slide1
Download
Skip this Video
Download Presentation
User Story Example (1)

Loading in 2 Seconds...

play fullscreen
1 / 26

User Story Example (1) - PowerPoint PPT Presentation


  • 139 Views
  • Uploaded on

Report to the HITPC Security and Privacy Tiger Team S&I Framework Data Segmentation for Privacy Initiative Pilots 3/10/2014. User Story Example (1).

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' User Story Example (1)' - akio


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1

Report to the HITPC Security and Privacy Tiger TeamS&I Framework Data Segmentation for Privacy Initiative Pilots 3/10/2014

user story example 1
User Story Example (1)

 The Patient receives care at their local hospital for a variety of conditions, including substance abuse as part of an Alcohol/Drug Abuse Treatment Program (ADATP).

 Data requiring additional protection and consent directive are captured and recorded. The patient is advised that the protected information will not be shared without their consent.

user story example 2
User Story Example (2)

 A clinical workflow event triggers additional data to be sent to Provider/Organization 2. This disclosure has been authorized by the patient, so the data requiring heightened protection is sent along with a prohibition on redisclosure.

 Provider/ Organization 2 electronically receives and incorporates patient additionally protected data, data annotations, and prohibition on redisclosure.

hl7 implementation guide data segmentation for privacy ds4p release 1
HL7 Implementation Guide: Data Segmentation for Privacy (DS4P), Release 1

DS4P Standard

  • Completed Normative Ballot in Jan 2014 and was successfully reconciled in Feb 2014. HL7 approved the final standard for publication and are processing with ANSI.
  • The standard uses document level tagging to convey confidentiality levels and obligations.
  • The standard uses vocabularies to convey specific meanings, such as “Do not re-disclose without consent” or “This document is restricted”.
hl7 implementation guide data segmentation for privacy ds4p release 11
HL7 Implementation Guide: Data Segmentation for Privacy (DS4P), Release 1

DS4P Standard

  • Contains three volumes:
    • Content Specification
    • DS4P with Direct
    • DS4P with Exchange
volume 1 cda r2 and privacy metadata reusable content profile
Volume 1: CDA R2 and Privacy Metadata Reusable Content Profile

DS4P Standard

  • Contains templates and reusable building blocks for the transport specifications.
    • The reusable building blocks may be applied to other information exchange standards
  • Enables the association of information object (e.g. document) with security labels, which can be linked to privacy policies.
  • Supports the requirement to specify the provenance of clinical data contained in the structured content of a clinical document.
volume 2 nwhin direct transport profile and volume 3 nwhin exchange transport profile
Volume 2 : NwHIN Direct Transport Profile, andVolume 3: NwHIN Exchange Transport Profile

DS4P Standard

  • Transport Profiles containing transport specific constraints based on the reusable building blocks.
  • The constraints are applied to the transport-specific metadata (e.g. Document Sharing /XDS Metadata used by Exchange, and XDM Metadata used by Direct).
  • The generic transport-specific metadata were added to the underlying technical framework (i.e. IHE ITI Vol. 3)
selected standards
Selected Standards

Selected Standards

va samhsa pilot
VA/SAMHSA Pilot:

Pilot Accomplishments

  • The pilot was successfully tested and demonstrated in multiple venues, including the Interoperability showcase at HIMSS 2013 and the HL7 Plenary meeting in Baltimore, September 2013.
  • VA have extended the DS4P capabilities to demonstrate utilization of FHIR for DS4P (demonstrated at HL7 in Jan 14, in real time, using resources from Australia, Canada and USA).
netsmart pilot
NETSMART Pilot:

Pilot Accomplishments

  • The pilot was successfully tested and demonstrated in multiple venues, including the Interoperability showcase at HIMSS2013.
  • The Netsmart DS4P Part 2 solution has been implemented with the community services referral network in Tampa Bay (2-1-1 system), helping them manage restricted data associated with programs regulated by 42 CFR part 2.
jericho systems university of texas conemaugh pilot
Jericho Systems / University of Texas/Conemaugh Pilot:

Pilot Accomplishments

  • Utilized an external patient consent repository to provide machine readable consent directives that can be processed according to various privacy policies as part of any automated release of PHI on the eHealth Exchange. 
  • The pilot used standards based message formats, consistent with current healthcare standards to support patient consent over released PHI, including segmented data. 
slide14
CERNER BH (Formerly SATVA Pilot):Included Cerner Anasazi, Valley Hope Association, Defran Systems, Inc. and HEALTHeLINK

