Benefits for Veterans Mike Franks Accredited Veterans Service Officer.
24 Oct 2014 John “Mike” Davis Department of Veterans Affairs [email protected].
-
Upload
ronald-snow -
Category
Documents
-
view
217 -
download
1
Transcript of 24 Oct 2014 John “Mike” Davis Department of Veterans Affairs [email protected].
24 Oct 2014
John “Mike” DavisDepartment of Veterans [email protected]
We are on the cusp of a sea change in interoperability, population management, and clinical decision support. CCD led to CCDA which leads to FHIR for content summary exchange. The Direct protocol will evolve to a RESTful interface using OAuth/OpenID for trust fabric creation. However, we're not going to make the move to FHIR and REST unless pilots (followed by agile development of implementation guides) are funded to enable incremental progress. FHIR is too new and REST has too many industry skeptics. The pilots will create a tipping point which mitigates risk and enables progress. Dr. John Halamka
ONC/VA Privacy on FHIR Pilot Drivers :Vision
• Recommendations in the ONC 10 year plan “Connecting Health and Care for the Nation: A 10-Year Vision to Achieve an Interoperable Health IT Infrastructure" and on the MU 2017 Roadmap
• PCAST: “Realizing the Full Potential of Health Information Technology to Improve Healthcare for Americans: The Path Forward”
• AHRQ Jason Report: “ A Robust Health Data Infrastructure “
ONC/VA Privacy on FHIR Pilot Drivers :Embrace FHIR, JSON, REST and OAuth
ONC/VA Privacy on FHIR Pilot:Summary of Pilot Project Plan
1. What is it? On-Demand bi-directional exchange of Health Information with Selected Apps…What, When and How You Want it
2. Why do it? Test technical feasibility of using FHIR and associated privacy and security protocols to provide Patients with meaningful access, management and use of their own information.
3. Deliverables? Incremental pilot milestone demonstrations, Several ONC sponsored HIMSS 2015 Interoperability Booths, Open Source Reference Model for implementers
4. Who will do it? Collaborative of Stakeholders dedicated to demonstrating the benefits of HIT cloud capabilities for consumers and providers including:
ONC, VA, DoD, Vendors, Patient Privacy Rights, HL7 Standards Development Organization
ONC/VA Privacy on FHIR Pilot [PoF]:What is HL7 FHIR?
Fast Healthcare Interoperability Resources
• FHIR defines a set of "Resources" that represent granular clinical concepts managed in isolation, or aggregated into complex documents.
• FHIR is designed for the web: ― Simple XML or JSON structures, ― http-based RESTful protocol,― Each resource has a predictable URL.
• FHIR Security and Privacy follows HL7 Security Labeling, Data Segmentation, and Consent Directive standards
• FHIR is under development and has not yet reached full standard status
http://www.hl7.org/implement/standards/fhir/summary.html
ONC/VA Privacy on FHIR Pilot (PoF):Applying User Managed Access (UMA)-Oauth 2.0 Profile
Patient controls Who gets What
PoF Architecture leverages cloud Privacy and Security Services that Patients use daily as Online Consumers
User Managed Access (UMA) OpenID Connect / OAuth 2.0
7
ONC/VA Privacy on FHIR Pilot [PoF]:Introducing the Actors
Assumptions: The resource owner must be and is capable of labeling information with an arbitrary collection of sensitivity categories designated by the patient (e.g, the system must be capable of applying sensitivity labels for the patient designated categories).
Initial Conditions:• The patient creates their own personal list of sensitivities (HIV, ETH, Other, …) for Apps on FHIR • The RS will not share any of these categories without a clearance for that label in the App token• The patient grants Application clearances to sensitivities in #1 as desired via the AS• The AS issues tokens to Apps according to patient policy containing both authorizations to resources and clearances to sensitivities
Request/provide Authorizations:• App A requires IMMUZ including IMMUZ tagged with HIV; App B requires IMMUZ but not HIV and the patient does not want to share
HIV or any other category on their sensitive information list with App B• Based on patient authorizations, App A is provided a token for IMMUZ and clearance for HIV; APP B is provided a token for IMMUZ
Response:• App A receives IMMUZ including HIV tagged IMMUZ but no other sensitivities on the restriction list• App B receives IMMUZ but none tagged with sensitivities on the restriction list
PbD• The system is privacy protecting by default since RS does not share information designated sensitive by the patient without a token
containing the appropriate clearance• The patient chooses to share sensitive information, sharing is the patient’s choice
ONC/VA Privacy on FHIR Pilot (PoF):MY Apps on FHIR Workflow
My Privacy on FHIRShare Health Information Among Your Providers…Organizations, Apps, and Individuals…
IOTIOT
My Health Information Exchange on FHIRShare Health Information Among Your Providers…Organizations, Apps, and Individuals…
IOT
Verify TokenLabel/Transform Data9
Requ
estin
g O
rg.
Prov
ider
Org
.
