Condition of Certification
This is designed to be the source document for Service Assessment Criteria for user, patient or delegate apps that allow high assurance access to personally identifiable information.
- The Final Rule for the 21st Century Cures Act includes some details on the method that Electronic Health Record (EHR) providers could use to decide if Patient Health Information (PHI) could be related to apps on patients' devices.
- Prior to the release of the Final Rule, the Kantara Work Group on Federated identifiers for Resilient Ecosystems had planned to propose a solution based on the wiki for Patient Choice, but was late for the funding available at that time.
- See the wiki page Authorized Certification Body for descriptions of the governing body and conditions for health care apps.
This initial pass is based on The CARIN Alliance Code of Conduct, which is voluntary. It is proposed that these be mandatory to enable access to PHI.
The Principle of Openness, which provides that the existence of record-keeping systems and databanks containing data about individuals be publicly known, along with a description of the main purpose and uses of the data.
The Principle of Collection Limitation, which provides that there should be limits to the collection of personal data, that data should be collected by lawful and fair means, and that data should be collected, where appropriate, with the knowledge or consent of the data subject. The Principle of Disclosure Limitation, which provides that personal data should not be communicated externally without the consent of the data subject or other legal authority.
- Use and Disclosure
The Principle of Use Limitation, which provides that there must be limits to the uses of personal data and that the data should be used only for the purposes specified at the time of collection. The Principle of Disclosure Limitation, which provides that personal data should not be communicated externally without the consent of the data subject or other legal authority.
- Individual Access
The Principle of Individual Participation, which provides that each individual should have a right to see any data about himself or herself and to annotate any data that is not timely, accurate, relevant, or complete where the application has the ability to do so.
The Principle of Security, which provides that personal data should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification or disclosure.
The Principle of Data Quality, which provides that personal data should be relevant to the purposes for which they are to be used, and should be accurate, complete, and timely.
The Principle of Accountability, which provides that record keepers should be accountable for complying with fair information practices.
Inform users about their personal data disclosure choices and the consequences of those choices.
Plus the following, which is not part of CARIN but perhaps could be added to education or transparency.
- User Experience, which means that the user can understand the data. This probably means that the semantics of the EHR are translated into terms that users can understand.