VA-SAMHSA DS4P Pilot Demonstrations
Data Segmentation for Privacy Initiative

Veterans Health Administration
Healthcare Information Governance

Emerging Health Technologies Advancement Center (EHTAC)
HIMSS 2013 Interoperability Showcase Demonstration Playbook
Duane DeCouteau, Senior Software Engineer (Edmond Scientific)

Upload: beverly-owens

Post on 30-Dec-2015


Data Segmentation Using Healthcare Privacy and Security Labels HIMSS 2013

VA-SAMHSA DS4P Pilot HIMSS 2013 Demonstration
Data Segmentation for Privacy Initiative

Table of Contents

• Demonstration Overview
• Demonstration How-To
• Use Case: Emergency Treatment
• Use Case: Share Partial
• Use Case: Share All
• Use Case: Patient Changes Mind (Modifying Patient Consent)
• An Unexpected Interop: VA-SAMHSA and NetSmart
• Things to Consider


Demonstration Platforms

Mobility Primary Presentation Station

Tablets #1-3 (Primary)

SAMHSA – VA Exchange
• VA Prototypic Portal
• Mitre Patient Consent
• FEIsystems REM
• Jericho PDP
• Emergency Use Case

VA Direct – Third Party
• VA Prototypic Portal
• Mitre Patient Consent
• FEIsystems REM
• Jericho PDP
• VA Repository
• No Redisclosure

Tablet #4

VA Direct – Third Party
• VA Prototypic Portal
• Jericho Patient Consent
• VA Repository
• Jericho PDP

Tablet #5

VA Direct – Third Party
• VA Prototypic Portal
• HIPAAT Patient Consent
• VA Repository
• HIPAAT Policy Engine

[ Bull Pen ] Kiosk 11-1
• FEISystems REM (EHR)
• Clinical Rules Manager
• Privacy Rules Manager
• Security and Privacy Administration
• Security Labeling Service (SLS)
• Document Orchestration
• Detailed Access Control Information

Supporting Patient Consent Management Systems

• Jericho Systems Patient Portal
• Mitre Corporation DS4P GUI
• MyConsentMinder

Clinical and Use Configuration(s)

Patients

PUI100010060001 Asample Patientone, 42, Male
Active Problems: Type 2 Diabetes; Asthma; Coronary Artery Atheroma; Hyperlipidemia; Hypertension; Acute HIV; Substance Abuse
Active Medications: Bupropion Hydrochloride; Zidovudine

PUI100010060007 Asample Patienttwo, 32, Male
Active Problems: Psychotic Disorder; Persistent Alcohol Abuse; Diabetes mellitus type 2; Sickle Cell Anemia
Active Medications: Thorazine; Metformin; Hydroxyurea

PUI100015060013 Asample Patientthree, 27, Female
Active Problems: Anorexia nervosa (disorder); Obsessive compulsive personality disorder (disorder)
Active Medications: Sertraline 20 MG/ML Oral Solution [Zoloft] [861066]

PUI100015060014 Asample Patientfour, 42, Male
Active Problems: Acute stress disorder (disorder); Major depressive disorder (disorder)
Active Medications: Sertraline 20 MG/ML Oral Solution [Zoloft] [861066]

User/Use Case Assignments

DrDuane/DrBurak/DrMike/DrMichael/DrDavid/DrKel – Asample Patientone
Use Cases: Share Partial; Emergency Treatment

DrMike/DrDuane – Asample Patienttwo
Use Cases: Share All

DrDavid/DrMichael – Asample Patientthree
Use Cases: Patient Changes Mind

DrKel/DrBurak – Asample Patientfour

Additional Patients

JERICHO TEST – Patient Consent Only

HIPAAT TEST – Patient Consent Only

Demonstration Basics

Login Screen (Username and Password provided by VA Development Team)

Logout Option (System will automatically log out the User after 30 minutes of inactivity)

Tablet Navigation Bar

• Test Patient Selection
• eHealth Exchange, VA – SAMHSA: Document Query and Document Retrieve
• eHealth Direct, VA – SAMHSA – Third Party: Providers Inbox of Processed Documents (Note: XDM Packages must be processed via Reference Model)
• Access Control Decisioning. View: Policy Decision, Obligations, Generated Annotated Rules, Executed Rules
• User Profile/Credentials/Workflow (For demonstration, only Purpose of Use (POU) is allowed to be modified)
• Not Implemented
• Logout (End User Session)

Patient Selection

Select and set context to Veteran patient

Document Search

• Execute Document Query
• View Request SAML Assertion
• View Metadata

Document Retrieve

• Select Document to retrieve
• Retrieve Selected Document
• Decrypt Document Payload (For Demonstration Purposes Only)
• Decrypt Masked Entries (For Demonstration Purposes Only)
• View Transformed CDA Document
• View Document Retrieve SAML Assertion
• View Document Metadata

Access Control Decisioning Log

• View Obligation(s) from Patient Consent, US Privacy Law, Organizational Policy
• View Rules executed based on contents of document being retrieved
• View Annotation Rules derived from Clinical Facts and Organizational Policy

Setting Purpose of Use (POU)

Providers eHealth Direct Inbox

Note: Due to time limitations this capability was not implemented; please utilize the Reference Model test harness to load and process XDM packages.

• View contents of METADATA.xml
• Decrypt DOCUMENT.xml file if necessary (SAMHSA patients only)
• View HTML version of DOCUMENT.xml CDA file.
• Test/Validate no redisclosure without consent.

Demonstration Use Case: Emergency Treatment (Break-the-glass)

Use Case Scenario: The “test” Patient, a Veteran, is being seen at a VAMC Emergency Room for non-specific abdominal pain. The “test” Patient is also receiving unrelated treatment at a 42CFRPart2 constrained organization. That patient has chosen to participate in eHealth Exchange and has created a Consent Directive authorizing participation as well as constraining specific components of their clinical record. Specifically, the “test” patient wishes to REDACT Substance Abuse and Mental Health related observations, and MASK (for intended recipient eyes only) all findings related to HIV. The Emergency Room attending performs an eHealth Exchange document query and retrieve.

Expected Outcome: Annotation of Document will occur with Document, Section, and Entry security labels being applied. NO actions of REDACTION or MASKING will be performed when Purpose of Use (POU) is Emergency Treatment (ETREAT). Authorization for disclosure is determined by POU, Organizational policy, and trust relationship between exchanging organizations (exchange of certificates). Document, in its entirety, is delivered for viewing to Emergency Room attending (requestor) with 42CFRPart2 WARNING and heightened auditing.

Step #1: From your tablet, log in to DS4PMobilePortal.

Step #2: Touch your profile button, “DrName”, and change your POU to Emergency (this is normally a workflow event).

Step #3: Touch “Patient List” and then select “Asample Patientone” from the drop-down list.

Step #4: Touch “eHealth Exchange”, then touch the “Search” button to perform a cross-enterprise document query (VA-SAMHSA). Available documents are returned and visible for selection in the table. Note that no document annotation has occurred at this point; only 1) an authorization to release to the recipient and 2) the available documents and metadata are returned.

Step #5: Touch the row of interest, “Consult Notes”, and then touch the “Retrieve Document” button.

Step #6: Note that the document has been delivered to the requestor in the Emergency Room in its encrypted form per the sending organization’s DS4P policy.

Step #7: Touch the “X” button or anywhere to close the “Document Retrieve Response” window.

Step #8: Touch “Decrypt Document” to decrypt the document payload. This step is for demonstration purposes only.

Step #9: Note that the contents of the document are now revealed (in XML form) to the requestor. Again, this step is for demonstration purposes only.

Step #10: Touch the “View Clinical Document” button. The 42CFRPart2 warning is displayed as well as the document. Note the document and section level tagging of “R” for restricted, and the entry level tag related to applicable policies. Substance Abuse (ETH), Mental Health Related (PSY), and HIV information is visible.

Step #11: Touch the “Access Control Decisioning” button. In the table, touch the most recent event related to your “Provider Id” and “Document Retrieve” service request.

Step #12: Touch the “Obligations” button. In the XACML Response window we see patient consent directives to REDACT ETH and PSY, and to MASK HIV. Additionally, the organization is constrained by US Privacy Laws 42CFRPart2 and Title32Section7332, and requires document handling of encryption.

Step #13: Touch the Security Labeling Service “SLS Rules Generated” button. A list of all applicable/available rules is shown; DRL is Drools Rule Language. The rules and the decomposed C32 are sent to the Drools Rule Engine for processing.

Step #14: Touch the Security Labeling Service “SLS Rules Executed” button. A list is shown of all the rules that executed and resulted in a label being applied to a specific observation. Note: all disregard patient directives to REDACT and/or MASK.

Step #15: RESET your session by setting your Purpose of Use (POU) in your user profile to “Treatment”; see Step #2 for further instructions.

Demonstration Use Case: Share Partial

Use Case Scenario: The “test” Patient, a Veteran, has been referred for a Monday morning follow-up appointment with “DrName”. Over the weekend our “test” patient updates their consent directive to include “DrName” as an authorized recipient. Remember, our patient’s consent directive constrains specific components of their clinical record. Specifically, the “test” patient wishes to REDACT Substance Abuse and Mental Health related observations, and MASK (for intended recipient eyes only) all findings related to HIV. Prior to seeing our test patient, “DrName” performs an eHealth Exchange document query.

Expected Outcome: Annotation of Document will occur with Document, Section, and Entry security labels being applied. Actions of REDACTION or MASKING will be performed. Authorization for disclosure is determined by provider ID, POU, Credentials, Sensitivity Permissions, Organizational policy, and trust relationship between exchanging organizations (exchange of certificates). Document, fully annotated (REDACT/LABEL/MASK/ENCRYPT), is delivered to “DrName”.
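The Emergency Treatment and Share Partial outcomes differ only in whether the patient's consent obligations are enforced after labeling. The Python below is an added example, not code from the VA-SAMHSA pilot: the function and field names, the "N" default label, the provider IDs "DrER" and "DrOther", and the mapping of Bupropion to PSY are assumptions, and the record is a constructed copy of the Asample Patientone test data.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Entry:
    section: str
    text: str
    sensitivity: Optional[str] = None  # ETH, PSY, HIV (codes used on the slides)
    confidentiality: str = "N"         # assumed default; "R" = restricted
    masked: bool = False


# Constructed sample: Asample Patientone's problems and medications.
PATIENT_ONE = [
    Entry("Problems", "Type 2 Diabetes"),
    Entry("Problems", "Asthma"),
    Entry("Problems", "Coronary Artery Atheroma"),
    Entry("Problems", "Hyperlipidemia"),
    Entry("Problems", "Hypertension"),
    Entry("Problems", "Acute HIV", "HIV"),
    Entry("Problems", "Substance Abuse", "ETH"),
    Entry("Medications", "Bupropion Hydrochloride", "PSY"),  # assumed mapping
    Entry("Medications", "Zidovudine", "HIV"),
]

# Hypothetical consent directive: REDACT ETH and PSY, MASK HIV.
CONSENT = {
    "authorized_recipients": {"DrName"},
    "obligations": {"ETH": "REDACT", "PSY": "REDACT", "HIV": "MASK"},
}


def label(entries):
    """Labeling step: tag every sensitive entry "R", independent of consent."""
    return [replace(e, confidentiality="R") if e.sensitivity else e
            for e in entries]


def release(entries, consent, provider_id, pou):
    """Return the decision and the document view for one retrieve request."""
    decision = {"permit": False, "audit": "normal", "warnings": [],
                "document_label": None, "entries": []}
    if pou == "ETREAT":
        # Break-the-glass: labels are applied, obligations are not enforced,
        # and the request is audited more heavily.
        enforce = {}
        decision["audit"] = "heightened"
    elif pou == "TREAT" and provider_id in consent["authorized_recipients"]:
        enforce = consent["obligations"]
    else:
        return decision  # deny: nothing is labeled or returned

    decision["permit"] = True
    labeled = label(entries)
    restricted = any(e.confidentiality == "R" for e in labeled)
    decision["document_label"] = "R" if restricted else "N"
    if restricted:
        decision["warnings"].append("42CFRPart2 WARNING")

    for e in labeled:
        action = enforce.get(e.sensitivity)
        if action == "REDACT":
            continue  # entry is removed from the delivered document
        if action == "MASK":
            # Stand-in for entry-level encryption to the intended recipient.
            e = replace(e, text="[MASKED]", masked=True)
        decision["entries"].append(e)
    return decision


if __name__ == "__main__":
    for who, pou in (("DrER", "ETREAT"), ("DrName", "TREAT"), ("DrOther", "TREAT")):
        d = release(PATIENT_ONE, CONSENT, who, pou)
        print(who, pou, d["permit"], d["audit"], [e.text for e in d["entries"]])
```
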

Step #1: From your tablet, log in to DS4PMobilePortal.

Step #2: Touch your profile button, “DrName”, and change your POU to Treatment (this is normally a workflow event).

Step #3: Touch “Patient List” and then select “Asample Patientone” from the drop-down list.

Step #4: Touch “eHealth Exchange”, then touch the “Search” button to perform a cross-enterprise document query (VA-SAMHSA). Available documents are returned and visible for selection in the table. Note that no document annotation has occurred at this point; only 1) an authorization to release to the recipient and 2) the available documents and metadata are returned.

Step #5: Touch the row of interest, “Consult Notes”, and then touch the “Retrieve Document” button.

Step #6: Note that the document has been delivered to the requestor in its encrypted form per the sending organization’s DS4P policy.

Step #7: Touch the “X” button or anywhere to close the “Document Retrieve Response” window.

Step #8: Touch “Decrypt Document” to decrypt the document payload. This step is for demonstration purposes only.

Step #9: Note that the contents of the document are now revealed (in XML form) to the requestor. Again, this step is for demonstration purposes only.

Step #10: Touch the “View Clinical Document” button. The 42CFRPart2 warning is displayed as well as the document. Note the document and section level tagging of “R” for restricted, and that one problem list item and one medication have been MASKED. Substance Abuse (ETH) and Mental Health Related (PSY) findings have been REDACTED.

Step #11: Touch the “Decrypt Doc and Entries” button. Assuming your user has the necessary permissions, you will receive the key and be able to decrypt the MASKED entries. This step is for demonstration purposes only. Close the XML display.

Step #12: Touch the “View Clinical Document” button. The two (2) MASKED entries are revealed to the user. In this case Acute HIV and the AZT equivalent medication were previously hidden from the user’s view.

Step #12: Touch the “Access Control Decisioning” button.

Step #13: Touch to select the most recent “DocumentRetrieve” service request associated with your provider ID in the log table.

Step #14: Touch the Security Labeling Service “SLS – Rules Generated” button. Note that rules now take into account the patient’s wishes to REDACT or MASK aspects of their clinical record.

[Figure: generated rule with callouts: Patient Constraint; SNOMED-CT code; Sensitivity Label; Confidentiality Label Action; US Privacy Law; Refrain Policy; Document Handling]

Demonstration Use Case: Share All

Use Case Scenario: The “test” Patient, a Veteran, has been referred to an orthopedic surgeon, “DrName”, at the VAMC in Helena, MT. The “test” Patient is also receiving unrelated treatment at a 42CFRPart2 constrained organization. That patient has chosen to participate in eHealth Exchange and has created a Consent Directive authorizing participation and disclosure to “DrName”. The patient has no concerns in regard to sharing his/her clinical information fully with DrName.

Expected Outcome: Annotation of Document will occur with Document, Section, and Entry security labels being applied. Actions of REDACTION or MASKING will be performed IF REQUIRED. Authorization for disclosure is determined by provider ID, POU, Credentials, Sensitivity Permissions, Organizational policy, and trust relationship between exchanging organizations (exchange of certificates). Document, fully annotated (REDACT/LABEL/MASK/ENCRYPT), is delivered to “DrName”.

Step #1: From your tablet, log in to DS4PMobilePortal.

Step #2: Touch your profile button, “DrName”, and make sure your POU is set to Treatment (this is normally a workflow event).

Step #3: Touch “Patient List” and then select “Asample Patienttwo” from the drop-down list.

Repeat Step #4 thru #10 from Share Partial Use Case.

Note when viewing the clinical document: no masking is present, and PSY, ETH, Sickle Cell Anemia, disorders and medications are visible.

Step #11: Touch the “Access Control Decisioning” button.

Step #12: Touch to select the most recent “DocumentRetrieve” service request associated with your provider ID in the log table.

Step #13: Touch the “Obligations” button. Note that there are no patient constraints present.

Step #14: Touch the Security Labeling Service “SLS – Rules Generated” button. Note that rules now take into account that no patient constraints are present and are entirely based on organizational policy.

Demonstration Use Case: Patient Changes Mind (Modifying Patient Consent)

Use Case Scenario: The “test” Patient, a Veteran, is currently receiving treatment for PTSD from “DrDavid” at the VAMC in Helena, MT. The “test” Patient is also receiving unrelated treatment at a 42CFRPart2 constrained organization. That patient has chosen to participate in eHealth Exchange and has created a Consent Directive authorizing participation and disclosure to “DrDavid” with no constraints. The patient initially has no concerns in regard to sharing his/her clinical information fully with “DrDavid”. At some point in the future our “test” patient feels uncomfortable seeing “DrDavid” and is switched to another Mental Health Provider at the VAMC. After some consideration our “test” patient decides to alter their VA consent directive to disallow “DrDavid” access both locally and across the eHealth Exchange.

Expected Outcome: Annotation of Document will occur with Document, Section, and Entry security labels being applied. Actions of REDACTION or MASKING will be performed IF REQUIRED. Authorization for disclosure is determined by provider ID, POU, Credentials, Sensitivity Permissions, Organizational policy, and trust relationship between exchanging organizations (exchange of certificates). Initially the Document, fully annotated (REDACT/LABEL/MASK/ENCRYPT), is delivered to “DrDavid”.

After the “test” patient changes their consent directive to disallow “DrDavid” access, “DrDavid” is no longer able to receive the necessary authorizations to request or view the patient’s record.

Note: This use case example of patient changes mind has had its scope minimized. Only Jericho was able to provide a patient-facing Consent Tool, services, and XDS.b repository, and integrate prior to HIMSS. Consent Directives stored in the SAMHSA XDS.b repository were actually generated by VA services without benefit of a patient tool. There are still some issues to be worked out between VA/SAMHSA and Jericho in regard to this portion of the demonstration.

Step #1: From your tablet, log in to DS4PMobilePortal as “DrDavid”.

Step #2: Touch your profile button, “DrDavid”, and make sure your POU is set to Treatment (this is normally a workflow event).

Step #3: Touch “Patient List” and then select “Asample Patientthree” from the drop-down list.

Repeat Step #4 thru #10 from Share Partial Use Case.

Note when viewing the clinical document that masked entries exist in both Problem List and Medications.

Step #11: Touch the “Decrypt Doc and Entries” button. Masked entries are decrypted and the XML document is displayed. This step is for demonstration purposes only. Close the window.

Step #12: Touch the “View Clinical Document” button. Note that ETH and PSY findings are now visible to “DrDavid”.

Step #11: Touch the “Access Control Decisioning” button. Note that authorization decisions occurred for DocumentQuery, DocumentRetrieve, DocumentEntryUnMask, and DocumentView.

Change Asample Patientthree’s VA Consent Directive

Step #12: Log in to the Jericho Systems Patient Portal as “Asample Patientthree”. Note that Dr. David has been authorized to view our test patient’s records with no constraints.

Step #13: Click on the “Update” button next to “Dr. David”.

Step #14: Click on “Block all personal health information.” Then click on the “Continue” button.

Step #15: Click on the “Authorize & Sign” button.

Step #16: Sign the draft consent directive, making it authoritative, by entering your username and password and selecting an end date.

Step #17: Click on the “Sign Draft” button.

Step #18: Note that access for Dr. David is now blocked. Log out of the Jericho Systems “Patient Portal”.

Step #19: From the DS4PMobilePortal, touch the “eHealth Exchange” button, then touch the “Search” button.

DrDavid receives a “You do not have the necessary authorization privileges to perform this operation” message.

Step #20: Touch the “Access Control Decisioning” button. Note that DrDavid’s DocumentQueryOut requests have been denied.

An Unexpected Interop: VA-SAMHSA and NetSmart

Should we be concerned?

During the HIMSS Interoperability Showcase the VA-SAMHSA team was asked to perform an impromptu interop with the NetSmart DS4P Pilot. The VA-SAMHSA team provided NetSmart with their Direct HealthVault (development sandbox) email address, the requirements for an XDM attachment, and an example of the METADATA being produced by SAMHSA (FEISystems).

The first attempt to process the XDM package failed due to the structure of the zip file.

NetSmart delivered a new Direct message the following day. The Direct XDM package was able to be received by the VA-developed XDMProcessingService (web service) but failed the Collection phase, as it was unable to identify the intended recipient to determine permissions for persisting the data. This implied there was a disconnect in the METADATA being asserted. The interop was set aside until after the conference.

Upon my return home I disabled the permission check during the collection phase and manually persisted the intended recipient info after the fact, allowing the document and its METADATA to be stored. To the right is the CCD received from NetSmart.

Things to Consider….

• Need to revisit METADATA being exchanged between organizations.

• Cart before the horse problem: should HCS be engaged during DocQuery? This is only an issue when an organization annotates the document in real time.

• XACML is good for enforcing obligations and refrain policies, but not for determining them.

• Key exchange between organizations.

• The OASIS XSPA standards and IHE XUA++ need to be updated to reflect outcomes of the pilot.

• When embedding an XACML policySet in the CDA R2 Consent Directive, which the VA-SAMHSA pilot relied heavily on, a minimum set of policies and resources needs to be recommended.