Page 1: Privacy on FHIR Demo at HIMSS15

Privacy On FHIR®

Enabling Patient Controlled Privacy Using Emerging Technology

DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.

Johnathan Coleman, ONC

Duane DeCouteau, VA

Adrian Gropper MD, PPR

Page 2

Privacy on FHIR® Vision

We are on the cusp of a sea change in interoperability, population management, and clinical decision support. CCD led to CCDA which leads to FHIR® for content summary exchange. The Direct protocol will evolve to a RESTful interface using OAuth/OpenID for trust fabric creation.

However, we're not going to make the move to FHIR® and REST unless pilots (followed by agile development of implementation guides) are funded to enable incremental progress. FHIR® is too new and REST has too many industry skeptics. The pilots will create a tipping point which mitigates risk and enables progress.

Dr. John Halamka

Page 3

Introduction

The Office of the National Coordinator (ONC), in collaboration with Department of Veterans Affairs (VA), Health Level Seven® and other stakeholders, has initiated the first pilot/demonstration project of HL7® and Health Information Technology Standards Committee (HITSC) recommended standards to support patient mediated exchange and patient consent. The effort is called Privacy on FHIR® (PoF) and is the underlying effort behind the HIMSS demonstrations that you can see here today.

Page 4

It was a Very Good Year…

• In 2014, HL7® approved New, Core Security and Privacy Standards for:

– Privacy and Security Healthcare Classification System (HCS)

– Privacy and Security Services: Security Labeling Services

– Privacy and Security Ontology

– Data Segmentation for Privacy Implementation Guide

– Patient Friendly Consent Directive (Draft in progress for May 2015 ballot)

• Health Information Technology Standards Committee (HITSC) made Recommendations that:

– OpenID Foundation’s OpenID Connect,

– Internet Engineering Task Force’s OAuth 2.0, and

– HL7®’s FHIR® comprised a reasonable and appropriate set of standards to use as building blocks for more complicated healthcare applications

• Kantara User Managed Access V1.0 approved as Kantara recommendation March 26, 2015

Page 5

• ONC Nationwide Interoperability Roadmap

• ONC Meaningful Use Certification Criteria NPRM

• PCAST: “Realizing the Full Potential of Health Information Technology to Improve Healthcare for Americans: The Path Forward”

• AHRQ JASON Report: “A Robust Health Data Infrastructure”

FHIR® Pilot Technical Drivers: Embrace FHIR®, JSON, REST, OAuth and Kantara UMA

Page 6

ONC/VA Privacy on FHIR® Pilot: Summary

1. What is it? On-Demand bi-directional exchange of Health Information with your selected Apps…What, When and How You Want it

2. Why do it? Test technical feasibility of using FHIR® and associated privacy and security protocols to provide Patients with meaningful access, management and use of their own information.

3. Deliverables?

• ONC sponsored HIMSS 2015 Interoperability Booths,

• Post-Conference Open Source Reference Model for implementers.

4. Who will do it? Collaborative of stakeholders dedicated to demonstrating the benefits of HIT cloud capabilities for consumers and providers including: ONC, VA, HL7®, SAMHSA, Patient Privacy Rights, Jericho Systems Corp, MITRE, MIT

Page 7

ONC/VA Privacy on FHIR® Pilot [PoF]: What is HL7® FHIR®?

Fast Healthcare Interoperability Resources

• FHIR® defines a set of "Resources" that represent granular clinical concepts managed in isolation, or aggregated into complex documents.

• FHIR® is designed for the web:

― Simple XML or JSON structures,

― http-based RESTful protocol,

― Each resource has a predictable URL.

• FHIR® Security and Privacy follows HL7® Security Labeling, Data Segmentation, and Consent Directive standards

• FHIR® is under development and has not yet reached full standard status

http://hl7.org/fhir/2015May/

Page 8

Applying User Managed Access (UMA)-OAuth 2.0 Profile

Patient controls Who gets What

PoF Architecture leverages cloud Privacy and Security Services that Patients use daily as Online Consumers

(Diagram labels: User Managed Access (UMA); OpenID Connect / OAuth 2.0)

Page 9

Privacy on FHIR® Share Health Information Among Your Providers, Organizations, Apps, and Individuals.

(Diagram labels: IOT)

Page 10

Privacy…Share Only What You Want. Your Sensitive Healthcare Information Stays Secure.

Simple one-stop management of your privacy choices from one place for all your providers and Apps. Get a report of all disclosures.

• Privacy by Design

• Manage Your Apps

• Choose what to Share

MY Consent Directives on FHIR

(Diagram labels: IOT; Provisioning)

1. Create Consent Directive

2. Submit Consent Directive

3. Create Application Authorization

Page 11

MY Apps on FHIR® Share Health Information with Your Selected Apps…What, When and How You Want it…All 24/7

Use your Information for Healthy Living, Wellness Management and Talking to Your Doctor Online:

Smart Phone ----- Tablet ----- Personal Computer

(Diagram labels: IOT)

• Fitness Apps

• Vitals Monitoring

• Your Personal Health Record

Page 12

MY Apps on FHIR® Policy Enforcement

(Diagram; component labels recovered from the slide:)

• My “Apps on FHIR®” Policy: Request Policy, Submit Policy

• Policy Management

• Policy Enforcement Point

• Privacy & Security Protective Services: Apply Resource Privacy Marks, Apply Resource Protections, Enforce Resource Obligations

• Resource Server: Privacy Protected

(Policy Management, the Policy Enforcement Point and the Protective Services are connected by “invokes” arrows.)

Restrictions enforced by Resource Server Privacy Protective Service (e.g., Redact, Mask, Anonymize, Pseudonymize)

Patient creates their own personal sensitivities list (e.g., HIV, ETH, Other, …)
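The chain this slide draws (privacy marks applied to each resource, restrictions enforced by the Resource Server's Privacy Protective Service according to the patient's sensitivities list, and the report of all disclosures promised on the Privacy slide), worked as an added example over the JSON resources that page 7 describes. This is illustrative code written for this page, not the pilot's reference model and not an HL7 library. The ActCode, Confidentiality and data-absent-reason code-system URIs are the current HL7 terminology URIs (assumed here); the clinical codes such as `example-hiv-test`, the `urn:example:codes` system, the labeling rules and the bundle contents are constructed.

```python
# Added example (not code from the Privacy on FHIR pilot): a toy Security
# Labeling Service plus Privacy Protective Service over a constructed FHIR
# Bundle. Labels use HL7 v3 ActCode sensitivity codes (HIV, ETH) and
# Confidentiality codes (N, R) in meta.security; masking uses the FHIR
# data-absent-reason code "masked". Clinical codes are constructed placeholders.
import copy

ACT_CODE = "http://terminology.hl7.org/CodeSystem/v3-ActCode"
CONFIDENTIALITY = "http://terminology.hl7.org/CodeSystem/v3-Confidentiality"
DATA_ABSENT = "http://terminology.hl7.org/CodeSystem/data-absent-reason"

# Constructed rules: which clinical codes carry which HCS sensitivity label.
SENSITIVITY_RULES = {"example-hiv-test": "HIV", "example-alcohol-screen": "ETH"}


def _observation(rid, code, display, value):
    # Minimal FHIR Observation; "urn:example:codes" is a constructed system.
    return {
        "resourceType": "Observation",
        "id": rid,
        "code": {"coding": [{"system": "urn:example:codes", "code": code, "display": display}]},
        "valueString": value,
    }


# Constructed sample bundle: one routine vital sign and two sensitive results.
SAMPLE_BUNDLE = {
    "resourceType": "Bundle",
    "type": "collection",
    "entry": [
        {"resource": _observation("obs-1", "example-bp", "Blood pressure", "120/80 mmHg")},
        {"resource": _observation("obs-2", "example-hiv-test", "HIV screen", "negative")},
        {"resource": _observation("obs-3", "example-alcohol-screen", "Alcohol use screen", "positive")},
    ],
}


def label_resource(resource):
    """Apply Resource Privacy Marks: fill meta.security from the resource's codes."""
    labeled = copy.deepcopy(resource)
    codes = [c.get("code") for c in labeled.get("code", {}).get("coding", [])]
    sensitivities = sorted({SENSITIVITY_RULES[c] for c in codes if c in SENSITIVITY_RULES})
    security = [{"system": ACT_CODE, "code": s} for s in sensitivities]
    # Any sensitivity label raises the confidentiality mark from N (normal) to R (restricted).
    security.append({"system": CONFIDENTIALITY, "code": "R" if sensitivities else "N"})
    labeled.setdefault("meta", {})["security"] = security
    return labeled


def sensitivities_of(resource):
    """Read the sensitivity labels back out of meta.security."""
    return {c["code"] for c in resource.get("meta", {}).get("security", [])
            if c.get("system") == ACT_CODE}


def enforce(bundle, patient_sensitivities, requester_permissions, mode="redact"):
    """Apply Resource Protections: label every entry, then redact or mask the ones
    whose labels the patient restricted and the requester was not granted.
    Returns the protected bundle and an accounting-of-disclosures list."""
    withheld = set(patient_sensitivities) - set(requester_permissions)
    protected = {"resourceType": "Bundle", "type": bundle["type"], "entry": []}
    accounting = []
    for entry in bundle["entry"]:
        res = label_resource(entry["resource"])
        blocked = sorted(sensitivities_of(res) & withheld)
        if not blocked:
            protected["entry"].append({"resource": res})
            accounting.append({"id": res["id"], "action": "disclosed", "blocked": []})
        elif mode == "mask":
            # Keep the resource shell, strip value[x], and say why the value is absent.
            masked = {k: v for k, v in res.items() if not k.startswith("value")}
            masked["dataAbsentReason"] = {"coding": [{"system": DATA_ABSENT, "code": "masked"}]}
            protected["entry"].append({"resource": masked})
            accounting.append({"id": res["id"], "action": "masked", "blocked": blocked})
        else:
            # Redact: the requester never learns that the resource exists.
            accounting.append({"id": res["id"], "action": "redacted", "blocked": blocked})
    return protected, accounting


if __name__ == "__main__":
    import json
    bundle, report = enforce(SAMPLE_BUNDLE, ["HIV", "ETH"], ["ETH"])
    print(json.dumps(bundle, indent=2))
    print(report)
```

The two modes matter to the requester differently: redaction removes the resource from the response altogether, while masking leaves a labeled shell whose `dataAbsentReason` tells the receiving system that a value was withheld for privacy reasons rather than never recorded. The accounting list is what a "report of all disclosures" would be built from, and it records withheld items as well as released ones.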

Page 13

My Health Information Exchange on FHIR®

Share Health Information Among Your Providers.

(Diagram labels: IOT)

Page 14

My Standards on FHIR®

• HL7 Fast Healthcare Interoperability Resources Specification (FHIR™), Release 2 (Draft)

• HL7 Healthcare Privacy and Security Classification System (HCS)

• HL7 Implementation Guide: Data Segmentation for Privacy (DS4P), Release 1

• HL7® Patient Friendly Consent Directive (Draft)

• HL7 Version 3 Standard: Privacy, Access and Security Services; Security Labeling Service, Release 1 (SLS)

• HL7 Version 3 Standard: Security and Privacy Ontology, Release 1

• Kantara User Managed Access (UMA) V 1.0

• OpenID Foundation OpenID Connect

• IETF RFC 6749 The OAuth 2.0 Authorization Framework

Page 15

Closing Remarks

• Perspective

– Solve the “Multiple Portals Problem” for Control of Personal Information

– Bridge the gap between HIPAA and non-HIPAA Apps and services

– Promote fair information practice: Data Minimization and Persistence Minimization

– Provide total transparency and accounting for disclosures: no hidden use of personal data

• “Privacy on FHIR” is an enormous step forward in enabling patient control over personal health information.

http://patientprivacyrights.org/

Page 16

Questions?

Page 17

UMA Protocol

• Phase 1 of the UMA core protocol involves the resource owner introducing the resource server and authorization server so they can work together.

• Phases 2 and 3 together involve the requesting party, using a client, making an access attempt, being tested for suitability by the authorization server to receive permission, and ultimately succeeding or failing in the attempt by presenting a token with permissions associated with it.

Page 18

HIE on FHIR® (detail)

(Diagram; actor, legend and step labels recovered from the slide.)

Actors:

• Patient

• Requesting Org.: FHIR® Client, Authorization client, CDMS GUI, Resource Server (Receiving)

• Provider Org.: Resource Server (Providing), Protection client, FHIR® API, ACS, PPS/SLS

• Authorization Server: Authorization API, Protection API, GUI

Legend: Out of Band; UMA Protection Flow; UMA Authz. Flow; Data Access Flow

Steps:

0. Submit CD

1. Approve CD

2a. Acquire Protection Access Token (PAT)

2b. Register Resources & Scopes

3. Set Resource Authz Policy

4. Request for Data

5. Check Overarching Policies

6. Redirect to AS

7a. Acquire Authorization Access Token (AAT)

7b. Request Requesting Party Token (RPT)

7c. Issue and send RPT

8. Request for Data + Authz Token (RPT)

9. Verify Token; Label/Transform Data

10. Provide Data
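The three UMA phases described on page 17 and the numbered steps of the HIE on FHIR® diagram above, walked through end to end as an added example. This is a simulation written for this page, not the pilot's code and not a Kantara implementation: the AuthorizationServer, ResourceServer and `fetch` client are constructed, as are the patient and client identities, the claim-based policy (`role: treating-clinician`) and the Observation payload; tokens are random strings rather than real OAuth bearer tokens, and the 401/403 split follows the UMA 1.0 core convention for a missing versus an insufficient RPT. Steps 9's label/transform stage is left to the resource server and is not modelled here.

```python
# Added example (not the pilot's code nor a Kantara implementation): a simulated
# UMA 1.0 exchange following the numbered steps of the HIE on FHIR® diagram.
# Identities, claims, the policy and the Observation payload are all constructed.
import secrets

class AuthorizationServer:
    """Protection API (used by the resource server) plus authorization API (used by the client)."""
    def __init__(self):
        self.pats, self.aats, self.rpts = {}, {}, {}
        self.resource_sets, self.policies, self.tickets = {}, {}, {}

    def issue_pat(self, owner):
        """Phase 1 / step 2a: the owner introduces the RS, which receives a PAT."""
        pat = secrets.token_urlsafe(16)
        self.pats[pat] = owner
        return pat

    def register_resource_set(self, pat, scopes):
        """Step 2b: the RS registers a resource set and its scopes (KeyError on an unknown PAT)."""
        rsid = secrets.token_hex(4)
        self.resource_sets[rsid] = {"owner": self.pats[pat], "scopes": set(scopes)}
        return rsid

    def set_policy(self, owner, rsid, required_claims, scopes):
        """Step 3 (out of band): the owner states which claims unlock which scopes."""
        if self.resource_sets[rsid]["owner"] != owner:
            raise PermissionError("only the resource owner may set policy")
        self.policies[rsid] = {"claims": dict(required_claims), "scopes": set(scopes)}

    def register_permission(self, pat, rsid, scopes):
        """Step 6: the RS records the attempted access and receives a permission ticket."""
        ticket = secrets.token_urlsafe(8)
        self.tickets[ticket] = (rsid, set(scopes))
        return ticket

    def issue_aat(self, client_id):
        """Step 7a: the requesting party's client authenticates and receives an AAT."""
        aat = secrets.token_urlsafe(16)
        self.aats[aat] = client_id
        return aat

    def request_rpt(self, aat, ticket, claims):
        """Steps 7b/7c: test ticket + claims against the owner's policy; issue an RPT or refuse."""
        if aat not in self.aats or ticket not in self.tickets:
            return None
        rsid, wanted = self.tickets.pop(ticket)  # a ticket is single-use
        policy = self.policies.get(rsid)
        if policy is None or not wanted <= policy["scopes"]:
            return None
        if any(claims.get(k) != v for k, v in policy["claims"].items()):
            return None
        rpt = secrets.token_urlsafe(16)
        self.rpts[rpt] = {"resource_set": rsid, "scopes": wanted}
        return rpt

    def introspect(self, pat, rpt):
        """Step 9: the RS verifies an RPT through the protection API."""
        self.pats[pat]  # unknown PAT -> KeyError
        return self.rpts.get(rpt)

class ResourceServer:
    """The providing org's FHIR® API, holding the owner's data behind the AS."""
    def __init__(self, auth_server, owner):
        self.auth, self.data = auth_server, {}
        self.pat = auth_server.issue_pat(owner)

    def protect(self, scopes, payload):
        rsid = self.auth.register_resource_set(self.pat, scopes)
        self.data[rsid] = payload
        return rsid

    def get(self, rsid, rpt=None):
        """Steps 4-6 when the RPT is missing or insufficient; steps 8-10 when it checks out."""
        perm = self.auth.introspect(self.pat, rpt) if rpt else None
        if perm and perm["resource_set"] == rsid and "read" in perm["scopes"]:
            return 200, self.data[rsid]
        ticket = self.auth.register_permission(self.pat, rsid, ["read"])
        # UMA 1.0 convention: 401 with no RPT at all, 403 when the RPT lacks the permission.
        return (401 if rpt is None else 403), {"error": "need_rpt", "ticket": ticket}

def fetch(auth, client_id, claims, resource_server, rsid):
    """The requesting org's client: attempt, get a ticket, obtain AAT and RPT, retry."""
    status, body = resource_server.get(rsid)
    if status == 200:
        return status, body
    aat = auth.issue_aat(client_id)
    rpt = auth.request_rpt(aat, body["ticket"], claims)
    if rpt is None:
        return 403, {"error": "not_authorized"}
    return resource_server.get(rsid, rpt)

def run_demo():
    auth = AuthorizationServer()
    rs = ResourceServer(auth, "patient-1")
    rsid = rs.protect(["read", "write"], {"resourceType": "Observation", "id": "obs-1"})
    auth.set_policy("patient-1", rsid, {"role": "treating-clinician"}, ["read"])
    return (fetch(auth, "hie-app", {"role": "treating-clinician"}, rs, rsid),
            fetch(auth, "ad-app", {"role": "marketing"}, rs, rsid))
```

Two points the simulation makes concrete: the resource server never evaluates the patient's policy itself, it only hands the client a ticket and later asks the authorization server whether the presented RPT carries the permission (so policy lives in one place, the patient's AS); and the permission ticket is consumed on first use, so a client cannot replay it to fish for a second RPT.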