Patient Choice: Difference between revisions

From IDESG Wiki
Jump to navigation Jump to search
Line 23: Line 23:
* The computer industry has learned that security cannot be a choice and has taken the responsibility to assure that their software does not expose the user to exploits that are launched regularly from any site that has access to the internet.i
* The computer industry has learned that security cannot be a choice and has taken the responsibility to assure that their software does not expose the user to exploits that are launched regularly from any site that has access to the internet.i
* If the patient is to have a choice about the release of their private health information (PHI), they must be able to rely on the software that is installed on the healthcare providers computers as well as any software that they use on their own computers.
* If the patient is to have a choice about the release of their private health information (PHI), they must be able to rely on the software that is installed on the healthcare providers computers as well as any software that they use on their own computers.
* To enable real patient choice, the healthcare community must create a trust registry of web sites and applications that are to be trusted with patient healthcare information (covered HIPAA entities). In other words enabling patient choice on access to their data, the patient must be limited to the use of secure sites and applications that can be trusted to maintain the security of that information.
* To enable real patient choice, the healthcare community must create a trust registry of web sites and applications that are to be trusted with patient healthcare information (covered HIPAA entities). In other words, enabling patient choice on access to their data, the patient must be limited to the use of secure sites and applications that can be trusted to maintain the security of that information.
* The healthcare community must prevent any sites or apps that are not in the registry from downloading patient data.
* The healthcare community must prevent any sites or apps that are not in the registry from downloading patient data.
* The healthcare community should prevent any user app from uploading data is not from a trusted site or app into the patients EHR.
* The healthcare community should prevent any user app from uploading data is not from a trusted site or app into the patients EHR.

Revision as of 14:42, 28 October 2019

Full Title

The options that a patient has in accessing and sharing their Protected Health Information (PHI) with trusted medical providers.

Context

  • This pattern is a sub-set of the User Choice Pattern which covers the general user choice issues. It contains the general context and should be read in conjunction with this page.
  • For a long time patient choice was ignored, now that more people have found the patients will not use products that they don't like, every company is wrapping their products with patient choice.
  • To understand what patients want, we cannot rely on companies trying to sell products, we need to ask the patients.

Problems

  • Patients have all expressed a desire to control what and where they share their Protected Health Information (PHI).
  • Patients also ask to have control of the applications that run on their smart phones.
  • If the patient chooses an application for their smart phone that downloads PHI, then that application has complete control over where that data goes.
  • If the healthcare community decides to allow any smart phone application that the patient chooses to install on the smart phone, then the patient is at risk to loose control of their PHI.
  • If the patient chooses to upload their PHI to just any web site without knowledge of that sites' controls, then the patient is at risk to loose control of their PHI.
  • The patient must be given the tools to assure that their PHI remains under their control. The healthcare community will loose the patient's trust if they don't enforce that.
  • The biggest problem for the covered HIPAA entity is what level of assurance of patient intent do they require to:
  1. Release data to the user, especially in machine readable form.
  2. Accept data input from the user to be added to the patient's permanent EHR.
  3. Accept medical directives from the patient, especially POLST directives.
  • All computer application software that is running on internet connected computers is subject to a daily barrage of attacks trying to exploit vulnerabilities in that software or the gullibility of the people operating those computers.

Solutions

  • The computer industry has learned that security cannot be a choice and has taken the responsibility to assure that their software does not expose the user to exploits that are launched regularly from any site that has access to the internet.i
  • If the patient is to have a choice about the release of their private health information (PHI), they must be able to rely on the software that is installed on the healthcare providers computers as well as any software that they use on their own computers.
  • To enable real patient choice, the healthcare community must create a trust registry of web sites and applications that are to be trusted with patient healthcare information (covered HIPAA entities). In other words, enabling patient choice on access to their data, the patient must be limited to the use of secure sites and applications that can be trusted to maintain the security of that information.
  • The healthcare community must prevent any sites or apps that are not in the registry from downloading patient data.
  • The healthcare community should prevent any user app from uploading data is not from a trusted site or app into the patients EHR.

References

Other Material

The following use cases contain details about Patient Choice among other issues in a Trustworthy Healthcare Ecosystem.

  • The Remote Attestation Use Case wiki page describes a user with a Smart Phone going though a series of actions that will provide subsequent statements from that user on that phone with a higher level of assurance.
  • The User Agent in the Cloud wiki page describes a user with a modern browser on a internet connected computing device establishing an agent on a trustworthy web site to allow access to information on their behalf.