Privacy on FHIR [PoF] Storyboard
Kathleen Connor
VA [ESC]
February 2015 HEART
NOTE – Acronym List in Appendix

Privacy on FHIR, the Learning Health System, and the Health Internet of Things
• Privacy on FHIR [PoF] is a project jointly sponsored by the Office of the
National Coordinator [ONC] and the Veterans Affairs [VA] and multiple other
partners that exercises emerging standards, architectures, frameworks, and
information technology being deployed to enable the Learning Health
System.
• The Learning Health System is in many ways an ecosystem of symbiotic
health entities that create “a closed loop between health care and health
and wellness, each of which is supported by a set of data and institutions.”
• JASON Data for Individual Health, page 19

Purpose – PoF Storyboard Walk-Through
• PoF Demo Focus is a Patient-centric Health Internet of Things [HIoT] Ecosystem
• Patient Alice is a veteran RN with a complex health history
• Alice’s HIoT is an ecosystem of FHIR Resource based interactions
• Alice is HIoT savvy; nevertheless, her HIoT management requires the support of a variety of
mechanisms, including
• The ability to control which Resources are made available
• The ability to control HIoT Client access and use of her Resources
• A single point of access from which to control how HIoT Resource Servers and Clients interact
• A single point from which to manage her consent directives
• Key take-away –
• How UMA can enable patient control of how health information is accessed and used
• UMA interactions are very dependent upon the Privacy/Security Domains in which they are deployed

PoF Assumptions
• Patient HIoT participants include [0…*]:
• Provider supplied MU patient portals
• Patient selected PHRs
• Provider selected Apps
• Patient selected Apps
• Patient selected User Managed Access Authorization Server [UMA AS] by which Patient
can delegate requests to Access Patient controlled Resource Servers
• Consent Directive Management Service [CDMS] by which the Patient is able to
manage access and use per governing privacy policies, i.e.,
• 42 CFR Part 2 [Substance Abuse information] and Title 38 Section 7332 [Veteran sensitive
information] – Require Patient Consent for Disclosure
• HIPAA requires authorization and consent under some circumstances such as disclosure to HIE,
but generally permits covered entities [CE] to access for Treatment, Payment, and Operations
[TPO]
• Patient Right of Access – once the Patient takes possession of a copy of a HIPAA record, the
patient has total control of disclosures

Alice’s Health History
• Alice is an enlisted RN who was discharged by MHS after serving in combat to VA care.
• Prior to enlisting, Alice underwent substance abuse treatment for alcohol abuse in a 42 CFR Part 2 facility.
• She continues to see a counselor at that facility who monitors her ongoing sobriety, and coordinates with the VA pain management specialist to ensure her compliance.
• When she first joined the military and began receiving care through MHS, Alice was diagnosed with Type 2 Diabetes.
• During her deployment, she sustained a service-related injury, which requires ongoing pain management.
• In addition, she was diagnosed with PTSD for which she continues to receive counseling and medications.
• The VA now provides her post-deployment service-related injury care, including pain management, physical therapy, and counseling and medications for PTSD.

Alice’s Health History
• Like all VA patients, she was offered HIV testing as part of VA standard of care. Alice was diagnosed with HIV, which she likely contracted while caring for wounded service personnel. She is in remission and continues to receive HIV treatment from the VA.
• For her preventive and general health care, Alice sees her Tricare PCP for Diabetes and high blood pressure. Her PCP is aware that Alice is being treated for service-related injuries in the VA, including pain management. However, Alice has not shared her HIV, PTSD, or substance abuse conditions with her PCP.
• Alice volunteers with Doctors without Borders [MSF] during her leave time from the military, and is ready to deploy to a MSF HIV clinic.
• Her PCP has referred her to an Endocrinologist, who practices at a major hospital near that clinic, to treat her for diabetes while she is deployed.
• She is conscientious about keeping her vaccinations up to date including those required for deployment, and general preventive care, e.g., HPV for cervical cancer.
[Figure: timeline 2004 to 2014 of Alice’s providers and the information each holds. Substance abuse Providers A and B: ETH. MHS: Diabetes, pain management, PTSD counselling, PTSD med (DIA, PAIN, ETH, PSY). VA: Pain management, physiotherapy, PTSD counselling, PTSD med, HIV treatment, HPV immunization (DIA, PSY, PAIN). Tricare: Diabetes, hypertension, HPV immunization (IZ, DIA). MSF: Diabetes (DIA).]

Alice’s Key Health Information
Alice’s DX, Meds, and IZ:
Alice’s DX                 | Alice’s Meds              | Alice’s IZ
BP: High                   | BP: Lisinopril, aspirin   | Hepatitis A
DIA: Type 2 Diabetes       | DIA: Metformin            | Hepatitis B
ETH: Alcohol & Drug Abuse  | ETH: Antabuse             | HPV
HIV: Remission             | HIV: Antiretrovirals      | Influenza
PAIN: Back injury          | PAIN: Oxycodone           | Malaria
PSY: PTSD                  | PSY: Zoloft               | Meningococcal
                           |                           | MMR
                           |                           | Tetanus
                           |                           | TB
                           |                           | Small Pox
                           |                           | Yellow Fever
Alice is aware that substance abuse and HIV are generally sensitive health information, and that HIV and HPV vaccinations are particularly controversial in the country to which she is being deployed. So she would like to sequester that information from those who have no need to know.

PoF Storyboard Scenarios
PoF has several interdependent Storyboards with UMA AS mediated
Authorization
• Apps on FHIR [AoF] – App2Patient, App2Provider, App2HIE
• HIE on FHIR [HoF] – Provider2Provider, Provider2HIE,
Patient2Provider, Patient2HIE, App2HIE
• Consent on FHIR [CoF] – Consent2Provider, Consent2Patient,
Consent2UMA AS

Alice’s UMA Authorization Server [UMA AS]
This part of the storyboard describes the various ways in which Alice is able to control how a variety of HIoT are able to share information among themselves from a single point of internet contact that solves her multiple portal problem.
Alice uses her UMA AS for the following purposes:
• To control requesters’ access to her consent directives
• To introduce actors in her HIoT to one another in order to control the sharing of her information
• To catalog the types of information that these actors may access and to capture any disclosures orchestrated by her UMA AS
• To stipulate Handling Caveats [UMA Obligations]
• Possibility of enabling UMA AS to manage Resource encryption keys to enforce the permitted uses.
[Figure: UMA roles in Alice’s HIoT. Alice, as MHV Account Owner and resource owner, consents to share some MHV FHIR Resources with UMA authorized Apps. MHV is the resource server, protected by Alice’s UMA AS (authorization server); a Vetted Health App Store supplies the App client, whose account Alice also owns, acting as requesting party. Arrows: manage, control consent, protect, negotiate, authorize, access, manage client.]

Alice’s UMA Storyboard
• To orchestrate and control the information flows among her HIoT,
Alice introduces her UMA AS to her HIoT Resource Servers
• Resource Servers register Alice’s health information Resources,
which may be:
• Registered at a more or less granular level depending on custodial policies –
e.g., Alice may register some/all of her PHR Resources at a granular level
while her Provider’s EHR may register Alice’s entire record as a Resource
Bundle
• Registered as opaque identifiers to prevent privacy leakage, e.g., Resource
URL vs. Alice’s HIV test result Resource instance
• Alice authorizes her UMA AS to allow Clients to access her
Resources
• Clients may be specified at the User, Role, Organizational Level

Alice’s UMA Storyboard
• Clients must be conformant to the UMA Binding Obligations on User-Managed
Access (UMA) Participants clauses in Section 2.2, which include the Clients’
obligations [aka Handling Caveats] to:
• Adhere to any terms it agreed to in order to gain the permission, e.g.:
• Encrypt in transit, in use and at rest
• No collection for purposes other than agreed to
• No redisclosure without consent
• Stand behind any factual representation it makes in order to gain the
permission
• Supply or facilitate access to truthful claims required for access authorization
• Represent the legitimate bearer of the RPT and not to allow others to
impersonate the Requesting Party
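The registration and client-authorization flow of the two slides above, as an added Python example that is not from the PoF deck or from any UMA implementation. It models a Resource Server for Alice’s PHR that registers Resources granularly and a Provider EHR that registers her whole record as one Bundle, both under opaque identifiers so the UMA AS never learns a FHIR URL; Alice’s policy names Clients at the user, role or organizational level, and a Client that has not accepted the Handling Caveats gets no permission. The class names, the two FHIR URLs and the client identities are constructed for this illustration.

```python
"""Added example, not from the PoF deck: a toy UMA AS / Resource Server pair.
Class names, URLs and client identities are constructed for illustration."""
import secrets
from dataclasses import dataclass

# Handling Caveats [UMA Obligations] that a Client must accept (slide text).
HANDLING_CAVEATS = frozenset({
    "encrypt in transit, in use and at rest",
    "no collection for purposes other than agreed to",
    "no redisclosure without consent",
})


@dataclass
class Client:
    user: str
    role: str
    org: str
    accepted_obligations: frozenset = frozenset()


class UmaAuthorizationServer:
    """Sees only opaque resource ids, scopes, Alice's policies and an audit log."""

    def __init__(self):
        self._scopes = {}     # opaque id -> allowed scopes
        self._policies = {}   # opaque id -> [(level, value, scopes)]
        self.audit = []       # disclosures orchestrated by the AS

    def register(self, scopes):
        rid = secrets.token_urlsafe(16)   # opaque: reveals nothing about content
        self._scopes[rid] = frozenset(scopes)
        return rid

    def add_policy(self, rid, level, value, scopes):
        """Alice specifies Clients at the User, Role or Organizational level."""
        if level not in ("user", "role", "org"):
            raise ValueError(level)
        self._policies.setdefault(rid, []).append((level, value, frozenset(scopes)))

    def authorize(self, rid, client, scope):
        if scope not in self._scopes.get(rid, ()):
            return False, "unknown resource or scope"
        if not HANDLING_CAVEATS <= client.accepted_obligations:
            return False, "client has not accepted the binding obligations"
        for level, value, scopes in self._policies.get(rid, []):
            if getattr(client, level) == value and scope in scopes:
                self.audit.append((rid, client.user, scope))   # capture the disclosure
                return True, "permitted"
        return False, "no matching policy: default deny"


class ResourceServer:
    """Keeps the opaque id -> FHIR URL mapping; the AS never sees the URL."""

    def __init__(self, uma_as):
        self.uma_as = uma_as
        self._by_id = {}

    def register(self, fhir_url, scopes):
        rid = self.uma_as.register(scopes)
        self._by_id[rid] = fhir_url
        return rid

    def fetch(self, rid, client, scope="GET"):
        ok, reason = self.uma_as.authorize(rid, client, scope)
        return (self._by_id[rid] if ok else None), reason


def demo():
    uma_as = UmaAuthorizationServer()
    phr = ResourceServer(uma_as)   # Alice's PHR: granular registration
    ehr = ResourceServer(uma_as)   # Provider EHR: whole record as one Bundle
    # Constructed URLs, not real endpoints.
    hiv_rid = phr.register("https://phr.example/fhir/Observation/hiv-result", {"GET"})
    bundle_rid = ehr.register("https://ehr.example/fhir/Bundle/alice-record", {"GET", "PUT"})

    uma_as.add_policy(bundle_rid, "org", "VA", {"GET", "PUT"})        # organizational level
    uma_as.add_policy(hiv_rid, "user", "alice-counselor", {"GET"})    # user level

    va_app = Client("va-pain-clinic", "provider", "VA", HANDLING_CAVEATS)
    pcp = Client("tricare-pcp", "provider", "Tricare", HANDLING_CAVEATS)
    careless = Client("fit-app", "app", "FitCo")   # never accepted the caveats

    return {
        "va_reads_bundle": ehr.fetch(bundle_rid, va_app)[0] is not None,
        "pcp_reads_bundle": ehr.fetch(bundle_rid, pcp)[0] is not None,
        "careless_reason": ehr.fetch(bundle_rid, careless)[1],
        "as_holds_no_urls": all("://" not in rid for rid in uma_as._scopes),
        "audit_entries": len(uma_as.audit),
    }


if __name__ == "__main__":
    print(demo())
```

The split of state is the point: the AS holds policy and the audit trail keyed by opaque ids, the Resource Server alone can turn an id back into a FHIR URL, so a compromised or curious AS learns that Alice has a registered Resource but not that it is an HIV result.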

Apps on FHIR [AoF]
• This part of the storyboard describes Alice’s HIoT, and how Alice’s UMA AS
enables their authorized interactions so that Alice can control which Apps
may exchange information among themselves, with authorized HIOs, and
with various repositories of health information under Alice’s control.
• In addition, the content and capabilities of each App are described.

Alice’s HIoT – UMA Enabled Authorization
HIoT Resource Server   HIoT Client [Apps & other Users]   UMA Authorized Interaction Type   UMA Authorized Shared FHIR Resource
MHV                    Tricare Portal                     PUT/GET                           DIA|PAIN
                       IZ App                             PUT                               IZ except HPV
                       MED App                            PUT/GET                           HR|DIA|PAIN|OTC
Tricare Portal         MHV                                PUT/GET                           HR|DIA|MED (BP|DIA|PAIN)
NwHIN HIE              HR App                             PUT                               HR
                       DIA App                            PUT                               BP|DIA|MED (BP|DIA|PAIN)
                       IZ App                             PUT                               IZ except HPV
HR App                 DIA App                            PUT                               HR
                       FIT App                            PUT                               HR
DIA App                Tricare Portal                     PUT                               DIA
FIT App                MHV                                PUT                               ACTIVITY|BMI|BP|HR|OXY
                       DIA                                PUT                               ACTIVITY|BMI|BP|HR|OXY
                       HR App                             PUT                               HR
MED App                MHV                                PUT/GET                           MED [BP|DIA|PAIN]
                       DIA                                PUT                               MED [BP|DIA|PAIN]
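The table above read as a policy, in an added Python example that is not from the PoF deck: a default-deny check of one requested interaction against a transcribed subset of the rows, including the "IZ except HPV" carve-out that follows from Alice’s wish on the Key Health Information slide and the MED rows scoped to (BP|DIA|PAIN). The function and field names and the `detail` argument are constructed for this illustration.

```python
"""Added example, not from the PoF deck: the slide's access matrix as a
default-deny policy. Names and the `detail` argument are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    resource_server: str
    client: str
    methods: frozenset      # UMA authorized interaction types
    categories: frozenset   # shared FHIR resource categories
    sub_scope: frozenset    # conditions a MED entry may relate to, e.g. (BP|DIA|PAIN)
    excluded: frozenset     # carve-outs such as "IZ except HPV"


def rule(rs, client, methods, cats, sub=(), excluded=()):
    return Rule(rs, client, frozenset(methods.split("/")), frozenset(cats),
                frozenset(sub), frozenset(excluded))


# Subset of the table above, transcribed row by row.
MATRIX = [
    rule("MHV", "Tricare Portal", "PUT/GET", ["DIA", "PAIN"]),
    rule("MHV", "IZ App", "PUT", ["IZ"], excluded=["HPV"]),
    rule("MHV", "MED App", "PUT/GET", ["HR", "DIA", "PAIN", "OTC"]),
    rule("Tricare Portal", "MHV", "PUT/GET", ["HR", "DIA", "MED"], sub=["BP", "DIA", "PAIN"]),
    rule("FIT App", "MHV", "PUT", ["ACTIVITY", "BMI", "BP", "HR", "OXY"]),
    rule("MED App", "MHV", "PUT/GET", ["MED"], sub=["BP", "DIA", "PAIN"]),
]


def decide(rs, client, method, category, detail=None):
    """Return (allowed, reason) for one interaction.

    `detail` names the immunization (e.g. "HPV") or the condition a
    medication relates to (e.g. "PTSD"); None when not applicable.
    """
    for r in MATRIX:
        if (r.resource_server, r.client) != (rs, client):
            continue
        if method not in r.methods:
            return False, f"{method} not authorized for {client} on {rs}"
        if category not in r.categories:
            return False, f"{category} is not shared between {rs} and {client}"
        if detail in r.excluded:
            return False, f"{category} shared except {detail}"
        if category == "MED" and r.sub_scope and detail not in r.sub_scope:
            return False, "MED shared only for " + "|".join(sorted(r.sub_scope))
        return True, "authorized by Alice's UMA AS policy"
    return False, f"no policy registered for {client} on {rs}: default deny"


def demo():
    """A few decisions worth spelling out against the table."""
    return {
        "iz_flu": decide("MHV", "IZ App", "PUT", "IZ", "Influenza"),
        "iz_hpv": decide("MHV", "IZ App", "PUT", "IZ", "HPV"),
        "portal_hiv": decide("MHV", "Tricare Portal", "GET", "HIV"),
        "med_ptsd": decide("MED App", "MHV", "PUT", "MED", "PTSD"),
        "med_dia": decide("MED App", "MHV", "GET", "MED", "DIA"),
        "fit_reads_mhv": decide("MHV", "FIT App", "GET", "HR"),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:14} {'ALLOW' if ok else 'DENY '} {why}")
```

Note that a FIT App asking MHV for HR is denied even though the table lets the FIT App push HR to MHV: every (resource server, client) pair is a separate row, and a pair with no row falls through to default deny. The MED rows show why a category alone is not a sufficient scope; the PTSD medication never leaves the MED App because the sub-scope restricts MED to the three conditions Alice chose to share.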

UMA Authorization in HoF
• HIE on FHIR [HoF] permits Alice to control access to her records except where her Consent Directives override that Authorization by law or organizational policy
• I.e., Alice may authorize a 42 CFR Provider to access her 42 CFR Resources via UMA, but the QSO HIE would not disclose if the Provider is not authorized per Alice’s Consent Directive
• Alice is able to control Privacy Leakage by ensuring that her Resource Servers only register sensitive information by opaque identifier or only at a coarse grain level – e.g., Alice’s Record, not Alice’s ETH Resources
[Figure: UMA AZ grants and Consents among Tricare PCP, ENDO, 42 CFR Part 2 Facility, QSO HIE and VA. UMA AZ: VA to share Alice’s DIA, PAIN via NwHIN HIE with Tricare PCP & ENDO; VA to share Alice’s ETH|PAIN via QSO HIE with specific 42 CFR Part 2 Provider; Tricare PCP to share Alice’s DIA via NwHIN HIE with ENDO; ENDO to share Alice’s DIA via NwHIN HIE with Tricare PCP; 42 CFR Provider to access Alice’s Records with QSO HIE and with other 42 CFR Provider & VA. Consents: 42 CFR Provider [ETH|PAIN|MED (ETH|PAIN)] to QSO HIE, to 42 CFR Providers & VA; QSO <=> VA [ETH|PAIN|MED (ETH|PAIN)] via QSO HIE to 42 CFR Provider; Tricare: DIA to NwHIN HIE for ENDO; ENDO: DIA to NwHIN HIE for Tricare PCP; VA => [DIA, PAIN] to NwHIN HIE for Tricare PCP & ENDO.]

Consent on FHIR [CoF]
UMA Authorization protects access to Consent Directives.
Patient Right of Access enables Alice to collect and manage her FHIR Consent Directives in her choice of Patient Controlled Resource Server – e.g., MHV.
Alice is then able to control access to all of her consent directives via UMA.
[Figure: VA 7332 HIE Consent, 42 CFR HIE Consent and VA HIPAA HIE Consent flow, under Patient Right of Access, from the CDMS into MHV; UMA AZ then releases them to Authorized Clients: to Tricare ENDO and PCP, to 42 CFR, and to VA.]

UMA Authorizations and Obligations Must Align with Security and Privacy Domain Policies
UMA AS authorizations and obligations can be more restrictive, but not less restrictive than the S&P Domains in which they are enacted.
E.g., even if the Patient authorizes a Client to access 42 CFR Part 2 Resources, the Resource Server would not disclose without the Patient’s Consent.
More Restrictive than HIPAA (Title 38 Section 7332 | 42 CFR Part 2 | Preemptive State Privacy Laws):
• CD required for:
  · TPO
  · HIE sharing
  · HCs flow downstream – e.g., no redisclosure w/o CD
HIPAA (Consent Directive):
• No CD for CE TPO
• CD for:
  · Psychiatric Notes
  · Research, Marketing
  · Disclosure to non-CE
  · HIPAA Auth
  · Patient Requested & CE approved Restrictions
  · Self-Paid
  · VDT
Non-HIPAA:
• Contract of Adhesion – Sharing per Dominant Party, e.g., Auto/Life Insurer, Worker Comp, or SSA
• Patient has no control on subsequent sharing via CD/HC
Patient Controlled Resource Servers – e.g., PHRs, MU Patient Portals for VDT [Patient Right of Access]:
• Patient Preferences control sharing and HCs via CD – information shared governed by receiving domain
• Future – Control HC via Keys
HIoT - Apps:
• Contract of Adhesion – Sharing per Dominant Party
• No Support for Patient CD/HC
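The layering described on this slide and on the HoF and CoF slides before it, as an added Python example that is not from the PoF deck: a Resource Server first checks the UMA grant, then applies its own S&P domain’s consent rule (a Consent Directive is required for everything in the 42 CFR Part 2 and Title 38 Section 7332 domains, only for non-TPO or non-CE disclosures under HIPAA, and is unsupported in a Non-HIPAA domain), and finally attaches obligations as the union of the domain’s floor and the grant’s own caveats, so the grant can tighten the domain policy but never loosen it. The domain labels, purpose strings, obligation strings and the two Resource Servers are assumptions constructed for this illustration.

```python
"""Added example, not from the PoF deck: a Resource Server that layers the
UMA grant over its own Security & Privacy domain. Domain labels, purpose
strings and obligation strings are assumptions for this illustration."""
from dataclasses import dataclass

# Obligation floor each domain imposes on a recipient (assumed values, following
# the slide: in the Part 2 / 7332 domains Handling Caveats flow downstream).
DOMAIN_MIN_OBLIGATIONS = {
    "42 CFR Part 2": frozenset({"no redisclosure without consent"}),
    "Title 38 Section 7332": frozenset({"no redisclosure without consent"}),
    "HIPAA": frozenset(),
    "Non-HIPAA": frozenset(),
}


@dataclass(frozen=True)
class UmaGrant:            # what Alice's UMA AS authorized
    client: str
    categories: frozenset
    obligations: frozenset


@dataclass(frozen=True)
class ConsentDirective:    # what Alice consented to, held in her CDMS / MHV
    recipient: str
    categories: frozenset


@dataclass
class ResourceServer:
    name: str
    domain: str
    grants: list
    consent_directives: list


def consent_required(domain, recipient_is_ce, purpose):
    """Does the domain demand a Consent Directive for this disclosure?"""
    if domain in ("42 CFR Part 2", "Title 38 Section 7332"):
        return True                       # CD required even for TPO
    if domain == "HIPAA":
        return not (recipient_is_ce and purpose == "TPO")
    return False                          # Non-HIPAA: no support for CD/HC


def disclose(rs, client, category, purpose="TPO", recipient_is_ce=True):
    """UMA grant first, then the domain's own consent rule, then obligations."""
    grant = next((g for g in rs.grants
                  if g.client == client and category in g.categories), None)
    if grant is None:
        return {"disclosed": False, "reason": "no UMA authorization: default deny"}
    if consent_required(rs.domain, recipient_is_ce, purpose):
        consented = any(cd.recipient == client and category in cd.categories
                        for cd in rs.consent_directives)
        if not consented:
            return {"disclosed": False,
                    "reason": f"{rs.domain} requires the Patient's Consent Directive"}
    floor = DOMAIN_MIN_OBLIGATIONS[rs.domain]
    # The grant may add caveats but can never drop the domain's floor.
    return {"disclosed": True,
            "reason": "UMA grant aligned with domain policy",
            "obligations": sorted(floor | grant.obligations),
            "grant_below_floor": not floor <= grant.obligations}


def demo():
    part2 = ResourceServer(
        "42 CFR Part 2 Facility", "42 CFR Part 2",
        grants=[UmaGrant("QSO HIE", frozenset({"ETH", "PAIN"}),
                         frozenset({"encrypt at rest"})),
                UmaGrant("Tricare PCP", frozenset({"ETH"}), frozenset())],
        consent_directives=[ConsentDirective("QSO HIE", frozenset({"ETH", "PAIN"}))])
    va = ResourceServer(
        "VA", "HIPAA",
        grants=[UmaGrant("Tricare PCP", frozenset({"DIA", "PAIN"}), frozenset())],
        consent_directives=[])
    return {
        "qso_eth": disclose(part2, "QSO HIE", "ETH"),
        "pcp_eth": disclose(part2, "Tricare PCP", "ETH"),      # granted, but no CD
        "va_dia_tpo": disclose(va, "Tricare PCP", "DIA"),       # CE TPO under HIPAA
        "va_dia_marketing": disclose(va, "Tricare PCP", "DIA", purpose="Marketing"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The second case is the slide’s own example: Alice’s UMA AS granted the Tricare PCP access to her ETH Resources, but the Part 2 facility still refuses because no Consent Directive names that recipient. The first case shows the other half of the alignment rule: the grant only asked for encryption at rest, yet the recipient leaves with the no-redisclosure caveat as well, because the domain floor is added rather than replaced.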

Appendix - Acronyms
Acronym | Print Name/Alias | Description
164.522(a) | HIPAA Self Pay | Section 164.522(a)
42 CFR | 42 CFR Part 2 |
Title 38 | Title 38 Section 7332 |
AN | Authentication |
AoF | Apps on FHIR |
AZ | Authorization |
BP | Blood Pressure | Treated with Aspirin
BP App | Blood Pressure App |
CD | Consent Directive |
CDMS | Consent Directive Management System |
CoF | Consent on FHIR |
DIA | Diabetes | Treated with insulin
DIA App | Diabetes App | Measures Glucose. Records Glucose, Meds, BP, FIT
ETH | Alcohol or Drug Abuse / Substance Abuse | Treated with Antabuse
FHIR CD | FHIR Consent Directive |
FIT App | Fitness App | Measures activity, BMI, BP, Heart Rate, Oxygen Level
HoF | HIE on FHIR |
HIoT | Health Internet of Things | Health Devices, clients and resource servers that enable observation of a person’s health, wellness, and healthcare. Note: Per World Economic Forum - Rethinking Personal Data: A New Lens for Strengthening Trust, the observed data collected and used by the IoT is the fastest growing and least regulated body of internet information: 2. Observed data “Observed” data is captured by recording activities of individuals and can be grouped along a continuum of how aware individuals are of its capture and use. Some observed data is actively generated with a general awareness of the individual (browser cookies, credit card transactions, security cameras, location data from mobile device, etc.). Other forms of observational data are more passive and unexpected (RFID chips on automobiles, facial recognition technologies, WiFi scanners at retail establishments, etc.). In general, there is a lack of awareness by individuals regarding how much observed data is being captured about them, how it is being used and the value that can be extracted in selling (and reselling) it. The rise of mediated information systems (particularly mobile phone applications which have access to address books and location data) have made it much easier to observe an array of behaviours and actions. With passively collected data, the sense of ownership and control tends to shift to the institution which originally captured it. The majority of data generated in an “Internet of Things” world will be observed data – driven by sensors that automatically collect as people go about their day.
HIV | Human Immunodeficiency Virus | Treated with antiretrovirals
IZ | Immunization |
IZ App | Immunization App | Records and Reconciles IZ List. Provides IZ recommendations by age, exposure, and travel requirements. Provides IZ information such as instructions, Alerts for Adverse Interactions and Allergies.
MED App | Medication App | Records and Reconciles Medication List. Provides Medication information such as instructions, Alerts for Adverse Interactions and Allergies.
MHV | MyHealtheVet | VA PHR
NPP | HIPAA Notice of Privacy Practices | Implied consent for disclosures permitted under HIPAA
OTC | Over the Counter Drugs | Alice uses Aspirin for her heart condition. She can also scan and enter other OTCs through her MED App to upload to her authorized HIoTs.
PAIN | Pain Management | Oxycodone
PCP | Primary Care Provider |
PTSD | Post-traumatic stress disorder | Treated with Anti-anxiety medication
Portal | Tricare PCP Portal | The patient controlled capability to view, download and transmit their Tricare health record in accordance with Meaningful Use requirements
PRA | Patient Right of Access | HIPAA Patient right to access own health information. Meaningful Use requires that participating providers support patient portal that enables patients to view, download and transmit their health