Compare four different use cases with me:
From an IHE IUA (Internet User Authentication a.k.a. OAuth) profile discussion: to authorize the patient's application to access health information.
From the ABBI Charter: Allowing a third party application of the consumer’s choosing to privately and securely access personal health data on demand.
From the Omnibus Final Rule:
if requested by an individual, a covered entity must transmit the copy of protected health information directly to another person designated by the individual. In contrast to other requests under § 164.524, when an individual directs the covered entity to send the copy of protected health information to another designated person, the request must be made in writing, signed by the individual, and clearly identify the designated person and where to send the copy of the protected health information.
From the HITECH Act (see subsection (e) at the top of page 7748):
the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific;
In each of the above, the individual, patient, or consumer also includes in some way their authorized representative, although that may be variously defined (e.g., parent, guardian, holder of a power of attorney, et cetera) and implemented, and may be stated or implied in the use case.
In some of these use cases we talk about authorizing an application, in others an entity, and in others a designated person as the recipient of the electronic information.
The IHE use case I described above (which is really just one example of many similar use cases) mentions the "patient's application", as if we are discussing an application the patient owns (or licenses). But in the IHE profile, that could also be an application developed by a third party that the consumer authorizes. I can see uses where a patient could use this same capability to authorize an application devised by the SSA to access data on a to enable adjudication of disability, for example.
The Omnibus Final Rule clearly states: the request must be made in writing, signed by the individual, and clearly identify the designated person.
However, I would note that writing does not mean "printed on paper", that signed by the individual can be represented by some form of electronic signature, and that clearly identifying a designated person need not mean "by name", but could also be by role (e.g., privacy officer, licensed healthcare provider, et cetera).
By paying attention, one can navigate all of these use cases to produce one common solution that meets the needs of all of them. But it truly isn't easy. Welcome to my world.