Wednesday, February 5, 2014

Enabling Patients to Delegate Healthcare Information Access Authority

In the USA there is interest in defining goals to improve Patient ability to delegate personal representatives, specifically regarding accessing through the internet to the patient's healthcare information.:
The Health IT Policy Committee’s Privacy and Security Tiger Team is considering potential privacy and security policy issues that could arise when a family member, friend or legal designee is given access to patient information through the Certified EHR Technology “view/download/transmit” (V/D/T) capabilities. More from the HealthIT.Gov Blog

Here is my perspective given the current state of Privacy and Security standards and policy:

Set a Privacy Authorization Horizon Goal

I think that HHS/ONC needs to set a clear horizon that includes a reasonable yet powerful concept of what controls a patient should have regarding delegation and accessibility. However this horizon should be seen as something achievable in 12-15 years. This should be a detailed horizon that privacy advocates can agree with. This should meet the needs of special interests. This should be internationally friendly. This should  embody what Privacy really means. Defining Privacy

Define Stepping Stones to that Horizon

Backing back from that there should be a set of reasonable stepping stones that get us to that horizon. Each step should include a spec benefit over the previous step. Privacy Consent State of Mind. Each step should be expected to be 'state-of-the-art' for at least three years. Too small of a step and there is going to be resistance, too large a step and there will similarly be resistance. Many facilities will find it easy to hit these stepping stones, and might choose to take two steps; but the majority as a whole (median) would find each step reasonable and useful. The reason to have a detailed horizon is to make sure that we all agree to the destination and that by whatever pathway taken end up in the same place. Without a detailed horizon we will have very unclear results, some might say we will get no results without a clear horizon.

I think the biggest problem HHS/ONC has is the various state laws/regulations, and the various levels of special health topics. This makes it very hard to have an initiative driven at the federal level. Which might mean that at best they can set guidelines for technology, and not practice. It is not likely they can, through this horizon, get harmonization of regulations over the 10-15 years; but it might be a side benefit of having a well-defined horizon that is privacy advocate approved and internationally acceptable.

Simple is a good place to start

I expect the first step to be very blunt authorizations that use paper to authorize electronic access to all data, a proxy. Clearly would need to recognize state and federal rules that force the issue. These forced exceptions are handled at a high-level policy and thus don't need special call out in patient-by-patient authorization rules. This first step addresses cases where delegation of rights is rather complete: Like medical guardian, deceased, parent of minor. This first step would not support cases where the delegator has some medical conditions or medical history that they want to keep from the delegate. This needs to be made clear is a horizon desire, but not a first step goal. This first step is not unlike the blunt 'consent' for patient treatment, so it is similar except the 'authorization' is to a non-provider for assistance with care decisions. This 'authorization' would be similar to the blunt authorization the patient gives to others for business reasons, like insurance payment from automobile accident.

Break-Glass must be written into Consent Authorization Policies

Often I hear about 'break-glass'. This MUST be build into the policy. This is not an afterthought. The policy must be very clear what access is allowed and what is not. Inside this detail is the specifics about what kinds of glass is allowed to be broken, and what kind of cleanup will be done when the glass is broken. Simple and Effective HIE Consent

Quilting the details from different perspectives

I think the second step is to allow the patient to segment data by some vector. I am not sure what is the most reasonable vector but by this second step this capability should become more clear:
  • date-of-service. That is to identify a date range that is either authorized or not authorized. This doesn't differentiate between kinds of data, but would typically be able to segment specifically sensitive episodes of care.
  • broad categories of data. Discharge Summary, History & Physical, Consultation Reports, ER Reports, Lab Reports, EKG, AIDS/HIV Test/treatment, Alcohol/Drug abuse, Mental Health, Development Disabilities, Team Conference Reports, Therapy Evaluations, X-Ray Reports, X-Ray Films.
Likely another functionality is to put limitations on the purposes for which the data could be used: Further medical care, Application for insurance, Disability determination, legal investigation, vocational rehab, payment of claims, or for the patient own consumption.

Electronic Authorizations will take many years

Third step is when electronic authorizations happen. In my view this cannot happen for at least 10 years from now. There are efforts like NSTIC that are helping create a framework for trusted identities in cyberspace, but going from having a trusted identity to legally binding authorization is a big step. This is an important point to be made.There is much to be done before this is fully available: not just standards but policy and social change.

