Data Segmentation for Privacy InitiativeAll-Hands Meeting

2 May 2014

1

Meeting Etiquette

• Remember: If you are not speaking, please keep yourphone on mute

• Do not put your phone on hold. If you need to take a call, hang up and dial in again when finished with your other call• Hold = Elevator Music = frustrated speakers

and participants• This meeting is being recorded

• Another reason to keep your phone on mute whennot speaking

• Use the “Chat” feature for questions, comments or items you would like the moderator or other participants to know.

08/28/20132

NOTE: This meeting is being recorded and will be posted on the Wiki.

From S&I Framework to Participants:Hi everyone: remember to keep your phone on mute

WELCOME / AGENDA REVIEWJohnathan Coleman, Initiative Coordinator

3

4

Topic Time AllottedAgenda Review 5 minutesSpeaker: Doug Fridsma, M.D., Ph.D. 5 minutesSpeaker: Joy Pritts, JD 10 minutes

Initiative Summary: • Use Case Summary• S&I Artifacts• Pilots

• VA / SAMHSA• SATVA/Cerner• NETSMART• Jericho/UT

20 minutes

Standards • HL7 DS4P IG• IHE DS4P Supplement

10 minutes

Next Steps/Closing 5 minutes

Agenda

OPENING REMARKSDoug Fridsma, M.D., Ph.D., Chief Science Officer & Director, Office of Science & Technology (OST)

5

• The DS4P Initiative launched over two years ago and has been brought to a very successful completion within the Standards and Interoperability (S&I) Framework.

• Sponsored by ONC’s Office of the Chief Privacy Officer (OCPO), and supported by the Office of Science and Technology’s (OST) S&I Framework, the DS4P initiative exemplifies the type of success that is achievable through close collaboration among multiple federal and private industry stakeholders.

6

Opening Remarks

Congratulations!

S&I Framework Coordination

7

ONC Programs & Grantees

Community S&I Framework

FACAs

SDOs

• State HIE Program & CoPs• SHARP Program• REC Program & CoPs• Beacon Program

• Technology Vendors• System Integrators• Government Agencies• Industry Associations• Other Experts

• HL7• IHE• CDISC• NCPDP• ASC X12• ASTM• WEDI

• HIT Standards Committee• HIT Policy Committee• Tiger Team

• ISO/TC 215• IHTSDO• NLM• NQF• Regenstrief• Other health IT

standards related organizations

DATA SEGMENTATIONJoy Pritts, JD - Chief Privacy Officer, ONC

8

• Approximately 350 Participating Individuals• 110 Committed Members• 103 Committed Organizations• 6 Pilots (1 Federal, 5 Industry)

– VA/SAMHSA Pilot– SATVA Pilot– Netsmart Pilot– Jericho/UT Austin Pilot– GNOHIE Pilot– Teradact Pilot

Strong Community Participation

Congratulations to All!

9

• To demonstrate how standards can be used to support existing privacy policies for sharing sensitive healthcare information across organizational boundaries.

• The specifications developed by the DS4P project enable highly sensitive health information to flow more freely to authorized users, while improving the ability of health IT systems to implement existing privacy protection requirements for certain types of healthcare data, such as behavioral health information.

Initiative Goals

10

Why is this important?

11

According to recent estimates posted on healthit.gov:– An estimated 26% of Americans age 18 and older are living with a

mental health disorder in any given year.– 46% will have a mental health disorder over the course of their lifetime. – An estimated 8% of Americans are in need of drug or alcohol abuse

treatment. – Patients suffering from serious mental illness have increased rates of co-

occurring conditions, which results in a reduced life expectancy of 8-17 years.

Protection through the use of data segmentation emerged in part through state and federal privacy laws which address social hostility and stigma associated with certain medical conditions.*

* The confidentiality of alcohol and drug abuse Patient records regulation and the HIPAA privacy rule: Implications for alcohol and substance abuse programs; June 2004, Substance Abuse and Mental Health Services Administration.