HIE on FHIR (detail)
Resource Server(Receiving)
FHIR
Clie
nt
Authorization client
CDMS
GUIApprove
CD
1
Submit CD
07
Set Resource Authz Policy3
Resource Server
(Providing)
Protectionclient
FHIR API
10 Provide Data
Out of Band:
UMA Protection Flow:
UMA Authz. Flow:
Data Access Flow:
2 Acquire Protection Access Token (PAT) a
Register Resources & Scopesb
Acquire Authorization Access Token (AAT) a
Request Requesting Party Token (RPT)b
Issue and send RPTc
ACS
PPS/
SLS
Request for Data + Authz Token8RPT
Check Overarching Policies5
Redirect to AS6
Authorization API
Authorization Server
Prot
ectio
nAP
I
GUI
Request for Data4
Patient
AAT
a7
AAT
b7
RPT
c7PAT
b2
PAT
a2
Use your Information for Healthy Living, Wellness Management and Talking to Your Doctor Online
• My Personal Health Record• My Travel App (Immunizations)• My Diet Planner App (Diabetic)
My Apps on FHIRShare Health Information with Your Selected Apps…
What, When and How You Want it…All 24/7
Smart Phone ----- Tablet ----- Personal Computer
IOT
Use your Information for Healthy Living, Wellness Management and Talking to Your Doctor Online:
• My Personal Health Record
• My Travel App (Immunizations)
• My Diet Planner App (Diabetic)
My Apps on FHIRShare Health Information with Your Selected Apps…
What, When and How You Want it…
Smart Phone ----- Tablet ----- Personal Computer
all 24/7, wherever there is Internet access.IOT
EHR/
PHR
My Apps on FHIR
FHIR
Clie
nt
Authz Client
ApproveCD
1
Submit CD0
Provide Claims and Acquire Authz Token
6
Register Resources and Scopes
2
Authorize App3
Request for Data3
Resource server
Protectionclient
FHIR API
Provide Data9
Out of Band:
UMA Protection Flow:
UMA Authz. Flow:
Data Access Flow:
Authz Token + Request for Data7 ACS
PPS/
SLS
Verify TokenCheck Overarching Policies
Label/Transform Data8
Redirect to AS5Authorization
API
Authorization Server
Prot
ectio
nAP
I
GUI
CDMS
GUI
PatientMobile
App
Apply Resource
Privacy Marks
invokes
Privacy & Security Protective Services
Apply Resource
Protections
invokes
Request Policy
Submit Policy
Policy Management
Policy Management
invokes
Policy Enforcement Point
Policy Enforcement Point
Enforce Resource
Obligations
My “Apps on FHIR” Policy
ONC/VA Privacy on FHIR Pilot (PoF):MY Apps on FHIR Enforcement
Restrictions enforced by Resource Server Privacy Protective Service
Resource Server
(e.g.,Redact, Mask, Anonymize, Pseudononymize)
Patient creates their own personal sensitivities list (e.g., HIV, ETH, Other, …)
Privacy Protected
Privacy…Share Only What You Want. Your Sensitive Healthcare Information Stays Secure.
My Consent Directives on FHIR
IOT
RESTRICTED
My “HIE on FHIR” Policy
· Fine-grained restrictions on FHIR Resources· “Do Not Share” Organizations · Information restricted by clinical specialty· Certain named individuals
My “Apps on FHIR” Policy
· Fine-grained restrictions on FHIR Resources
Shar
eD
on’t
Shar
e
My Consent Directive
MarketingResearchEmergencyTreatment
NORMALNon-sensitive healthcare information shared for
treatment or other purposes
RESTRICTED
· Fine-grained restrictions on FHIR Resources
Don
’t Sh
are
My “Apps on FHIR” Policy
Auth
oriz
ation
s
RESTRICTED
· Clearances for specified sensitive information
NORMAL
Permissions that allow or disallow access to FHIR Resources provided by Resource Servers
IOT
Privacy…Share Only What You Want. Your Sensitive Healthcare Information Stays Secure.
Simple one-stop management of your privacy choices from one place for all your providers and Apps. Get a report of all disclosures
• Privacy by Design• Manage Your Apps• Choose what to Share
My Consent Directives on FHIR
IOT
RESTRICTED
My “HIE on FHIR” Policy
· Fine-grained restrictions on FHIR Resources· “Do Not Share” Organizations · Information restricted by clinical specialty· Certain named individuals
My “Apps on FHIR” Policy
· Fine-grained restrictions on FHIR Resources
Shar
eD
on’t
Shar
e
My Consent Directive
MarketingResearchEmergencyTreatment
NORMALNon-sensitive healthcare information shared for
treatment or other purposes
RESTRICTED
· Fine-grained restrictions on FHIR Resources
Don
’t Sh
are
My “Apps on FHIR” Policy
• Consent Directive Policy– Resource Authorizations– Restrictions
• Organizational restrictions• Role-Data Sensitivity Restrictions• Specific individual restrictions
– My Apps on FHIR Policy• Patient selected sensitivity restrictions(e.g. HIV, ETH, Other…)
• “Pre-Approved” policies to preserve automated workflow
• HL7 FHIR Consent Directive (Under Development)
ONC/VA Privacy on FHIR Pilot (PoF):My Consent Directive on FHIR Policy
Consent Directive Management Service 1/2
Application Authorization
ONC/VA Privacy on FHIR Pilot (PoF):My Consent Directive on FHIR Policy
Authorizations as Tokens, meeting App Information Requirements
and patient’s approval
Authorization Server 2/2
Authorization Server
Auth
oriz
ation
s
RESTRICTED
· Clearances for specified sensitive information
NORMAL
Permissions that allow or disallow access to FHIR Resources provided by Resource Servers
END