Be-Health as a driving force of electronic cooperation in the Belgian health care sector, based on the experience in the social sector
Frank Robben
General manager Crossroads Bank for Social Security
CEO Smals
Sint-Pieterssteenweg 375
B-1040 Brussels
E-mail: [email protected]
CBSS: www.ksz.fgov.be
Personal website: www.law.kuleuven.ac.be/icri/frobben
30th January 2008
Structure of the presentation
• objectives
• building blocks
• what Be-Health will NOT do
• intended Be-Health platform
• existing Be-Health platform
– network
– basic services
• existing validated authentic sources and added value services
• possible new added value services
• critical success factors
Objectives
• what?
– optimize the quality and the continuity of health care delivery
– optimize patient safety
– avoid unnecessary red tape for all actors in the health care sector
– support studying and policymaking in health care
• how?
– through a well organized electronic information exchange between all actors in the health care sector
– with the necessary guarantees with regard to information security and privacy protection
Building blocks
• a cooperation platform for secure electronic exchange of information about patients, provided care and the results of the provided care, and for the exchange of electronic care prescriptions between all relevant actors in the health care sector
– network
– basic services
– functional and technical interoperability standards
• adequate access channels for the users
Building blocks
• an institution, called Be-Health, managed by representatives of several actors in the health care sector that
– manages the cooperation platform
– organizes electronic services and information exchange between the actors in the health care sector
– develops functional and technical interoperability standards
• a Sectoral Committee of the Privacy Commission that regulates (electronic) exchange of personal health data in cases not regulated by law
• an appropriate legal framework
What Be-Health will NOT do
• change the actual division of tasks between the actors in the health care sector
• store information in a central way
• monopolize electronic service delivery to the end users
• carry out studies or deliver policy support with regard to health care
• be driven by technology, rather than by creation of added value for the actors in the health care sector
Existing legal basis
• article 4 of the law of 27 December 2006 containing various provisions (quoted on the slide in Dutch and in French)
"Within the Federal Public Service Health, Food Chain Safety and Environment, a State service with separate management as referred to in article 140 of the laws on State accounting, coordinated on 17 July 1991, called "Be-Health", is established for the management of the electronic services platform for the exchange of health care data.
The King determines, by a decree deliberated in the Council of Ministers, the missions and the detailed rules for the management and operation of this State service with separate management."
Sectoral Committee to be installed
• composed of
– representatives of the Privacy Commission
– independent health care specialists appointed by the House of Representatives
• mission
– authorizing (electronic) exchange of personal health data in cases not regulated by law
– defining information security policies related to the processing of health data
– delivering advice and recommendations related to information security and privacy protection issues related to health data
– handling complaints with regard to violation of security or privacy protection related to health data
Be-Health platform
[Figure: Be-Health platform. Labels: Users; Patients and care providers; Portal BeHealth; PortaHealth; Portal RIZIV; MyCareNet; Portal SS; FPS SS; AVS; Platform with basic services Be-Health; VAS; Suppliers.]
Be-Health platform
• basic service
– a service that has been developed and made available by Be-Health and that can be used by the supplier of an added value service
• added value service (AVS)
– a service put at the disposal of the patients and/or the health care providers
– the entity that develops and offers an added value service can use the basic services offered by Be-Health for this purpose
• validated authentic source (VAS)
– a database containing information used by Be-Health
– the administrator of the database is responsible for the availability and (the organization of) the quality of the information made available
Existing platform and basic services
• use of the existing network infrastructure (internet, social security extranet, FedMAN, ...) with end-to-end encryption of the information (concept of virtual private network - VPN)
• actual basic services
– integrated user and access management
– orchestration of electronic processes
– portal environment including a content management system and a search engine (https://www.behealth.be)
– personal electronic mailbox for each health care provider
– logging
• basic services being developed
– time stamping
– coding and anonymizing
– reference directory
User and access management
• authentication of the identity: according to the security level required
– electronic identity card
– user number, password and citizen token
– user number and password
• verification of characteristics and mandates: access to validated authentic sources
• authorization to use an added value service: management by service supplier
• elaborated on the basis of a generic policy enforcement model
Policy Enforcement Model
[Figure: Policy Enforcement Model. Components: User; Policy Enforcement (PEP); Application; Policy Decision (PDP); Policy Information (PIP), shown twice, each with an authentic source; Policy Administration (PAP); Policy repository; Manager. Flows: action on application; decision request; decision reply; action on application PERMITTED; action on application DENIED; information request/reply; policy retrieval; policy management.]
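The decision flow of the policy enforcement model, as an added Python example that is not part of the original presentation or of Be-Health's software. The policy contents, SSIN values and function names are assumptions; the three lookup tables are constructed stand-ins for the provider register, the RIZIV recognitions and the mandate database described on the authentic sources slide.

```python
from dataclasses import dataclass

# --- PIPs: constructed sample rows standing in for the authentic sources ---
PROVIDER_REGISTER = {"SSIN-A": "medical doctor", "SSIN-B": "nurse"}  # diploma register
RIZIV_RECOGNISED = {"SSIN-A", "SSIN-B"}                               # RIZIV recognitions
MANDATES = {("SSIN-B", "hospital-1"): {"ebirth"}}                     # who may act for which institution

# Authentication methods listed on the slide, ordered by security level.
AUTH_LEVEL = {"password": 1, "password+token": 2, "eid": 3}

# --- PAP: policy repository (policy contents are assumptions) ---
POLICIES = {
    "cancer-register": {"min_auth": "eid", "status": "medical doctor", "mandate": False},
    "ebirth": {"min_auth": "password+token", "status": "nurse", "mandate": True},
}

AUDIT_LOG = []  # stands in for the platform's logging basic service


@dataclass(frozen=True)
class Request:
    ssin: str
    auth_method: str
    service: str
    institution: str = ""


def pdp_decide(req):
    """PDP: retrieve the policy, query the PIPs, and deny unless every check passes."""
    policy = POLICIES.get(req.service)
    if policy is None:
        return "DENY", "no policy for service"
    if AUTH_LEVEL.get(req.auth_method, 0) < AUTH_LEVEL[policy["min_auth"]]:
        return "DENY", "authentication level too low"
    if PROVIDER_REGISTER.get(req.ssin) != policy["status"]:
        return "DENY", "required status not found in provider register"
    if req.ssin not in RIZIV_RECOGNISED:
        return "DENY", "no RIZIV recognition"
    if policy["mandate"]:
        allowed = MANDATES.get((req.ssin, req.institution), set())
        if req.service not in allowed:
            return "DENY", "no mandate for this institution"
    return "PERMIT", "all policy conditions met"


def pep_enforce(req, action):
    """PEP: the only path to the application; every decision is logged."""
    decision, reason = pdp_decide(req)
    AUDIT_LOG.append((req.ssin, req.service, decision, reason))
    if decision != "PERMIT":
        raise PermissionError(reason)
    return action()
```

An unknown service, an unknown SSIN or a missing mandate all end in DENY, so a gap in an authentic source never widens access.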
Architecture
[Figure: Architecture. The same component set appears three times, under the domain labels Be-Health, Social sector (CBSS) and Non social FPS (Fedict). Component labels: USER; APPLICATIONS; WebApp XYZ; Authentication; Authorisation; PEP; Role Mapper; Role Mapper DB; PDP; Role Provider; Role Provider DB; PAP "Kephas"; PIP Attribute Provider; Management VAS. Data source labels: UMAF; RIZIV; DB XYZ; DB Gerechtsdeurwaarders (bailiffs); DB Mandaten (mandates).]
Reference directory
• content
– indicates, on demand of the patient, which type of information with regard to the patient, the provided care and the results of the provided care is available at what places
– on the one hand, table with fixed care relations between health care providers and their patients, the nature of the relation, the starting date and final date of the relation
– on the other hand, a table indicating the places where, without a fixed care relation, electronic information is available about patients
– preferably a multi-stage and decentralised implementation: a general reference directory that refers to specific reference directories for each group of health care providers or each health care institution
– no personal information !!!
Reference directory
• functions
– preventive control on the legitimacy of the access to the information regarding a patient
– routing of information requests to the places where the information about the patient is available
– possibility of automatic communication of information to certain health care providers
Existing validated authentic sources
• register of health care providers
– administrator: FPS Public Health
– contains information about the diploma and the specialization of a health care provider identified through his social security identification number (SSIN)
• database with recognitions of the National Institute for Sickness and Invalidity Insurance (RIZIV)
– administrator: RIZIV
– contains information about the RIZIV recognition of health care providers identified through their SSIN
• database with persons authorized to act on behalf of a health care institution
– administrator: NOSS (part of the user management for companies)
– contains information about which persons, identified through their SSIN, are authorized to use which applications on behalf of a health care institution
Existing added value services
• in production
– input into and consultation of the cancer register
– Medattest: on line ordering of care prescription forms
• being tested
– electronic declaration of birth (eBirth)
– third party billing
• being developed
– Medic-e: entering the evaluation of disabled persons electronically into the information system of the FPS Social Security
– support of electronic care prescription in hospitals
– support of coding and anonymizing for RIZIV and sickness funds
Input in cancer register
• supplier: Cancer Register
• users: oncologists in health care institutions and labs
• functionality: electronic input of information into the cancer register and access to the registered information
• basic services used
– identification and authentication of the identity of the user (eID)
– verification of the status of medical doctor with RIZIV recognition
– electronic mailbox (publication of documents)
– logging
Medattest
• supplier: RIZIV
• users: medical doctors, dentists, physiotherapists, nurses, speech therapists, orthopedists, health care institutions and their mandataries
• functionality: on line ordering of care prescription forms
• basic services used
– identification and authentication of the identity of the user (eID or user number-password-citizen token)
– verification of the status of users
– verification of the mandate of users
– logging
Third party billing
• supplier: National College of Sickness Funds
• users: nurses, their groupings and representatives
• functionality: send third party billings electronically to sickness funds
• basic services used
– identification and authentication of the user's identity (eID or user number-password-citizen token)
– verification of the status of users
– verification of the mandate of users
– electronic mailbox (publication of documents)
– logging
Electronic declaration of birth
• suppliers: Fedict, Crossroads Bank for Social Security, National Register
• users: medical doctors, nurses and midwives in hospitals
• functionality: electronic declaration of the birth of a child
• basic services used
– portal
– identification and authentication of the user's identity (eID or user number-password-citizen token)
– verification of the status of nurse with RIZIV recognition
– verification of the mandate of users
– logging
Medic-e
• supplier: FPS Social Security
• users: medical doctors who evaluate disabled persons
• functionality: enter the evaluation of disabled persons electronically into the information system of the FPS Social Security
• basic services used
– identification and authentication of the user's identity (eID or user number-password-citizen token)
– verification of the status of medical doctor with RIZIV recognition
– electronic mailbox (publication of documents)
– logging
Electronic care prescription in health care institutions
• analysis of required functionalities
– functionalities before a prescription can be processed
  • authentication of the identity of the person who writes the prescription
  • verification of the status of the person who writes the prescription
  • system to ensure that the prescription cannot be modified unnoticeably after applying the methods to guarantee the integrity and the electronic time stamping
  • authentication of the identity, verification of the status of the person who has written the prescription, guaranteeing the integrity and the electronic date are needed for each individual prescription
  • the time necessary for authenticating the identity, verifying the status and guaranteeing the integrity must not exceed ¼ of a second per prescription
  • a person that writes prescriptions must be able to switch between prescription devices without overhead
  • local validation that the prescription has not been modified after applying the methods to guarantee the integrity and the electronic time stamping
Electronic care prescription in health care institutions
• analysis of required functionalities
– functionalities during the processing of the prescription
  • the electronic time stamping must be requested immediately after applying the method to guarantee the integrity and must be placed within 30 seconds after the request
– organizational requirements
  • speed with which an authentication tool can be replaced when it has become unusable
  • traceability of who has done which processing at which moment for the creation of a prescription (must be kept during a certain period)
  • traceability of the content and of the exact date and time of each request and processing of a request to revoke an authentication tool
– point of special interest
  • avoid that care institutions have to work with different systems for the authentication of the identity, the verification of the status, the guarantee of the integrity of documents, electronic time stamping, … for different types of processes
Electronic care prescription in health care institutions
• possible solution
– the authentication of the identity and the verification of the status are performed at the local level using at least a user-id, a password [and something one possesses], on condition that each person that writes prescriptions signs a document stipulating that he is responsible for everything that is authenticated in terms of identity and status through his user-id, his password [and the possessed element]
– the prescriptions are hashed
– the hashing results (not the content of the prescription itself!) receive an electronic time stamp from Be-Health
– clear organizational rules concerning the management of user-ids, passwords [and the possessed elements], based on the results of Elodis, are incorporated in a royal decree implementing article 21 of the royal decree n° 78
– a regulation is being elaborated that indicates under which conditions postscriptions are possible
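The hash-then-time-stamp flow of the possible solution, with the 30-second limit and the local validation from the requirements slides, as an added Python example (not from the presentation or from Be-Health). SHA-256, the JSON canonicalisation, the function names and the sample prescription are assumptions; the HMAC seal stands in for the time stamping service's signature, which a real service would produce with an asymmetric key so that institutions can verify it without holding a secret.

```python
import hashlib
import hmac
import json

TSA_KEY = b"constructed-demo-key"  # stand-in for the time stamping service's signing key
MAX_STAMP_DELAY = 30               # seconds between request and time stamp, per the slide

# Constructed sample prescription; field names are hypothetical.
SAMPLE_RX = {"patient": "SSIN-P", "prescriber": "SSIN-A", "drug": "amoxicillin 500 mg", "qty": 21}


def canonical_digest(prescription):
    """Hash a canonical serialisation so identical content always yields the same digest."""
    data = json.dumps(prescription, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def _seal(digest_hex, stamped_at):
    msg = f"{digest_hex}|{stamped_at}".encode()
    return hmac.new(TSA_KEY, msg, hashlib.sha256).hexdigest()


def tsa_stamp(digest_hex, tsa_clock):
    """Time stamping service: receives only the digest, never the prescription content."""
    return {"digest": digest_hex, "stamped_at": tsa_clock, "seal": _seal(digest_hex, tsa_clock)}


def request_stamp(prescription, requested_at, tsa_clock):
    """Institution side: hash locally, request the stamp, reject one placed too late."""
    token = tsa_stamp(canonical_digest(prescription), tsa_clock)
    if not 0 <= token["stamped_at"] - requested_at <= MAX_STAMP_DELAY:
        raise TimeoutError("time stamp not placed within 30 seconds of the request")
    return token


def validate(prescription, token):
    """Local validation: the seal is genuine and the content still matches the stamped digest."""
    seal_ok = hmac.compare_digest(_seal(token["digest"], token["stamped_at"]), token["seal"])
    content_ok = hmac.compare_digest(canonical_digest(prescription), token["digest"])
    return seal_ok and content_ok
```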
Some possible new added value services
• reduction of red tape for health care providers and health care institutions
– electronic access by health care providers and health care institutions to the insurance status and other relevant administrative information regarding the patient
– well co-ordinated, unique collection, across public services at several government levels and sickness funds, of information necessary for
  • getting authorized to provide particular care
  • policy support
• a standardized content, format and methods for legally valid electronic care prescriptions in the ambulatory sector
• Be-Health as a trusted third party for coding and anonymizing
• gradually, a minimal content of health care files that can be exchanged electronically and a permanent, decentralized availability and accessibility of the minimal electronically communicable content of health care files
Access channels for the users
• several devices
– PC and laptop
– PDA
– cell phone
– …
• for each target group preferably developed by the actual service providers of that target group (no monopoly of Be-Health!)
• for each target group at least one free and generally accessible application for integrated access to the services and the information, if necessary built by Be-Health as a web application
• maximal integrated services across service providers and information sources
Need for an appropriate legal framework
• creation of Be-Health as an organization, with an adequate legal basis determining its mission, its management committee and its user committee and their composition
• possibility to use a common patient identification number
• probative value of electronic prescriptions, processes and information exchange
• management of the reference directory
• methods for determining functional and technical interoperability standards
• adaptation of specific regulation in function of specific projects
Critical success factors
• cooperation between all actors in the health care sector, based on a division of tasks rather than on a centralization of tasks
• trust of all stakeholders in the preservation of the necessary autonomy and the security of the system
• firstly the development of the exchange platform and the creation of the necessary institutions (Be-Health and its management and user committees, Sectoral Committee, ...) and then further elaboration of processes between these institutions
• quick wins in combination with a long term vision
• legal framework
Some possible useful initiatives of EU
• common and reliable patient identification methods
• cross-border user and access management based on the policy enforcement model
• common functional and technical standards and specifications as a basis for interoperability
• quality standards in health care delivery in order to stimulate cooperation between actors in the health sector
More information
• portal Be-Health
– https://www.behealth.be
• website Crossroads Bank for Social Security
– http://www.ksz.fgov.be
• personal website Frank Robben
– http://www.law.kuleuven.ac.be/icri/frobben
Th@nk you !
Any questions ?