Condition of Certification

From IDESG Wiki
Jump to: navigation, search

Full Title

Condition of Certification (CoC) and Information Blocking are key to the propagation of Patient Choice solutions in conformance with the Cures Final Act Rule.

Goal

This is designed to be the source document for a Service Assessment Criteria for apps that are used in user, patient or delegate apps to allow high assurance access to personally identifiable information.

Context

  • The Final Rule for the 21st Century Cures Act include some details on the method that Electronic Health Record (EHR) provides could use to decide if Patient Health Information (PHI) could be related to apps in patient's devices.
  • Previous to the release of the Final Rule, the Kantara Work Group on Federated identifiers for Resilient Ecosystems had plan to prosed a solutions based on the wiki for Patient Choice, but was late for funding available at that time.
  • See the wiki page Authorized Certification Body for descriptions of the governing body and conditions for health care apps.

Solution

This initial pass is based on The CARIN Alliance Code of Conduct which is voluntary. It is proposed that these are mandatory to enable access to PHI.

  1. Transparency
    The Principle of Openness, which provides that the existence of record-keeping systems and databanks containing data about individuals be publicly known, along with a description of main purpose and uses of the data.
  2. Consent
    The Principle of Collection Limitation, which provides that there should be limits to the collection of personal data, that data should be collected by lawful and fair means, and that data should be collected, where appropriate, with the knowledge or consent of the data subject. The Principle of Disclosure Limitation, which provides that personal data should not be communicated externally without the consent of the data subject or other legal authority..
  3. Use and Disclosure
    The Principle of Use Limitation, which provides that there must be limits to the uses of personal data and that the data should be used only for the purposes specified at the time of collection. The Principle of Disclosure Limitation, which provides that personal data should not be communicated externally without the consent of the data subject or other legal authority. .
  4. Individual Access
    The Principle of Individual Participation, which provides that each individual should have a right to see any data about himself or herself and to annotate any data that is not timely, accurate, relevant, or complete where the application has the ability to do so.
  5. Security
    The Principle of Security, which provides that personal data should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification or disclosure. .
  6. Provenance
    The Principle of Data Quality, which provides that personal data should be relevant to the purposes for which they are to be used, and should be accurate, complete, and timely. .
  7. Accountability
    The Principle of Accountability, which provides that record keepers should be accountable for complying with fair information practices.
  8. Education
    Inform users about their personal data disclosure choices and the consequences of those choices.

plus the following which is not part of CARIN, but perhaps could be added to education or transparency.

  • User Experience, which means that the user can understand the data. This probably means that semantics of the EHR are translated into terms that users can understand.

References