One functionality that I often hear as needed is where the patient can identify those individuals that shall NOT have access to the data. Writing rules in the 'negative' seems easy, enforcing negative rules is very hard. Especially if the negative rule is preventing someone that is very motivated and very capable.

Paper is not always a bad thing

This doesn't mean that the paper authorizations from before are not electronically enacted, they should be. These previous stepping stones should take the paper authorization form, after proper manual processing for legal purposes are converted into electronic 'tokens', such as IHE - Privacy and Security Profiles - Basic Patient Privacy Consents (IHE-BPPC), that are acted upon automatically using an access control rules engine, such as XACML. All the logic that controls the release should be automated, just the step of getting authorization should start purely paper based. The act by the patient of authorizing access doesn't happen very often, so it won't gain that much from automation. Yet failing to capture the authorization properly can do damage, it can offer attackers the ability to set their own rules.

Some Providers will be ahead of the curve

I will note that I went to my healthcare provider patient portal today and found that they have an online a mechanism where I could see the records of those that have been delegated to me. I feel BlueButton advancement. To authorize this delegation of rights does require paperwork, that I can download and print from this portal. My children are old enough that we don't have automatic access anymore. My youngest is in a age range that Wisconsin has some specific restrictions around. My oldest is beyond 18. We have not done any paperwork to gain access. This tells me that delegation in a broad sense is likely to be authorized by old-style-paper, but enabled electronically. My electronic access now includes the ability to download my medical summary (blue-button) in CCD format as part of an XDM bundle. This XDM bundle can be non-encrypted or encrypted. Rather nice experience. I think my experience is more advanced than those of my peers in other states.


Patient Privacy controls (aka Consent, Authorization, Data Segmentation)

Access Control (Consent enforcement)

Audit Control

Tuesday, February 4, 2014

I feel BlueButton advancement

Many of the people I work with in standards world are frustrated at their lack of access to their own health information. My experience here in Wisconsin has been very different. Even before any of this Meaningful Use push, I had access to a patient portal where I could see a summary of my medical record and some of the lab results. I don't go to to doctor that much, so I can't really point out missing information. I have always had some electronic access.

Last year I pulled my medical summary and got a PDF as well as the old style blue-button text file. Both carried the same information. The PDF was simply a more 'pretty' version of the text file. Nothing fancy, but fully available electronically.

Today I went to my patient portal and it was a very different user interface. The new patient portal gives me a nice view of my future appointments, and past visits. It allows me to send a secure message to my doctor. I can view each test result. I can view and pay outstanding bills. For some prescriptions I can request renewal.  I also can delegate access to others, such as my wife; and if delegated I can access others information. The UI is easy enough for me to understand, seems should be easy enough for anyone that is internet savvy.

This time when I asked for my health information I was able to get my health summary in CCD format. The Blue Button Plus. The above diagram shows how they explain this new CCD format. Note that the button to download is not really a 'blue' color, but rather an orange/rust color. This also comes with a PDF version that most people can view, this PDF is a more colorful and seems more readable.

The nice part for me is that the download is also a XDM formatted zip file that contains the CCD in full XML format. As I look at this content it is even nicely formatted. There is nothing else in this XDM but the CCD. I am not sure I have anything else not included in the summary (Lab results) that could be on the XDM.

The same is not as true about the hospital visits, which for me is just emergency room visits. Even my most recent visit for a post automobile accident checkout was not readily accessible. It was accessible, but I first needed to fill out specific paper work to release it. This paperwork was not difficult, and it gave me reasonable choices. Depending on 'why' and 'to where' the release was to happen it was either free or would cost something. I chose to release it with the reason of 'continued healthcare' and released to my general physician. So it was free. This information seems to have shown up at my GP, but it is not fully available to me. I am guessing that because it is not authored by my GP, it is not published to me by my GP.

I expect that the data released from the Hospital to my GP is done through the Wisconsin HIE (WISHIN). This is an XCA based health exchange across all of Wisconsin. I am on their technical standards advisory committee. This has been far more successful than the mandatory (by HHS/ONC) deployment of Direct. I can't figure out how I might use Direct to send my information to someone of my choosing. This Wisconsin wide exchange is now getting connected to the Nationwide Health Exchange (HealtheWay).