USE CASE OVERVIEWData Segmentation for Privacy Initiative

12

User Story Example (1)

The Patient receives care at their local hospital for a variety of conditions, including substance abuse as part of an Alcohol/Drug Abuse Treatment Program (ADATP). Data requiring additional protection and consent directive are captured and recorded. The patient is advised that the protected information will not be shared without their consent.

User Story Example (2)

14

A clinical workflow event triggers additional data to be sent to Provider/Organization 2. This disclosure has been authorized by the patient, so the data requiring heightened protection is sent along with a prohibition on redisclosure.

Provider/ Organization 2 electronically receives and incorporates patient additionally protected data, data annotations, and prohibition on redisclosure.

ACCOMPLISHMENTS/ARTIFACTSData Segmentation for Privacy Initiative

15

DS4P Deliverables:

• Data Segmentation for Privacy Use Case document.• Implementation Guide describing recommended standards

for privacy metadata, organized by transport mechanism:– SOAP: Provides support for NwHIN / eHealth Exchange.– SMTP: Provides support for DIRECT (e.g. S/MIME, or XDR and XDM

Messaging for bridging Direct and Exchange environments).

• Analysis of HITSC recommendations for privacy metadata supporting the PCAST vision for tagged data elements.

• Executive Summary Document (Community Draft)• DS4P IG Test Procedures

Initiative Accomplishments

16

DS4P PILOT ACCOMPLISHMENTSData Segmentation for Privacy Initiative

17

VA/SAMHSA Pilot: • The pilot was successfully tested and demonstrated in

multiple venues, including the Interoperability showcase at HIMSS 2013 and the HL7 Plenary meeting in Baltimore, September 2013.

• VA have extended the DS4P capabilities to demonstrate utilization of FHIR for DS4P (demonstrated at HL7 in Jan 14, in real time, using resources from Australia, Canada and USA).

• VA championed development of the HL7 Healthcare Privacy and Security Classification System (HCS) - now under pilot for VA Identity and Access Management for VISTA Exchange and Evolution.

Pilot Accomplishments

18

NETSMART Pilot:

• The pilot was successfully tested and demonstrated in multiple venues, including the Interoperability showcase at HIMSS 2013.

• The Netsmart DS4P Part 2 solution has been implemented with the community services referral network in Tampa Bay (2-1-1 system), helping them manage restricted data associated with programs regulated by 42 CFR part 2.

Pilot Accomplishments

20

Jericho Systems / University of Texas Pilot:Demonstrated on simulated eHealth (NwHIN) exchange:• Data segmentation used to filter a patient consent directive

(PCD), drawn from a central (external) PCD repository, for redacting clinical documents based on consumer’s privacy choices.

• Defined the exchange of HL7 CDA-compliant PCD between a data custodian and a PCD repository that included a dynamic report on the outcome of the clinical request back to the consumer.

• Defined clinical document notation allowing use of the PCD repository for evaluation of consent upon request of data from subsequent data custodians.

Pilot Accomplishments

21Watch a video of Jericho / UT Austin pilot: https://vimeo.com/77513390/

SATVA Pilot Accomplishments:Included Cerner Anasazi, Valley Hope Association, Defran Systems, Inc. and HEALTHeLINK

• Demonstrated ability to send notice of prohibition on re-disclosure (as required by 42 CFR Part 2)

• Produced the SATVA Ultra-Sensitive Privacy Disclosure IG, an open IG available to all upon request, that follows the DS4P IG for Direct and defines specifics for markup of document and entry level tagging of privacy sensitivity in HL7 CDA derived documents and in IHE XD Metadata.

SATVA Pilot Future Work:• Continue the work of the USPD IG or companion IG, to include guidance for a

common electronic consent representation as a specific implementation of the HL7 Consent Directive. This could be included in requests for disclosure in cases where the mere act of requesting disclosure on behalf of a patient constitutes a disclosure itself under 42 CFR part 2.

Pilot Accomplishments

22

SATVA Pilot Production Implementations:• Valley Hope Association is creating production discharge summary disclosures for a

pilot location according to the specifications in the SATVA USPD IG CCDs. Printed versions of these CCDs are used where electronic transport is not yet available, serving to convey the disclosures with all the required notices in human readable form.

• On April 25th 2014, Cerner released into production enhancements to their Behavioral Health solution that incorporates DS4P metadata tagging of CCD’s and XD Metadata via the SATVA USPD IG.

• At HIMSS 2014 Cerner demonstrated marked-up CCDs being sent from the Cerner BH solution to the Cerner Millennium (large scale, general medical solution).

• Cerner Millennium solution design teams have begun work to recognize and process the DS4P marked-up data received from the Cerner BH solution (or other solutions implementing the USPD IG). This functionality is targeted for production release by the end of 2014.

Pilot Accomplishments

23

STANDARDS ORGANIZATIONSData Segmentation for Privacy Initiative

24

• The HL7 DS4P Project was unanimously approved by the HL7 Technical Steering Committee (TSC) on June 3rd, 2013.

• The project was jointly sponsored by the HL7 Security Work Group and Community Based Collaborative Care (CBCC) Work Group, and built on the Implementation Guides developed by the ONC DS4P S& Initiative.

• The HL7 Implementation Guide: Data Segmentation for Privacy (DS4P), Release 1 completed Normative Ballot in Jan 2014 and was published as an accredited standard.

• The standard uses tagging to convey confidentiality levels and obligations, with vocabularies to convey specific meanings, such as “Do not re-disclose without consent” or “This document is restricted”.

HL7 DS4P Project

HL7 Implementation Guide: Data Segmentation for Privacy (DS4P), Release 1

Contains three volumes: • Volume 1: CDA R2 and Privacy Metadata Reusable Content

Profile• Volume 2 : NwHIN Direct Transport Profile• Volume 3: NwHIN Exchange Transport Profile

HL7 DS4P Standard

26

• While formal project activities may be ending, DS4P is inspiring a new “family of standards” that extend the reach and footprint of the DS4P IG.• HL7 Security and Privacy Classification System

and Guide• HL7 Security Labeling Service• HL7 Security and Privacy Ontology• HL7 FHIR Security Services

Related HL7 Projects

IHE ITI DS4P Supplement: • Integrating the Healthcare Enterprise (IHE) created a DS4P

Supplement which documents an ITI US realm implementation of XDS to align with the HL7 balloted standard (DS4P Exchange profile). The supplement is being addressed this week and is approaching approval.

IHE XDS Metadata Change Proposal (CP):• The CP is being balloted by IHE (Ballot#20) and will enable

consistency with the HL7 Healthcare Classification Scheme (HCS) standard and HL7 DS4P Standard . It conveys handling caveats such as Refrain Policy, Obligation Policy, and Purpose of Use.

IHE Activities

CONCLUSIONData Segmentation for Privacy Initiative

29

Next Steps

• The DS4P project has made an important step towards improving the ability of sensitive electronic healthcare data to flow appropriately, so that patients get the care they need without fear of social hostility or stigma. To that end, we:– Encourage pilots, implementers and SDOs to continue

their efforts to improve on the work started in DS4P.– Look forward to hearing more lessons learned and

Success Stories.

Celebrating our Community

A heart felt and humble:

Thank YouWhile we have achieved tremendous success – getting the chance and the honor of working with each and every one of you was a true highlight.

Pilot Leadership• Mike Davis (VA)• Richard Thoreson (SAMHSA)• Matthew Arnheiter (NETSMART)• David Staggs (Jericho Systems)• Mike Morris (SATVA) • Dan Levene (Cerner)• John Leipold (Valley Hope Assn.)

Special Recognition

32

Extraordinary Contributors• John Moehrke (GE/HL7/IHE)• Harry Rhodes (AHIMA)• Lenel James (BCBS)• Jim Kretz (SAMHSA)• Walter Suarez (Kaiser

Permanente)

Project / Pilot SMEs• Kathleen Connor• Ioana Singureanu• Duane DeCouteau• Bear Polk

ONC Project Leads• Melissa Goldstein, JD• Scott Weinstein, JD• Julie Chua, CISSP

Questions?

DS4P Wiki:http://wiki.siframework.org/Data+Segmentation+for+Privacy