Pilot Accomplishments

  • Cerner recently reported their Behavioral Health solution will have DS4P (using Direct) incorporated into full production for release in April of this year.
  • At HIMSS 2014 Cerner demonstrated marked-up CCDs being sent from the Cerner BH solution to the Cerner Millennium (large scale, general medical) solution.
  • Demonstrated ability to send notice of prohibition on re-disclosure (as required by 42 CFR part 2)
  • The Cerner Millennium solution design teams have begun work to recognize and process the DS4P marked-up data received from the Cerner BH solution.  Their expectation is to include this functionality in a production release later this year.
conclusion1
Conclusion:
  • Data segmentation standards are readily available, normative standards. They utilize widely adopted vocabularies to allow BH systems to better control how the information is handled.
  • Pilots have demonstrated ability to mark data and to accompany data with requisite notice at the document level.
  • One major vendor expects to include sending, receiving and processing BH information, using DS4P functionality, in a production release later this year (BH to general EHR)
contact information
Contact Information

Thank you!

Johnathan Coleman, CISSP, CISM

Initiative Coordinator, Data Segmentation for Privacy

Principal, Security Risk Solutions Inc.

698 Fishermans Bend,

Mount Pleasant, SC 29464

Email: [email protected]: (843) 647-1556

Ioana Singureanu, MS

Standards SME, Data Segmentation for Privacy

Principal, Eversolve LLC

8 Woodvue Road, Windham, NH 03087

Email: [email protected]

Tel: (603) 548 5640

Julie Chua, PMP, CAP, CISSP

Office of the Chief Privacy Officer

Office of the National Coordinator for Health Information Technology

Department of Health and Human Services

Email: [email protected]: (202) 690-3911

17

layered approach for privacy metadata
Layered Approach for Privacy Metadata

Technical Approach

  • “Russian doll” concept of applying metadata with decreasing specificity as layers are added to the clinical data.
  • Privacy metadata uses standards to convey:
    • Confidentiality of data in clinical payload
    • Obligations of receiving system
    • Allowed purpose of use
types of privacy metadata used by ds4 p
Types of Privacy Metadata used by DS4P

Technical Approach

  • Purpose of Use:
    • Defines the allowed purposes for the disclosure (e.g. Treatment, Emergency Treatment etc).
  • Obligations:
    • Refrain Codes: Specific obligations being placed on the receiving system (e.g. do not re-disclose without consent)
  • Confidentiality Codes:
  • Used by systems to help convey or enforce rules regarding access to data requiring enhanced protection. Uses “highest watermark” approach.
system behavior
System Behavior

Technical Approach

Process privacy metadata associated with health information received from other organizations

Identify Information that is further restricted

Identify third-party protected information before re-disclosure

Verify the patient’s privacy consent allows the disclosure of protected information

Verify patient’s consent before re-disclosure of protected health information

Add privacy metadata to health information to be disclosed to other organization

RECEIVING SYSTEM: Provider/Healthcare Organization B

SENDING SYSTEM: Provider/Healthcare Organization A

requirements of sending system
Requirements of Sending System

Technical Approach

- LOINC Document Type/Datatype for CDA

- ASC X12 4010/5010 for Healthcare Provider & facility types and Healthcare Coverage Type

- SNOMED-CT for Protected diagnoses/problems

Identify Information that is further restricted

Verify the patient’s privacy consent allows the disclosure of protected information

  • Query for consent directive location (optional)
  • Query for consent directive (optional)
  • Check HL7 CDA R2 PCD
  • - HL7 Confidentiality Code: for CDA (N,R,V)
  • HL7 Refrain Code: (e.g. prohibition on re-disclosure without consent)
  • HL7 Purpose of Use: The purpose for the information disclosure (e.g. support treatment, payment, operations, research, etc.)
  • URL or XACML Pointer for Policy Reference if needed

Add privacy metadata to health information to be disclosed to other organization

SENDING SYSTEM: Provider/Healthcare Organization A

response to hitsc s p wg
Response to HITSC S&P WG

Excerpt from 6/29/2012 Report

*The Policy Pointer can be included in the IHE XD* metadata or in the Patient Consent Directive.

response to hitsc s p wg1
Response to HITSC S&P WG

Excerpt from 6/29/2012 Report

* DS4P approach uses HL7 confidentiality codes as metadata to describe sensitivity.

* Initial approaches recommended for piloting focus on using either the Patient Consent Directive as expressed using CDA or by specifying a confidentiality code within the IHE XDS/XDR/XDM metadata.

response to hitsc s p wg2
Response to HITSC S&P WG

Excerpt from 6/29/2012 Report

ad