slide1 n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
VA-SAMHSA DS4P Pilot Demonstrations PowerPoint Presentation
Download Presentation
VA-SAMHSA DS4P Pilot Demonstrations

Loading in 2 Seconds...

play fullscreen
1 / 37

VA-SAMHSA DS4P Pilot Demonstrations - PowerPoint PPT Presentation


  • 130 Views
  • Uploaded on

Veterans Health Administration Healthcare Information Governance. Emerging Health Technologies Advancement Center (EHTAC) HIMSS 2013 Interoperability Showcase Demonstration Playbook Duane DeCouteau Senior Software Engineer (Edmond Scientific). Data Segmentation for Privacy Initiative.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'VA-SAMHSA DS4P Pilot Demonstrations' - callia


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1

Veterans Health AdministrationHealthcare Information Governance

Emerging Health Technologies Advancement Center (EHTAC)

HIMSS 2013 Interoperability Showcase Demonstration Playbook

Duane DeCouteauSenior Software Engineer (Edmond Scientific)

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot Demonstrations

slide2

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Table of Contents

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide4

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Platforms

Primary Presentation Station

Mobility

  • Tablets #1-3 (Primary)
  • SAMHSA – VA Exchange
  • VA Prototypic Portal
  • Mitre Patient Consent
  • FEIsystems REM
  • Jericho PDP
  • Emergency Use Case
  • VA Direct – Third Party
  • VA Prototypic Portal
  • Mitre Patient Consent
  • FEIsystems REM
  • Jericho PDP
  • VA Repository
  • No Redisclosure
  • Tablet #4
  • VA Direct – Third Party
  • VA Prototypic Portal
  • Jericho Patient Consent
  • VA Repository
  • Jericho PDP
  • Tablet #5
  • VA Direct – Third Party
  • VA Prototypic Portal
  • HIPAAT Patient Consent
  • VA Repository
  • HIPAAT Policy Engine
  • Kiosk 11-1
  • FEISystems REM (EHR)
  • Clinical Rules Manager
  • Privacy Rules Manager
  • Security and Privacy Administration
  • Security Labeling Service (SLS)
  • Document Orchestration
  • Detailed Access Control Information

[ Bull Pen ]

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide5

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Supporting Patient Consent Management Systems

Mitre Corporation DS4P GUI

Jericho Systems Patient Portal

MyConsentMinder

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide6

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Clinical and Use Configuration(s)

Patients

PUI100010060001    

AsamplePatientone, 42 Male

Active Problems

Type 2 Diabetes

Asthma

CononaryAtery Atheroma

Hyperlipidemia

Hypertension

Acute HIV

Substance Abuse

Active Medications

Bupropion Hydrochloride

Zidovudine

PUI100010060007

AsamplePatienttwo,  32  Male

Active Problems

Psychotic Disorder

Persistent Alcohol Abuse

Diabetes mellitus type 2

Sickle Cell Anemia

Active Medications

Thorazine

Metformin 

Hydroxyurea

PUI100015060013            

AsamplePatienthree,   27           Female                

Active Problems

Anorexia nervosa (disorder)

Obsessive compulsive personality disorder (disorder) 

Active Medications

Sertraline 20 MG/ML Oral Solution [Zoloft] [861066]

PUI100015060014            

AsamplePatienfour,      42           Male     

Active Problems

Acute stress disorder (disorder)

Major depressive disorder (disorder)   

Active Medications

Sertraline 20 MG/ML Oral Solution [Zoloft] [861066]

User/Use Case Assignments

Additional Patients

JERICHO TEST – Patient Consent Only

HIPAAT TEST – Patient Consent Only

DrDuane/DrBurak/DrMike/DrMichael/DrDavid/DrKel–

AsamplePatientone

Use Cases

Share Partial

Emergency Treatment

DrMike/DrDuane - AsamplePatienttwo

Use Cases

Share All

DrDavid/DrMichael - AsamplePatientthree

Use Cases

Patient Changes Mind

DrKel/DrBurak - AsamplePatientfour

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide7

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Basics

Login Screen

(Username and Password

Provided by VA Development Team)

Logout Option

(System will automatically logout User

after 30 minutes of inactivity)

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide8

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Basics

Tablet Navigation Bar

Test Patient Selection

eHealth Exchange

VA – SAMHSA

Document Query and

Document Retrieve

User Profile/Credentials/Workflow

(For Demonstration

only Purpose of Use (POU)

is allowed to be modified)

Not Implemented

eHealth Direct

VA – SAMHSA – Third Party

Providers Inbox

of Processed Documents

(Note: XDM Packages must be processed

via Reference Model)

Logout

(End User Session)

Access Control Decisioning

View: Policy Decision, Obligations,

Generated Annotated Rules, Executed Rules

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide9

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Basics

Patient Selection

Select and set context

To Veteran patient

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide10

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Basics

Document Search

Execute Document Query

View Meta data

View Request SAML Assertion

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide11

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Basics

Document Retrieve

Select Document to retrieve

View

Document

Retrieve

SAML Assertion

View

Transformed

CDA Document

Decrypt

Masked

Entries

Decrypt

Document

Payload

Retrieve

Selected

Document

View

Document

Meta data

(For Demonstration Purposes Only)

(For Demonstration Purposes Only)

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide12

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Basics

Access Control Decisioning Log

View Annotation Rules derived from

Clinical Facts and

Organizational Policy

View Obligation(s) from

Patient Consent

USPrivacyLaw

Organizational Policy

View Rules executed based on

contents of document

being retrieved

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide13

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Basics

Setting Purpose of Use (POU)

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide14

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Basics

Providers eHealth Direct Inbox

Note: Due to time limitations

this capability was not

implemented please utilize

Reference Model test harness

to load and process XDM

packages.

Decrypt DOCUMENT.xml

file if necessary

(SAMHSA patients only)

View contents of

METADATA.xml

View HTML version of

DOCUMENT.xml CDA

file.

Test/Validate

No redisclosure

without consent.

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide15

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Use Case: Emergency Treatment (Break-the-glass)

Use Case Scenario:

The “test” Patient, a Veteran, is being seen at a VAMC Emergency Room for non-specific abdominal

pain. The “test” Patient is also receiving un-related treatment at a 42CFRPart2 constrained organization.

That patient has chosen to participate in eHealth Exchange and has created a Consent Directive

authorizing participation as well are constraining specific components of their clinical record. Specifically

the “test” patient wishes to REDACT Substance Abuse, Mental Health related observations, and

MASK (for intended recipient eyes only) all findings related to HIV. The Emergency Room attending performs an

eHealth Exchange document query and retrieve.

Expected Outcome:

Annotation of Document will occur with Document, Section, and Entry security labels being applied, NO actions of

REDACTION or MASKING will be performed when Purpose of Use (POU) is Emergency Treatment (ETREAT).

Authorization for disclosure is determined by POU, Organizational policy, and trust relationship between

exchanging organizations (exchange of certificates). Document, in its entirety, is delivered for viewing

to Emergency Room attending (requestor) with 42CFRPart2 WARNING and heightened auditing.

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide16

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Use Case: Emergency Treatment (Break-the-glass)

Step #1: From your tablet login to DS4PMobilePortal

Step #2: Touch your profile button, “DrName” and change

your POU to Emergency(this is normally a workflow event).

Step #3: Touch “Patient List” and then select “AsamplePatientone”

from drop-down list.

Step #4: Touch “eHealth Exchange” then touch “Search” button

to perform cross-enterprise document query (VA-SAMHSA).

Available documents are returned and visible for selection in table.

Note: that no document annotation has occurred at this point only

an authorization to release to recipient and 2) available documents

and meta data are returned.

Step #5: Touch row of interest “Consult Notes” and then touch the

“Retrieve Document” button.

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide17

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Use Case: Emergency Treatment (Break-the-glass)

Step #6: Note that the document

has been delivered to the requestor

in the Emergency Room in its

Encrypted form per sending organizations

DS4P policy.

Step #7: Touch “X” button or anywhere

to close “Document Retrieve Response”

window.

Step #8: Touch “Decrypt Document”

to decrypt document payload. This step

is for demonstration purposes only.

Step #9: Note that contents of document are

now revealed (in XML form) to requestor. Again

this is a step is for demonstration purposes only.

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide18

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Use Case: Emergency Treatment (Break-the-glass)

Step #10: Touch the “View Clinical Document” button

the 42CFRPart warning is displayed as well as

the document. Note the document and section

level tagging of “R” for restricted. And the

entry level tag related to applicable policies.

Substance Abuse (ETH), Mental Health Related

(PSY), and HIV information is visible.

Step #11: Touch the “Access Control Decisioning”

button. In table touch most recent event related

to your “Provider Id” and “Document Retrieve”

service request.

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide19

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Use Case: Emergency Treatment (Break-the-glass)

Step #12: Touch the “Obligations” button, in the

XACML Response window we see patient consent

directives to REDACT ETH and PSY, and too MASK

HIV. Additionally the organization is constrained by

US Privacy Laws 42CFRPart2, Title32Section7332, and

requires document handling of encryption.

Step #13: Touch the Security Labeling Service “SLS

Rules Generated” button. A list of all applicable/

available rules is shown, DRL is Drools Rule Language.

The rules and the decomposed C32 are sent to the

Drools Rule Engine for processing.

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide20

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Use Case: Emergency Treatment (Break-the-glass)

Step #14: Touch the Security Labeling Service “SLS

Rules Executed” button. A list of all the rules

that executed and results in a label being

applied to a specific observation. Note: all disregard

patient directives to REDACT and/or MASK.

Step #15: RESET you session by setting your

Purpose of Use (POU) in your user profile to

“Treatment” see step #2 for further instructions.

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide21

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Use Case: Share Partial

Use Case Scenario:

The “test” Patient, a Veteran, has been referred for a Monday morning follow up appointment with “DrName”.

Over the weekend our “test” patient updates their consent directive to include “DrName” as an authorized

recipient. Remember our patient’s consent directive constrains specific components of their clinical record. Specifically

the “test” patient wishes to REDACT Substance Abuse, Mental Health related observations, and MASK

(for intended recipient eyes only) all findings related to HIV. Prior to seeing our test patient “DrName” performs a

eHealth Exchange document query.

Expected Outcome:

Annotation of Document will occur with Document, Section, and Entry security labels being applied, Actions of

REDACTION or MASKINGwill be performed. Authorization for disclosure is determined by, provider ID, POU, Credentials,

Sensitivity Permissions, Organizational policy, and trust relationship between exchanging organizations (exchange of certificates).

Document, fully annotated (REDACT/LABEL/MASK/ENCRYPT) is delivered to “DrName”.

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide22

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Use Case: Share Partial

Step #1: From your tablet login to DS4PMobilePortal

Step #2: Touch your profile button, “DrName” and change

your POU to Treatment(this is normally a workflow event).

Step #3: Touch “Patient List” and then select “AsamplePatientone”

from drop-down list.

Step #4: Touch “eHealth Exchange” then touch “Search” button

to perform cross-enterprise document query (VA-SAMHSA).

Available documents are returned and visible for selection in table.

Note: that no document annotation has occurred at this point only

an authorization to release to recipient and 2) available documents

and meta data are returned.

Step #5: Touch row of interest “Consult Notes” and then touch the

“Retrieve Document” button.

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide23

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Use Case: Share Partial

Step #6: Note that the document

has been delivered to the requestor

in its Encrypted form per sending organizations

DS4P policy.

Step #7: Touch “X” button or anywhere

to close “Document Retrieve Response”

window.

Step #8: Touch “Decrypt Document”

to decrypt document payload. This step

is for demonstration purposes only.

Step #9: Note that contents of document are

now revealed (in XML form) to requestor. Again

this is a step is for demonstration purposes only.

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide24

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Use Case: Share Partial

Step #10: Touch the “View Clinical Document”

button. The 42CFRPart warning is displayed

as well as the document. Note the document

and section level tagging of “R” for restricted.

And that one problem list item, and one medication

have been MASKED. Substance Abuse (ETH)

and Mental Health Related (PSY) findings have

been REDACTED.

Step #11: Touch the “Decrypt Doc and Entries”

button. Assuming your user has necessary

permissions you will receive the key and be able

to decrypt the MASKED entries. This step is

for demonstration purposes only. Close the

XML display.

Step #12: Touch the “View Clinical Document”

button. The two (2) MASKED entries are

revealed to the user. In this case Acute HIV, and

the AZT equivalent medication were previously

hidden from users view.

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide25

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Use Case: Share Partial

Step #12: Touch the “Access Control Decisioning”

button.

Step #13: Touch to select most recent “DocumentRetrieve”

service request associated with your provider ID in the

log table.

Step #14: Touch the Security

Labeling Service

“SLS – Rules Generated” button.

Note that rules now take into

account the patients wishes

to REDACT or MASK aspects

of their clinical record.

Patient Constraint

SNOMED-CT code

US Privacy Law

Action

Sensitivity Label

Confidentiality Label

Document Handling

Refrain Policy

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide26

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Use Case: Share All

Use Case Scenario:

The “test” Patient, a Veteran, has been referred to an orthopedic surgeon “DrName” at the VAMC in Helena, MT.

The “test” Patient is also receiving un-related treatment at a 42CFRPart2 constrained organization.

That patient has chosen to participate in eHealth Exchange and has created a Consent Directive

authorizing participation and disclosure to “DrName”. The patient has no concerns in regards to sharing his/her

clinical information fully with DrName.

Expected Outcome:

Annotation of Document will occur with Document, Section, and Entry security labels being applied, Actions of

REDACTION or MASKINGwill be performed IF REQUIRED. Authorization for disclosure is determined by, provider ID, POU,

Credentials, Sensitivity Permissions, Organizational policy, and trust relationship between exchanging organizations

(exchange of certificates). Document, fully annotated (REDACT/LABEL/MASK/ENCRYPT) is delivered to “DrName”.

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide27

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Use Case: Share All

Step #1: From your tablet login to DS4PMobilePortal

Step #2: Touch your profile button, “DrName” and make sure

your POU is set to Treatment(this is normally a workflow event).

Step #3: Touch “Patient List” and then select “AsamplePatienttwo”

from drop-down list.

Repeat Step #4 thru #10

from Share Partial Use Case

Note when viewing clinical

document. No masking is

present and PSY, ETH,

SICKLE Cell Anemia,

disorders and medications

are visible.

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide28

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Use Case: Share All

Step #11: Touch the “Access Control Decisioning”

button.

Step #12: Touch to select most recent

“DocumentRetrieve” service request

associated with your provider ID in the

log table.

Step #13: Touch “Obligations” button. Note

that there are no patient constraints present.

Step #14: Touch the Security

Labeling Service

“SLS – Rules Generated” button.

Note that rules now take into

account that no patient constraints are

present and are entirely based on

organizational policy.

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide29

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Use Case: Patient Changes Mind (Modifying Patient Consent)

Use Case Scenario:

The “test” Patient, a Veteran, is currently receiving treatment for PTSD from “DrDavid” at the VAMC in Helena, MT.

The “test” Patient is also receiving un-related treatment at a 42CFRPart2 constrained organization.

That patient has chosen to participate in eHealth Exchange and has created a Consent Directive

authorizing participation and disclosure to “DrDavid” with no constraints. The patient initially has no concerns in regards to

sharing his/her clinical information fully with “DrDavid” . At some point in the future our “test” patient fells uncomfortable

seeing “DrDavid” and is switched to another Mental Health Provider at the VAMC. After some consideration our “test” patient

decides to alter their VA consent directive to disallow access “DrDavid” both locally and across the eHealth Exchange.

Expected Outcome:

Annotation of Document will occur with Document, Section, and Entry security labels being applied, Actions of

REDACTION or MASKINGwill be performed IF REQUIRED. Authorization for disclosure is determined by, provider ID, POU,

Credentials, Sensitivity Permissions, Organizational policy, and trust relationship between exchanging organizations

(exchange of certificates). Initially the Document, fully annotated (REDACT/LABEL/MASK/ENCRYPT) is delivered to “DrDavid”.

After the “test” patient changes their consent directive to disallow “DrDavid” access, “DrDavid” Is no longer able to receive

necessary authorizations to request or view the patients record.

Note: This use case example of patient changes mind has had its scope minimized. Only Jericho was able

to provide a patient effacing Consent Tool, services, XDS.b repository, and integrate prior to HIMSS. And Consent Directives

stored in SAMHSA XDS.b repository were actually generated by VA services without benefit of a patient tool. There are still some

issues to be worked out between VA/SAMHSA and Jericho in regards to this portion of the demonstration.

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide30

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Use Case: Patient Changes Mind (Modifying Patient Consent)

Step #1: From your tablet login to DS4PMobilePortal

as “DrDavid”

Step #2: Touch your profile button, “DrDavid” and make sure

your POU is set to Treatment(this is normally a workflow event).

Step #3: Touch “Patient List” and then select “AsamplePatientthree”

from drop-down list.

Repeat Step #4 thru #10

from Share Partial Use Case

Note when viewing clinical

document, that masked

entries exists in both Problem

List and Medications.

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide31

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Use Case: Patient Changes Mind (Modifying Patient Consent)

Step #11: Touch the “Decrypt Doc and Entries”. Masked entries

are decrypted and XML document is displayed. This step is for

demonstration purposes only. Close window.

Step #12: Touch “View Clinical Document” button. Note that

EHT and PSY findings are now visible to “DrDavid”.

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide32

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Use Case: Patient Changes Mind

Step #11: Touch the “Access Control Decisioning” button. Note that authorization decisions occurred for

DocumentQuery, DocumentRetrieve, DocumentEntryUnMask, and DocumentView.

Change AsamplePatientthree’s VA Consent Directive

Step #12: Login into Jericho Systems Patient Portal as “AsamplePatientthree”.

Note that Dr. David has been authorized to view our test patients records with no constraints.

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide33

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Use Case: Patient Changes Mind (Modifying Patient Consent)

Step #13: Click on the “Update” button next to “Dr. David”

Step #14: Click on “Block all personal health information.”

Then click on “Continue” button.

Step #15: Click on “Authorize & Sign” button.

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide34

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Use Case: Patient Changes Mind (Modifying Patient Consent)

Step #16: Sign the draft consent directive making it

authoritative by entering in username and password

and selecting an end date.

Step #17: Click on “Sign Draft” button.

Step #18: Note the access for Dr. David is now blocked.

Logout of Jericho Systems “Patient Portal”.

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide35

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Demonstration Use Case: Patient Changes Mind (Modifying Patient Consent)

Step #19: From the DS4PMobilePortal

Touch the “eHealth Exchange” button

then Touch “Search” button.

DrDavid receives a “You do not have

the necessary authorization privileges

to perform this operation”.

Step #20: Touch “Access Control

Decisioning” button. Note the

DrDavid’sDocumentQueryOut

request have been denied.

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide36

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

An Unexpected Interop: VA-SAMHSA and NetSmart

During the HIMSS Interoperability

Showcase the VA-SAMHSA team

was asked to perform an impromptu

Interop with the NetSmart DS4P

Pilot. VA-SAMHSA team provided NetSmart

their Direct HealthVault (development

sandbox) email address, requirements for

an XDM attachment, and a example of the

METADATA being produced by SAMHSA

(FEISystems).

The first attempt to process the XDM package

failed due to the structure of the zip file.

NetSmart delivered a new direct message the

following day. The direct xdm package was

able to be received by the VA developed

XDMProcessingService (web service) but

failed the Collection phase as it was unable

to identify intended recipient to determine

permissions for persisting the data. This

implied there was a disconnect in METADATA

being asserted. The interop was set aside

until after the conference.

Upon my return home I disabled the permission

check during collection phase and manually

persisted the intended recipient info after

the fact. Allowing the document and its

METADATA to be stored. To the right is the

CCD received from NetSmart.

Should we be concerned?

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration

slide37

Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

Things to Consider….

Need to revisit METADATA being exchange between organizations.

Cart before the horse problem, should HCS be engaged during DocQuery? This is

only an issue when an organization annotates the document in real-time.

XACML is good for enforcing obligations and refrain policies. But not for determining

them.

Key exchange between organizations.

The OASIS XSPA standards and IHE XUA++ need to be updated to reflect outcomes

of pilot.

When embedding an XACML policySet in the CDA R2 Consent Directive, which the

VA-SAMHSA pilot relied heavily on, a minimum set of policies and resources needs to be

recommended.

Data Segmentation for Privacy Initiative

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration