Friday, May 19, 2017

Clarification of Affinity Domains

The Question: I've worked with the XDS.b and XCA profiles for a few years now, but am no means an expert. I've never understood exactly what an affinity domain is. Could someone give an explanation of an affinity domain?

XDS Affinity Domain

Affinity Domain is more properly an "XDS Affinity Domain". The term is specific to XDS. It does not apply to XCA, as XCA uses the term "Community" in a rather similar but more expansive.

an XDS Affinity Domain -- derived from the word "affinity". Which among the many definitions has these -- These from Merriam-Webster definition for "affinity"
  • sympathy marked by community of interest : 
  • an attraction to or liking for something 
    • people with an affinity to darkness — Mark Twain 
    • pork and fennel have a natural affinity for each other — Abby Mandel
  • an attractive force between substances or particles that causes them to enter into and remain in chemical combination
  • a person especially of the opposite sex having a particular attraction for one
In the IHE Glossary
  • A group of healthcare enterprises that have agreed to work together using a common set of policies and which share a common infrastructure of repositories and a registry.
Essentially it is a term we use in XDS to encompass all the actors, systems, technology, policy, procedure, people, and ether. A set of XDS Metadata codes that the Registry will enforce. A set of document types that are considered acceptable by the Affinity Domain. Agreement on how Authorization will be done, including Consent, Role-Based-Access-Control, and Break-Glass.

See section 10.4.8 of volume 1 "Concept of an XDS Affinity Domain"

An XDS Affinity Domain is an administrative structure made of a well-defined set of Document Source Actors, set of Document Repositories, set of Document Consumers organized around a single Document Registry Actor that have agreed to share clinical documents.

Note: Document Sources, Repositories and Consumers may belong to more than one XDS Affinity Domain and share the same or different documents. This is an implementation strategy and will not be further described.

Note: The XDS Profile does not support the federation of XDS Affinity Domains directly, but the Cross-Community Access (XCA) Profile addresses the cooperation of multiple Document Registry Actors serving different XDS Affinity Domains.

A number of policies will need to be established in an XDS Affinity Domain in order to ensure effective interoperability between Document Sources and Consumers. Some of the key technical policies include (A more extensive list of policy agreements that need to be made by XDS Affinity Domains is discussed in ITI TF-1: Appendix L):

1. The document formats that will be accepted for registration

2. The various vocabulary value sets and coding schemes to be used for the submission of metadata of document, submission set and folders registration.

3. The Patient Identification Domain (Assigning Authority) used by the Document Registry.

See ITI TF-1: Appendix K for a detailed discussion of the concepts of XDS Affinity Domain.

For which the Handbook on XDS Affinity Domain planning is important.

XCA Community

The difference between "XDS Affinity Domain" and the XCA "Community" is that IHE has much less to say about the requirements of a Community. There are cases where a Community is an XDS Affinity Domain; but XCA allows for many other forms of Community. Common variant of a Community is a large hospital system (like the VA where I now work). In those cases the Community is understood only as the stuff behind the XCA gateways. There is no mandate about code validation by a Registry, no mandate about use of ATNA, no mandate about use of CT, etc. There is no defined way to create registry entries. There is no requirement to support folders, associations, and extensions.

The additional difference is that a Community can contain other Communities. IHE is rather silent on this. This silence was driven more by the desire to get experience with nested communities, routing communities, proxy communities, etc. We have heard of some interest in resolving this, and I would encourage a new work item.

In the IHE Glossary
  • A community is defined as a group of facilities/enterprises that have agreed to work together using a common set of policies for the purpose of sharing health information via an established mechanism. Membership of a facility/enterprise in one community does not preclude it from being a member in another community

Some more background articles

Thursday, May 18, 2017

Consent to deny Sharing for Treatment and Emergency Break-Glass

We have discussed in years past that Australia had a Privacy Consent where break-glass was not allowed. We understand that has changed to allow break-glass. Thus we didn't know of a case where a Consent forbid break-glass... I have been made aware of Utah HIE that has a checkbox on their Consent to forbid break-glass. This is a consent only for HIE, not for within a hospital environment; but it is relevant to our FHIR consent (and CDA consent) work. Thus I think it is useful for us to provide it as an example, and work through how it might be expressed.

The Utah HIE Consent Form is
https://uhin.org/wp-content/uploads/2017/01/cHIE_Patient_Participation_Form.pdf

Note, that in the context of a FHIR consent; this URL could be used as the Policy URI...  It is a general form that the Patient has some check boxes they can choose.

So given that we have an example that forbids Treatment but allows Break-Glass  (Note spell check needed)    http://build.fhir.org/consent-example-Emergency.html

We should likely create an example that forbids both Treatment and Emergency (Break-Glass). Something like this:

<Consent xmlns="http://hl7.org/fhir">  <id value="consent-example-No-Emergency"/> 
<text>
<status value="generated"/>
<div xmlns="http://www.w3.org/1999/xhtml">
<p>   Withhold Authorization for Treatment and for Emergency Treatment  </p> <p>     
Patient &quot;P. van de Heuvel&quot; wishes to have no data shared for Treatment or Emergency treatment use.   
An overall consent Directive, with an exception 
&quot;Deny&quot; of purposeOfUse &quot;TREAT&quot; sharing use and
&quot;Deny&quot; of purposeOfUse &quot;ETREAT&quot; sharing use
at &quot;Infoway&quot; HIE.   </p>
</div>
</text> 
<status value="active"/>
<category>
    <coding>
   <system value="http://loinc.org"/>
<code value="57016-8"/>
<display value="Privacy policy acknowledgement Document"/>
</coding>
</category>
<patient>
<reference value="Patient/f001"/>
<display value="P. van de Heuvel"/>
</patient> 
<dateTime value="2017-05-08"/>
<!--   not bound by a timeframe - Consent.period   -->
<!--   I assume the example given is Canada Infoway wide???  AND I assume it is desired to   state that in the Consent.authority element   -->
<organization>
<reference value="Organization/Infoway"/>
<display value="Canada Infoway"/>
</organization>
<!--   the text terms of the consent in lawyer speak   -->
<sourceAttachment>
<title value="The terms of the consent in lawyer speak."/>
<!--   likely use url pointer to common text   -->
</sourceAttachment> 
<!--       this is opt-out - e.g. nothing approved unless otherwise stated.    -->
<policyRule value="https://uhin.org/wp-content/uploads/2017/01/cHIE_Patient_Participation_Form.pdf"/> 
<!-- this policyRule is a multiple use policy. The Patient has expressed       both deny Treatment and deny Emergency  -->
<except>
<type value="deny"/>
<purpose>
<system value="http://hl7.org/fhir/v3/ActReason"/>
<code value="TREAT"/>
</purpose>
</except>
<except>
<type value="deny"/>
<purpose>
<system value="http://hl7.org/fhir/v3/ActReason"/>
<code value="ETREAT"/>
</purpose>
</except>
</Consent> 
I have filed a FHIR Change Request 13420

Other Privacy Consent topics 

Corrected the example to make more clear it is a "Privacy Consent" by specifying the Consent.category.

Wednesday, May 17, 2017

Two new IHE Profiles on #FHIR - Provider Directory and File Management

Public Comment opens for Provider Directory and File Manager --- both using FHIR STU3


IHE IT Infrastructure Technical Framework Supplements Published for Public Comment

The IHE IT Infrastructure Technical Committee has published the following supplements to the IHE IT Infrastructure Technical Framework for public comment in the period from May 17 through June 16, 2017:
  • Mobile Care Services Discovery (mCSD)
  • Non-patient File Sharing (NPFS)
The documents are available for download at http://ihe.net/Public_Comment. Comments submitted by June 16, 2017 will be considered by the IHE IT Infrastructure Technical Committee in developing the trial implementation version of the supplements. Comments can be submitted at IT Infrastructure Public Comments.


Wednesday, May 10, 2017

FHIR OAuth scope proposal using FHIR query parameters

In FHIR STU3 there are now some common query parameters. I propose that these common query parameters can be used to advance the OAuth scopes that are defined today. The current SMART scopes are based on simple vectors:

  1. Patient vs 'user' -- 
    1. Where a scope of 'patient' means all results must be from that one patient
    2. Where scope of 'user' means all results are relative to that user rights to data
  2. fhir-resource --
    1. Where a FHIR Resource named will limit results to only that Resource type
    2. This is a valueset of fixed strings (e.g. "Observation", etc)
  3. REST operation


Expressed in EBNF notation, the clinical scope syntax is:

clinical-scope ::= ( 'patient' | 'user' ) '/' ( fhir-resource | '*' ) '.' ( 'read' | 'write' | '*' )

To understand the current OAuth scope see a few other articles:
So, if the OAuth authority authorizes the user to access the patient requested, as defined in the launch context, for only Observations, and only read operations. This would be a scope of
patient/Observation.read
A problem with this is that the actual identifier of the "Patient" is undefined. For SMART this is handled by the 'launch context'.

Propose using common "patient" query parameter for patient scope

With the new FHIR STU3 common shared query parameters, we could identify the specific patient within the Scope. There is a common query parameter for "patient" against 35 different Resources. This has an advantage to be specific, but has a disadvantage that the scopes are not made up of static strings. I would like to suggest that this use of shared query parameters would be a replacement form the first part of the SMART scopes.

So, rather than relying on the SMART launch context to hold the patient identifier. The example with a patient of 'http://myserver.example/fhir/Patient/f5c7395'

patient="http://myserver.example/fhir/Patient/f5c7395"/Observation.read
or, we could add it to the end.  I think this more powerful.
Observation.read#patient="http://myserver.example/fhir/Patient/f5c7395"
Which is 

clinical-scope ::= ( fhir-resource | '*' ) '.' ( 'read' | 'write' | '*' ) '#' ( query | '*')

I a proposing this without working out all the issues. I just want the scope to include the patient. 

Scope is Not Query parameters
This is NOT a proposal to force these query parameters and trust server search capability. This might be one thing done to make it efficient, but won't work perfectly as not all. The use of search parameters will just help with positive matches; but will not be perfect against false-positives or false-negatives. It will also fail when the other parts of the query are creatively authored to cause the wrong thing to happen.

The scope does need to be ENFORCED. The Resource server is expected to enforce the scope without fail. This is what I mean by more than just query. Most important is inspecting the resulting Bundle to assure that no content is contained in the Bundle that doesn't fit within the Scope.

More common query parameters

Some of the other common search parameters that might be useful:
  • _id -- when the scope is restricted to exactly ONE resource
  • _tag -- when the scope is restricted generally to some tag
  • _profile -- when the scope is restricted to some specific _profile tag
  • _security -- when the scope is restricted to some vocabulary from the HCS (e.g. confidentiality of "N" normal)
  • encounter -- when the scope is restricted to a specified encounter

Clearly missing but needed

There are some important vectors in Privacy space that are missing:
  • Timeframe for when the data was created - used to hide timeframe or enable a timeframe
  • Authored by - used when policy allows only data authored by some org or user
Note, scope is not everything. Where the user is forbidden, they get no authorization at all.

Also, I don't propose how to use negative scopes. Such as this user (Provider) can see any data but not patient Mary.

Not Done Yet

This is not a final solution. I am just putting this out there for discussion. Simply to bring up options for discussion on how to make improvements to Scope. The unfortunate facts of healthcare is that the needs for scope is a complex of multiple vectors; and failure is severe when not appropriately protected or when not appropriately available. Both false positive and false negative can have severe effects.


See my other FHIR articles

Monday, May 1, 2017

IHE ITI on FHIR

IHE ITI has a set of profiles on FHIR existing in Trial Implementation today. These were written against FHIR DSTU2. These have been updated to STU3, now in ballot for members of the ITI Technical Committee to comment and vote on.  Details and access to the ballot drafts of these documents is available from the ballot.
The IHE ITI Technical Committee is also working on new profiles using FHIR. These will be further discussed in later articles.
  • Mobile Care Services Discovery (mCSD)
  • Non-Patient File Sharing (NPFS)
  • Access to Document-extracted Data-elements (ADD) 
    • Formerly: Patient Centric Element Location
    • This is a profile that combines XDS/MHD and QEDm to describe how a Document Sharing environment can provide more fine grain access (Resource) to data shared as documents. 
    • This profile does rely on creative systems engineering to decompose the documents into the FHIR resources. This might leverage CDA-on-FHIR, or some other methodology. This methodology is not specified.
    • What is specified is that the fine grain details must have Provenance pointing at the Documents from which the data came. This enables a consumer to retrieve using XDS or MHD the document from which the fine grain details came from.
The IHE ITI and PCC are working jointly on one as well:
IHE ITI is also working on one non FHIR Profile
  • Remove Metadata and Document (RMD)
    • This is a profile on XDS for administrative ability to remove metadata entries and remove documents
Lastly IHE Document Digital Signature (DSG) Profile approved for Final Text

Thursday, April 27, 2017

IHE Document Digital Signature (DSG) Profile approved for Final Text

Today the IHE ITI Technical and Planning committees approved the Document Digital Signature (DSG) Profile be moved into Final Text. This Document Profile defines a way to support Digital Signatures, including when those Documents are managed in a Document Sharing infrastructure. This DSG Profile is referenced in many places where adding a Digital Signature to a document would be beneficial, such as Consent, Legal Evidence, etc.

There is more interest in digital signatures driven by some Anti-Fraud use-cases. I think there will be more interest driven by Patient Authored content.

The main problem with Digital Signatures is NOT the standards, it is the Policies and overhead in issuing proper Digital Identity (PKI). Once there are Digital Certificates issued for the purpose of Digital Signatures, then there are many use-cases that can be enabled. However that first justification of the costs is very hard to do, and somehow combining justifications just never seems to happen.

The Document Digital Signature (DSG) profile is a Document Content profile that provides general purpose methods of digitally signing of documents for communication and persistence. This method can be used within a Document Sharing infrastructure (e.g., XDS, XCA, XDM, XDR, and MHD).

Electronic documents are being increasingly relied upon in healthcare. Signatures have been a part of the electronic documentation process in health care and have traditionally been indicators of accountability. Reliable exchange of data between disparate systems requires a standard that implements non-repudiation to prevent document creators from denying authorship and rejecting responsibility.

DSG supports:
  1. An Enveloping Signature is a Digital Signature Document that contains both the signature block and the content that is signed. Access to the contained content is through removing the Enveloping - Digital Signature. Among other uses, this method should not be used with Document Sharing infrastructure.
  2. A Detached Signature is a Digital Signature Document that contains a manifest that points at independently managed content. Detached signatures leave the signed document or documents in the original form. Among other uses, this method is recommended for use with a Document Sharing infrastructure to support Digital Signatures, as this method does not modify the original Document Content. This method uses the Document Sharing “SIGNS” relationship provide linkage.
  3. A SubmissionSet Signature is a Detached Signature Document that attests to the content in a SubmissionSet by: containing a manifest of all the other Documents included in the SubmissionSet, and a reference to the SubmissionSet. The Document Sharing “SIGNS” relationship may be used but is not required.
The digital signature standard is XML-Signature using XAdES-L-T profile, which brings inside the certificate and a timestamp; and we utilize the CommitmentTypeIndication for Purpose Of Signature. Thus we just bind in a vocabulary specific to Healthcare needs.

We did not include the new CDA digital signature. This is not because it isn't useful or interesting, but more because that would have been a very different technology. Those that want this profiled by IHE, should bring a New Work Item Proposal to profile it.

Reflecting FHIR FMM in IHE Profiles

IHE is creating many Profiles using FHIR. Given that FHIR is still "Standard for Trial Use" (STU), and thus there is a "Maturity" concern. This maturity concern is communicated in FHIR STU3 through a "FHIR Maturity Model" (FMM) evaluation number on each Resource and other parts. These FMM number indicate to the FHIR audience a stability and readiness for use. This is an important communication tool.

I am proposing within IHE that they reflect these FMM to the cover page of the IHE Profile so that the reader of the IHE Profile supplement understands the stability and readiness for use evaluation.

These FMM evaluations are only a construct for the STU and "Trial Implementation" phases. The FHIR Resources used must go to Normative, before the IHE Profile can go "Final Text".

So for example PDQm is based on Bundle, OperationOutcome, and Patient. All of which are at FMM level 5. So the title page of PDQm looks like:



Where as MHD is based on a broader set of  FHIR STU3 defined resources --  DocumentReference 3, DocumentManifest 2, List 1, Patient 5, Practitioner 3, OperationOutcome 5, and Bundle 5. FHIR Maturity Level (FMM) range 1-5


These updates to the IHE profiles will soon be seen in a CP ballot, and then published on the IHE web site. Right now they are being worked by the ITI workgroup.