Wednesday, January 25, 2017

Enabling Point-Of-Care Consent

Gathering Privacy Consent is never easy. A Patient, when they are healthy, has no interest in giving Consent for future actions. Mostly because they don't want to admit they might get sick in the future. Secondarily because they don't want to do unnecessary paperwork. Realistically, they just want healthcare to work, and not get in the way of them getting the best treatment. This is why many exchanges are moving toward an 'implied consent' that allows a patient to explicitly withdraw their authorization, but in the absence of any action by the Patient the data would be shared for "Treatment" purposes. This default behavior is only applied to "Treatment", not "Research" or other.

That said, Consent is still sometimes needed. It might be needed because the organization uses a Default of not sharing. It might be because the patient has sensitive health topics that require explicit consent to release. It might be because the patient has Withdrawn their authorization, but now wishes to enable one provider organization access for a visit, careplan, or episode of care.

Given XDS and XCA interactions that are often used in an Health Information Exchange (HIE), or a National Health Information Exchange (NHIE); there is no standards/profiled way to enable a
point-of-care consent gathering workflow. So today, if Consent is not already captured, and needed, then data access is blocked. Today the patient must go to the custodian organization and fulfill their consent workflow needs. This might be easy, through a web tool or phone call, but no matter how easy it is difficult when the Patient is not feeling well.

Consent Negotiation

So... there is a need to enable negotiation between a Custodian that needs a consent, and the Requesting organization that is at the Point-Of-Care... This is the problem that CareQuality is trying to enable. My understanding is that much of this comes from the experience of Epic in their CareEverywhere system. This is getting designed in CareQuality now. The approach should become a standard that anyone can use, hopefully through IHE XDS/XCA/XUA.

The basics are shown in the following interaction diagram. It starts with a normal XCPD or XCA request. The Responding Gateway will check if Authorization(AuthZ) is already enabled. In this case everything is okay, except that a Consent is needed. I say 'everything else is okay' because one needs to make sure the requesting organization is authorized to even ask, and are authorized to get point-of-care consent.

The new thing, highlighted in YELLOW, is that the Responder can inform the Requester that getting specific consent types would allow more information to be exposed. This can be detected by the Requesting organization, it is also backward compatible so that a Requesting organization that doesn't know about this new capability can continue as today with no data available. A Requesting organization can look at the policy choices offered, it can get one of them from the patient, it stores the result locally, and tries the same transaction again with an Assertion that they have achieved the specific consent. The Responding gateway would now see the Assertion and allow disclosure of the data according to the asserted policy. From that point forward that partner would include this Assertion in all requests, and the Responder would continue to disclose under that policy.

Closing the Loop

This works on a Partner-by-Partner basis. This also relies on the Partner that gets a consent to maintain that consent onbehalf of the Responding organization.

An augmentation being discussed is to somehow get the Consent paperwork back to the Responding organization. This might be through the exchange, this might be by postal mail or FAX.  CareQuality is going to enable a the exchange based pathway, through adding additional elements to indicate that the paperwork is available online. This additional element might be false to begin, and change to true a day or a week later.

It also easy to Query for consent documents. The Provider X might set a timer and query each day until it appears.

Once this is received by the Responding organization it is possible for that organization to record the consent and have it affect ALL partners. This is not part of the CareQuality system, but rather is a potential policy decision a Responding organization could make.

This is a developing system, so it is not fully defined. I expect it to continue to develop this winter and spring. I would hope it is then brought to IHE for standardization next year.

Past articles on Patient Privacy controls (aka Consent, Authorization, Data Segmentation)

Tuesday, January 24, 2017

FHIR Connectathon has changed and it is good

I have been unable to attend HL7 WGM for a year, a problem that is now better.  This means that when I attended the FHIR Connectathon 14, prior to the HL7 Workgroup Meeting in San Antonio TX, I was shocked to experience the new FHIR Connectathon. This is good change on many levels. The others from the FHIR core-team have seen the changes over-time, so the transition is not as shocking as it was for me.

In past years, FHIR connectathon was more focused on people trying to use the core FHIR specification. This resulted in discussions to help understand the core concepts, core interaction models, core vocabulary, core data-types, and core Resources. This also resulted in corrections to the FHIR specification, so that future people would understand right from the specification. Other discussions were on toolkits, and how to make the toolkit better. There were discussions on how to implement a general purpose FHIR server. There were discussions on how to implement clients, starting from general concepts. The rumbling within the room was very focused on the FHIR core, and basic understanding.

