24 Oct 2014

John “Mike” DavisDepartment of Veterans Affairsmike.davis@va.go

We are on the cusp of a sea change in interoperability, population management, and clinical decision support. CCD led to CCDA which leads to FHIR for content summary exchange. The Direct protocol will evolve to a RESTful interface using OAuth/OpenID for trust fabric creation. However, we're not going to make the move to FHIR and REST unless pilots (followed by agile development of implementation guides) are funded to enable incremental progress. FHIR is too new and REST has too many industry skeptics. The pilots will create a tipping point which mitigates risk and enables progress. Dr. John Halamka

ONC/VA Privacy on FHIR Pilot Drivers :Vision

• Recommendations in the ONC 10 year plan “Connecting Health and Care for the Nation: A 10-Year Vision to Achieve an Interoperable Health IT Infrastructure" and on the MU 2017 Roadmap

• PCAST: “Realizing the Full Potential of Health Information Technology to Improve Healthcare for Americans: The Path Forward”

• AHRQ Jason Report: “ A Robust Health Data Infrastructure “

ONC/VA Privacy on FHIR Pilot Drivers :Embrace FHIR, JSON, REST and OAuth

ONC/VA Privacy on FHIR Pilot:Summary of Pilot Project Plan

1. What is it? On-Demand bi-directional exchange of Health Information with Selected Apps…What, When and How You Want it

2. Why do it? Test technical feasibility of using FHIR and associated privacy and security protocols to provide Patients with meaningful access, management and use of their own information.

3. Deliverables? Incremental pilot milestone demonstrations, Several ONC sponsored HIMSS 2015 Interoperability Booths, Open Source Reference Model for implementers

4. Who will do it? Collaborative of Stakeholders dedicated to demonstrating the benefits of HIT cloud capabilities for consumers and providers including:

ONC, VA, DoD, Vendors, Patient Privacy Rights, HL7 Standards Development Organization

ONC/VA Privacy on FHIR Pilot [PoF]:What is HL7 FHIR?

Fast Healthcare Interoperability Resources

• FHIR defines a set of "Resources" that represent granular clinical concepts managed in isolation, or aggregated into complex documents.

• FHIR is designed for the web: ― Simple XML or JSON structures, ― http-based RESTful protocol,― Each resource has a predictable URL.

• FHIR Security and Privacy follows HL7 Security Labeling, Data Segmentation, and Consent Directive standards

• FHIR is under development and has not yet reached full standard status

http://www.hl7.org/implement/standards/fhir/summary.html

ONC/VA Privacy on FHIR Pilot (PoF):Applying User Managed Access (UMA)-Oauth 2.0 Profile

Patient controls Who gets What

PoF Architecture leverages cloud Privacy and Security Services that Patients use daily as Online Consumers

User Managed Access (UMA) OpenID Connect / OAuth 2.0

7

ONC/VA Privacy on FHIR Pilot [PoF]:Introducing the Actors

Assumptions: The resource owner must be and is capable of labeling information with an arbitrary collection of sensitivity categories designated by the patient (e.g, the system must be capable of applying sensitivity labels for the patient designated categories).

Initial Conditions:• The patient creates their own personal list of sensitivities (HIV, ETH, Other, …) for Apps on FHIR • The RS will not share any of these categories without a clearance for that label in the App token• The patient grants Application clearances to sensitivities in #1 as desired via the AS• The AS issues tokens to Apps according to patient policy containing both authorizations to resources and clearances to sensitivities

Request/provide Authorizations:• App A requires IMMUZ including IMMUZ tagged with HIV; App B requires IMMUZ but not HIV and the patient does not want to share

HIV or any other category on their sensitive information list with App B• Based on patient authorizations, App A is provided a token for IMMUZ and clearance for HIV; APP B is provided a token for IMMUZ

Response:• App A receives IMMUZ including HIV tagged IMMUZ but no other sensitivities on the restriction list• App B receives IMMUZ but none tagged with sensitivities on the restriction list

PbD• The system is privacy protecting by default since RS does not share information designated sensitive by the patient without a token

containing the appropriate clearance• The patient chooses to share sensitive information, sharing is the patient’s choice

ONC/VA Privacy on FHIR Pilot (PoF):MY Apps on FHIR Workflow

My Privacy on FHIRShare Health Information Among Your Providers…Organizations, Apps, and Individuals…

IOTIOT

My Health Information Exchange on FHIRShare Health Information Among Your Providers…Organizations, Apps, and Individuals…

IOT

Verify TokenLabel/Transform Data9

Requ

estin

g O

rg.

Prov

ider

Org

.

