How to record that the Patient authored FHIR Resources or elements

Lately there has been more groups thinking about how Patient contributions to the medical record might be distinguished from clinician authored data. Also, how AI contributions could be recognized as distinct. This article will cover a couple of methods that exist in FHIR core, but also exist in CDA and HL7 v2. I will only speak about FHIR.

General need

The general need is to express the provenance of a Resource or an element within a Resource. For this we have two different solutions that are related, but distinct. Two solutions as sometimes one needs a lightweight solution, sometimes you need full powerful Provenance.

• Security Tags
• Provenance

As stated above sometimes you want to indicate the whole resource was authored by the Patient, sometimes you just want to indicate one or more elements within the resource was authored by the Patient.

E.g. 

• Patient record of body weights taken at home
• Patient's partner indicated the Patients nickname
• AI produced a CarePlan based on current labs and observations; relative to clinical care guidelines, and care plan definitions.
• AI produced an Observation interpretation code value

Using Tags

All of the FHIR Resource have a meta.security coding element that has a valueSet binding that includes a set of provenance codes that include a set of codes for this usecase. The fact that these are indicated as .security tags does not mean they are exclusively only to be used for security purposes; and note that security is the domain of managing risks to (Confidentiality, Availability, and Integrity). Provenance comes under Integrity and a bit of Availability.

There are some that will see the .meta.tag. The temptation is strong (especially with those in the AI space); but this is not the right element. This is not wrong to use this element, but putting your code here will mean that those looking in meta.security will not find what they are looking for. So we should agree to use the meta.security and the given standardized codes (when they apply). 

The ValueSet available for meta.security covers all of the security space including Availability and Integrity. Most important here are the Provenance sub valueSet, but you should also note that the Integrity valueSet has some very useful codes (highly reliable, reliable, uncertain, unreliable)

Within the Provenance sub valueSet are codes for the distinction of data being reported by or asserted by:

• clinician
• device
• healthcare professional
• patient acquaintance
• patient
• payer
• professional
• substitute decision maker
• artificial intelligence
• dictation (software)

I am not all that clear on what the distinction between reporting vs asserting is; nor do I understand the distinction between a clinician and a healthcare professional. I think these distinctions exist in the core codeSystem so that they can be further profiled and made distinct.

So, use these codes at the Resource.meta.security to indicate that the whole resource is contributed by one of those codes. Here is an example of how a whole Observation would be indicated as contributed by AI.

Using Tags at the element level

Where the FHIR Resource .meta.security with the code of patient would be understood as indicating that the whole of the resource was asserted to by the patient; often this is too blunt of a tag. Sometimes one just wants to indicate an element was contributed to differently. Like the example above where the patient acquaintance indicate their nickname. Thus one wants to tag that only that nickname was contributed by the patient acquaintance. For this we use the extension that is defined in the Data Segmentation for Privacy (DS4P), again pointing out that this IG is broader than just data segmentation and/or privacy.

So, here we show an example of a Patient resource where the nickname was contributed by the patient acquaintance. In this case we need to have the inline code at the Resource.meta.security level to indicate that inline codes are used in this Resource, as inline codes can appear on any element, thus it is expensive to look for inline codes.

    {

      "use": "nickname",

      "given": [

        "Jimmy"

      ],

      "extension": [

        {

          "url": "http://hl7.org/fhir/uv/security-label-ds4p/StructureDefinition/extension-inline-sec-label",

          "valueCoding": {

            "code": "PACQAST",

            "system": "http://terminology.hl7.org/CodeSystem/v3-ObservationValue",

            "display": "patient acquaintance asserted"

          }

        }

      ]

    }

Provenance Solution

The tagging solution, even with the element level capability, often can't convey enough information. Like who is this patient acquaintance, when was that element added, why was it added, who was involved in agreeing to add that to the record, where did that data come from, how was the original data used, etc... All those things that are part of Provenance ( Who, What, Where, When, and Why). Now recording all of this will make the database rather full of Provenance data, where as the tag mechanism is very focused and carried fully by the data. But sometimes one does need to know more provenance detail.

In the Provenance, these same codes from above can be used for the various Agent(s), but there are more nuance available in the participation type codeSystem.  So a Provenance that indicates that the whole Observation was contributed by the Patient would look like this.

{
  "resourceType" : "Provenance",
  "id" : "example1",
  "target" : [{
    "reference" : "Observation/obs2/_history/1"
  }],
  "recorded" : "2021-12-07T12:23:45+11:00",
  "agent" : [{
    "type" : {
      "coding" : [{
        "system" : "http://terminology.hl7.org/CodeSystem/v3-ParticipationType",
        "code" : "INF"
      }]
    },
    "who" : {
      "reference" : "Patient/pat3"
    }
  }]
}

Provenance at the element level

Where as the Patient nickname example would look like (Note the use of the `targetElement` extension). There is also a `targetPath` extension where a path can be used.

{
  "resourceType" : "Provenance",
  "id" : "example2",
  "target" : [{
    "extension" : [{
      "url" : "http://hl7.org/fhir/StructureDefinition/targetElement",
      "valueUri" : "n2"
    }],
    "reference" : "Patient/pat3/_history/1"
  }],
  "recorded" : "2021-12-08T16:54:24+11:00",
  "agent" : [{
    "type" : {
      "coding" : [{
        "system" : "http://terminology.hl7.org/CodeSystem/v3-ParticipationType",
        "code" : "INF"
      }]
    },
    "who" : {
      "reference" : "RelatedPerson/f001"
    }
  }]
}

You can, in Provenance.target, use the extension targetElement or targetPath to indicate that just some of the data within a Resource was patient contributed. See examples 1, 2, and 3 -- in Provenance examples - https://build.fhir.org/provenance-examples.html

Conclusion

The .meta.security and Provenance are not exclusively to be set or used by Security. These values might be populated by a Security Labeling Service (SLS), but that service should not overwrite values that have been explicitly set. Yes, they are used by Security, but security also uses many other elements in the resources that many think are only useful for clinical use. 

Why the IHE Integration Statement is important

The current text on Integration Statement is not complete. I have found that many topics that I associate with an IHE Integration Statement are not well published by IHE.

However I have found that AI/LLM do understand the points. Here is output from Google Gemini that is similar to what I got from chatgpt and co-pilot. These points are that which I associate with an IHE Integration Statement, especially the second part about Product Labling.

References:
https://profiles.ihe.net/GeneralIntro/ch-F.html
https://www.ihe.net/about_ihe/faq/
https://infocentral.infoway-inforoute.ca/en/collaboration/communities-2/ihe
https://www.ihe-europe.net/about-us/faq
https://www.siemens-healthineers.com/en-us/services/it-standards/ihe-integrating-the-healthcare-enterprise
https://www.ihe.net/about_ihe/ihe_process/#:~:text=IHE%20tests%20vendors'%20systems%20at,and%20supervised%20events%20called%20Connectathons.

----------------------------

how do customers use an IHE Integration Statement published by a vendor?

----------------------------
Customers in healthcare organizations use an IHE Integration Statement published by a vendor as a crucial tool during the procurement, planning, and implementation of healthcare IT systems. These statements provide a standardized way for vendors to declare how their products conform to IHE Technical Frameworks.

Here's how customers typically use them:

• System Selection and Procurement: When a healthcare organization is looking to purchase new IT systems (e.g., Electronic Health Records, Picture Archiving and Communication Systems, laboratory systems), they often require interoperability with their existing systems and with systems from other vendors. IHE Integration Statements allow them to quickly assess a product's declared interoperability capabilities. Customers can specify the required IHE Integration Profiles in their Requests for Proposals (RFPs), making it easier to compare offerings from different vendors and ensure that the chosen systems will "speak the same language" as other systems in their environment.
• Integration Planning: Once a product is selected, the IHE Integration Statement helps the customer's IT team understand exactly which IHE Actors and Integration Profiles the product supports. This detailed information is vital for planning the integration of the new system into the existing IT infrastructure. It clarifies how data will be exchanged and what workflows can be supported, minimizing surprises during implementation.
• Validation and Testing: While an IHE Integration Statement is a vendor's self-declaration, it serves as a baseline for validation. Customers can use it to guide their own testing process, verifying that the product indeed performs the integrated functions as stated. This helps ensure that the systems will work together as expected in a real-world clinical setting.
• Troubleshooting and Support: In cases of interoperability issues, the IHE Integration Statement can be a valuable reference point for troubleshooting. It helps identify which specific IHE-defined transactions and profiles are expected to be supported by a product, aiding in pinpointing the source of any communication problems.

In essence, IHE Integration Statements empower customers to make informed decisions, reduce integration risks, and accelerate the deployment of interoperable healthcare IT solutions. They contribute to better patient care by facilitating the seamless flow of health information across different systems and departments.

------------------------------

is the IHE Integration Statement considered product labeling? Is that helpful to a customer?

------------------------------

Yes, an IHE Integration Statement is very much considered a form of product labeling in the healthcare IT context, and it is extremely helpful to a customer.

Here's why:

• Formal Declaration of Interoperability: Unlike general marketing claims, an IHE Integration Statement is a formal, structured document published by the vendor. It explicitly states which IHE Integration Profiles, Actors, and Options their specific product version supports. This is a highly technical and precise declaration, akin to a "nutrition label" for interoperability.
• Transparency and Trust: It provides a level of transparency that goes beyond typical product brochures. Customers can review these statements to understand the exact interoperability capabilities a vendor claims, fostering trust and enabling informed decision-making.
• Standardized Language: IHE provides a common, internationally recognized language for interoperability. By stating support for specific IHE Profiles (e.g., XDS.b for document sharing, PDQ for patient demographics query), vendors and customers can speak the same "interoperability language," reducing ambiguity and misinterpretation.
• Basis for Procurement and Contracts: Customers often include requirements for specific IHE Profiles in their Request for Proposals (RFPs) or contracts. The IHE Integration Statement serves as the vendor's official response to these requirements, allowing customers to hold vendors accountable for the declared interoperability.
• Facilitates System Integration: For the customer's IT team, the detailed information in an Integration Statement is invaluable for planning and executing the integration of new systems with existing ones. It helps them understand the expected data flows, supported transactions, and potential integration points, reducing implementation time and costs.
• Risk Mitigation: By clearly outlining supported interoperability features, these statements help customers mitigate risks associated with system integration failures. They provide a common ground for discussing and resolving interoperability challenges.
• Connectathon Verification (Implied): While the Integration Statement is a vendor's self-declaration, it often follows successful participation in an IHE Connectathon, where vendors test their implementations with other vendors. While not a certification, this process adds a layer of confidence in the declared capabilities.

In summary, the IHE Integration Statement serves as essential product labeling that translates complex interoperability capabilities into a standardized, digestible format. It's a cornerstone for healthcare organizations seeking to build and maintain a truly integrated and efficient IT ecosystem.

------------------------------

I then add that as product labeling, the customer has legal standing to compel the vendor to adhere to the product labeling statements they have made. This is to say that if an interoperability statement does not work in the real-world, there is legal standing to force the vendor to fix it.

The AI/LLM did respond to that with nuance as reality is not as bold as I state, but it is very close.

Did something change in the IG I am using?

 IHE and HL7 are writing and revising Implementation Guides at a fervent rate. There are other organizations also writing and revising Implementation Guide, some are regional IHE or HL7 organizations, and many more.  Everyone that writes an Implementation Guide (IG) desires to create a perfect and fully comprehensive specification on the first try. However, that is simply not realistic, and any IG that has had only one version is most likely one that no one is using.

Two very important standards organization mechanisms are critical to the achieving a perfect IG. 

1. Clear indications of the changes that were made and why.
2. Method for the users of the IG to submit comments and improvement requests.

How do you know what has changed?

Within IHE we try hard to produce a human friendly listing of the changes that have happened at each version. These would not include inconsequential changes such as typos. This likely just summarizes some change (e.g. "added examples").  You will find these on the main page (index.html) of the IG, in a pink Note section

You can also get to all the historic versions through the "Directory of published versions" link found on the top of the main page (index.html) in the bright yellow box. On the history page you can find each historic version, and the above mentioned changes should also show up here.

The next level of details is to look at all the closed github issues (or in the case of HL7 the closed jira tickets). Select the "Issues" link in the footer, and navigate to closed issues. Sorry, not going to try to explain github issue tracking here. If you know how to use it, then you know.

If you are really interested in technical conformance resource changes, this also available, although not as easy to find. This you must first go to the footer of the IG, and select "QA Report"

On the QA Report, there is a section "Previous Version Comparison" that will give you very detailed computer generated differences.

How do I submit a comment?

Standards live by comments; they really are the food that makes standards useful. So please submit a comment anytime you have one. Best time to comments is during Public-Comment, as we are planning on addressing comments at that time with the intent to resolve all of the public-comments received. 

Comments can be identifying a typo or bug, something that is not clear to you, something you and a peer argue about, or something you would like the IG to do. All comments are welcome.

You can comment at any time, even after Public-Comment when the IG is Trial-Implementation, or even when it goes Final-Text (normative). Within the Implementation Guide you want to comment on there are two ways. The first way is to submit a github issue, this is the first red circle. The second yellow circle is "Propose a change" which is a web form that anyone (member or not) can use.

Conclusion

As a specification gets more normative, it will change less. In theory normative status (Final-Text) the specification will not get a change that breaks any system that used the previous. But the status of a specification should never stop you from submitting a comment at anytime.

AI privacy controls

AI and privacy are hot topics lately. I have effected some changes in HL7 as well as blog articles about those capabilities that exist. I am also a participant in a few AI initiatives in HL7 and within the VHA. These solutions are most well developed in FHIR, but are fundamental provenance, data tagging, and Consent so can work with most standardized data and datasets.

The main topic areas in AI:

1) Can data be used to train an AI?

Given that there are some data that should be authorized to be used to train an AI, how does one indicate rules that enables some data to be used, while forbidding other data to be used to train an AI?

This needs to be done at the whole dataset (e.g. EHR) level, where one might want to forbid some subset of the data from the teaching. 

This also is needed at the patient specific Consent level. So that a patient can choose to not have their data included.

 https://healthcaresecprivacy.blogspot.com/2023/10/teaching-aimlllm-should-be-distinct.html 

2) How to indicate the data that was used to train an AI model?

Once you have an AI Model, it is important to keep track of what data was used to train that AI Model. This enables knowing what data are used to teach the AI, thus if a concern comes up one knows if that concern impacts your AI model or not.

Provenance of the data used to create the AI Model -- https://healthcaresecprivacy.blogspot.com/2024/01/provenance-use-in-ai.html

3) How can the use of "my data" in an AI decision can be controlled?

How the consent can allow/deny that the patients data can be used in a clinical decision on behalf of the patient outcome (no article yet)

• When an AI retrieves patient specific data to enable payment decisions or treatment decisions, those data accesses use a very specific PurposeOfUse. This enables policy to enable or deny that access. The AI accessing the data is independent from a person accessing for payment or clinical purposes.
• PurposeOfUse: PMTDS (when the AI is acting to aid with payment decisions)
• PurposeOfUse: TREATDS (when the AI is acting to aid with clinical decisions)
• If there is no rule that use these PurposeOfUse values, then their parent term (payment or treatment) takes precedence.
• These can be used in a Consent for patient specific rules, or at Permission for an organization rule. Realistically both, as the overriding policy must be stated so that Consent can accept and/or override it.

4) How to indicate data is the output of an AI?

Once an AI is used to produce a decision or recommendation. How is that recorded into the dataset (e.g. EHR) so that future uses know that it came from AI vs came from a Clinician or other professional. This is simply provenance, enabling knowing where data came from.

On how data can be tagged as having come from an AI - https://healthcaresecprivacy.blogspot.com/2024/09/healthcare-ai-provenance-of-ai-outputs.html 

• Tagging can be at the data resource or element level 
• Tagging can be by simple security tag 
• Tagging can be full Provenance for more details

An important attribute of the Provenance is to know what version of the AI was used, what Model was used, and what data inputs were given (what portion of the patient's chart was input).

Conclusion

We have a lot more than most people that start to talk about AI think we have. I am sure it is not everything we need, but I want to help encourage the use of the methods we already have before we reinvent the wheel.