This year, FHIR connectathon was more of a 'workgroup' meeting. More specifically, an "Agile" "Open-Workplace". There were a 16 distinct tracks. These are focus areas. All of them are broader concepts than one Resource, most are more of a 'workflow'.
Each of these were centered around one or more round tables. Where the table included various implementers interested in the topic, and a leader for the topic. What happens is very natural, they would discuss what the goal was, and adjust the goal organically as they progressed. They would try the basics that are described in the above links, but they would evolve based on the results. 

What really was a shocker is that Security and Privacy became a topic at most of these tables. 

Historically we have just pointed at SMART for security. SMART is a 'good enough' solution for the purposes of hackathons. SMART is not likely to be a good enough solution for production. This is a topic to be covered in much more detail in the coming months. SMART is now a project within HL7, so it will need some formal recognition, and framing. 

There was also interest in the basics of service discovery, patient data location, policy bridging, service response behavior, etc. All the kind of things that an operational environment will need to figure out. None of these were decided conclusively. BUT the very fact that they were talked about is evidence that FHIR Connectathon has changed... and it is good... 

FHIR has matured, it is growing up. It is not yet ready to fly away from the nest. But it is definitely no longer an infant.

Monday, January 16, 2017


IHE is still relevant in a FHIR world. But FHIR has changed the world, and IHE needs to adjust to this new world.

Profiling is still needed

The concept of profiling FHIR is still needed. The difference today is that FHIR is ready and instrumented to be Profiled. It even has a set of Profiles coming from HL7. This is not a threat, this is an opportunity for IHE.

IHE has a set of 10 profiles today (MHD, PDQm, PIXm, mACM, (m)ATNA, CMAP, GAO, RECON, DCP, MHD-I). These mostly are basic profiles, where a basic profile is not a complex profile, one that simply points to a FHIR Resource as the solution for a defined problem. This is helpful to the audience, but not adding much value. It is this lack of value-add that makes what IHE has done today with FHIR Profiling to seem to conflict with core FHIR.

Given that FHIR needs to be Profiled is a fact. A Profile is fundamentally a set of constraints and interactions applied to a Standard, to achieve a specific purpose. This is just as true with FHIR as with any other standard. 

IHE Needs to focus on Larger profiles. The basics of transaction (http RESTful -- for FHIR) is not helpful. But there are many larger workflows, larger data integrity, larger system-of-systems.

FHIR is Profile Instrumented

FHIR is ripe for being Profiled, and is ---Instrumented--- to be profiled. That is that it has mechanisms built into the specification to make Profiling more easy, effective, repeatable, reusable, and discoverable.

IHE needs to modernize

  • Audience expects use of Conformance resources and tools (see above) 
  • can only publish PDF – FTP is not good 
  • does not have a usable mechanism for creation, publication, and maintenance of vocabulary, value-set, and URL 
  • can’t publish conformance constraints in technical format (XML, JSON) 
  • PDF clunky, not hyper-linked, not helpful with programming tools 
  • Audience can’t find IHE if they start at the FHIR specification 
  • Yet, those Implementation Guides that use FHIR.ORG are found 
  • IHE has little development and deployment community engagement 
  • FHIR has multiple tools to help outreach and interaction with community 
  • IHE has email 
  • IHE workgroups are randomly engaged and acting different 

IHE needs to leverage FHIR 

IHE should not fear HL7, HL7 should not fear IHE. But working together with defined and distinct purpoose is best for both.

IHE supports FHIR.ORG. It is my understanding that FHIR.ORG is where activities outside of the specification will happen. Much of the things IHE does are in this space. This includes the tooling capability and support for profiling, but also involves community engagement.
IHE Profiles of FHIR must be ‘built’ using FHIR “IG Publisher” . They would be Balloted and published by IHE. The normal IHE supplement (pdf) might be okay, or need slight changes to Volume 2 (Volume 1 is good). Possibly a new Volume 5 to “hold” technical pointers from FHIR “IG Publisher”. This because today's format of Volume 2 is overly complex for a FHIR profile, especially http REST transport. Besides the Supplement form, the Technical bits would be published on FHIR Registry with pointers back to the IHE
IHE and HL7 Leadership engagement needed. We have gotten this far based on Individual efforts, but the scale of the solution is to big for individual efforts. We need formal agreements, formal sponsorship, and formal recognition. I think the time is ripe now.

Tuesday, January 10, 2017

FHIR documents in XDS

How does one put a FHIR Document into XDS?
How does one find a FHIR Document in XDS?

Both questions are asking very similar things. The key is the XDS fundamental metadata element mimeType. Let me explain...

XDS, more broadly the whole Document Sharing family, including XDS, XCA, XDR, XDM, and MHD. With a set of more narrow IHE Profiles in DSUB, MPQ, SeR, and MU.

To learn more on Document Sharing, start here:  Eating an Elephant -- How to approach IHE documentation on Health Information Exchange (HIE)

So the Document Sharing family is a Content Agnostic mechanism for sharing Patient specific Documents. Where the only thing that fixed is that this is an exchange for 
  • Patient Specific content -- so all the documents must be about a specified patient
  • Document format -- so it is not a REST server.
Metadata -- all the other metadata in XDS is there to help with searching or navigating through the documents than have been shared to find the right one to retrieve.

Initially Document Sharing was about 'historic' documents. That is a document is published, and in the future it can be discovered and retrieved. Thus the Document is "Shared".  Later it gained support for "On-Demand" documents. That is a document that is created when it is retrieved. An On-Demand document is still a document, it is just created a the time it is retrieved, and thus contains the current knowledge about that patient at the time.  Both of these might still be needed for FHIR Documents.

FHIR is more popularly known for the access model using http REST. That is where there is a server that holds current version of the knowledge. Systems can "Create", "Read", "Update", and "Delete" (CRUD) the knowledge using the https protocol. 

FHIR has a Document model. It is abstractly very similar to CDA, but uses all the more simple Resources and Encoding that FHIR has to offer. A FHIR Document is contained in a Bundle, and has a Composition, and all kinds of other stuff.  There is also a workgroup creating transforms from/to CDA -- CDA on FHIR. I am not here t give a tutorial on FHIR Documents, but need it clear that FHIR has the Document concept.

This is where the question comes from... If I have a FHIR Document, how would I publish that into XDS? If I want FHIR Document, how would I find them in my XDS system?  -- or more broadly any of the Document Sharing, because this applies to XDM (Direct Secure Messaging), and other...

So the FHIR Document, is Patient specific... so it should be clear how the Patient identity is related.

Key to FHIR Documents in XDS

The key is that XDS has a metadata element "mimeType". It is this that is the differentiates CDA from FHIR. So for a FHIR document the mimeType is either going to be:

  • XML: application/fhir+xml
  • JSON: application/fhir+json

FormatCode might be more powerful

The XDS formatCode holds the indicator of the technical format that the document follows. This is most of the time a URN that is defined in an IHE Profile, or other external body. This is very possible with FHIR Documents too.

I expect a set of FHIR specific "Implementation Guide", which is FHIR concept of an IHE Profile. of FHIR Documents to happen, these 'profiles' would have FHIR 'StructureDefinition' based constraints. The unique identifier for that StructureDefinition would go into the formatCode.

All the other metadata simply explain the content. 

All the other metadata is just as applicable to a FHIR Document is it is to CDA, PDF, DICOM, or any other format. Note that XDS is happy to carry proprietary formats like WORD too.

Sunday, January 8, 2017

NIST brings Privacy forward - NIST IR 8062

It is so good to see NIST bring Privacy out of the closet. I promoted the "hints of Privacy" that are deep within NIST 800-53, but always needed to enhance with a harmonized set of  Privacy Principles as a Framework, Privacy Impact Assessment, and Privacy Risk Management.

I lead my previous employer to create a "Design Engineering Privacy and Security Framework". This leveraged the NIST frameworks, especially SP 800-53, but we added an overall framework to bring in Privacy as equal goal to Security and Safety. Then added Privacy Impact Assessment to discover and manage risks to Privacy. Bringing in Safety is important in Healthcare, especially Medical Devices, as balancing the Risk Management plans between the three is important to get all three optimally reduced with all as low as possible.  My Venn is speaking to the kinds of technical controls available to address the risk domains. Nothing is ever clean bright line...

It is great to see NIST bring forward Privacy in the NIST IR 8062 - An Introduction to Privacy Engineering and Risk Management (in Federal Systems) as a distinct, yet related. 

Their stated purpose:
For purposes of this publication, privacy engineering means a specialty discipline of systems engineering focused on achieving freedom from conditions that can create problems for individuals with unacceptable consequences that arise from the system as it processes PII. This definition provides a frame of reference for identifying a privacy-positive outcome for federal systems and a basis for privacy risk analysis that has been lacking in the privacy field.
The great news about this is that their goal is to speak to those developing IT systems. Most of the other Privacy Frameworks are targeting those that are running IT systems. Even Privacy-By-Design, which declares it is 'design', is more about deployment than software or database design. Software engineers have trouble with these frameworks as they are not the prime audience. These other frameworks are speaking toward business management, and business risk. There is a need to speak to the engineering level audience.

NIST writes standards for the USA Federal Government, thus this standard is targeted for IT 'in Federal Systems'. This is more about NIST scope. This has NOTHING to do with the usefulness or global applicability of this specification.

The publication of NIST IR 8062 - An Introduction to Privacy Engineering and Risk Management (in Federal Systems) is just the start. I have hopes that these will refine and get more useful as experience using the NIST Privacy framework happens.