
What IHE Delivers
Basic Patient Privacy Consents
HIT-Standards – Privacy & Security Workgroup
John Moehrke, GE Healthcare



What do Standards Define?

Policy
• Driven by business goals
• Informed by Risk Assessments
• Defines rights and responsibilities
• Defines punishment

Process
• Enforces policy
• How people or organizations act
• who / what / where / when / how

Technology
• Enforces policy
• How equipment should act
• Algorithms and data formats


Before (2006)

One Policy for the XDS Affinity Domain (HIE)
• Patient doesn’t agree: Don’t publish
• VIP Patient: Don’t publish
• Sensitive Data: Don’t publish
• Research Use: No Access


Basic Patient Privacy Consents

• Human Readable
• Machine Processable
• Characteristics of a CDA “Document”
• Multiple Consent Types and Documents (e.g., HIPAA)
• Wet Signature Capture (i.e. XDS-SD)
• Digital Signature Capture Possible (i.e. DSG): Provider, Witness, Patient or Legal Representative
• Extensible


Document Content & Modes of Exchange

Document Exchange Integration Profiles
• Document Sharing: XDS
• Media Interchange: XDM
• Reliable Interchange: XDR
• Cross-Community Access: XCA

Document Content Profiles
• Consent: BPPC
• Emergency: EDR
• Pre-Surgery: PPHP
• Scanned Doc: XDS-SD
• Laboratory: XD*-Lab
• PHR Exchange: XPHR
• Discharge & Referrals: XDS-MS
• Imaging: XDS-I


Value Proposition

An XDS Affinity Domain (RHIO, HIE)
• Develop a set of privacy policies
• Each policy is given a number (OID)
• Implement them with role-based or other access control mechanisms supported by EHR systems.

A patient can
• Be made aware of the privacy policies.
• Have an opportunity to selectively acknowledge from the policies presented
• Have control over access to their healthcare information.


Written Policy Example

The patient agrees to share their healthcare data to be accessed only by doctors wearing a chicken costume.


BPPC supportable Consents

• Explicit Opt-In is required which enables HIE allowed document use
• Explicit Opt-Out that would prevent all use of their documents
• Implicit Opt-In allows for document use
• Explicit Opt-Out of any document publication
• Explicit Opt-Out of sharing outside of local event use, but does allow emergency override
• Explicit Opt-Out of sharing outside of local event use, and without emergency override
• Explicit authorization that would allow specific research project
• Change the consent policy (change from opt-in to opt-out)
• Allow direct use of the document, but not re-publishing
• Enable use of document retrieval across communities using XCA
• Explicit individual policy for opt-in at each clinic
• Explicit individual policy for opt-in for a PHR choice
• Explicit Opt-In for a period of time (episodic consent)


HHS Whitepaper on Consent (March 2010)

No consent. Health information of patients is automatically included—patients cannot opt out;

Opt-out. Default is for health information of patients to be included automatically, but the patient can opt out completely;

Opt-out with exceptions. Default is for health information of patients to be included, but the patient can opt out completely or allow only select data to be included;

Opt-in. Default is that no patient health information is included; patients must actively express consent to be included, but if they do so then their information must be all in or all out; and

Opt-in with restrictions. Default is that no patient health information is made available, but the patient may allow a subset of select data to be included.


Characteristic of a CDA document

• Persistence
• Stewardship
• Potential for authentication
• Context
• Wholeness
• Human readability

A CDA document is a defined and complete information object that can include text, images, sounds, and other multimedia content.


Capturing the Patient Consent act

One of the Affinity Domain Consent policies

CDA document captures the act of signing
• Effective time (Start and Sunset)
• templateID – BPPC document
• XDS-SD – Capture of wet signature from paper
• DSIG – Digital Signature (Patient, Guardian, Clerk, System)

XDS Metadata
• classCode – BPPC document
• eventCodeList – the list of the identifiers of the AF policies
• confidentialityCode – could mark this document as sensitive


Consent document

[Figure: structure of a consent document. Labels recovered from the diagram:]
• Structured and Coded CDA Header: Patient, Author, Authenticator, Institution, Time of Service, etc.
• Structured Content with coded sections:
  • Scanned Document details (Base64 encoded)
  • Privacy Consent details: Policy 9.8.7.6.5.4.3.2.1
• XDS Metadata
• XDS-MS + XDS-BPPC + XDS-SD
• Consent Document Digital Signature: IHE-DSG – Digital Signature, Signature value, Pointer to Consent document


Standards and Profiles Used

• HL7 CDA Release 2.0
• IHE - XDS Scanned Documents: PDF/A - ISO 19005-1b
• IHE - Document Digital Signature: XML-Digital Signature, XAdES
• IHE - Cross Enterprise Document Sharing
• IHE - Cross Enterprise Sharing on Media
• IHE - Cross Enterprise Reliable Interchange
• IHE - Cross Community Access


Using documents

XDS Registry Stored Query Transaction
• Consumer may request documents with specific policies
• Filtered response

XDS Consumer Actor
• Informed about confidentialityCodes -- Metadata
• Knows the user, patient, setting, intention, urgency, etc.
• Enforces Access Controls (RBAC) according to confidentiality codes
• No access given to documents marked with unknown confidentiality codes
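
Added example (not from the original slides or from IHE): a minimal consumer-side check that ties the slides together, with policies keyed by OID, a consent carrying an eventCodeList and a start/sunset effective time, and default-deny for unknown confidentiality codes. The policy table, role names, code values and the rule that every code on a document must be permitted are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed affinity-domain policy table: policy OID -> role -> confidentiality
# codes that role may read. OIDs, roles and codes are sample values.
POLICIES = {
    "9.8.7.6.5.4.3.2.1": {"physician": {"N", "R"}, "nurse": {"N"}},
    "9.8.7.6.5.4.3.2.2": {"researcher": {"N"}},
}

@dataclass(frozen=True)
class Consent:
    """Fields a consumer reads from a BPPC consent document and its metadata."""
    event_code_list: tuple  # policy OIDs the patient acknowledged
    start: date             # effective time: start
    sunset: date            # effective time: sunset

def permitted_codes(consents, role, today):
    """Union of confidentiality codes the role may read under in-force consents."""
    allowed = set()
    for c in consents:
        if not (c.start <= today <= c.sunset):
            continue  # consent not yet effective, or past its sunset
        for oid in c.event_code_list:
            # A policy OID missing from the table grants nothing.
            allowed |= POLICIES.get(oid, {}).get(role, set())
    return allowed

def filter_documents(docs, consents, role, today):
    """Return ids of documents whose every confidentiality code is permitted."""
    allowed = permitted_codes(consents, role, today)
    visible = []
    for doc_id, codes in docs:
        # Default deny: a document with no codes, or with any code outside the
        # permitted set (including codes this consumer does not know), is hidden.
        if codes and set(codes) <= allowed:
            visible.append(doc_id)
    return visible

# Constructed sample data: one consent, four documents.
CONSENTS = [Consent(("9.8.7.6.5.4.3.2.1",), date(2010, 1, 1), date(2010, 12, 31))]
DOCS = [("doc-1", ["N"]), ("doc-2", ["R"]), ("doc-3", ["X-UNKNOWN"]), ("doc-4", [])]

if __name__ == "__main__":
    print(filter_documents(DOCS, CONSENTS, "physician", date(2010, 6, 1)))
```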


XDR & XDM

XDR & XDM Same responsibilities
• Should include copy of relevant Consents
• Importer needs to coerce the confidentiality codes
• Need to recognize that in transit the document set may have been used in ways inconsistent (e.g. Physical Access Controls)


Informed by Privacy Policy Standards

• ISO IS22857 Trans-border Flow of Health Information
• ISO TS 26000 Privilege Management and Access Control (Parts 1, 2, draft 3)
• ASTM E1986 Standard Guide for Information Access Privileges to Health Information


Active Standards Work

OASIS
• Profile for how to express attributes in cross-organization (SAML, XACML, WS-Trust, WS-Federation, WS-Policy)

HL7
• Standard for Consent Directive Document
• Ontology for Security and Privacy (Permissions, Sensitivity, Healthcare User Roles, etc)
• Identified Privacy Policy Reference Catalog (opt-in, opt-out, ++)
• SOA model for Privacy/Security Access Control as a Service

IHE
• White Paper on overall Access Control Model for healthcare
• Updates to XUA profile to recognize user attributes such as role, intended-use, authentication level of assurance.

ISO
• ISO14265: Classification of purposes for processing personal health information


Questions?