“Jericho / UT Austin Pilot” Privacy with Dynamic Patient Review Presented by: David Staggs, JD, CISSP Jericho Systems Corporation
Agenda • Administrative issues • Pilot scope • Pilot data flow • Test scenarios • Discussion • Pilot Timeline • Plan of Action
Pilot Administrivia • This pilot is a community-led pilot • Limited support provided by the ONC • Johnathan Coleman (Security Risk Solutions) • Zachary May (ESAC) • Penelope Hughes (ONC) • Libbie Buchele (ONC Sponsor) • In conjunction with DS4P bi-weekly return of an All Hands meeting • Access to DS4P Wiki, teleconference, and calendar • Meeting times: Tuesdays 11AM (ET) • Dial In: +1-650-479-3208 • Access code: 662 197 169 • URL: https://siframework1.webex.com/siframework1/onstage/g.php?t=a&d=662197169
Scope of the Pilot • Define the exchange of HL7 CDA-compliant PCD between a data custodian and a PCD repository that includes a report on the outcome of the request to the healthcare consumer (subject). • Additional goal: use identifiers to identify the subject/PCD repository for use in reporting the outcome of the “secondary user” request use case to subject by subsequent EHR custodians. • Stretch goal: mask and/or redact the clinical document based on data segmentation and PCD choices retrieved from the PCD repository.
Pilot Data Flow [Diagram; only its labels survive. Actors: Patient, PCD Repository, 1st Requestor and Subsequent Custodian of Data, Custodian of Data, 2nd Requestor. Legend: clinical data, PCD data (A, B), audit record.]
Test Approach Sections included in each test scenario in the DS4P Pilot Execution Script: • Scenario • Actors • Preconditions • Test steps • Test results • Log Capture • Data Set Verification
Test Cases DS4P Pilot Execution Script: • Consent To Patient Discovery : 1st Requestor (1st) • Consent To Patient Discovery : 2nd Requestor (2nd) • Consent To Patient Discovery : No Consent • Consent To Document Query : 1st To PC - Allow • Consent To Document Query : 2nd To PC - Deny • Consent To Document Query : 2nd To SC - Deny • Consent To Document Query : No Consent • Consent To Document Retrieve : 1st To PC - Allow • Consent To Document Retrieve : 2nd To PC - Deny • Consent To Document Retrieve : 2nd To SC - Deny • Consent To Document Retrieve : No Consent • Consent To Document Retrieve : With Segmentation
Test Cases (Visual Representation) PC = Primary Custodian SC = Secondary Custodian
Patient Discovery: 1st Requestor Scenario #1: Arrives at 1st HC facility and records are requested Actors: Primary Custodian (PC), 1st Requestor, PCD Repository Preconditions: No correlations between the PC and the 1st Requestor. PCD allows access by 1st requestor, denies access by 2nd requestor. Test steps: Search for “Gallow Younger” in the 1st Requestor universal client. Select Gallow Younger in the list. Click on the Patient Correlation tab. Click “Discover Patient.” Test results: Single correlation with the PC displayed in the “Patient Correlation” tab for “Gallow Younger” in the 1st Requestor universal client. ATNA db shows “allow” for the patient discovery from the 1st Requestor.
Patient Discovery: 1st Requestor Scenario #1: Arrives at 1st HC facility and records are requested Log Capture: Primary Custodian CONNECT log. 1st Requestor CONNECT log & screenshots. ATNA log. PCD Repository log. Exchanged consent directive. Data Set Verification: Verify PCD request message in accordance with § 2.2.1. Verify PCD audit message in accordance with § 2.3.2. Verify PCD content in accordance with § 3.2.
Patient Discovery: 2nd Requestor Scenario #2: Arrives at 2nd HC facility and records are requested Actors: Primary Custodian (PC), 2nd Requestor, PCD Repository Preconditions: No correlations between the PC and the 2nd Requestor. PCD allows access by 1st requestor, denies access by 2nd requestor. Test steps: Search for “Gallow Younger” in the 2nd Requestor universal client. Select Gallow Younger in the list. Click on the Patient Correlation tab. Click “Discover Patient.” Test results: No correlation with the PC displayed in the “Patient Correlation” tab for “Gallow Younger” in the 2nd Requestor universal client. ATNA db shows “deny” for the patient discovery from the 2nd Requestor.
Patient Discovery: 2nd Requestor Scenario #2: Arrives at 2nd HC facility and records are requested Log Capture: Primary Custodian CONNECT log. 2nd Requestor CONNECT log & screenshots. ATNA log. PCD Repository log. Exchanged consent directive. Data Set Verification: Verify PCD request message in accordance with § 2.2.1. Verify PCD audit message in accordance with § 2.3.2. Verify PCD content in accordance with § 3.2.
Patient Discovery: No PCD Scenario #3: Arrives at 1st HC facility and records are requested Actors: Primary Custodian (PC), 1st Requestor, PCD Repository Preconditions: No correlations between the PC and the 1st Requestor. No PCD registered at the PCD Repository for patient. Local policy allows access by 1st requestor when no consent specified. Test steps: Search for “Gallow Younger” in the 1st Requestor universal client. Select Gallow Younger in the list. Click on the Patient Correlation tab. Click “Discover Patient.” Test results: Single correlation with the PC displayed in the “Patient Correlation” tab for “Gallow Younger” in the 1st Requestor universal client. No ATNA db record for the patient discovery from the 2nd Requestor.
Patient Discovery: No PCD Scenario #3: Arrives at 1st HC facility and records are requested Log Capture: Primary Custodian CONNECT log. 1st Requestor CONNECT log & screenshots. ATNA log. PCD Repository log. Exchanged consent directive. Data Set Verification: Verify PCD request message in accordance with § 2.2.1. Verify PCD audit message in accordance with § 2.3.2. Verify PCD content in accordance with § 3.2.
Document Query: 1st→PC - Allow Scenario #4: Arrives at 1st HC facility and records are requested Actors: Primary Custodian (PC), 1st Requestor, PCD Repository Preconditions: Patient discovery performed between the PC and the 1st Requestor. PCD allows retrieve by 1st requestor, denies retrieve by 2nd requestor. Gallow Younger test document only present in PC repository. Test steps: After discovery for “Gallow Younger” in the 1st Requestor universal client. Select Gallow Younger in the list. Click on the Documents tab. Click “Document Query.” Test results: There should be a list of documents identifying the patient. ATNA db shows exchange.
Document Query: 1st→PC - Allow Scenario #4: Arrives at 1st HC facility and records are requested Log Capture: Primary Custodian CONNECT log. 1st Requestor CONNECT log & screenshots. ATNA log. PCD Repository log. Exchanged consent directive. Data Set Verification: Verify PCD request message in accordance with § 2.2.1. Verify PCD audit message in accordance with § 2.3.2. Verify PCD content in accordance with § 3.2.
Document Query: 2nd→PC - Deny Scenario #5: Arrives at 2nd HC facility and records are requested Actors: Primary Custodian (PC), 2nd Requestor, PCD Repository Preconditions: Patient discovery performed between the PC and the 2nd Requestor. PCD allows retrieve by 1st requestor, denies retrieve by 2nd requestor. Gallow Younger test document only present in PC repository. Test steps: After discovery for “Gallow Younger” in the 2nd Requestor universal client. Select Gallow Younger in the list. Click on the Documents tab. Click “Document Query.” Test results: There should be no list of documents identifying the patient returned. ATNA db shows exchange.
Document Query: 2nd→PC - Deny Scenario #5: Arrives at 2nd HC facility and records are requested Log Capture: Primary Custodian CONNECT log. 2nd Requestor CONNECT log & screenshots. ATNA log. PCD Repository log. Exchanged consent directive. Data Set Verification: Verify PCD request message in accordance with § 2.2.1. Verify PCD audit message in accordance with § 2.3.2. Verify PCD content in accordance with § 3.2.
Document Query: 2nd→SC - Deny Scenario #6: Arrives at 2nd HC facility and records are requested Actors: Secondary Custodian (SC), 2nd Requestor, PCD Repository Preconditions: Patient discovery performed between the PC and the 2nd Requestor. PCD allows retrieve by 1st requestor, denies retrieve by 2nd requestor. Gallow Younger test document present in SC repository. Test steps: After discovery for “Gallow Younger” in the 2nd Requestor universal client. Select Gallow Younger in the list. Click on the Documents tab. Click “Document Query.” Test results: There should be no list of documents identifying the patient returned. ATNA db shows exchange.
Document Query: 2nd→SC - Deny Scenario #6: Arrives at 2nd HC facility and records are requested Log Capture: Primary Custodian CONNECT log. Secondary Custodian CONNECT log. 2nd Requestor CONNECT log & screenshots. ATNA log. PCD Repository log. Exchanged consent directive. Data Set Verification: Verify PCD request message in accordance with § 2.2.1. Verify PCD audit message in accordance with § 2.3.2. Verify PCD content in accordance with § 3.2.
Document Query: No PCD Scenario #7: Arrives at 1st HC facility and records are requested Actors: Primary Custodian (PC), 1st Requestor, PCD Repository Preconditions: Patient discovery performed between the PC and the 1st Requestor. No PCD registered at the PCD Repository for patient. Local policy allows retrieve by 1st requestor when no consent specified. Test steps: After discovery for “Gallow Younger” in the 1st Requestor universal client: Select Gallow Younger in the list. Click on the Documents tab. Click “Document Query.” Test results: There should be a list of documents identifying the patient. In our RI, ATNA shows the exchange; should it be expected?
Document Query: No PCD Scenario #7: Arrives at 1st HC facility and records are requested Log Capture: Primary Custodian CONNECT log. 1st Requestor CONNECT log & screenshots. ATNA log. PCD Repository log. Exchanged consent directive. Data Set Verification: Verify PCD request message in accordance with § 2.2.1. Verify PCD audit message in accordance with § 2.3.2. Verify PCD content in accordance with § 3.2.
Get Document: 1st→PC - Allow Scenario #8: Arrives at 1st HC facility and records are requested Actors: Primary Custodian (PC), 1st Requestor, PCD Repository Preconditions: Patient discovery and query performed between PC & 1st Requestor. PCD allows get by 1st requestor, denies get by 2nd requestor. Gallow Younger test document only present in PC repository. Test steps: After retrieve for “Gallow Younger” in the 1st Requestor universal client: Select Gallow Younger in the list. Click on the test document. Test results: The document should display in the browser. ATNA db shows exchange.
Get Document: 1st→PC - Allow Scenario #8: Arrives at 1st HC facility and records are requested Log Capture: Primary Custodian CONNECT log. 1st Requestor CONNECT log & screenshots. ATNA log. PCD Repository log. Exchanged consent directive. Data Set Verification: Verify PCD request message in accordance with § 2.2.1. Verify PCD audit message in accordance with § 2.3.2. Verify PCD content in accordance with § 3.2.
Get Document: 2nd→PC - Deny Scenario #8: Arrives at 2nd HC facility and records are requested Actors: Primary Custodian (PC), 2nd Requestor, PCD Repository Preconditions: Patient discovery and query performed between PC & 2nd Requestor. PCD allows get by 1st requestor, denies get by 2nd requestor. Gallow Younger test document only present in PC repository. Test steps: After retrieve for “Gallow Younger” in the 2nd Requestor universal client: Click on the Documents tab. Click on the test document. Test results: The document should not display in the browser. ATNA db shows exchange.
Get Document: 2nd→PC - Deny Scenario #8: Arrives at 1st HC facility and records are requested Log Capture: NOTE: clear the logs after the document query has been performed, and save the logs after the document displays in the browser. Primary Custodian CONNECT log. 2nd Requestor CONNECT log & screenshots. ATNA log. PCD Repository log. Exchanged consent directive. Data Set Verification: Verify PCD request message in accordance with § 2.2.1. Verify PCD audit message in accordance with § 2.3.2. Verify PCD content in accordance with § 3.2.
Get Document: 2nd→SC - Deny Scenario #9: Arrives at 2nd HC facility and records are requested Actors: Secondary Custodian (SC), 2nd Requestor, PCD Repository Preconditions: Patient discovery and query performed between PC & 2nd Requestor. PCD allows get by 1st requestor, denies get by 2nd requestor. Gallow Younger test document present in SC repository. Test steps: After retrieve for “Gallow Younger” in the 2nd Requestor universal client: Click on the Documents tab. Click on the test document. Test results: The document should not display in the browser. ATNA db shows exchange.
Get Document: 2nd→SC - Deny Scenario #9: Arrives at 2nd HC facility and records are requested Log Capture: NOTE: clear the logs after the document query has been performed, and save the logs after the document displays in the browser. Primary Custodian CONNECT log. Secondary Custodian CONNECT log. 2nd Requestor CONNECT log & screenshots. ATNA log. PCD Repository log. Exchanged consent directive. Data Set Verification: Verify PCD request message in accordance with § 2.2.1. Verify PCD audit message in accordance with § 2.3.2. Verify PCD content in accordance with § 3.2.
Get Document: No PCD Scenario #10: Arrives at 1st HC facility and records are requested Actors: Primary Custodian (PC), 1st Requestor, PCD Repository Preconditions: Patient discovery and query performed between PC & 1st Requestor. No PCD registered at the PCD Repository for patient. Local policy allows get by 1st requestor when no consent specified. Test steps: After retrieve for “Gallow Younger” in the 1st Requestor universal client: Select Gallow Younger in the list. Click on the test document. Test results: The document should display in the browser. In our RI, ATNA shows the exchange; should it be expected?
Get Document: No PCD Scenario #10: Arrives at 1st HC facility and records are requested Log Capture: Primary Custodian CONNECT log. 1st Requestor CONNECT log & screenshots. ATNA log. PCD Repository log. Exchanged consent directive. Data Set Verification: Verify PCD request message in accordance with § 2.2.1. Verify PCD audit message in accordance with § 2.3.2. Verify PCD content in accordance with § 3.2.
Get Document: Data Segmentation Scenario #11: Arrives at 1st HC facility and records are requested Actors: Primary Custodian (PC), 1st Requestor, PCD Repository Preconditions: Patient discovery and query performed between PC & 1st Requestor. A document query performed and a document identifier(s) returned. PCD allows get by 1st Requestor, plus redact for PSY sensitivity codes. Gallow Younger test document only present in PC repository. Test steps: After retrieve for “Gallow Younger” in the 1st Requestor universal client: Select Gallow Younger in the list. Click on the test document. Test results: The document should display in the browser without PSY data. ATNA db shows the exchange.
Get Document: Data Segmentation Scenario #11: Arrives at 1st HC facility and records are requested Log Capture: Primary Custodian CONNECT log. 1st Requestor CONNECT log & screenshots. ATNA log. PCD Repository log. Exchanged consent directive. Data segmentation log (if any). Data Set Verification: Verify PCD request message in accordance with § 2.2.1. Verify PCD audit message in accordance with § 2.3.2. Verify PCD content in accordance with § 3.2. Verify PSY related data redacted from document.
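The expected outcomes of the twelve test cases above can be expressed as one consent decision function and checked as a matrix. This is an added example, not code from the pilot or its reference implementation. Assumptions: the PCD is modelled as a plain dict rather than an HL7 CDA consent directive, all names (`decide`, `release`, `MATRIX`, the `N` sensitivity code) are hypothetical, and a requestor not covered by the PCD or by local policy is denied.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Decision:
    outcome: str                     # "allow" or "deny"
    basis: str                       # "pcd" or "local-policy"
    redact: frozenset = frozenset()  # sensitivity codes to strip on release

# Constructed PCDs (hypothetical dict layout, not an HL7 CDA consent directive).
PCD = {"1st": ("allow", frozenset()), "2nd": ("deny", frozenset())}
PCD_SEG = {"1st": ("allow", frozenset({"PSY"})), "2nd": ("deny", frozenset())}
LOCAL_POLICY = {"1st": "allow"}      # used only when no PCD is registered

def decide(pcd, requestor, custodian):
    """Decision for a request from `requestor` arriving at `custodian`."""
    # `custodian` (PC or SC) is deliberately unused: the directive follows the
    # data, so a subsequent custodian must reach the same answer as the first.
    if pcd is None:
        return Decision(LOCAL_POLICY.get(requestor, "deny"), "local-policy")
    # Assumption: a requestor the PCD does not mention is denied.
    outcome, redact = pcd.get(requestor, ("deny", frozenset()))
    return Decision(outcome, "pcd", redact)

def release(document, decision):
    """Sections the requestor may see; None when the request is denied."""
    if decision.outcome != "allow":
        return None
    return [s for s in document if s["code"] not in decision.redact]

# The deck's twelve test cases: (label, pcd, requestor, custodian, expected).
MATRIX = [
    ("discovery 1st",        PCD,     "1st", "PC", "allow"),
    ("discovery 2nd",        PCD,     "2nd", "PC", "deny"),
    ("discovery no consent", None,    "1st", "PC", "allow"),
    ("query 1st to PC",      PCD,     "1st", "PC", "allow"),
    ("query 2nd to PC",      PCD,     "2nd", "PC", "deny"),
    ("query 2nd to SC",      PCD,     "2nd", "SC", "deny"),
    ("query no consent",     None,    "1st", "PC", "allow"),
    ("retrieve 1st to PC",   PCD,     "1st", "PC", "allow"),
    ("retrieve 2nd to PC",   PCD,     "2nd", "PC", "deny"),
    ("retrieve 2nd to SC",   PCD,     "2nd", "SC", "deny"),
    ("retrieve no consent",  None,    "1st", "PC", "allow"),
    ("retrieve segmented",   PCD_SEG, "1st", "PC", "allow"),
]

def mismatches():
    """Labels of test cases where decide() disagrees with the expected result."""
    return [label for label, pcd, req, cust, want in MATRIX
            if decide(pcd, req, cust).outcome != want]

# Constructed test document: two sections tagged with sensitivity codes.
DOC = [{"code": "N", "text": "allergies"},
       {"code": "PSY", "text": "psychiatry note"}]

if __name__ == "__main__":
    print("mismatches:", mismatches())
    print(release(DOC, decide(PCD_SEG, "1st", "PC")))
```

The `basis` field separates decisions driven by the PCD from those that fall back to local policy, which is the case where the deck leaves open whether an ATNA record is expected.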
Discussion • Open forum for discussing questions: • Problems with the Universal Client? • Problems with communicating use of the PCD repository • Problems with use of OpenATNA Audit Message Viewer • Problems with how PCD is changed and the effects • Unexpected benefits/problems
Pilot Timeline • General Timeline, conditioned on agreement of stakeholders
Plan of Action • Upon agreement of the participants the POA is: • Identify the elements available from previous DS4P pilots • Scope level of effort, decide on extended scenario • Determine first draft of functional requirements • Review standards available for returning information on requests • Determine any gaps or extensions required in standards • Stand up information holders and requestors • Create XDS.b repository holding PCD • Identify remaining pieces, create test procedures • Document and update IG with results of our experience
DS4P Standards Material • Location of DS4P Standards Inventory: http://wiki.siframework.org/Data+Segmentation+-+Standards+Inventory • Location of DS4P Standards Mapping Issues: http://wiki.siframework.org/file/view/Copy%20of%20DataMappingsIssues%2005102012.xlsx/333681710/Copy%20of%20DataMappingsIssues%2005102012.xlsx • General Standards Source List: http://wiki.siframework.org/file/view/General%20SI%20Framework%20Standards%20Analysis.xlsx/297940330/General%20SI%20Framework%20Standards%20Analysis.xlsx • Standards Crosswalk Analysis http://wiki.siframework.org/Data+Segmentation+for+Privacy+Standards+and+Harmonization (at bottom of page, exportable) • Implementation Guidance http://wiki.siframework.org/file/view/Data%20Segmentation%20Implementation%20Guidance_consensus_v1_0_4.pdf/416474106/Data%20Segmentation%20Implementation%20Guidance_consensus_v1_0_4.pdf
DS4P References • Use Case: http://wiki.siframework.org/Data+Segmentation+for+Privacy+Use+Cases • Implementation Guide: http://wiki.siframework.org/Data+Segmentation+for+Privacy+IG+Consensus • Pilots Wiki Page: http://wiki.siframework.org/Data+Segmentation+for+Privacy+RI+and+Pilots+Sub-Workgroup
Pilot Data Flow (repeated as build slides (1) through (5) and an updated version) [Diagram; only its labels survive. Actors: Patient, PCD Repository, 1st Requestor and Subsequent Custodian of Data, Custodian of Data, 2nd Requestor. Flows: Clinical exchange, Fetch PCD, Send audit. Legend: clinical data, PCD data (A, B), audit record.]