Executive Summary - Data Segmentation-v5

advertisement
Data Segmentation for Privacy Initiative –
Technical Approach Executive Summary
Highlights
 Use existing and evolving
standards and profiles to
enable data segmentation
The Challenge of Data Segmentation
This executive summary is targeted at members of the HITSC
Privacy and Security Workgroup and healthcare executives
with a good understanding of how to implement standardsbased interoperability solutions
Summary of Technical Approach
 Use of controlled value sets for
computability of privacy
metadata
 Structure patient consent in a
machine-readable format that
is easy to understand and
exchange
The S&I Framework Data Segmentation for Privacy Initiative
Technical Approach, developed with an open-community and
consensus-approved, focused on the use of privacy metadata
to segment patient data. By reusing existing standards and
allowing for a gradual escalation in granularity at the patient’s behest, mechanisms are put into place
that allow for both the healthy exchange of patient information and a level of control on how that
information can be used and disclosed. Our approach looked to ensure that Direct and eHealth
Exchange, formerly NwHIN Exchange, would be immediately supported as transport approaches for
privacy metadata, with future focus on implementation support for REST.
Several existing and proposed Federal regulations are used as reference points for defining our
requirements and technical solution. These regulations are intended to provide tangible examples of the
types of policies that must be addressed, e.g., 42 CFR Part 2 for Federally assisted alcohol and drug
abuse treatment programs, Section 7332, Title 38, USC for sharing of healthcare data collected by the
Veterans Administration, and Proposed Rule 45 CFR Part 164.522(a)(1)(iv) allowing the patient to restrict
the sharing of data with payers for self-pay services. Our implementation guidance is intended to be
broad and flexible enough to address other legal and regulatory requirements should they become
applicable in the future. For further detail about supported uses cases and system requirements please
refer to the Use Case document.
The technical approach is also intended to be supportive of multiple standards and technologies, in
accomplishment of the following objectives:

Support for pushing of segmented patient data through support for secure email (Direct) and
the persistence of segmented data through the use of pull-based implementation models (as
defined by the eHealth Exchange)


Use of structured vocabularies to deliver unambiguous meaning to receiving systems about
privacy metadata, such as obligations, confidentiality, and refrain policies.
Extensibility to allow for application of controls to patient data, down to uniquely-defined
granular privacy controls for data, such as lab results and medications.
In the following visual, an example of the Data Segmentation for Privacy Technical Approach is shown:
Figure 1 – Data Segmentation Approach Overview
The Data Segmentation for Privacy Technical Approach is focused on the use of existing and evolving
standards to support the need for segmentation of patient data. The use of standards in this approach is
intended to leverage existing successful efforts within the health information technology community.
Specific to reuse, the Data Segmentation for Privacy Technical Approach is designed to support multiple
architectures, including use of SMTP and S/MIME through the Direct Project (with additional IHE XDR
support) and use of SOAP architectures that support IHE XD* metadata. REST is also supported, with
further discussion on the REST approach evolving as piloting results evolve.
Standards Used in this Technical Approach
The standards selected for implementation were reviewed by the S&I Framework to ensure they aligned
to the following factors, as expressed by the Office of the National Coordinator (ONC) and the Health IT
Standards Committee (HITSC):



Viability for implementation within existing and future environments, as Meaningful Use Stage 2
progresses and Meaningful Use Stage 3 begins
Availability of documentation to support implementers who wish to exchange segmented
patient data within their environments, and to support implementation of data segmentation
mechanisms within vendor products, such as electronic health records (EHRs)
Extensibility to support both expected and unplanned improvements to privacy metadata, as
the level of patient control over their data increases
Further information about the standards harmonization for Data Segmentation for Privacy can be found
reference the following link: Standards Harmonization
A summary of the usage of these standards and profiles within this technical approach is provided
below:
Capability
Standard/Profile
Specific Usage
IHE XD* Profiles
IHE XDR and XDM Metadata
IHE XDS Metadata used as the mechanism
to support both SubmissionSet and
Document metadata
Vocabularies
ASC X12 5010
Used to define type of insurance coverage
Capability
Healthcare Facility Type Value Set –
as defined in HITSP C80
Used to define facility types (and used by
systems to determine protected facilities)
HL7 RefrainPolicy
Used to convey specific prohibitions on the
use of sensitive health information
HL7 PurposeofUse
Used to convey a purpose of use
HL7 BasicConfidentialityCodeKind
Used to represent confidentiality codes
HL7 ObligationCode
Used to convey specific obligations
HL7 ActPolicyType
HL7 SensitivityPrivacyPolicy
Used to convey a type of policy
Used to convey the sensitivity level of a
specific policy
SOAP
Transport-level security
Transport
Transport
Transport
Transport
SMTP and S/MIME
S/MIME attributes are bound to SMTP to
provide for the use of secure email as the
transport mechanism for exchanging patient
data
Conveying Identity
- Cross-Enterprise User Assertion
(XUA)
IHE XUA Metadata
SAML Assertion
(SAML Request and Response)
- OASIS SAML Specification Version
2.0
Conveying Identity
X.509 Digital Certificates
PKI to support Direct implementations
Patient Consent
Structure
HL7 CDA R2 Consent Directive
(DSTU)
HL7 CDA Consent Directive DSTU
Table 1 - Applicable Standards for Data Segmentation
Use and Placement of Privacy Metadata
Metadata Definition: A set of data that describes and gives information about other data.
Metadata is applied and processed at various levels of information exchange. The intent of the Data
Segmentation for Privacy Technical Approach is to make the application and processing of privacy
metadata machine-readable and computable, while also ensuring ease of the implementation of
privacy-aware interoperability solutions. The model used for this implementation guidance is to focus on
separation of levels used to exchange protected information sent from one organization to another.
Each level would have specific metadata that would be applicable; with the levels being defined in the
table below describes the privacy at a different level in the transaction (e.g. payload, transport):
Levels of Metadata
Privacy-related metadata
How the Metadata is Used in the Implementation
The metadata associated with the information exchange is
intended to support applicable privacy policies. This
metadata ensures that protected information can be
exchanged in a way consistent with applicable privacy
policies:
 Purpose of Use code
 Obligation Code
 Refrain Code
In addition to the current Confidentiality Code the DS4P
implementation guide defines only interoperability-related
metadata needed to support existing privacy policy; it does
not propose a new privacy policy.
Privacy-related metadata such as confidentiality code,
purpose of use, obligations, and refrain policies may appear
in the “Access Control and Authorization Related Metadata,”
added to a technology-specific “Transport-related
metadata.” The privacy-related metadata may be added to
the payload-metadata to describe not only the information
itself by its privacy-related characteristics to the receiver of
protected clinical information.
While privacy-related metadata accompanies the clinical
payload subject to disclosure, a privacy policy reference is
viewed as a document separate from the clinical payload
that informs the sending or receiving party who it may
disclose privacy-protected information to.
Payload-related metadata
The metadata describes the patient information exchanged
in the payload. It specifies the type of data exchanged its
origin, its current custodian, the intended recipient, the
target patient, etc. This is referred to as the “payload
mechanism” and is placed within the actual content (for
example, in a CDA document or section.
This initiative has proposed additional payload-related
metadata to support the “privacy-related metadata”
described above. This metadata, for instance, allows
implementers to specify the privacy characteristics of an
individual clinical statement in a CDA document.
Access Control and Authorization
The metadata to determine level of access and authorization
of users of EHRS (Electronic Health Record Systems). An
example of this type of metadata would be a SAML
assertion.
Transport
The metadata associated with a specific transport
mechanism or protocol used to exchange protected clinical
information. This is referred to as the “transport
mechanism.” An example of this metadata is IHE XDM
metadata associated with a Direct message or IHE XDR
metadata included in a NwHIN transaction.
Table 2 – Privacy Metadata
The goal is to apply the appropriate amount of metadata that is necessary for a given level, and no
more.
Figure 2 – Privacy metadata may be applied at different levels in the transaction
As seen in Figure 3, the privacy-related metadata identified by the DS4P is used to specify the
responsibilities associated with this data. Similar to other responsibilities related to acknowledging a
transaction, for instance, the receiver must recognize and persist the metadata associated with the
exchange of protected information.
NEW PRIVACY METADATA introduced by this initiative: Obligation and Refrain Codes – to support
specific obligations for disclosure (including refraining from disclosing to other parties) using controlled
vocabularies both as policy references. More detailed obligations, such as the naming of specific parties
that information can only be disclosed to may be accomplished through external references to a
patient’s privacy consent.
Type of Content and Transaction – supports the use of metadata in various levels of content and
transactions, such as the use of privacy metadata “for the metadata” as well as privacy metadata
embedded into patient data that is captured in a format such as CDA.
The following figure summarizes where privacy metadata is intended to be placed:
Figure 3 - Placement of Privacy Metadata in Data Segmentation Approach
The purpose of placement is to ensure that the least revealing metadata is placed in the outer envelope
(the Document Entry XD* Metadata) with the most revealing privacy metadata being placed at the CDA
Entry level. This approach ensures that two implementations are possible:
o
o
Implementation of obligations for restricting disclosures that are implemented through external
references within CDA entry templates
Implementation of obligations for restricting disclosures that are implemented through the use
of XD* metadata (as a policy reference or refrain codes) to reference specific policies.
The following figure summarizes the distinction between “payload” privacy metadata and “transport”
privacy metadata:
Figure 2 - Payload and Transport Privacy Metadata
Segmentation “High Watermark”
The essential premise of the Data Segmentation metadata approach is that metadata is applied at
different levels within patient data. Segmentation works through a “high watermark” approach. In this
approach, the highest level of confidentiality and obligations that is established for the transaction
carries through to the content, and vice versa.



IHE XD* metadata is placed at the Document Entry and Submission Set level , such as a purpose
of use and obligation codes
XUA++ metadata is included in those scenarios where a “pull” approach is employed
Where a CDA approach is used, the Header and Section may include confidentiality codes
o CDA entries may also include an external reference to additional obligations and
restrictions on disclosure
The following is an example of the high watermark approach:
Figure 3 - Defining Segmentation "High Watermark"
A problem observation of “shingles” contains an external reference to a consent document that
establishes restrictions on the disclosure of this observation to only a dermatologist, and only for
purposes of treatment. This restriction includes codes obligating disclosure only in the case of a visit by
the patient to a dermatologist, and also contains refrain codes limiting disclosure beyond that purpose.
The Problem Section holding this observation would include a confidentialityCode of R.
The Dermatologist who receives information from a primary care physician is then able to process the
problem observation and its confidentiality code, by first evaluating the metadata surrounding the
problem observation, and then ensuring that refrain codes contained in the metadata are enforced by
the receiving system and the dermatologist’s organization. For a problem observation of “shingles”, the
external reference is also accessed by the dermatologist’s receiving system to ensure that all aspects of
the patient’s consent are reviewed and enforced.
If this is established within the CDA entry, a “high watermark” is established for the entire transaction.
This means that the IHE XD* metadata must also reflect this confidentialityCode of R. In this example,
the shingles diagnosis is protected, and since the document contains the shingles diagnosis, it is
protected by an “R”. However, if the receiving dermatologist (with the right to access this document)
wanted to incorporate sections into his/her EHR, he/she could incorporate the “N” sections without any
special management necessary.
The Workflow of Data Segmentation
Segmentation is designed to be an internal system activity that a sending system conducts prior to
sending patient data deemed “sensitive” to a receiving system. How to apply privacy metadata to
specific data that have been deemed sensitive is in scope. Determining what is considered “sensitive” is
subject to policy and therefore outside the scope of this initiative (e.g. DS4P is not tasked with
determining what is considered substance abuse data) - this is defined by law and policy at the federal
and state levels. However, DS4P did identify various strategies for systems to use in determining which
data needs to be segmented. The end-goal of the initiative was to produce documented guidance for
implementers around the strategies further detailed in this document, based around three transport
mechanisms – The Direct Project, eHealth Exchange and REST. The Data Segmentation pilots are testing
the approaches outlined in the Reference Implementation Guides to generate clear implementation
guidance for data segmentation workflow.
The following visual summarizes the different workflow activities used to segment patient data:
Figure 6 - Data Segmentation - Conceptual Workflow
This approach to segmentation relies on several responsibilities for the sending system:

Understanding of the information that is restricted/protected


Knowledge of the patient’s consent directive, where required by policy
Ability for an EHR system to apply privacy metadata
The receiving system is also asked to assume several responsibilities:

Ensure that any obligations that are specified by the sending system are followed and persist (
such as purpose of use, prohibition on re-disclosure etc)
How the Exchange of Segmented Patient Data Works
Segmentation is a critical aspect of the technical approach, but is not the only focus. The transport of
segmented patient data in a manner that retains the applied privacy metadata is also crucial. The
technical approach adopted by the S&I Framework Data Segmentation for Privacy initiative is designed
to support different implementation environments where segmented patient data is expected to be
shared. This includes environments called “push”, where a point-to-point exchange occurs, and
environments where a “pull” of the segmented patient data will occur, such as from an HIE.
Push implementations (e.g. using secure email) are based on establishing trust through the use of X.509
digital certificates and then sending a secure email with segmented patient data. In the following
example, a push-based implementation is used to send segmented patient data from a primary care
physician to a specialist. This example shows how XDM metadata is set for non-disclosure of the
information (as an obligation to the receiving system and with a confidentiality code) and the data is
classified as Restricted to allow the receiving system to enforce appropriate obligations defined by law
and by privacy policies defined by reference in the privacy metadata:
Figure 7 - Data Segmentation - Push Approach Example
The Data Segmentation for Privacy Technical Approach also supports the use of XDR metadata. This
allows for segmented patient data to be shared across multiple environments (e.g. a regional HIE, where
a provider may support Direct, but may need to share segmented patient data with an Exchange
partner, such as the Department of Veterans Affairs (VA)). The following visual provides an example of
how this approach would work – privacy metadata is defined using XD* profiles, so that a provider using
the Direct protocol can share privacy obligations and confidentiality codes with a participant on the
NwHIN Exchange:
Figure 8 - Data Segmentation - Combo Example
Finally, there is support for pull implementations, where segmented patient data is made available
through an HIE or other party to a receiving system that has established trust with a sending system. The
pull implementation operates slightly differently than other approaches in that additional metadata,
such as a purpose of use and requested users of the patient data, can be sent by the receiving system
prior to the exchange occurring. This implementation also supports querying for consent directives and
their locations. In this example, similar metadata applies as in the push approach, but additional
metadata is needed to ensure that components such as the HIE Repository and Registry also enforce
obligations and requested purposes.
Figure 9 - Data Segmentation - Pull Based Example
Download