Comment: I added the user story plus temporary notes as to why I framed it as I did.

...

The Protecting Privacy to Promote Interoperability (PP2PI) Workgroup is a national multidisciplinary interest group of expert stakeholders across the industry assembled to address the problem of how to granularly segment sensitive data to protect patient privacy and promote interoperability and care equity. Stakeholders include more than 160 representatives from health care organizations, professional societies, standards development organizations, health IT vendors, Health Information Exchanges (HIEs) and Interoperability Frameworks, payers, government, government and nongovernment contractors, privacy law and ethics experts, and patient advocates, among others. (Shorten this, or move to the 'about this paper' section: Eve) 

Recognizing that the problem is complex, PP2PI has organized into multiple collaborating working groups as indicated below.

...

Can we move the 'what is pp2pi' 'what is kantara' to an end section? or an 'about this paper' 

2. Adolescent User Story

** Comments in 'Info' boxes are temporary notes to our team and would be removed later.

This is a story about a young female patient.  While she is a child, her mother, as her guardian, is responsible for overseeing her health.  Julie’s primary care provider provides a system for their patients to securely share their data.  As her guardian, Julie’s mother can share her data while Julie is still a child.  In the state where Julie lives, at the age of 13, Julie is able to make her own decisions about who has access to her data.  With these constraints in mind, our story unfolds.

These are the people involved with this story:

  • Julie Adams, female, Black, Hispanic, English speaking
  • Sue Adams, Julie’s mother and Proxy, 45 years old
  • Father does not have access to her clinical data but pays the health bills
  • Providers
    • Dr. Erica - PCP
    • Dr. Robert - specialist – asthma
    • Dr. Jones - dermatologist

As a child, Julie visits her PCP annually at a minimum.  At the age of 10, Julie is diagnosed with asthma. Since Julie is only 10, her mother and guardian, Sue, has the ability to share her health records.  Sue creates a consent to share Julie’s clinical data with Dr. Robert, her asthma specialist.  Using FHIR and HEART, Dr. Robert is able to have immediate access to all of Julie’s data that her mother Sue authorized to share.


Info

For the first section, when our use case describes basic UMA, I think this will be a good place to explain what UMA has over OAuth and highlight the increased security.


In the state where Julie lives, Julie is able to make her own decisions about who has access to her data at the age of 13.  Shortly after her 13th birthday, Julie visits her PCP.  During that visit, control of her health record is turned over to Julie.  Julie is educated on how to use her portal and has the exclusive right to manage who has access.

Normally in a HEART/UMA system, the patient, or subject, has control of their own data.  There is a process called ‘delegation’ which transfers control to others.  In the case of a young child, that control is typically transferred at birth to one or more parents.  In the case of an adolescent coming of age, we use this ‘delegation’ process again, to return control back to the patient, Julie.  If Julie had the need to see another provider, she could easily share her data as needed.


Info

This sets the stage to explain the delegation transition below


When Julie is 16, she begins to experience sex and also begins using alcohol socially. Julie thinks her mother might not approve, but Julie does share this information with her pediatrician in confidence during her annual visit.  Her pediatrician discusses these details with her during the annual visit and makes notes in her record.  Her pediatrician provides relevant educational information and discusses safe behavior, as part of her overall evaluation for multiple potential risks of adolescents in transition. During their discussion, Julie and her PCP agree she should be using an oral contraceptive and it is prescribed.  Julie is also tested for STI, which comes back positive.  Julie is prescribed Zithromax to clear the infection.

Several months later, Julie experiences troublesome acne.  Her PCP sends her to a dermatologist.  Julie shares her data with the dermatologist but wishes to keep her sensitive information private.  When Julie creates her consent to share with her dermatologist, she requests that two areas of sensitive data not be shared:

  • sexuality and reproductive health information sensitivity
  • behavioral health information sensitivity

The system Julie is using to share her data is based on FHIR and HEART and supports data segmentation for privacy.  At the FHIR Resource Server, her data is ‘tagged’ with security metadata to indicate which part of her data has what sensitivity.  When her dermatologist, Dr. Jones, accesses her data, any clinical data that has either a 'behavioral health' or 'sexual and reproductive health' information sensitivity will be redacted, based on the computable consent created by Julie, before it is sent to Dr. Jones.
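An added sketch of the redaction step just described; it is not part of the draft and not code from any HEART or PP2PI implementation. The consent structure, record ids and hand-assigned labels are assumptions made for illustration; `BH` and `SEX` are the HL7 v3 ActCode sensitivity codes whose display names match the two categories Julie withholds.

```python
# HL7 v3 ActCode system, which defines the sensitivity codes BH and SEX.
ACT_CODE = "http://terminology.hl7.org/CodeSystem/v3-ActCode"


def _res(rtype, rid, text, *labels):
    """Build a constructed, heavily simplified FHIR-style resource."""
    security = [{"system": ACT_CODE, "code": c} for c in labels]
    return {"resourceType": rtype, "id": rid, "text": text,
            "meta": {"security": security}}


# Constructed sample records for the story; labels are assigned by hand here,
# whereas the page has them tagged at the FHIR Resource Server.
RECORDS = [
    _res("Condition", "c1", "Asthma"),
    _res("Condition", "c2", "Chlamydia", "SEX"),
    _res("MedicationRequest", "m1", "Oral contraceptive", "SEX"),
    _res("MedicationRequest", "m2", "Zithromax", "SEX"),
    _res("Observation", "o1", "Alcohol use, weekends", "BH"),
    {"resourceType": "Condition", "id": "c3", "text": "Acne"},  # no meta at all
]

# Simplified stand-in for a computable consent (not a full FHIR Consent):
# per recipient, the sensitivity codes the patient wants withheld.
CONSENTS = {
    "dr-robert": {"withhold": set()},          # constructed: nothing withheld
    "dr-jones": {"withhold": {"SEX", "BH"}},   # Julie's dermatology consent
}


def sensitivity_labels(resource):
    """Return the ActCode sensitivity codes tagged on a resource."""
    codings = resource.get("meta", {}).get("security", [])
    return {c["code"] for c in codings if c.get("system") == ACT_CODE}


def release(recipient, records, consents):
    """Return only the records the recipient's consent allows.

    Fails closed: a recipient with no consent on file receives nothing.
    Unlabeled records are treated as non-sensitive in this sketch.
    """
    consent = consents.get(recipient)
    if consent is None:
        return []
    withheld = consent["withhold"]
    return [r for r in records if not (sensitivity_labels(r) & withheld)]


def released_ids(recipient):
    """Ids of the sample records that would be sent to the recipient."""
    return [r["id"] for r in release(recipient, RECORDS, CONSENTS)]
```

Because unlabeled records pass through, the quality of the filter depends entirely on the labeling done at the Resource Server; a deployment that cannot guarantee complete labeling would need to withhold unlabeled data instead.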


Info

This last section sets the stage to discuss sensitivity labels and how UMA/HEART supports

Info

The next few lines are notes that I removed from this section.  It was unclear how to save this so that you can see what was there:

  • Nancy will add more about what is included and what is not. Note:  I will pull some details that we do not want to address in the body of the paper into appendices.
  • (Description of concrete use-case (Julie))
  • Julie Adams is an adolescent girl - 16 years old. Her health journey is unique and complex, however we would suggest that those attributes are typical of many journeys. 

3. Policy that impacts the use-case

"Policy" covers many different elements (think about BOLTS), from data privacy and security requirements to the legal landscape that defines how health systems must operate. For example, who is liable to protect health data? Often the implementation of policy excludes the most important person: the patient who is the subject of the information.

ref 21 century cures act that is driving a lot of current effort to change this outcome by... regulating that patient must have a simple way to access their information to their benefit

  • should we mention HIPAA, CMS rule, or other US health laws? Or more general example, e.g. Apple Health? user held credentials
  • are there international examples also? 

There has been a lot of work toward meaningful consent; however, this is about meaningful access to and control of your information. As there is more digital access, there is more data and less reason not to empower the patient to participate in their care.

  • managing patient risk by letting the patient manage it


Some of the main challenges that limit sharing and control of information by the person are:
- Risk-averse policy: to remain secure, it's easier not to give access.
- The need to respect many levels of policy: one health organization must respect rules from many levels, e.g. federal, state and organizational. In many cases it's hard to respect them all without narrowing the sharing.


Interestingly, on the provider side there is often much more open sharing by default. Access to this information is based on the provider's need for information to give effective care, and on their professional ethics standards. In some health systems, this leads to many cases of inappropriate access (such as providers looking up celebrities' or public figures' information). Sometimes this can be caught through audit and the provider [sure we can find some good reference to this, eg Rob Ford in Ontario ~2017?]


In addition to the many levels of policy that must be interpreted, considered and respected by an organization, there are additional challenges around the appropriate implementation and communication with the person who is affected. For example, when a person gives their doctor access to an external health record or document, does that access extend to other providers in the clinic? If that default policy is no, can the doctor share access with another physician for a consultation, or when being covered by another doctor while going on an extended leave?

...

5. UMA application to use-case (steady state) *needs a diagram

8. Conclusion

There is more to consider in step with the technology capability of UMA: groups need to consider all the BOLTS when designing solutions and not 'leave it to the reader' to sort out themselves.

Parking Lot

Julie Story - NL will continue to edit

Suggestion

  1. Convert this to a user story
  2. Make it simpler
  3. Start with an overview of PP2PI and share that other groups are addressing policy issues
    1. Insert their diagram
  4. Add 2 paragraphs on the fact that there are tensions in the HC community around certain issues. Those need to be addressed and resolved by the Policy WGs.  We will make these assumptions.
  5. Discuss patient policy trumping organizational policy
  6. Outline simpler story for illustration
    1. Start with Julie as a child and her mother controls access to her record
      1. Demonstrate a simple use case of her mother sharing records with another physician on her behalf (straight UMA)
        1. Note to Eve:  For the first section, when our use case describes basic UMA, I think this will be a good place to explain what UMA has over OAuth and highlight the increased security.  If we can nail that part of the message it may help in all healthcare UMA implementations.
    2. Julie turns 13
      1. She is educated on how to use her portal and has exclusive right to manage who has access.
      2. (For now – skip the issue of multi-subject data in one record. We will assume this is not the case in our user story.)
    3. When Julie is 16, she begins to experience sex and also begins using alcohol socially. Julie knows her mother would not approve but does share it with her pediatrician in confidence.  Her pediatrician discusses these details with her during her annual visit and makes notes in her record.  Her pediatrician provides relevant educational information and discusses safe behavior, as part of her overall evaluation for multiple potential risks of adolescents in transition.
        1. Add the specifics per the PP2PI user story
      1. Add some policy to the stack - e.g. default policy: sexual status not shared with her mother.  Julie decides either to stick with that or to override it and share with her mother
      2. Continue story with her sharing her data, removing sexual and behavioral health sensitive data
      3. Discuss how UMA/HEART manages the transition from the consent to the protocol
      4. Discuss what gets redacted
      5. Describe the FHIR scope call
      6. Describe what is exchanged.
    4. At the end – transition again to Julie as an adult

Appendix A - User story out of scope details


We have based our user story on the PP2PI adolescent use case.  For the purpose of this paper, we intentionally simplified the story so that we could focus on the key value-adds UMA brings to solving this problem.  The intent was to keep the story simple so that the focus was on the solution.  In subsequent updates to this story, it is the intent to expand how additional details can support the more nuanced details.  For this whitepaper, we took the liberty of organizing the story so that we could build on the UMA/delegation functionality in a way that allowed the story to flow.

NL - will expand here.  Include some of the details we skipped.

Appendix B - Additional UMA Features

...

  • Meds that are confidential
    1. Oral Contraceptive – may not want parents to be aware
    2. Zithromax for infection as a result of STI
  • Lab work
    1. Urine Gonorrhea/Chlamydia
  • Conditions
    1. Asthma (not sensitive)
    2. STI management
    3. Chlamydia
    4. Pregnancy prevention - this is not a condition but an intervention
    5. Counseling for risky behavior - this is not a condition but an intervention
  • Referrals
    1. Pulmonologist – Assume related to asthma – non sensitive
  • Family History (How do we want to handle these re sharing?  Should we ask for policy direction?)
    1. Father, on Lipitor
    2. Mother, hx of fibroids, depression, SUD
  • Social History/SDOH elements
    1. The mother has a history of being a victim of domestic violence. Her parents separated with an order of protection for the mother that the patient is unaware of.
    2. Patient does not smoke tobacco but drinks every weekend.
    3. Smokes marijuana three times a week. Occasional vaping.
  • Insurance Coverage
    1. Commercial via father’s employment.
    2. Payroll deduction for 20% of premiums for family plan.
    3. Cost sharing of 20%.
    4. Father is the policy holder and receives EOBs and other communication from his insurance company.
      1. Think about what this would look like, for instance there may be lab work – but it certainly would not include lab results. The father already does not have access to the clinical data.  What could be in here that could be harmful?
    5. This plan covers the cost of OCP.

...