certifies legitimacy of the entity and its conformance to security/privacy policies
   – “Revokes” certification for entities when appropriate
   – Legal Entity = Physician practice, hospital, pharmacy, lab, immunization registry, etc.
   – Not individual physicians, administrative staff, or consumers
2. Repository of valid, active certificates for legal entities that wish to exchange health information using the CS-HIE resources

4 Entity Registry Service
[Diagram] HIE Certificate Authority (C.A.), Public Key: 3D78EB4A58F2. The Entity Registry C.A. signs the Entity Certificate.
Entity Certificate:
   Montrose Internist Group
   746 Professional Circle, La Jolla, CA
   Type: Outpatient Med Facility
   Public Key: H58GKXF894D8
Meaning: The Certificate Authority has validated that this legal entity:
• Legitimately exists and has the attributes listed
• Complies with the designated policies for provisioning and authenticating its users and safeguarding electronic health information
• Has possession of a private key that corresponds to the listed public key

5 Responsibilities of a Registered Legal Entity (1)
• Maintain internal registry of its providers, including minimum descriptive attributes (name, location, type, role, etc.)
   – I.e., providers may be provisioned locally by their entities => no requirement for a centralized user registry
• Reliably authenticate these providers when they “log in” within the entity’s domain
   – I.e., providers may be authenticated locally by their entities
• When providers exchange health information outside of the entity’s domain, include the following with each transaction:
   1. An “authentication assertion” signed by the legal entity that (a) validates the identity of the provider and (b) substantiates that the provider was authenticated appropriately
   2. An “authorization assertion” signed by the legal entity that documents (a) the role of the provider with respect to the patient and (b) the purpose of the health information exchange
   3. Copy of payload signed by the legal entity to confirm data integrity

6 Entity Registry Service
[Diagram] HIE Certificate Authority (C.A.), Public Key: 3D78EB4A58F2. The Entity Registry C.A. signs the Entity Certificate; the entity signs each assertion and the payload. Sent to recipient in the transaction:
Entity Certificate (Entity Registry C.A. signs):
   Montrose Internist Group
   746 Professional Circle, La Jolla, CA
   Type: Outpatient Med Facility
   Public Key: H58GKXF894D8
Authentication Assertion (Entity signs):
   Authenticated NPI 5893859073
   Jacob Hill MD – Internal Medicine
   Login: 2010-03-28 14:35:50
   Credential: password-only
   Entity: Montrose Internist Group
Authorization Assertion (Entity signs):
   Authorized NPI 5893859073
   Jacob Hill MD – Internal Medicine
   Role: Patient’s PCP
   Purpose: Transfer of Care
   Entity: Montrose Internist Group
Payload (Entity signs):
   Joe Patient, DOB, Gender, etc…
   Problem List, Med List, etc…

7 Responsibilities of a Registered Legal Entity (2)
• Provide an electronic directory of the providers within the legal entity
   – The directory must be accessible in a standard format as a “web service”, available to all other entities with access to the Entity Registry Service
   – The directory need contain only those providers whose information the legal entity wishes to publish
   – Each directory entry must include:
      – The provider’s descriptive attributes (to enable lookups)
      – The HIE transactions that the provider supports (to determine whether a transaction is supported)
      – For each supported transaction, the electronic address(es) and protocol(s) (to determine how a transaction is supported)

8 Provider Directory Entries
• Entity + Provider + Transaction Type => Network Address + Protocol
   – E.g., Dr. Hill at Montrose Internist Group can be sent hospital discharge summaries at ehr.montrose.com/InBox/DischargeSummary using the Level-2 CCD document format
• Network address may be provider’s own EHR or it may be a 3rd party system
   – E.g., an HIO routing service, an EHR hosted by an IPA, an HISP, etc.
• Entries are created and certified (signed) by legal entities, which are responsible for their veracity

9 Entity Registry Service and Provider Directory
[Diagram] HIE Certificate Authority (C.A.), Public Key: 3D78EB4A58F2. The Entity Registry C.A. signs the Entity Certificate; the entity signs the Directory Entry. Both are retrieved by the potential sender of a transaction: the Entity Certificate for looking up the recipient, the Directory Entry for formulating the transaction.
Entity Certificate:
   Montrose Internist Group
   746 Professional Circle, La Jolla, CA
   Type: Outpatient Med Facility
   Public Key: H58GKXF894D8
Directory Entry (as shown in the Provider Directory):
   Montrose Internist Group
   Jacob Hill, MD
   Trans: Discharge Summary
   Addr: montroseIG.com/hie/discharge
   Protocol: Level 2 CCD
Directory Entry (Entity signs):
   Entity: Montrose Internist Group
   Provider: Jacob Hill, MD
   Transaction: Receive Discharge Summary
   Addr: ehr.montrose.com/Inbox/DcSummary
   Protocol: Level 2 CCD

10 Proposed Technical Architecture: Publishing Provider Directory Entries
[Diagram] Core Cooperative Shared HIE Services: Entity Registry Service, Provider Directory Service, Provider Identity Service. A Legal Entity and its providers* have a Registry Entry. The entity can publish directory entries OR a pointer to a directory, which is either a Self-Hosted Provider Directory (Web Service) OR a 3rd-Party-Hosted Provider Directory (Web Service).
* Physicians, other providers, clerical users, departments, data repositories, etc.

11 Proposed Technical Architecture
[Diagram] Core Cooperative Shared HIE Services: Entity Registry Service (identity management for legal entities), Provider Directory Service (addressing and formatting information for intended recipients of HIE transactions), Provider Identity Service. Legal entities shown around the services: Laboratory, Physician IPA, Physician IDN, Hospital, Solo Practice, Hospital IDN, Group Practice, Physician.

12 Proposed Technical Architecture
[Diagram] Core Cooperative Shared HIE Services: Entity Registry Service (identity management for legal entities), Provider Directory Service (addressing and formatting information for intended recipients of HIE transactions), Provider Identity Service (identity management and authentication for principals in HIE transactions). Legal entities shown around the services: Laboratory, Physician IPA, Physician IDN, Hospital, Solo Practice, Hospital IDN, Group Practice, Physician.

13 Provider Identity Service
• Centralized, trusted service for provisioning and authenticating providers involved in HIE transactions
   – Intended for entities that are not trusted to authenticate their own providers, despite blessing of certificate authority
• Use of Provider Identity Service is entirely optional
   – Entities may provision and authenticate their own providers
• May or may not prove to be needed…

14 Proposed Technical Architecture
[Diagram] Core Cooperative Shared HIE Services: Entity Registry Service (identity management for legal entities), Provider Directory Service (addressing and formatting information for intended recipients of HIE transactions), Provider Identity Service (identity management and authentication for principals in HIE transactions). Legal entities shown around the services: Laboratory, Physician IPA, Physician, Hospital, Solo Practice, Hospital IDN, Group Practice, IDN, Physician.
Legend:
• Transactions involving CS-HIE Services and using the protocols and standards required by these services
• Transactions not involving CS-HIE Services and not necessarily using the protocols and standards required by these services
* with TLS encryption and authentication

15 Example: Hospital Discharge Summary
[Diagram] Core Cooperative Shared HIE Services: Entity Registry Service, Provider Directory Service, Provider Identity Service. Parties shown: Dr. Beth Cramer, Seaview Hospital, Dr. Jonah Hill, Montrose Internist Group, Valley IPA (each organization a Legal Entity).
John Smith’s PCP is Dr. Jonah Hill at Montrose Internist Group.
Steps shown: Look up Montrose Internist Group; Pointer; Look up Dr. Jonah Hill; Formulate and Send Transaction.
Directory entry returned:
   Legal Entity: Montrose Internist Group
   Principal: Dr. Jonah Hill
   Transaction: Receive Hospital Discharge Summary
   Address: www.valleyIPA.org/InBox/DcSummary
   Protocol: CCD Level 2
Legend:
• Transactions involving CS-HIE Services and using the protocols and standards required by these services
• Transactions not involving CS-HIE Services and not necessarily using the protocols and standards required by these services
* with TLS encryption and authentication

16 Example: Hospital Discharge Summary
[Diagram] Core Cooperative Shared HIE Services: Entity Registry Service, Provider Directory Service, Provider Identity Service. Parties shown: Dr. Beth Cramer, Seaview Hospital, Dr. Jonah Hill, Montrose Internist Group, Valley IPA (each organization a Legal Entity).
Formulate and Send Transaction. The transaction contains:
Header:
   – Certificate for Seaview Hospital (with public key)
   – Authentication Assertion for Dr. Beth Cramer (Signed by Seaview Hospital)
   – Authorization Assertion for Dr. Beth Cramer vis-à-vis John Smith (Signed by Seaview Hospital)
Payload:
   – Discharge Summary as CCD with patient identifiers for John Smith (Signed by Seaview Hospital)
Transaction: Deliver to Recipient’s EHR. The recipient will:
   – Inspect Transaction Header and Payload
   – Validate Seaview Hosp’s Certificate
   – Make access-control decision based on Header & Payload contents
Legend:
• Transactions involving CS-HIE Services and using the protocols and standards required by these services
• Transactions not involving CS-HIE Services and not necessarily using the protocols and standards required by these services
* with TLS encryption and authentication
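The recipient-side checks on this slide (validate the sender's certificate, then the entity-signed header and payload), written out as an added Go example that is not part of the presentation. Ed25519 signatures and the `entity|key` certificate encoding are assumptions made for illustration, since the slides leave the technical design of certificates and assertions open; the sample transaction is constructed.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Signed is one entity-signed item (assertion or payload). Ed25519 is an assumption.
type Signed struct {
	Body string
	Sig  []byte
}

// Transaction carries the sender's certificate fields plus the three signed parts.
type Transaction struct {
	Entity                string
	EntityKey             ed25519.PublicKey
	CertSig               []byte // C.A. signature over certBody (assumed encoding)
	AuthN, AuthZ, Payload Signed
}

func certBody(e string, k ed25519.PublicKey) []byte { return []byte(fmt.Sprintf("%s|%x", e, k)) }

// Validate: certificate against the C.A. key, revocation, then each part against the entity key.
func Validate(tx Transaction, ca ed25519.PublicKey, revoked map[string]bool) error {
	if len(tx.EntityKey) != ed25519.PublicKeySize || !ed25519.Verify(ca, certBody(tx.Entity, tx.EntityKey), tx.CertSig) {
		return errors.New("certificate not issued by the HIE certificate authority")
	}
	if revoked[tx.Entity] {
		return errors.New("entity certification revoked")
	}
	for _, p := range []Signed{tx.AuthN, tx.AuthZ, tx.Payload} {
		if !ed25519.Verify(tx.EntityKey, []byte(p.Body), p.Sig) {
			return errors.New("assertion or payload not signed by the certified entity")
		}
	}
	return nil
}

// Sample builds a constructed transaction and returns it with the C.A. public key.
func Sample() (Transaction, ed25519.PublicKey) {
	caPub, caPriv, _ := ed25519.GenerateKey(nil)
	pub, priv, _ := ed25519.GenerateKey(nil)
	s := func(b string) Signed { return Signed{b, ed25519.Sign(priv, []byte(b))} }
	return Transaction{"Seaview Hospital", pub, ed25519.Sign(caPriv, certBody("Seaview Hospital", pub)),
		s("authn: Dr. Beth Cramer"), s("authz: purpose=Transfer of Care"), s("CCD: John Smith")}, caPub
}

func main() { tx, ca := Sample(); fmt.Println(Validate(tx, ca, nil)) }
```

The access-control decision on role and purpose belongs to the recipient's own policy and should run only after `Validate` returns nil.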

17 Summary
• The Core CS-HIE Services are intended to provide
   1. A trust infrastructure in which parties can determine the authenticity of HIE transactions that they receive from arbitrary counterparties
   2. A directory infrastructure in which parties can determine where and how to direct HIE transactions intended for specific recipients via the internet
• Much technical and policy work remains to flesh out the design of these services
   – Define the policies surrounding the HIE certificate authority and the granting of Entity Registry entries
   – Define the technical design of Entity Registry entries and Provider Directory entries
   – Define the technical design of authentication and authorization assertions
   – More…

18 Questions Sujansky & Associates, LLC www.sujansky.com

