Health IT Record Location Service (Data Aggregation)

From IDESG Wiki
Revision as of 23:54, 23 March 2020 by Tomjones (talk | contribs) (→‎Use Case Details)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Full Title

Health IT Record Location Service Use Case

Use Case Description

A relationship location service (RLS) that allows patients to control discovery of encounters aggregated across a system. This patient may authenticate to the system with a trusted identity, authenticate to the system with pseudonymous identity, segment encounters using multiple personas within the system and/or verify attributes with privacy protection. (RLS has also been used to indicate a record locator service on the assumption that relationship discovery will typically be associated with a record at that location. Although often true, this need not be the case since discovery of actual records may be subject to additional constraints and authorizations by the record holder. For clarity, this Use Case adopts the Relationship Locator Service definition.) The RLS is intended for use by authorized Healthcare stakeholders.

A brief discussion of multiple IDs in healthcare is here: https://www.idecosystem. Unverified IDs in Healthcare

Use Case Category:

Contributor: Heathcare WG

Use Case Details


  • Provider
  • Patient
  • Electronic Health Record Service (EHR)
  • Record Locator Service (RLS)
  • Authorized Healthcare stakeholders

Goals: Patient managed control of access to aggregated data


  • Backend system information is out of scope.
  • All touch points between RLS and Providers available via accessible APIs
  • There is an existing Particpation and/or Federation agreement between Provider and RLS
  • RLS may support a Master Person Index (MPI) with one or many personas for each identity contained within the MPI
  • RLS provides optional identity audit service so patient can manage relationships reported for different personas


  • Patient Consent for Provider to send relationship information to RLS
  • Patient portal or other means for patient to audit and submit corrected information in the RLS
  • Digital, real-time fulfillment of HIPAA Accounting of Disclosures and related public disclosure laws

Process Flow:

  • Insert Record
* Patient has an encounter with Provider
* Provider requests consent to add and/or search for encounters in the RLS
* Patient is offered the option to provide a Persona/Identity
* Provider logs on to the EHR that has a relationship with the RLS
* Provider generates a record that includes the following information:
* EHR location (scope of EHR patient ID uniqueness)
* Patient ID in the EHR
* Date of encounter
* Consent (this may be implied in the transfer of encounter info to the RLS)
* Persona ID (if provided)
* Name (optional)
* Birthdate (optional)
* DL info for (optional)
  • Query RLS
* Provider authenticates to RLS
* Provider queries RLS using Persona and evidence of consent provided by Patient
* RLS returns a list of encounters which the Provider uses to query actual sources for information (additional Provider authentication and authorization may be required by the data holders)
* Query Results may include the following:
* EHR location information
* EHR patient ID
* Date of encounter
* Persona ID (if available)
* Name (optional)
* Birthdate (optional)
  • Patient Access
* Patient authenticates to RLS (choose one of the 4 methods)
* Patient first registers in-person with RLS by providing acceptable credentials that match the credentials and Persona presented to EHR Provider (assumes Provider can get adequately strong credentials prior to sending info to RLS)
* Patient first self-registers with RLS and RLS uses knowledge-based authentication to issue Patient credentials (assumes Provider has communicated sufficient Patient attributes to enable reliable KBA)
* Patient signs-in to Provider who authenticates patient based on trust relationship between Provider and RLS
* Provider and RLS both accept third-party IDP linked to Patient's Persona
* Patient queries RLS to review encounter history and who has requested access to personal data
* Query Results may include the following:
* Persona (if specified, may be modified by Patient)
* Date of encounter
* Provider Location
* Provider name (may be encoded to protect Provider's privacy)
* Current consent status (may be modified by Patient)

Success Scenario:

  • Physician is able to see a subset listing of patient encounters based on patient consent
  • Patient can log into the RLS and view an Accounting of Disclosures
  • Potential for privacy preserving Pseudonoymous Login
  • Authorized Users are able to log in with a federated Login
  • Potential ability for patient segmentation of data via Persona
  • Compatibility of Idenity Managment with Data Exchange Participation agreements
  • Enables Delegation of access as allowed by law


  • Data holders unwilling to share data - often directed against competitors
  • Dependent on State and Local policies
  • Difficulty in patients understanding their privacy rights to restrict release and determine how their PHI is managed
  • Difficulty in patients understanding how to access the RLS
  • The willingness of data holders (as opposed to individual providers) to adopt federated identity management
  • Multiple credentials required to access information

Error Conditions:

  • Patient unable to access data
  • Inadvertant and/or intentional merging or spliting of data contrary to patient wishes
  • Entire, unrestricted, record history available to all who are authorized to search the RLS


  • Extended by:
  • Extension of:
    • Authentication Person
    • Authentication Service
    • Secure Anonymous Digital Credential

References and Citations