Friday, June 10, 2016

#CM4H16 – Consent on #FHIR and Patient Choice

Consent on FHIR and Patient Choice

Carol Robinson, Principal, CedarBridge Group

Kathleen Connor, President, Baycliffe Strategies

Privacy on FHIR

Behavioral health data sharing has been limited by technology and policy.

The culture will be changing.
Patients will have more granular options for sharing.

Michigan E-Consent Management System (eCMS)

Use Case Principles:
– Patients should be able to determine when and with whom their sensitive health data is shared.
– Behavioral Health Providers should be able to fully participate in HIE.
– MI Regional HIEs should be able to efficiently manage patient consent determinations via a federated model.

Two components:

  • Statewide consent form
  • eCMS

Technical Overview

Standard Consent Directives separate the content from the management:
– ONC Patient Choice
– HL7 v2, v3 and CDA Consent Directive standards
– IHE BPPC and APPC Consents
IHE tracks CD content in XD* Metadata

Metadata reflects whether a consent directive is active

Metadata is included in the CON segment of the ADT, e.g. ADT Access Control Restrictions.

ONC Data Segmentation for Privacy (DS4P)

  • DS4P Security Labeling
  • Consent Directive Content
  • Consent Tracking Metadata
  • Authentication
  • Exchange Paradigms
  • Access Control/Audit

ONC DS4P Standards

The Stack:
– Content Tagging (CDA R2 Header)
– Content Structure (Consolidated CDA)
– Manifest Metadata (XDS Metadata)
– User Context
– Push or Query/Retrieve Transport Mechanism
– Foundational Security

Patient Choice:

Three levels of rules:

    1. HIPAA runs in background
    2. Basic Choice
    3. Granular Choice

Basic Choice: Organizations/States can define Opt-in or Opt-out

FHIR Consent Tracker Resource

Capture Consent Directive Metadata (for workflow)

Standard method for consumer consent information to be stored and managed.

Metadata includes:
– Consent Directive Provenance (author, signer, custodian)
– Consent Directive prescribed DS4P Security Labels for Confidentiality and Security Controls for downstream control
– Consent Domain Authority

FHIR Consent Directive Profile

Different states and organizations have differing requirements on what constitutes a signature.

E.g. Minnesota requires a “wet signature”, i.e. signed in ink on paper.

Consent Directive examples for FHIR:
