NSTIC – Electronic Health Records and Patient ID
From IIW
Session Topic: NSTIC EHR & Patient ID
Wednesday 3D
Convener: Justin Richer
Notes-taker(s): Nicholas Crown
Tags for the session - technology discussed/ideas considered: NSTIC, IDESG, OAuth, Trust, Privacy, EHR
EHR & NSTIC
Moderator: Jim Sheire
ONC - Office of the National Coordinator for Health IT
- Responsible for the standards, technology, and framework for digitizing healthcare records
- The push is for 2016
- Working to understand the privacy requirements/standards necessary to participate in exchanges, etc.
- Advisory committees are working to understand these requirements
- If you are a patient, how do you interact with your EHR/Data Holder to view records, etc.?
- A letter is available online with the recommendations for what the credentials should look like to comply with meaningful use
- Issue is that the data holder will always look for any possible loophole to avoid sharing your data
- Working to eliminate those loopholes so that taking no action is not an option
- What about delegation when the patient is unable to access on their own?
- Justin Richer:
- Blue Button + initiative
- Developing a RESTful API for moving HC records between parties
- Using OAuth for protecting the API
- Interesting work around dynamic registration amongst parties
- Moving away from traditional pre-configured trust-based systems and using OAuth to make this more dynamic
- This allows them to build systems that use patient consent and support interop at the authZ level
- The NSTIC recommendations need to be applied to Blue Button
- NSTIC can then use policy to ensure that the right things are happening at the technology level
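The dynamic-registration and patient-consent flow described above, as an added example that is not Blue Button+ code or anything from the session. It is a toy OAuth 2.0 authorization server in which a previously unknown client registers itself (messages shaped after RFC 7591), the patient consents to a subset of the scopes the client registered for, and the token endpoint narrows every token to that consented subset. The scope names (`records.read`, `records.share`, `records.write`), the patient and client metadata, and the in-memory storage are all assumptions constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AuthorizationServer:
    """Toy OAuth 2.0 authorization server in front of a patient-record API.

    Assumed (not Blue Button+ code): scope names, the /register and /token
    message shapes (modelled on RFC 7591 and RFC 6749), and in-memory storage.
    """
    clients: dict = field(default_factory=dict)   # client_id -> registration record
    consents: dict = field(default_factory=dict)  # (patient, client_id) -> set of scopes
    tokens: dict = field(default_factory=dict)    # access_token -> {client_id, patient, scope}

    def register(self, metadata: dict) -> dict:
        """Dynamic registration (RFC 7591 shape): an unknown client presents its
        metadata and receives credentials, instead of being pre-configured."""
        uris = metadata.get("redirect_uris", [])
        # Only accept HTTPS redirect URIs: the authorization code is sent there.
        if not uris or not all(u.startswith("https://") for u in uris):
            return {"error": "invalid_redirect_uri"}
        requested = set(metadata.get("scope", "").split())
        client_id = secrets.token_urlsafe(16)
        client_secret = secrets.token_urlsafe(32)
        self.clients[client_id] = {"client_secret": client_secret,
                                   "redirect_uris": list(uris), "scope": requested}
        return {"client_id": client_id, "client_secret": client_secret,
                "redirect_uris": list(uris), "scope": " ".join(sorted(requested))}

    def record_consent(self, patient: str, client_id: str, approved: set) -> set:
        """The patient approves a subset of the scopes the client registered for;
        anything outside the registered set is dropped (purpose limitation)."""
        allowed = approved & self.clients[client_id]["scope"]
        self.consents[(patient, client_id)] = allowed
        return allowed

    def issue_token(self, client_id: str, client_secret: str,
                    patient: str, requested_scope: str) -> dict:
        """Token endpoint: authenticate the client, then narrow the requested
        scope to what this patient consented to for this client."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["client_secret"], client_secret):
            return {"error": "invalid_client"}
        consented = self.consents.get((patient, client_id), set())
        granted = set(requested_scope.split()) & consented
        if not granted:
            return {"error": "access_denied"}
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"client_id": client_id, "patient": patient, "scope": granted}
        return {"access_token": token, "token_type": "Bearer",
                "scope": " ".join(sorted(granted))}

    def introspect(self, token: str) -> Optional[dict]:
        return self.tokens.get(token)


def resource_server_allows(server: AuthorizationServer, token: str,
                           patient: str, needed_scope: str) -> bool:
    """Record holder's check before releasing data: the token must be known,
    bound to the same patient, and carry the scope this operation needs."""
    info = server.introspect(token)
    return bool(info) and info["patient"] == patient and needed_scope in info["scope"]


def demo() -> dict:
    """Walk the exchange once and return the observable results."""
    az = AuthorizationServer()
    # Constructed client metadata; not from any real application.
    reg = az.register({"client_name": "Example PHR app",
                       "redirect_uris": ["https://phr.example/cb"],
                       "scope": "records.read records.share"})
    # Patient approves read and write; write was never registered, so it is dropped.
    consented = az.record_consent("patient-42", reg["client_id"],
                                  {"records.read", "records.write"})
    # Client asks for more than the patient consented to; token is narrowed.
    tok = az.issue_token(reg["client_id"], reg["client_secret"],
                         "patient-42", "records.read records.share")
    access_token = tok["access_token"]
    return {
        "consented": consented,
        "token_scope": tok["scope"],
        "bad_registration": az.register({"redirect_uris": ["http://phr.example/cb"],
                                         "scope": "records.read"}),
        "wrong_secret": az.issue_token(reg["client_id"], "wrong", "patient-42", "records.read"),
        "read_allowed": resource_server_allows(az, access_token, "patient-42", "records.read"),
        "share_allowed": resource_server_allows(az, access_token, "patient-42", "records.share"),
        "other_patient_allowed": resource_server_allows(az, access_token, "patient-7", "records.read"),
        "bogus_token_allowed": resource_server_allows(az, "bogus", "patient-42", "records.read"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point a practitioner should take from this is where the trust sits: nothing about the client is pre-configured, so the authorization server cannot rely on a vetted client list, and every release of data rests on the patient's recorded consent plus the resource server's own check of patient binding and scope on each request.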
- Blue Button + initiative
- Trying to work out a framework for what FIPPs would look like when applied to patient ID
- From the patient ID perspective, FIPPs would look like:
- Don't ask for more than you need (Data Limitation/Purpose Limitation, etc.)
- Recommending three levels:
- 1. Consultation (patient can be anonymous at this point)
- 2. Bilateral payment confirmation (primarily between the HC provider and insurer)
- 3. Aggregation (non-coercively in a voluntary way)
- B. Need strong ID and aggregation to avoid prescription fraud (getting narcotics at multiple providers for recreational use)
From the letter from the FICA community, via a hearing focused on acquiring advice from the patient/provider communities to understand how to alleviate "identity" issues:
- "NSTIC... Should provide a more scalable solution for patient authentication in the future"
- Could see this as a recommendation for using the NSTIC Identity Ecosystem as an identity layer to solve the challenges
- Presents a nice alignment between the problems in HC and the solutions being worked in NSTIC
- ONC is telegraphing what they want to see happen prior to regulating to force the work to occur
- The tiger team that "testified" before the hearing made the following recommendations:
- Identity Proofing
- Authentication
- Best Practices:
- Usable
- Voluntary/Flexible
- Scalable/NSTIC
- Federation/Re-use
- KBA
- Out-of-band AuthN
- Go Beyond Passwords
- M2M
- ...