NSTIC – Electronic Health Records and Patient ID

From IIW

Session Topic: NSTIC EHR & Patient ID

Wednesday 3D

Convener: Justin Richer

Notes-taker(s): Nicholas Crown

Tags for the session - technology discussed/ideas considered: NSTIC, IDESG, OAuth, Trust, Privacy, EHR

EHR & NSTIC

Moderator: Jim Sheire

ONC - Office of the National Coordinator for HC technology

  • Responsible for the standards, technology, framework for digitizing HC stuff
  • The push is for 2016
  • Working to understand the privacy requirements/standards necessary to participate in exchanges, etc.
  • Advisory committees are working to understand these requirements
  • If you are a patient, how do you interact with your EHR/Data Holder to view records, etc.
  • Letter is available online with the recommendations for what the credentials should look like to comply with meaningful use
  • Issue is that the data holder will always look for any possible loophole to avoid sharing your data
  • Working to eliminate the loopholes that would let the data holder take no action
  • What about delegation when the patient is unable to access on their own?
  • Justin Richer:
    • Blue Button + initiative
      • Developing a RESTful API for moving HC records between parties
      • Using OAuth for protecting the API
      • Interesting work around dynamic registration amongst parties
      • Moving away from traditional pre-configured trust-based systems and using OAuth to make this more dynamic
      • This allows them to build systems that use patient consent and support interop at the authZ level
      • The NSTIC recommendations need to be applied to Blue Button
      • NSTIC can then use policy to ensure that the right things are happening at the technology level
  • Trying to work out a framework for what FIPPs would look like when applied to patient ID
    • From the patient ID perspective, FIPPs would look like:
    • Don't ask for more than you need (Data Limitation/Purpose Limitation, etc.)
    • Recommending three levels:
      • 1. Consultation (patient can be anonymous at this point)
      • 2. Bilateral payment confirmation (primarily between the HC provider and insurer)
      • 3. Aggregation (non-coercively in a voluntary way)
        • B. Need strong ID and aggregation to avoid prescription fraud (getting narcotics at multiple providers for recreational use)
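The Blue Button+ points above (an OAuth-protected records API, patient consent enforced at the authorization level, clients onboarded by dynamic registration rather than pre-configured trust) can be made concrete with a small model. The Python below is an added illustration written for these notes; it is not code from the session, from Blue Button+, or from ONC. The class and method names, the scope names (resource types the patient consented to share), the patient ids and the records are all constructed for the example, and the registration step is only a simplified sketch of the dynamic-registration flow mentioned in the session.

```python
"""Toy model of an OAuth-protected health-records API where access is governed
by patient consent and clients are onboarded by dynamic registration.
All endpoints, names, scope values and data below are constructed for this example."""
import secrets
import time
from dataclasses import dataclass

# Constructed sample record store: patient id -> resource type -> records
RECORDS = {
    "patient-001": {"Medication": ["lisinopril 10mg"], "LabResult": ["A1c 6.1%"]},
    "patient-002": {"Medication": ["metformin 500mg"], "LabResult": []},
}


@dataclass
class Token:
    client_id: str
    patient_id: str       # the patient who granted consent
    scopes: frozenset     # resource types the patient agreed to share
    expires_at: float


class AuthorizationServer:
    """Issues client credentials on registration and access tokens on patient consent."""

    def __init__(self):
        self.clients = {}  # client_id -> client metadata
        self.tokens = {}   # opaque token string -> Token

    def register_client(self, metadata):
        # Dynamic registration (simplified): the client presents its metadata
        # and receives credentials, instead of being pre-configured by hand.
        if not metadata.get("redirect_uris"):
            raise ValueError("redirect_uris required")
        client_id = "client-" + secrets.token_hex(4)
        self.clients[client_id] = dict(metadata, client_secret=secrets.token_urlsafe(16))
        return client_id, self.clients[client_id]["client_secret"]

    def issue_token(self, client_id, patient_id, consented_scopes, ttl=3600):
        # The token records the patient's consent decision; the patient, not a
        # site-to-site agreement, is the authority for what may be shared.
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = Token(client_id, patient_id, frozenset(consented_scopes),
                                 time.time() + ttl)
        return tok

    def introspect(self, tok):
        # Returns the token's claims, or None if unknown or expired.
        t = self.tokens.get(tok)
        if t is None or t.expires_at < time.time():
            return None
        return t


class RecordServer:
    """Resource server: every request needs a token whose consent covers it."""

    def __init__(self, authz):
        self.authz = authz

    def get_records(self, bearer, patient_id, resource_type):
        t = self.authz.introspect(bearer)
        if t is None:
            return 401, "invalid_token"
        if t.patient_id != patient_id:
            return 403, "token was not issued for this patient"
        if resource_type not in t.scopes:
            return 403, f"patient did not consent to share {resource_type}"
        return 200, RECORDS.get(patient_id, {}).get(resource_type, [])


def demo():
    authz = AuthorizationServer()
    api = RecordServer(authz)
    cid, _secret = authz.register_client(
        {"client_name": "Example PHR app", "redirect_uris": ["https://phr.example/cb"]})
    # Patient 001 consents to share medications only with this client.
    tok = authz.issue_token(cid, "patient-001", ["Medication"])
    return {
        "allowed": api.get_records(tok, "patient-001", "Medication"),
        "wrong_scope": api.get_records(tok, "patient-001", "LabResult")[0],
        "wrong_patient": api.get_records(tok, "patient-002", "Medication")[0],
        "bad_token": api.get_records("not-a-token", "patient-001", "Medication")[0],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is where the checks live: the record server never consults a per-partner configuration, it only asks whether the presented token carries consent from the right patient for the requested resource type, which is the "interop at the authZ level" the session describes.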

From the letter under the FICA Community, via a hearing focused on acquiring advice from the patient/provider communities to understand how to alleviate "identity" issues:

  • "NSTIC... Should provide a more scalable solution for patient authentication in the future"
  • Could see this as a recommendation for using the NSTIC Identity Ecosystem as an identity layer to solve the challenges
  • Presents a nice alignment between the problems in HC and the solutions being worked in NSTIC
  • ONC is telegraphing what they want to see happen prior to regulating to force the work to occur
  • The tiger team that "testified" before the hearing made the following recommendations:
    • Identity Proofing
    • Authentication
    • Best Practices:
      • Usable
      • Voluntary/Flexible
      • Scalable/NSTIC
      • Federation/Re-use
      • KBA
      • Out-of-band AuthN
      • Go Beyond Passwords
      • M2M
      • ...