![Page 1: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/1.jpg)
“Jericho / UT Austin Pilot”
Privacy with Dynamic Patient Review
July 9, 2013
Presented by:David Staggs, JD, CISSP
Jericho Systems Corporation
![Page 2: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/2.jpg)
07/9/2013 2
Agenda
• Administrative issues
• Pilot scope
• Data flow diagram
• Masking / Redaction
• Data Labeling
• HL7 Security Observation Vocabulary
• HCS in the J-UT Pilot
• Identifiers in Clinical Documents
• Questions
• POA&M
![Page 3: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/3.jpg)
Pilot Administrivia
• This pilot is a community led pilot
  – Limited support provided by the ONC
    • Apurva Dharia (ESAC)
    • Jeanne Burton (Security Risk Solutions)
    • Melissa Springer (HHS)
• In conjunction with DS4P bi-weekly return of an All Hands meeting
• Access to DS4P Wiki, teleconference, and calendar
• Meeting times: Tuesdays 11AM (ET)
  – Dial In: +1-650-479-3208, Access code: 662 197 169
    URL: https://siframework1.webex.com/siframework1/onstage/g.php?t=a&d=662197169
![Page 4: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/4.jpg)
Scope of the Pilot
• 1. Define the exchange of HL7 CDA-compliant PCD between a data custodian and a PCD repository that includes a report on the outcome of the request back to the healthcare consumer.
• 2. Additional goal: use of identifiers that can uniquely identify the healthcare consumer and the PCD repository, used to report the outcome of the request back to the healthcare consumer by the healthcare consumer's provider and subsequent EHR custodians.
• 3. Stretch goal: use of the PCD repository as a proxy allowing direct authentication by the healthcare consumer to the provider, subsequently reducing correlation errors.
• 4. Stretch goal: mask and/or redact the clinical document based on PCD choices retrieved from the PCD repository.
![Page 5: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/5.jpg)
Pilot Data Flow
[Diagram: Patient, 1st Requestor, 2nd Requestor, PCD Repository, "Custodian of Data being Provided at" and "Subsequent Custodian of Data being Provided at". Legend: clinical data; A, B = PCD data; audit record. Arrows and symbols were lost in extraction.]
![Page 6: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/6.jpg)
Data Segmentation (6/25/2013)
• Patient's consent over release of certain clinical data:
  – What information is available and necessary to filter the PCD (attributes from the clinical document)
  – Requires segmentation (data tagging) of the clinical document being requested
    • HL7 CDA r2 Confidentiality codes (e.g., ETH, from the ConfidentialityByInfoType value set) in header
    • HL7 HCS Sensitivity codes (in data segments)
• If data tags are passed in the request for a PCD, only the patient's restrictions on those data tags need be sent
  – Custodian already knows the existence of the data segment because it sees it in the clinical document
![Page 7: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/7.jpg)
Document Masking/Redaction
• Document masking and redaction
  – Redaction: remove information
  – Masking: limit access to information (encrypt); the recipient can tell a segment exists but cannot read it
• Prerequisites
  – Clinical document must be segmented and labeled
• Previous masking and redaction DS4P pilot demonstrations
  – September 9-14, 2012 at HL7 WGM
  – March 3-7, 2013 at HIMSS Interoperability Showcase
• Data labeling used in VA/SAMHSA DS4P pilot
  – HCS Security Labels conform to NIST FIPS PUB 188 Standard Security Label structure
![Page 8: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/8.jpg)
VA/SAMHSA Pilot Overview
from: HIMSS 2013 Interoperability Showcase Demonstration Playbook
![Page 9: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/9.jpg)
Data Labeling Scope
from: Guide to the HL7 Health Care Privacy and Security Classification System
![Page 10: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/10.jpg)
HCS Security Labels Detail
from: Guide to the HL7 Health Care Privacy and Security Classification System
![Page 11: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/11.jpg)
HCS Security Labels
• Document masking and redaction using HCS Tags
  – Can be at CDA header, sections, and/or entries
  – Requires data segment information
• Binding elements to consent directive
  – Includes Clinical Facts, Clinical Attributes, Provenance Attributes, and Security Label Attributes
  – Examples:
    • Medications: RxNorm
    • Clinical Terms: SNOMED CT
    • C32 sections: Logical Observation Identifiers Names and Codes (LOINC) codes
    • C32 document: CDA header
![Page 12: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/12.jpg)
Security Observations Vocabulary
from: Informative Example of HL7 Healthcare Privacy and Security Classification System Release 1 Using HL7 Security Observation Vocabulary
![Page 13: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/13.jpg)
HCS Security Observations Detail
from: Guide to the HL7 Health Care Privacy and Security Classification System

| Clinical Fact | Clinical Attribute | Provenance | Security Label (HL7*) |
| --- | --- | --- | --- |
| Diagnosis | <Patient Name> | Source=<Organization> | N |
| | 111880001 Acute HIV infection (disorder) | hadPrimarySource: SNOMED Code; wasAttributedTo: <Attending> | Restricted, HIV |
| Medications | <Patient Name> | | N |
| | 11413 Zidovudine (AZT) | hadPrimarySource: RxNorm; wasDerivedFrom: Diagnosis | Restricted, HIV |
| Allergies | <Patient Name> | wasDerivedFrom: Encounter | N |
| | 91936005 (Penicillin) | hadPrimarySource: SNOMED CT | N |
| Laboratory Report | 8053 (Lipid Panel): 8320 Total Cholesterol, 8316 Triglyceride, 8429 HDL, 7973 LDL | hadPrimarySource: LOINC | N |
| Procedure | 86689.Z7 (HIV-1 Western Blot) | hadPrimarySource: CPT | Restricted, HIV |
![Page 14: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/14.jpg)
Using HCS in the J-UT Pilot
• Document masking and redaction scope
  – Can be at CDA header, sections, and/or entries
  – Requires data segment information
  – Requires shared concept of clinical document content
• Options
  – Use simple clinical document (C32, Patient Summary)
  – Apply to segmented and labeled clinical document
  – Interface with Security Labeling Service as "black box"
• Challenge
  – Incorporate HCS-required vocabulary and semantics in our data exchange (both to and from PCD repository)
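As an added illustration of the label-driven redaction and masking described on the Data Segmentation, Masking/Redaction, HCS Security Labels and J-UT scope slides (example code written for this page, not the pilot's or Jericho Systems' implementation): the custodian reports the data tags it can see in a CDA R2 document, the PCD repository returns only the patient's restrictions on those tags, and the custodian redacts or masks sections by their confidentialityCode, re-derives the header label from what remains, and produces the outcome report that scope item 1 sends back. The sample document, its OIDs, the PCD table and the choice to label only at section level (CDA R2 sections carry confidentialityCode; DS4P's entry-level security observations are not modelled) are constructed assumptions. A real PCD also conditions on requestor and purpose of use, and the detached masked content would be encrypted under the custodian's key management, which is not shown.

```python
"""Label-driven redaction and masking of an HL7 CDA R2 document against a
patient consent directive (PCD).  Illustrative code added for this page; it is
not the J-UT pilot's implementation."""
import secrets
import xml.etree.ElementTree as ET

HL7 = "urn:hl7-org:v3"
NS = {"hl7": HL7}
ET.register_namespace("", HL7)

# HL7 v3 Confidentiality code system 2.16.840.1.113883.5.25, ordered N < R < V.
RANK = {"N": 0, "R": 1, "V": 2}

# Constructed sample: a header label, a restricted problem-list section and a
# normal allergies section.  OIDs and patient id are placeholders.
SAMPLE_CDA = f"""<ClinicalDocument xmlns="{HL7}">
  <confidentialityCode code="R" codeSystem="2.16.840.1.113883.5.25"/>
  <recordTarget><patientRole>
    <id root="1.2.3.4.5.5.66.6" extension="232342"/>
  </patientRole></recordTarget>
  <component><structuredBody>
    <component><section>
      <code code="11450-4" codeSystem="2.16.840.1.113883.6.1" displayName="Problem list"/>
      <confidentialityCode code="R" codeSystem="2.16.840.1.113883.5.25"/>
      <text>Acute HIV infection (SNOMED CT 111880001)</text>
    </section></component>
    <component><section>
      <code code="48765-2" codeSystem="2.16.840.1.113883.6.1" displayName="Allergies"/>
      <confidentialityCode code="N" codeSystem="2.16.840.1.113883.5.25"/>
      <text>Penicillin allergy (SNOMED CT 91936005)</text>
    </section></component>
  </structuredBody></component>
</ClinicalDocument>"""

# Constructed PCD as the repository would hold it: one action per data tag.
# A real directive also conditions on requestor and purpose of use (XACML).
FULL_PCD = {"R": "mask", "V": "redact", "ETH": "redact"}


def document_tags(cda_xml):
    """Data tags the custodian can see: every confidentialityCode in the document."""
    root = ET.fromstring(cda_xml)
    return {cc.get("code") for cc in root.iter(f"{{{HL7}}}confidentialityCode")}


def pcd_restrictions_for(pcd, tags):
    """Only restrictions on the reported tags are returned: the custodian already
    knows those segments exist, and the rest of the directive stays private."""
    return {tag: pcd[tag] for tag in tags if tag in pcd}


def apply_pcd(cda_xml, restrictions):
    """Redact or mask sections by label.  Returns (released_xml, detached, outcome).

    Redaction removes the section.  Masking keeps the section code and label but
    moves the content into `detached` under an unguessable reference; the
    custodian must encrypt or access-control that store (assumed, not shown).
    The outcome is the report returned to the PCD repository."""
    root = ET.fromstring(cda_xml)
    header_cc = root.find("hl7:confidentialityCode", NS)
    patient = root.find("hl7:recordTarget/hl7:patientRole/hl7:id", NS)
    body = root.find("hl7:component/hl7:structuredBody", NS)
    detached, report, remaining = {}, [], []
    for comp in list(body.findall("hl7:component", NS)):
        section = comp.find("hl7:section", NS)
        code = section.find("hl7:code", NS).get("code")
        cc = section.find("hl7:confidentialityCode", NS)
        # An unlabeled section inherits the header label rather than defaulting to N.
        label = cc.get("code") if cc is not None else header_cc.get("code")
        action = restrictions.get(label, "permit")
        entry = {"section": code, "label": label, "action": action, "ref": None}
        if action == "redact":
            body.remove(comp)
        else:
            if action == "mask":
                ref = secrets.token_hex(16)
                detached[ref] = ET.tostring(section, encoding="unicode")
                keep = {f"{{{HL7}}}code", f"{{{HL7}}}confidentialityCode"}
                for child in list(section):
                    if child.tag not in keep:
                        section.remove(child)
                ET.SubElement(section, f"{{{HL7}}}text").text = f"masked: ref={ref}"
                entry["ref"] = ref
            remaining.append(label)
        report.append(entry)
    # The header label is the high-water mark of what is still in the document.
    new_label = max(remaining, key=lambda l: RANK.get(l, 0), default="N")
    header_cc.set("code", new_label)
    outcome = {
        "patientId": f"{patient.get('extension')}@{patient.get('root')}",
        "documentLabel": new_label,
        "sections": report,
    }
    return ET.tostring(root, encoding="unicode"), detached, outcome


def check_no_leak(original_xml, released_xml, outcome):
    """Release gate: the text of every redacted or masked section must be absent."""
    withheld = {s["section"] for s in outcome["sections"] if s["action"] != "permit"}
    for section in ET.fromstring(original_xml).iter(f"{{{HL7}}}section"):
        if section.find("hl7:code", NS).get("code") in withheld:
            text = section.findtext("hl7:text", default="", namespaces=NS)
            if text and text in released_xml:
                return False
    return True


if __name__ == "__main__":
    tags = document_tags(SAMPLE_CDA)                        # {"N", "R"}
    restrictions = pcd_restrictions_for(FULL_PCD, tags)     # {"R": "mask"}
    released, store, outcome = apply_pcd(SAMPLE_CDA, restrictions)
    assert check_no_leak(SAMPLE_CDA, released, outcome)
    print(outcome)
```

Two points the slides leave implicit are made explicit here: a masked section still reveals that a restricted segment exists (its code and label stay in the document), which is the trade-off against redaction; and the header confidentialityCode has to be recomputed after filtering, otherwise a document whose restricted content was redacted still announces itself as R.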
![Page 15: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/15.jpg)
DS4P Integration
• Expectations of being a DS4P pilot:
  – Provide integration with other DS4P pilots
  – Participate in "end-to-end" demonstrations
• Benefits of being a DS4P pilot:
  – VA/SAMHSA pilot members have agreed to support the use of the HCS infrastructure in the J-UT pilot
  – We have access to several Subject Matter Experts (SMEs)
• DS4P pilots explore new approaches
  – We do not have to boil the ocean
![Page 16: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/16.jpg)
Functional Requirements Summary
• Precondition Functional Requirements
  – Document format for establishing authentication exchange *
  – Document format for exchange of repository account holder and HIO identifiers? (in proxy) *
  – Document format for clinical data request (NwHIN)
• Functional Requirements
  – Document format for requesting consent directive
  – Document format for returning consent directive
  – Document format for sending result of decision to consent directive repository
• Post-Condition Functional Requirements
  – Document format for exchange of repository location and account holder identifier to 2nd requestors associated with data
06/18/2013 16
![Page 17: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/17.jpg)
Identifiers
• Problem: use of identifiers that can uniquely identify the healthcare consumer and PCD repository
• Correlation of the PCD?
  – Correlation error results in another's PCD applied
  – Identifying (correct) subject of clinical document at multiple PCD results in conflicts
• No correlation of the PCD?
  – Subject of clinical document may have moved
  – Repositories may have moved
  – Can use correlation as a fall back
![Page 18: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/18.jpg)
Assumptions
• Identifier embedded in a clinical document:
  – Identify the subject
  – Identify the Repository
    • Registry
    • Repository
    Note: two repository SOAP endpoints
    Note: no issues with distributed XDS.b repositories
  – Be compatible with CDAr2 document
  – Provide access to the audit endpoint
![Page 19: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/19.jpg)
Proposed Construct

<ClinicalDocument>
  …
  <authorization>
    <templateId … />
    <consent>
      <templateId … />
      <id root="patient id root OID" extension="232342^1.2.3.4.5.5.66.6&amp;ISO"/>
      <id root="audit service reference oid" extension="atna01.mypcddomain.com"/>
      <id root="XDS.b registry service oid" extension="xds01.mypcddomain.com"/>
      <id root="XDS.b repository service oid" extension="xds01.mypcddomain.com"/>
      <id root="XDS.b repository unique id oid" extension="1.2.3.4.5.56.6.6.77.7.7"/>
    </consent>
  </authorization>
  …
</ClinicalDocument>
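As an added example of consuming the proposed construct and meeting the Identifiers and Assumptions slides (example code written for this page, not the pilot's code): extract the subject and repository identifiers from the authorization/consent block, parse the patient id in the slide's id^root&ISO form (the full XDS form id^^^&root&ISO is also accepted), and, because hostnames carried inside a received clinical document are data supplied by whoever produced the document, only accept the audit, registry and repository hosts when they fall under a domain the custodian already trusts. The 2.999.x roots stand in for the slide's placeholder OIDs (2.999 is the arc reserved for examples), the field names are this example's own, and the trusted-domain list is an assumed custodian setting.

```python
"""Reading and validating the PCD-repository locator that the proposed construct
embeds in the CDA authorization/consent block.  Illustrative code added for this
page, not the pilot's code."""
import re
import xml.etree.ElementTree as ET

HL7 = "urn:hl7-org:v3"
NS = {"hl7": HL7}
OID_RE = re.compile(r"^\d+(\.\d+)+$")
HOST_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

# Placeholder OIDs standing in for the slide's "patient id root OID",
# "audit service reference oid", etc.  Field names are this example's own.
ROOTS = {
    "2.999.1": "patientId",
    "2.999.2": "auditService",
    "2.999.3": "xdsRegistry",
    "2.999.4": "xdsRepository",
    "2.999.5": "xdsRepositoryUniqueId",
}

# Constructed document carrying the slide's example values.
SAMPLE_CDA = f"""<ClinicalDocument xmlns="{HL7}">
  <authorization>
    <consent>
      <id root="2.999.1" extension="232342^1.2.3.4.5.5.66.6&amp;ISO"/>
      <id root="2.999.2" extension="atna01.mypcddomain.com"/>
      <id root="2.999.3" extension="xds01.mypcddomain.com"/>
      <id root="2.999.4" extension="xds01.mypcddomain.com"/>
      <id root="2.999.5" extension="1.2.3.4.5.56.6.6.77.7.7"/>
    </consent>
  </authorization>
</ClinicalDocument>"""


def extract_locator(cda_xml):
    """Map the consent ids to named fields.  Unknown roots are ignored; a
    missing, duplicated or non-OID root is rejected rather than guessed."""
    root = ET.fromstring(cda_xml)
    consent = root.find("hl7:authorization/hl7:consent", NS)
    if consent is None:
        raise ValueError("no authorization/consent block")
    found = {}
    for id_el in consent.findall("hl7:id", NS):
        oid, ext = id_el.get("root", ""), id_el.get("extension", "")
        if not OID_RE.match(oid):
            raise ValueError(f"id root is not an OID: {oid!r}")
        key = ROOTS.get(oid)
        if key is None:
            continue
        if key in found:
            raise ValueError(f"duplicate id for {key}")
        found[key] = ext
    missing = sorted(set(ROOTS.values()) - set(found))
    if missing:
        raise ValueError(f"consent block lacks ids for: {missing}")
    return found


# Slide form "id^root&ISO" and the full XDS form "id^^^&root&ISO" are both accepted.
PATIENT_ID_RE = re.compile(r"^([^^&]+)\^(?:\^\^&)?(\d+(?:\.\d+)+)&ISO$")


def parse_patient_id(extension):
    """Return (local id, assigning-authority OID) from the consent patient id."""
    m = PATIENT_ID_RE.match(extension)
    if not m:
        raise ValueError(f"unrecognised patient id: {extension!r}")
    return m.group(1), m.group(2)


def trusted_endpoints(locator, trusted_domains):
    """Hostnames carried in a received document are data, not configuration.
    Return the audit/registry/repository hosts only if each lies under a domain
    the custodian already trusts; otherwise raise and contact nothing."""
    hosts = {}
    for key in ("auditService", "xdsRegistry", "xdsRepository"):
        host = locator[key].lower()
        if not HOST_RE.match(host):
            raise ValueError(f"{key}: not a hostname: {host!r}")
        if not any(host == d or host.endswith("." + d) for d in trusted_domains):
            raise ValueError(f"{key}: {host} is outside the trusted PCD domains")
        hosts[key] = host
    if not OID_RE.match(locator["xdsRepositoryUniqueId"]):
        raise ValueError("repository unique id is not an OID")
    return hosts


def locator_is_trusted(locator, trusted_domains):
    """Boolean form of trusted_endpoints for callers that only need a decision."""
    try:
        trusted_endpoints(locator, trusted_domains)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    loc = extract_locator(SAMPLE_CDA)
    print(parse_patient_id(loc["patientId"]))
    print(trusted_endpoints(loc, ["mypcddomain.com"]))
```

The domain allowlist is the check a practitioner would want before acting on slide 18's "provide access to the audit endpoint": a custodian that dereferences whatever audit or XDS.b host a received document names would send its access-decision log, and its PCD fetch, wherever the document's author chose. Resolving the locator through a trusted directory instead of an allowlist is an equivalent design.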
![Page 20: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/20.jpg)
UT Student Contribution
• "Definition of Data Sets Exchanged During Request for Patient Consent Directive (PCD) on e-Health Exchange"
  – UT Students: Johnny Bender and Adrian Tan
• Current summary:
  – Ability to mask PCD based on:
  – Data types, restrictions:
    • Normal, Restricted
  – Specific restrictions
  – Classifications of data
    • Health system planning
    • Communicable test results
![Page 21: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/21.jpg)
Pilot Timeline
• General Timeline, conditioned on agreement of stakeholders
![Page 22: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/22.jpg)
Relevant Standards
• Standards from previous discussions:
  • XCA and/or XDS.b (IHE)
  • XUA (IHE) – IHE profile includes SAML (OASIS)
  • XCPD (IHE) – not fully integrated into DS4P IG
  • ATNA (IHE) in ISO 12052 format – returned access decision log
  • CDA r2 (HL7) – for PCD location in released clinical document; for format of the directive (includes XACML)
  • XACML (OASIS) – specifically to PCD
  • NwHIN specification
  • ODD (IHE) – On-Demand Documents (Trial) Supplement
Note: PCD (HL7) – just updated last WGM, will re-ballot
![Page 23: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/23.jpg)
Questions?
• For example:
  • What level of control should the subject have over their records?
  • When does too much control cause confusion?
  • Would subjects or algorithms be setting the HCS options?
![Page 24: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/24.jpg)
Plan of Action
• Upon agreement of the participants the POA is:
  • Identify the elements available from previous DS4P pilots
  • Scope level of effort, decide on extended scenario
  • Determine first draft of functional requirements
  • Review standards available for returning information on requests
  • Determine any gaps or extensions required in standards
  • Stand up information holders and requestors
  • Create XDS.b repository holding PCD
  • Identify remaining pieces
  • Document and update IG with results of our experience
![Page 25: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/25.jpg)
DS4P Standards Material
• Location of DS4P Standards Inventory: http://wiki.siframework.org/Data+Segmentation+-+Standards+Inventory
• Location of DS4P Standards Mapping Issues: http://wiki.siframework.org/file/view/Copy%20of%20DataMappingsIssues%2005102012.xlsx/333681710/Copy%20of%20DataMappingsIssues%2005102012.xlsx
• General Standards Source List: http://wiki.siframework.org/file/view/General%20SI%20Framework%20Standards%20Analysis.xlsx/297940330/General%20SI%20Framework%20Standards%20Analysis.xlsx
• Standards Crosswalk Analysis: http://wiki.siframework.org/Data+Segmentation+for+Privacy+Standards+and+Harmonization (at bottom of page, exportable)
• Implementation Guidance: http://wiki.siframework.org/file/view/Data%20Segmentation%20Implementation%20Guidance_consensus_v1_0_4.pdf/416474106/Data%20Segmentation%20Implementation%20Guidance_consensus_v1_0_4.pdf
![Page 26: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/26.jpg)
DS4P References
• Use Case: http://wiki.siframework.org/Data+Segmentation+for+Privacy+Use+Cases
• Implementation Guide: http://wiki.siframework.org/Data+Segmentation+for+Privacy+IG+Consensus
• Pilots Wiki Page: http://wiki.siframework.org/Data+Segmentation+for+Privacy+RI+and+Pilots+Sub-Workgroup
![Page 27: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/27.jpg)
Backup Slides
![Page 28: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/28.jpg)
Pilot Data Flow (repeat of the slide 5 diagram)
![Page 29: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/29.jpg)
Pilot Data Flow
[Diagram: Patient, 1st Requestor, 2nd Requestor, PCD Repository, "Custodian of Data being Provided at" and "Subsequent Custodian of Data being Provided at". Two clinical exchanges are numbered ("Clinical exchange #"); each custodian performs "Fetch PCD" against the PCD Repository and "Send audit". Legend: clinical data; A, B = PCD data; audit record. Arrows and symbols were lost in extraction.]
![Page 30: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/30.jpg)
Pilot Data Flow (1)
[Diagram: Patient, 1st Requestor, 2nd Requestor, PCD Repository, "Custodian of Data being Provided at". Legend: clinical data; A, B = PCD data; audit record. Arrows and symbols were lost in extraction.]
![Page 31: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/31.jpg)
Pilot Data Flow (2)
[Diagram: Patient, 1st Requestor, 2nd Requestor, PCD Repository, "Custodian of Data being Provided at". Legend: clinical data; A, B = PCD data; audit record. Arrows and symbols were lost in extraction.]
![Page 32: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/32.jpg)
Pilot Data Flow (3)
[Diagram: Patient, 1st Requestor, 2nd Requestor, PCD Repository, "Custodian of Data being Provided at" and "Subsequent Custodian of Data being Provided at". Legend: clinical data; A, B = PCD data; audit record. Arrows and symbols were lost in extraction.]
![Page 33: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/33.jpg)
Pilot Data Flow (4)
[Diagram: Patient, 1st Requestor, 2nd Requestor, PCD Repository, "Custodian of Data being Provided at" and "Subsequent Custodian of Data being Provided at". Legend: clinical data; A, B = PCD data; audit record. Arrows and symbols were lost in extraction.]
![Page 34: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/34.jpg)
Pilot Data Flow (5)
[Diagram: Patient, 1st Requestor, 2nd Requestor, PCD Repository, "Custodian of Data being Provided at" and "Subsequent Custodian of Data being Provided at". Legend: clinical data; A, B = PCD data; audit record. Arrows and symbols were lost in extraction.]
![Page 35: “ Jericho / UT Austin Pilot”](https://reader036.vdocument.in/reader036/viewer/2022062315/5681637d550346895dd45d28/html5/thumbnails/35.jpg)
Pilot Data Flow (updated)
[Diagram: Patient, 1st Requestor, 2nd Requestor, PCD Repository, "Custodian of Data being Provided at" and "Subsequent Custodian of Data being Provided at". Legend: clinical data; A, B = PCD data; audit record. Arrows and symbols were lost in extraction.]