The guides need to be clearer on guardrails that will protect patient privacy rights. - DTR #80


    • Type: Change Request
    • Resolution: Persuasive with Modification
    • Priority: Medium
    • US Da Vinci DTR (FHIR)
    • STU3
    • Clinical Decision Support
    • (profiles) [deprecated]
    • 4.4.9

      If DTR is executed using an app, the app will only have access to data specifically authorized by the organization as appropriate for use.

      We will add language to the specification that indicates that when meeting DTR requirements using a distinct app (i.e. not within the EHR), the app SHALL have a distinct client id for when it's being invoked purely as a mechanism to supplement EHR data vs. when it's being invoked to potentially share data back to the payer.

      This will allow the scopes to be different depending on whether data might flow to the payer. It will also allow the EHR to appropriately audit data accesses where data might flow external to the EHR.

      As well, there is a requirement that the data passed to a payer SHALL also be stored in the EHR where it can be audited for appropriate use.

    • Bob Dieterle / Rachael Foerster: 7-0-1
    • Clarification
    • Non-substantive

      Comment:

      As technology continues to break down previous access barriers to patient data, particular care needs to be shown to ensure that providers are only sharing RELEVANT, appropriate data. This is particularly important given the forthcoming information blocking/EHI regulations from ONC. There is a growing concern from medical professional organizations that some entities may leverage information blocking as a tool to open up a physician's EHR and extract more info than necessary. Monitoring controls must be established and built into the inherent design of technology to limit potential abuse. This is especially important given the impact on patients' privacy rights.

      Summary:

      The guides need to be clearer on guardrails that will protect patient privacy rights.

            Assignee:
            Unassigned
            Reporter:
            Terrence Cunningham
            Watchers:
            3

              Created:
              Updated:
              Resolved: