FHIR Use Case: Difference between revisions

From IDESG Wiki
Jump to navigation Jump to search
 
(15 intermediate revisions by the same user not shown)
Line 2: Line 2:
Carequality FHIR Use Case Proposal
Carequality FHIR Use Case Proposal
==Context==
==Context==
* [https://s3.amazonaws.com/ceq-project/wp-content/uploads/2018/12/10195830/FHIR-Use-Case-Proposal.pdf FHIR Use Case Proposal]
* [https://s3.amazonaws.com/ceq-project/wp-content/uploads/2018/12/10195830/FHIR-Use-Case-Proposal.pdf FHIR Use Case Proposal] was the source of the material. It has been modified as noted in the interests of [[Patient Choice]].
===Goal===
===Goal===
Release of PHI can only occur if the record holder has trust not only that it can accurately identify the requester, but that the request itself, and the requester’s policies and practices around the information once it is released, are appropriate. Such trust is straightforward to establish for an individual connection between two partner organizations, by relying on new or existing contractual relationships bolstered by negotiation of security and other technical details. Such an approach is not scalable, however, as the healthcare industry discovered in the context of document exchange via SOAP-based web services. Carequality’s governance framework can provide a “single on
Release of PHI can only occur if the record holder has trust not only that it can accurately identify the requester, but that the request itself, and the requester’s policies and practices around the information once it is released, are appropriate. Such trust is straightforward to establish for an individual connection between two partner organizations, by relying on new or existing contractual relationships bolstered by negotiation of security and other technical details. Such an approach is not scalable, however, as the healthcare industry discovered in the context of document exchange via SOAP-based web services. Carequality’s governance framework can provide a “single on
Line 8: Line 8:


===Actors===
===Actors===
In the FHIR spec a EHR is considered to be a data responder. Here we dstinguish between two types, the source and receiver, which can dynamically switch multiple time during a single session.
#Data Source = data goes from point A to point B. The source is where the data is coming from. Relative to this document, a data source can be a Query Responder or a Push Initiator.
#Data Source = data goes from point A to point B. The source is where the data is coming from. Relative to this document, a data source can be a Query Responder or a Push Initiator.
#Data Receiver I=data goes from point A to point B. The receiver is where the data is going to. Relative to this document, a data receiver can be a Query Initiator or a Push Recipient.
#Data Receiver = data goes from point A to point B. The receiver is where the data is going to. Relative to this document, a data receiver can be a Query Initiator or a Push Recipient.
#Record Locator Service(RLS) = provides the ability to identify where records are located based upon criteria such as a Person ID and/or record data type, as well as providing functionality for the ongoing maintenance of this location information.
#[[Record Locator Service]](RLS) = provides the ability to identify where records are located based upon criteria such as a Person ID and/or record data type, as well as providing functionality for the ongoing maintenance of this location information.
#Provider =  A clinician or organization that is directly engaged in treatment services.
#Provider =  A clinician or organization that is directly engaged in treatment services.
#Patient  = A person who is the subject of health records, or an authorized representative acting on such a person’s behalf.
#Patient  = A person who is the subject of health records, or an authorized representative acting on such a person’s behalf.
#Transaction = Per the HL7 website; an interaction that submits a set of actions to perform on a server as a single atomic action. Multiple actions on multiple resources of the same or different types may be submitted, and they may be a mix of other operations (e.g. read, search, create, update, delete, etc.)
#Transaction = Per the HL7 website; an interaction that submits a set of actions to perform on a server as a single atomic action. Multiple actions on multiple resources of the same or different types may be submitted, and they may be a mix of other operations (e.g. read, search, create, update, delete, etc.)
#Research = Work done to improve healthcare costs, outcomes, quality, safety, and innovation via systematic investigation and structured data analysis.
#Research = Work done to improve healthcare costs, outcomes, quality, safety, and innovation via systematic investigation and structured data analysis.
===FHIR Taxonomy===
* Patient = the subject of the data (A profile)
* Observation = an entry into a data base (A profile)
* Conformance Package will assume the US Core and CMS regulations.
* Manifest = list of the available profile definitions
* Implementation Guide = description of profiles in use


==Preconditions==
==Preconditions==
*The Consumer has acquired a late binding token from any provider at all.
* The patient has a primary care provider with up-to-date medical conditions, prescriptions and allergies.
*The Consumer has registered an over-21 claim with verifier using token.
* The PCP uses an EHR which is part of the US Healthcare Assurance Framework.
*The Consumer has established an account with supplier using a DID or other persistent ID.
* All of the parties to data flow are using the US Core profile of the latest FHIR specification.


==Scenarios==
==Scenarios==
Primary Scenario:
Primary Scenario:
#Consumer signs into supplier and has never purchased liquor from this site.
#Patient is traveling, has a shoulder injury and seeks care at local rural care facility.
#Consumer selects to purchase liquor item
#Physician examines patient and wants to provide a pain medicine, patient cannot provide exact medicines or allergies.
#Supplier asks user for over 21 proof with a nonce.
#Phisician queries patient Medical [[Record Locator Service]] and determines appropriate prescription.
#Consumer sends verifiable claim of over 21 they acquired from verifier.
#Supplier asks verifier for proof. (This would be by redirect to verifier through user browser)
#Verifier supplies validated claim (or statement of non-revocation) bound to nonce by redirect to Supplier, if this VC is bound to the user’s session with supplier, it can have a lifetime of the duration of bound session.
#Monetization is by direct micro payment (on the order of $.05) from supplier to verifier.
 


Alternative Paths:
Alternative Paths:
#Consumer selects to purchase liquor item.
# The Primary Care Physician has placed the patient records in an EHR that regularly performs scans of all patients in the EHR for health conditions.
#Supplier asks user for over 21 proof with a nonce.
# The patient is informed that health concerns are indicated and requests consent from the user to scan other health care records. (This step was missing from the original.)
#Consumer asks verifier directly for proof with nonce from Supplier.
# When indications from the scan show possible areas of concern, the EHR reaches out to all providers of care to the patient using the Medical [[Record Locator Service]]
#Verifier asks consumer to enter token for proof of presence.
# The patient is always informed when such a scan occurs and what the results were found. (This step was less informative in the original.)
#Verifier send validated claim with nonce of supplier with short expiration time (10-20 mins - alternate life time of duration of session).
#Consumer sends verified claim to supplier.
#Monetization is by advertising from verifier to consumer.


A different path using biometrics:
A different path using biometrics:


#Yoti, a London-based startup which wants to become the “world’s trusted identity platform”, is one of many attempts to provide such a service. Its system stores government id documents and biometrics. If a user wants to buy a bottle of wine at a supermarket self-check-out and needs to prove their age, they scan a qr code and take a selfie using Yoti’s app. The retailer can be sure of their age, but no one has seen their name or nationality. From the Financial Times.
 


Failed Paths:
Failed Paths:
#User does not get verified claim for some reason.
#Patient not found in MRLS.
#Verified claims fails validation at supplier.
#Wrong record returned from MRLS
#Verified claims are false.
#Data is not sufficient to allow doctor confidence in prescribing.


==Results==
==Results==
Accepted Risks:
Accepted Risks:
#The consumer is not over-21 and has buddy’s token to enter into computer.
# The patient data is incorrect and unknowingly creates more harm that would have occured without the extra (erroneous) data.
#Session hijacking mitigated with HTTPS and session cookies.
#MitM attacks mitigated by hardware token bound to origin URL of verifier.
#Note that the late binding token could be bound to supplier as well as needed.
#The identity of the verifier/validator is discoverable by the supplier.
#User makes choices on which attributes are trusted for sharing with the supplier.


Post Condition:
Post Condition:
#If validation accepted, and consumer completes payment, the restricted goods are shipped to the consumer by the supplier.
#I Patient outcomes are improved and dangerous conditions are avoided.
#Note that at the end of the process of validating the user’s age, the state issued license to sell alcoholic beverages will determine which path to use. The penalty for the supplier using the wrong path is loss of the license to sell alcohol.


Examples:
Examples:
#Late binding token - FIDO U2F token, TEE  TPM VSC, etc.
#
#Client side code - javascript in a browser, native app, etc.


Dependencies::
Dependencies::
#Web Sites must be trusted before any user information is released.
#Web Sites must be trusted before any user information is released.
#Trust federations can be used to help users make informed decisions.
#Trust federations can be used to help users make informed decisions.
#User consent and trust must begin with no user information transferred.
#User consent and trust must begin before any user information is transferred.
#Standards exist to collect needed attributes where-ever they may be.
#Standards exist to collect needed attributes where-ever they may be.


Line 77: Line 70:


==References==
==References==
* See the wiki page [[FHIR to the Patient Use Case]] for the specific use case of the patient (or guardian) downloading machine readable data to their own device.


[[Category:Health]]
[[Category:Health]]
[[Category:Use Cases]]
[[Category:Use Cases]]

Latest revision as of 22:49, 26 April 2021

Full Title

Carequality FHIR Use Case Proposal

Context

Goal

Release of PHI can only occur if the record holder has trust not only that it can accurately identify the requester, but that the request itself, and the requester’s policies and practices around the information once it is released, are appropriate. Such trust is straightforward to establish for an individual connection between two partner organizations, by relying on new or existing contractual relationships bolstered by negotiation of security and other technical details. Such an approach is not scalable, however, as the healthcare industry discovered in the context of document exchange via SOAP-based web services. Carequality’s governance framework can provide a “single on ramp” that allows an organization to sign one contract, implement one technical platform, and connect universally to a broad ecosystem of other participants.

Actors

In the FHIR spec a EHR is considered to be a data responder. Here we dstinguish between two types, the source and receiver, which can dynamically switch multiple time during a single session.

  1. Data Source = data goes from point A to point B. The source is where the data is coming from. Relative to this document, a data source can be a Query Responder or a Push Initiator.
  2. Data Receiver = data goes from point A to point B. The receiver is where the data is going to. Relative to this document, a data receiver can be a Query Initiator or a Push Recipient.
  3. Record Locator Service(RLS) = provides the ability to identify where records are located based upon criteria such as a Person ID and/or record data type, as well as providing functionality for the ongoing maintenance of this location information.
  4. Provider = A clinician or organization that is directly engaged in treatment services.
  5. Patient = A person who is the subject of health records, or an authorized representative acting on such a person’s behalf.
  6. Transaction = Per the HL7 website; an interaction that submits a set of actions to perform on a server as a single atomic action. Multiple actions on multiple resources of the same or different types may be submitted, and they may be a mix of other operations (e.g. read, search, create, update, delete, etc.)
  7. Research = Work done to improve healthcare costs, outcomes, quality, safety, and innovation via systematic investigation and structured data analysis.

FHIR Taxonomy

  • Patient = the subject of the data (A profile)
  • Observation = an entry into a data base (A profile)
  • Conformance Package will assume the US Core and CMS regulations.
  • Manifest = list of the available profile definitions
  • Implementation Guide = description of profiles in use

Preconditions

  • The patient has a primary care provider with up-to-date medical conditions, prescriptions and allergies.
  • The PCP uses an EHR which is part of the US Healthcare Assurance Framework.
  • All of the parties to data flow are using the US Core profile of the latest FHIR specification.

Scenarios

Primary Scenario:

  1. Patient is traveling, has a shoulder injury and seeks care at local rural care facility.
  2. Physician examines patient and wants to provide a pain medicine, patient cannot provide exact medicines or allergies.
  3. Phisician queries patient Medical Record Locator Service and determines appropriate prescription.

Alternative Paths:

  1. The Primary Care Physician has placed the patient records in an EHR that regularly performs scans of all patients in the EHR for health conditions.
  2. The patient is informed that health concerns are indicated and requests consent from the user to scan other health care records. (This step was missing from the original.)
  3. When indications from the scan show possible areas of concern, the EHR reaches out to all providers of care to the patient using the Medical Record Locator Service
  4. The patient is always informed when such a scan occurs and what the results were found. (This step was less informative in the original.)

A different path using biometrics:


Failed Paths:

  1. Patient not found in MRLS.
  2. Wrong record returned from MRLS
  3. Data is not sufficient to allow doctor confidence in prescribing.

Results

Accepted Risks:

  1. The patient data is incorrect and unknowingly creates more harm that would have occured without the extra (erroneous) data.

Post Condition:

  1. I Patient outcomes are improved and dangerous conditions are avoided.

Examples:

Dependencies::

  1. Web Sites must be trusted before any user information is released.
  2. Trust federations can be used to help users make informed decisions.
  3. User consent and trust must begin before any user information is transferred.
  4. Standards exist to collect needed attributes where-ever they may be.

Workflow Diagram

TK

References

  • See the wiki page FHIR to the Patient Use Case for the specific use case of the patient (or guardian) downloading machine readable data to their own device.
Retrieved from "https://wiki.idesg.org/index.php?title=FHIR_Use_Case&oldid=15985"