1-8 Use Case Working Session Materials
advertisement
The Patient Choice Project Use Case Working Session January 8th, 2016 Call Logistics • If you are not speaking, please keep your phone on mute • Do not put your phone on hold – if you need to take a call, hang up and dial in again when finished with your other call • This meeting is being recorded • Feel free to use the “Chat” feature for questions, comments or any items you would like the moderator or participants to know 2 Agenda Topic Time Allotted General Announcements 5 minutes Patient Choice Use Case Development • Use Case Timeline • In/Out of Scope, Assumption, Scenarios • Introduction to User Stories 50 minutes Next Steps/Questions 5 minutes 3 General Announcements • The Patient Choice project will meet weekly on Fridays @ 11 am ET » The working group meeting on Friday, January 15th, 2016 has been CANCELLED due to HL7 » The next working group meeting will be on Friday, January 22nd, 2016 at 11 am ET 4 5 General Use Case Outline • 1.0 Preface and Introduction • 2.0 Initiative Overview » 2.1 Initiative Challenge Statement • 3.0 Use Case Scope » 3.1 Background » 3.2 In Scope » 3.3 Out of Scope » 3.4 Communities of Interest • 10.0 Scenario: Generic Provider Workflow – 10.1 User Story 1, 2, x, … – 10.2 Activity Diagram o 10.2.1 Base Flow o 10.2.2 Alternate Flow – 10.3 Functional Requirements o 10.3.1 Information Interchange Requirements o 10.3.2 System Requirements – 10.4 Sequence Diagram • 4.0 Value Statement • 5.0 Use Case Assumptions • 6.0 Pre-Conditions • 7.0 Post Conditions • 8.0 Actors and Roles • 11.0 Risks, Issues and Obstacles • 12.0 Dataset Requirements • Appendices – Related Use Cases – Previous Work Efforts – References • 9.0 Use Case Diagram 6 Proposed Use Case & Functional Requirements Development Timeline Week Target Date Working Session Tasks Review and Provide Comments via Confluence (due Thursdays @ 11 am ET) 1&2 12/28 Use Case Process Overview Introduce: In/Out of Scope, Assumptions, Scenarios, User Stories Review: In/Out of Scope, Assumptions, Scenarios, and User Stories 3 1/8 Review: In/Out of Scope, Assumptions, Scenarios, User Stories Review: In/Out of Scope, Assumptions, and User Stories 4 1/15 CANCELLED for HL7 Review: In/Out of Scope, Assumptions, and User Stories 5 1/22 Review: Finalized In/Out of Scope, Finalized Assumptions, and User Stories Introduce: Pre/Post Conditions, Actors and Roles, Activity Diagram and Base Flow Review: User Stories, Pre/Post Conditions, Actors and Roles, Activity Diagram and Base Flow 6 1/29 Review: Finalized User Stories, Finalized Pre/Post Conditions, Finalized Actors and Roles, Activity Diagram and Base Flow. Introduce: Functional Requirements & Sequence Diagram Review: Activity Diagram and Base Flow, and Functional Requirements & Sequence Diagram 7 2/5 Review: Finalized Activity Diagram and Base Flow, and Functional Requirements & Sequence Diagram Introduce: Data Requirements and Risks & Issues Review: Functional Requirements & Sequence Diagram, Data Requirements, and Risks & Issues 8 2/12 Review: Finalized Functional Requirements & Sequence Diagram, Finalized Data Requirements, and Finalized Risks & Issues End to End Review 7 Use Case Development Process 8 Section Review • 1. Discuss and review the following sections: 1. Scope Items 2. Assumptions Click the icon to open the Word Document 3. Activity Diagram • 2. Introduce and review the following sections: 1. Draft User Stories 9 Phase 1: In-Scope • Semantic understanding of a Basic Choice consent decision and the corresponding information that comprises a privacy consent directive • Information that must be available a the time of a query for patient data to enable a data source to determine if the requester is authorized to receive a response • Demonstrate the use of computable consent to enable privacy policy implementation and information access control decisions 10 Phase 1: Out of Scope • Methods for Capturing Consent • Patient Interfaces • Mechanisms for managing a consent directive » Policies surrounding information that has already been shared when a patient changes their privacy consent directive to “Do not share” » Mechanisms to update privacy consent directives • Maintenance and updating of consent registries • Maintenance and updating of consent repositories 11 Use Case Assumptions • The requirements of the use case can be implemented in a variety of architectures • Patients who are consumers of healthcare services are aware of their ability to complete Consent Directives and do offer such direction to the clinicians and organizations which they engage to provide them healthcare services • Electronic systems have the capability to manage and update consent registries/repositories • Electronic service information is known • All parties in the exchange comply with applicable Federal privacy and security rules • The use case includes systems where the additionally protected information is integrated with other data within an EHR or other systems that manages Patient health information • Policy is in place for handling missing or not yet recorded Patient preferences for data sharing • All parties commit to having the capability to comply with Patient privacy preferences and subsequent handling instructions. is in place for handling information that has already been shared when a patient changes their privacy consent directive to “Do not share” • Disclosures are appropriately updated in the system to be reflected in accounting for disclosures that may be requested by the Patient • Appropriate security audit mechanisms are in place • Appropriate methods for capturing consent are in place • Appropriate patient interfaces are in place • Consent Directives are based on the most current and up to date Patient privacy preferences 12 Scenario 1: Query for Consent Directive (Pull) Provider/ Healthcare Provider Organization Data Holder/HIO Consent Directive Registry Consent Repository Start 1. Determines that Patient data should be requested 2. Sends query for Patient data to the HIO 3. Receives query for Patient data 4. Determines if consent is required to share Patient data 5. Sends query to Consent Directive registry for Privacy Consent Directive location 7. Sends query to Privacy Consent Directive Repository 9. Review Privacy Consent Directive to determine the data that may be disclosed. 11. Receives Patient data End 10. Sends Patient data to requesting Provider 6. Sends Privacy Consent Directive location 8. Sends Privacy Consent Directive to HIO Scenario 1: Query for Consent Directive (Pull) User Story 1: HIE Consent Repository • Context • HIE maintains a consent repository • HIE does not provide data unless request is allowed under recorded consent • User Story • Patient X presents with abnormal heart rhythm at clinic A • Doctor Able recommends taking an exercise stress test from a heart specialist at hospital B • Patient X’s consent is (or has been) sent to the HIE • Doctor Baker at hospital B requests medical record from the HIE • HIE receives request for Patient X record , evaluates request against consent in the repository, and sends the record to Doctor Baker 14 Scenario 1: Query for Consent Directive (Pull) User Story 1: HIE Consent Repository 4 Health Information Exchange Clinical IT System 1a 1b Other IT System 2 Clinical IT System 3 Consent Repository HIE Security Domain • Query for consent (3) upon receipt of request for clinical data (2) 15 Scenario 1: Query for Consent Directive (Pull) User Story 2: HIE / Registry Consent Repository • Context • HIE and state registry both maintain a consent repository • Neither HIE nor state registry provide records unless allowed under consent • HIE is integrated within state registry and can forward consent messages • User Story • Patient Y’s “opt-in” to sharing immunization records from state immunization registry has been sent to the HIE by doctor or patient • Patient Y moves within state and visits pediatrician at new location • Doctor Charlie requests immunization records from HIE • HIE receives request for records, evaluates request against consent in its repository, and sends the request to state registry • State registry receives request, evaluates request against consent in its repository, and sends the record to HIE that is then forwarded to Dr. Charlie 16 Scenario 1: Query for Consent Directive (Pull) User Story 2: HIE/Registry Consent Repository 2b 2a Clinical IT System Immunization Registry Health Information Exchange 4 3 1a Consent Repository Registry Security Domain 1c Consent Repository HIE Security Domain Clinical IT System 1b Other IT System • Query for consent (3, 4) upon receipt of request for clinical data (2a, 2b) 17 Scenario 1: Query for Consent Directive (Pull) User Story 3: Hospital Consent Repository • Context • General Hospital maintains a consent repository • Care teams do not provide records unless request is allowed under consent • User Story • Patient Z receives hip replacement at General Hospital, which is required to follow Comprehensive Care for Joint Replacement (CJR) payment model • Patient Z’s consent is (or has been) sent to General Hospital repository • Patient Z is discharged to a skilled nursing facility (SNF) • Doctor Delta is assigned to follow progress of Patient Z for 90 days post discharge • Later, Doctor Delta requests Patient Z’s medical record from the SNF • SNF receives request for Patient Z record , evaluates request against consent in General Hospital repository, and sends the record to Doctor Delta 18 Scenario 1: Query for Consent Directive (Pull) User Story 3: Hospital Consent Repository 2 4 Clinical IT System Care Team IT System 3 1 Care Team IT System Consent Repository Service Team IT System Hospital Security Domain • Query for consent (3) upon receipt of request for clinical data (2) 19 Scenario 2: Push Consent Directive and Authorization Data Requester Data Holder Start 1. Data Requester sends Privacy Consent Directive and request for Patient data to provider 2 2. Data Holder receives Privacy Consent Directive and request for Patient data 3. Data Holder decides which information to return and assembles response. 5. Data Requester receives response from Data Holder 4. Data Holder sends response to Data Requester End 20 Scenario 2: Push Consent Directive and Authorization User Story 1 SSA receives an electronic and hard-copy of Alice’s SSA-827 Authorization to Disclose Information to SSA. SSA is able to validate Alice’s identify because she authenticated to her MyHealtheVet account when she filled out, digitally signed, and submitted her electronic SSA-827. SSA is also in receipt of her hard-copy version of the same SSA-827 form. SSA attaches her Consent Directive to SSA’s request for all of her VHA records. VHA receives SSA’s request for all of Alice’s records along with her electronic Consent Directive via NwHIN. VHA processes this request through the enterprise VHA access control system, which is connected to all points of external protected health information disclosure. VHA’s access control system determines that VHA is a trusted NwHIN partner. VHA validates that Alice is the author the SSA-827 Form by checking her digital signature, and releases the requested information to SSA via NwHIN. 21 Next Steps • Review and provide feedback to posted materials: User Stories, In/Out of Scope, Assumptions, and Scenarios sections by the following Thursday at 11am ET » http://confluence.siframework.org/display/PATCH/Use+Case+Development • Next meeting is Friday, January 22nd, 2016 at 11 am ET • Reminder: All Patient Choice Announcements, Schedules, Project Materials, and Use Case will be posted on the Patient Choice Confluence page » http://confluence.siframework.org/display/PATCH/ 22 Project Contact Information OCPO-ONC Lead Jeremy Maxwell Jeremy.Maxwell@hhs.gov Project Coordinator Johnathan Coleman jc@securityrs.com Project Manager Ali Khan Ali.Khan@esacinc.com Project Support Taima Gomez Taima.Gomez@esacinc.com Staff SME Kathleen Connor klc@securityrs.com Staff SME David Staggs drs@securityrs.com 23 Thank you for joining! @ONC_HealthIT @HHSONC
