Results from a pilot for the ONC, released today, shows that patients’ protected health information (PHI) can adhere to patient-designated consent directives throughout the health information exchange process involving multiple stakeholders. The findings are significant because it shows the integrity of the patient directives are not altered after updates to the patient’s file in an HIE organization’s repository, if the appropriate technologies are in place.
Pilot participants included The University of Texas at Austin Health Information Technology Program, Jericho Systems Corporation, and Conemaugh Health System (Johnstown, Penn.).
The pilot simulated HIE scenarios using the eHealth Exchange (formerly NwHIN). Jericho Systems, with support from the U.S. Army Medical Research and Material Command’s Telemedicine & Advanced Technology Research Center, provided EnterSpace Exchange software to authorize requests and secure exchange of data between pilot participants.
According to the participants, the pilot explored 12 exchange scenarios and eight types of data transactions. To test these scenarios, pilot participants performed various roles. Jericho Systems served as primary custodian of the patient’s record and housed the Patient Consent Directive (PCD) repository. The University of Texas at Austin Health Information Technology Program simulated the role of a research university that requests the patient’s record and subsequently acts as the secondary custodian of the information. Conemaugh played the role of a marketing network that becomes the second requestor.
To dive a little deeper on the details of the study, I sent a handful of questions to David Staggs, CTO at Jericho Systems Corporation, and Dr. Leanne Field (Director) and Michael Field (Health IT Project Manager) from The University of Texas at Austin Health Information Technology Program. Special thanks to each for providing some context to the study results.
What were the study results and what were the criteria to determine success? Can you explain the testing process?
Staggs: “Qualitatively, our goal is to develop a consensus architecture that supports the use of a patient HL7-compliant privacy consent directive (PCD) repository shared between multiple document custodians on a simulated eHealth Exchange. The PCD supports fine-grained consent, including data segmentation, allowing the patient’s directive to be automatically fetched and combined with organizational policy during the release of PHI at the eHealth Exchange gateway.
“The test process requires examination of the user story and identification of test cases that sufficiently covers the areas we are addressing. The test cases were selected based on the test points tied to the pilot architecture and designed to provide the identified capabilities using the relevant standards. Special care was taken to cover the data sets exchanged when requesting, returning, and reporting the patient’s PCD. We also capture the extended ATNA audit messages that provide the eHealth Exchange gateway release decision back to the PCD repository for later patient review. In total there are 13 test cases.”
Univ. of Texas HIT Program: “Mr. John Bender, a recent graduate of The University of Texas at Austin Health IT Nine Week Certificate program, participated in the testing process by executing the test cases. Specifically, he used the Jericho patient portal to create the patient PCD and then tested the reference implementation using the pilot software installed on a computer in the Health Information Exchange (HIE) Laboratory in the Health IT Learning Center on campus. The tests were enabled by a standard Internet connection between the computer at the University in Austin, a computer at Jericho Systems in Dallas, and another computer at Conemaugh Health Systems in Pennsylvania.”
How long has the pilot been underway? Is it ongoing? Or does this release conclude the partnership.
Staggs: The Jericho/UT Austin pilot, named “Privacy with Dynamic Patient Review,” started in April 2013 and is part of the Standards and Interoperability (S&I) Framework’s Data Segmentation for Privacy (DS4P) initiative. The pilot workgroup approved the reference implementation and the test results at our last meeting. Once we summarize our findings in an implementation guidance document, the working group will disband. I’m hopeful we will all have a chance to work together again on other projects.
How did you handle PID authentication? Were real-world scenarios, such as multiple IDs for the same patient, tested?
Staggs: “The pilot leverages the tools available for eHealth Exchange, including the CONNECT 4.1 gateway and adapter, the CONNECT Universal Client, and the OHT OpenATNA audit message reader. The test patients had separate medical identifiers that we discovered and correlated using a demographic query, but the real focus of the pilot is on the request for the patient’s PCD from a remote XDS.b data store and the data sets required to convey associated information, including data segments, identified in the clinical document being requested from the document custodian.”
How is the patient informed about requests for their record? What does that message look like?
Staggs: “The patient is informed about requests, and the decision to release them, using an ATNA message. The ParticipantObjectDetail of the ATNA message contains information on the type of request, the release decision at the gateway, the requestor, the purpose of use, and other details.
“The content of the ATNA message is indexed by the patient at the PCD repository for later review. For demonstration purposes, we used the Jericho patient portal product to query and display the requests – but the display step is outside the scope of the pilot.”
Does the second requester (Conemaugh) query the database or the initial requestor (Univ. of Texas)? Is tracking enabled throughout the record’s history/future transactions? If so, how?
Staggs: “Document custodians get the patient’s PCD from the PCD repository. Document requestors issue a document discovery to find the patient record. Sometimes a secondary document custodian might reply to a document request, so there must be a process allowing it to fetch the PCD.
“The location of the PCD is inserted in the clinical document, so that if that part of the record is requested after it leaves the first document custodian, the second document custodian knows were to fetch the PCD to make its release decision. Members of the working group also suggested the subsequent custodian could query for the patient’s PCD using an eHealth Exchange discovery request.
“We demonstrated the use of inserting information into the clinical document because it does not create the potential for a miscorrelation of patients’ PCD or the discovery of multiple PCD for a patient.”
In your testing, can the patient consent to specific scenarios while choosing to opt out of others? Or does it follow the standard choices of “all in” or “all out?”
Staggs: “The patient can consent to specific scenarios using either coarse or fine-grained consent; enabling much more than a single scenario opt in/out capability. The patient can also specify information that should be filtered or redacted from the clinical document before it is released. A consolidated patient PCD is created that defines consent for any number of scenarios.
“When the request for the PCD arrives, the consolidated PCD is filtered specifically to the request in order to prevent information leakage. The alternative representation of the HL7-compatible PCD contains the patient’s authorization decision based on information passed in the PCD request and instructions on how to treat any segments known to be in the requested document. We use the draft HL7 Health Classification System to redact clinical documents based on segments.”
What were the key lessons learned from the pilot project?
Staggs: “An external PCD repository should have a single consent directive for simplicity but it must be filtered on demand to prevent information leakage. Also, the PCD should be requested any time PHI could be exposed (e.g. ITI-55, ITI 38, and ITI-39). Our main lessons were learned in selecting the fields for the data sets required for requesting, returning, and reporting patient consent.”
Univ. of Texas HIT Program: “From an educational perspective, this pilot project validates the concept that students can gain valuable and relevant experience from actively participating in applied research in an important area of health IT—patient’s control over their own medical records.
“In addition, pilot programs such as these underscore the value of the university’s HIE Laboratory as a unique testing facility where faculty and students can participate with industry collaborators in applied research projects that are relevant to future technology implementations at leading health IT organizations.”
What’s next for this pilot? Will the results and data become public and available for discussion?
Staggs: “Now that we have accomplished our goal, the pilot will be winding down. We hope to demonstrate the pilot in the near future. A video of the complete final test and PowerPoint slides from each of our meetings is available on the S&I Framework’s DS4P wiki. We will also be producing a guidance document to augment the original DS4P guidance document currently being standardized at HL7.”
Latest posts by Chad Johnson (see all)
- Will web APIs and HL7 FHIR change our views on data interoperability? - July 11, 2017
- Passing the #HITsm torch - November 10, 2016
- Video recap: #HITsm at #HIMSS16 - March 17, 2016