Authorized Release of Informationto a Trusted Entity
and the NwHIN Exchange
July 11, 2012
SSA Background
• Over 3 million initial disability applications a year• Over 15 million requests for medical evidence each
year (3-4 medical records per case)• 500,000 sources: doctors, hospitals, etc• SSA is not a HIPAA covered entity• Require a patient’s authorization to obtain medical
records• Initial Federal Agency on the Nationwide Health
Information Network (NwHIN) Exchange
2
SSA and the NwHIN Exchange
3
August, 2008 - Partnered with Beth Israel Deaconess Medical Center to build a prototype
February, 2009 - Partnered with MedVirginia, a Health Information Exchange, to become the first to exchange medical information over the NwHIN Exchange
February, 2010 - 12 contracts awarded to medical networks and providers using Recovery Act funds to expand the health IT project to 13 states
2011 - 2013 – Recovery Act partners in production, pilots with VA / DoD and Kaiser Permanente, and targeted recruitment of new partners and expansion of existing
In 2012, we will continue efforts to expand out to new partners
for Social Security’s health IT initiative
Where are we today
4
Partners in Production:• Beth Israel Deaconess Medical Center• MedVirginia / MedVirginia Centra• Oregon Community Health Information Network• EHR Doctors• Douglas County Individual Practice Association• Marshfield Clinic• Inland Northwest Health Services• Community Health Information Collaborative• Wright State University• HealthBridge• LCF/New Mexico Health Information Collaborative• Regenstrief / Indiana Health Information Exchange• Southeastern Michigan Health Association
Production Locations:
In Production in 2012 -2013:• VA/DoD Pilot• Kaiser Permanente Pilot• Additional Partners
SSA receives health IT data from 13 states with additional plans of expansion
Partners in Production
Partners Pending Production
Authorized Release of Informationto a Trusted Entity Use Case
• Use Case Scenario– Social Security Administration requests medical
documentation from a healthcare provider with the patient’s authorization
5
ClaimantClaimant SSA/DDSSSA/DDS ProvidersProviders
File Disability ClaimFile Disability Claim Request EvidenceRequest Evidence
Claim DeterminationClaim Determination Medical EvidenceMedical Evidence
Patient Authorization Patient Authorization
SSA – 827 (Patient Authorization)
• Requestor• Responder• Purpose• Effective Date• Effective Timeframe• Type of Information
Requested• Signed
6
NwHIN Specifications & Standards• Content Structure
– HL7 CDA Release 2 CCD – HITSP C32– HITSP C62– Unstructured Documents (pdf,
txt, doc, rtf, tif, jpg, gif, png)
• Vocabulary & Code Sets– ICD-9-CM– Systematized Nomenclature of
Medicine--Clinical Terms (SNOMED-CT)
– Logistical Observation Identifiers names and Codes (LOINC)
7
• Consent Structure– IHE Basic Patient Privacy
Consents
• Transport and Security– Messaging Platform – Authorization Framework – Web Services Registry– Patient Discovery – Query for Documents– Retrieve Documents– Access Consent Policy
NwHIN Exchange Transaction Flow
8
SSAHealth IT Partner
(NHIE)
1. Patient Discovery Request
9. Query for Documents Request (Clinical Document)
11. Retrieve Document Request (Clinical Document)
12. Retrieve Document Response (Clinical Document)
10. Query for Document Response (Clinical Document)
8. Patient Discovery Response
3. Query for Documents Request (Access Consent)
5. Retrieve Document Request (Access Consent)
6. Retrieve Document Response (Access Consent)
4. Query for Document Response (Access Consent)
2. Access Control
Decision
7. Access Control
Decision
PatientAuthorization
ClinicalDocuments
Standards per Transaction# Transactions
Vocabulary & Code Set
Content & Structure
Transport & Security
Access Services
Cross Functional