HIE on FHIR (detail)

Resource Server(Receiving)

FHIR

Clie

nt

Authorization client

CDMS

GUIApprove

CD

1

Submit CD

07

Set Resource Authz Policy3

Resource Server

(Providing)

Protectionclient

FHIR API

10 Provide Data

Out of Band:

UMA Protection Flow:

UMA Authz. Flow:

Data Access Flow:

2 Acquire Protection Access Token (PAT) a

Register Resources & Scopesb

Acquire Authorization Access Token (AAT) a

Request Requesting Party Token (RPT)b

Issue and send RPTc

ACS

PPS/

SLS

Request for Data + Authz Token8RPT

Check Overarching Policies5

Redirect to AS6

Authorization API

Authorization Server

Prot

ectio

nAP

I

GUI

Request for Data4

Patient

AAT

a7

AAT

b7

RPT

c7PAT

b2

PAT

a2

Use your Information for Healthy Living, Wellness Management and Talking to Your Doctor Online

• My Personal Health Record• My Travel App (Immunizations)• My Diet Planner App (Diabetic)

My Apps on FHIRShare Health Information with Your Selected Apps…

What, When and How You Want it…All 24/7

Smart Phone ----- Tablet ----- Personal Computer

IOT

Use your Information for Healthy Living, Wellness Management and Talking to Your Doctor Online:

• My Personal Health Record

• My Travel App (Immunizations)

• My Diet Planner App (Diabetic)

My Apps on FHIRShare Health Information with Your Selected Apps…

What, When and How You Want it…

Smart Phone ----- Tablet ----- Personal Computer

all 24/7, wherever there is Internet access.IOT

EHR/

PHR

My Apps on FHIR

FHIR

Clie

nt

Authz Client

ApproveCD

1

Submit CD0

Provide Claims and Acquire Authz Token

6

Register Resources and Scopes

2

Authorize App3

Request for Data3

Resource server

Protectionclient

FHIR API

Provide Data9

Out of Band:

UMA Protection Flow:

UMA Authz. Flow:

Data Access Flow:

Authz Token + Request for Data7 ACS

PPS/

SLS

Verify TokenCheck Overarching Policies

Label/Transform Data8

Redirect to AS5Authorization

API

Authorization Server

Prot

ectio

nAP

I

GUI

CDMS

GUI

PatientMobile

App

Apply Resource

Privacy Marks

invokes

Privacy & Security Protective Services

Apply Resource

Protections

invokes

Request Policy

Submit Policy

Policy Management

Policy Management

invokes

Policy Enforcement Point

Policy Enforcement Point

Enforce Resource

Obligations

My “Apps on FHIR” Policy

ONC/VA Privacy on FHIR Pilot (PoF):MY Apps on FHIR Enforcement

Restrictions enforced by Resource Server Privacy Protective Service

Resource Server

(e.g.,Redact, Mask, Anonymize, Pseudononymize)

Patient creates their own personal sensitivities list (e.g., HIV, ETH, Other, …)

Privacy Protected

Privacy…Share Only What You Want. Your Sensitive Healthcare Information Stays Secure.

My Consent Directives on FHIR

IOT

RESTRICTED

My “HIE on FHIR” Policy

· Fine-grained restrictions on FHIR Resources· “Do Not Share” Organizations · Information restricted by clinical specialty· Certain named individuals

My “Apps on FHIR” Policy

· Fine-grained restrictions on FHIR Resources

Shar

eD

on’t

Shar

e

My Consent Directive

MarketingResearchEmergencyTreatment

NORMALNon-sensitive healthcare information shared for

treatment or other purposes

RESTRICTED

· Fine-grained restrictions on FHIR Resources

Don

’t Sh

are

My “Apps on FHIR” Policy

Auth

oriz

ation

s

RESTRICTED

· Clearances for specified sensitive information

NORMAL

Permissions that allow or disallow access to FHIR Resources provided by Resource Servers

IOT

Privacy…Share Only What You Want. Your Sensitive Healthcare Information Stays Secure.

Simple one-stop management of your privacy choices from one place for all your providers and Apps. Get a report of all disclosures

• Privacy by Design• Manage Your Apps• Choose what to Share

My Consent Directives on FHIR

IOT

RESTRICTED

My “HIE on FHIR” Policy

· Fine-grained restrictions on FHIR Resources· “Do Not Share” Organizations · Information restricted by clinical specialty· Certain named individuals

My “Apps on FHIR” Policy

· Fine-grained restrictions on FHIR Resources

Shar

eD

on’t

Shar

e

My Consent Directive

MarketingResearchEmergencyTreatment

NORMALNon-sensitive healthcare information shared for

treatment or other purposes

RESTRICTED

· Fine-grained restrictions on FHIR Resources

Don

’t Sh

are

My “Apps on FHIR” Policy

• Consent Directive Policy– Resource Authorizations– Restrictions

• Organizational restrictions• Role-Data Sensitivity Restrictions• Specific individual restrictions

– My Apps on FHIR Policy• Patient selected sensitivity restrictions(e.g. HIV, ETH, Other…)

• “Pre-Approved” policies to preserve automated workflow

• HL7 FHIR Consent Directive (Under Development)

ONC/VA Privacy on FHIR Pilot (PoF):My Consent Directive on FHIR Policy

Consent Directive Management Service 1/2

Application Authorization

ONC/VA Privacy on FHIR Pilot (PoF):My Consent Directive on FHIR Policy

Authorizations as Tokens, meeting App Information Requirements

and patient’s approval

Authorization Server 2/2

Authorization Server

Auth

oriz

ation

s

RESTRICTED

· Clearances for specified sensitive information

NORMAL

Permissions that allow or disallow access to FHIR Resources provided by Resource Servers

END