1 1. Patient Discovery RequestMessaging PlatformAuthorization FrameworkPatient Discovery
Web Services Registry
NwHIN Exchange
2
Access Consent
3. Query for Documents Request4. Query for Documents Response
LOINC
Messaging PlatformAuthorization FrameworkQuery for DocumentAccess Consent Policy
Web Services Registry
NwHIN Exchange
3
Access Consent
5. Retrieve Document Request6. Retrieve Document Response
IHE BPPC
Messaging PlatformAuthorization FrameworkRetrieve DocumentAccess Consent Policy
Web Services Registry
NwHIN Exchange
4 8. Patient Discovery ResponseMessaging PlatformAuthorization FrameworkPatient Discovery
Web Services Registry
NwHIN Exchange
5
Clinical Document
9. Query for Documents Request10. Query for Documents Response
LOINCMessaging PlatformAuthorization FrameworkQuery for Document
Web Services Registry
NwHIN Exchange
6
Clinical Document
11. Retrieve Document Request12. Retrieve Document Response
ICD-9-CMSNOMED-CTLOINC
HL7 CCDHITSP C32 & C62Unstructured Documents (pdf, txt, doc, rtf, tif, jpg, gif, png)
Messaging PlatformAuthorization FrameworkRetrieve Document
Web Services Registry
NwHIN Exchange
9
SAML Security Assertion• Subject ID - MEGAHIT• Subject Organization - Social Security Administration• Subject Organization ID - 2.16.840.1.113883.3.184• Subject Role - SNOMED-CT (106328005) – Social
Worker• Purpose of Use - Coverage• Patient Identifier – encoded per the NwHIN
Authorization Framework specification
10
Authorization Decision Statement
• NwHIN Exchange uses a Authorization Decision Statement to allow an entity to assert the requester should be permitted to execute the transaction based on a specific security policy
• Access Consent Policy and Authorization Framework specifications define the format of the policy
11
Access Consent Policy XDS Metadata
XDS Metadata Value
availabilityStatus urn:oasis:names:tc:ebxml-regrep:StatusType:Approved
classCode 57016-8 (LOINC)
classCode DisplayName Privacy Policy Acknowledgement
confidentialityCode N (Normal)
formatCode urn:ihe:iti:bppc-sd:2007
formatCode codeSystem 1.3.6.1.4.1.19376.1.2.3
healthcareFacilityTypeCode 385432009 (SNOMED CT code for Not Applicable)
mimeType text/xml
practiceSettingCode 385432009 (SNOMED CT code for Not Applicable)
serviceStartTime Effective start date of privacy policy (authorization)
serviceStopTime Effective end date of privacy policy (authorization)
Title AUTHORIZATION TO DISCLOSE INFORMATION TO THE SOCIAL
SECURITY ADMINISTRATION12
Questions
13
For Further Information
• Contact– Marty Prahl ([email protected])– Tom Davidson ([email protected])– Bob Hastings ([email protected])
14
Reference Materials• NwHIN Exchange Technical Specifications (all of the specifications can be found at
http://www.nationalehealth.org/technical-specifications • Patient Discovery (requestor only) -
http://www.nationalehealth.org/ckfinder/userfiles/files/Technical%20Specs/Patient_Discovery_Production_Specification_v2_0.pdf
• Query for Documents (requestor only) - http://www.nationalehealth.org/ckfinder/userfiles/files/Technical%20Specs/QueryforDocumentsProductionSpecification_v3_0.pdf
• Retrieve Documents (requestor only) - http://www.nationalehealth.org/ckfinder/userfiles/files/Technical%20Specs/Retrieve_Documents_Production_Specification_v3_0.pdf
• Access Consent Policy (responder only) - http://www.nationalehealth.org/ckfinder/userfiles/files/Technical%20Specs/AccessConsentPoliciesProductionSpecification_v1_0.pdf
• Core Capabilities that support the above transactions Messaging Platform -http://www.nationalehealth.org/ckfinder/userfiles/files/Technical
%20Specs/MessagingPlatformProductionSpecification_v3_0.pdf Authorization Framework -
http://www.nationalehealth.org/ckfinder/userfiles/files/Technical%20Specs/AuthorizationFrameworkProductionSpecification_v3_0.pdf
15