Fix the text around member-authorized sharing. - HRex #95


    • Type: Change Request
    • Resolution: Not Persuasive with Modification
    • Priority: Medium
    • US Da Vinci HRex (FHIR)
    • Financial Mgmt
    • Profile overview [deprecated]
    • SMART-on-FHIR

      For member-authorized sharing from payer to third-party applications, we are not aware of any regulation requiring the use of consent directives or security labels.

      We are not able to find information in the ONC or CMS final rules (ONC 21st Century Cures Act Final Rule 2020 (85 FR 25642) and the CMS Interoperability Final Rule 2020 (CMS-9115-F)) that supports mandating either consent directives or security labels.

      Because such rules are evolving and can be superseded, we don't feel it's appropriate to refer to specific language in this IG.

      We will update the IG to be explicit that all data sharing must adhere to state and federal regulations for consent and protection of data in effect at the time of the sharing. Kathleen accepts the proposed language in the new HRex Privacy & Security section.

    • Bob Dieterle / Russ Leftwich: 8-0-0
    • Correction
    • Non-substantive

      Existing Wording: Member-authorized sharing of information between Payers, or from a Payer to a Third-Party Application, uses the OAuth2.0 Authorization protocol. The methods for this form of connectivity to a Payer's FHIR API endpoint SHALL follow the processes defined for standalone SMART-on-FHIR apps in the SMART App Launch Framework Implementation Guide: http://www.hl7.org/fhir/smart-app-launch/

      Comment:

      If a member authorizes a Payer to share sensitive information governed by laws that preempt HIPAA, require a consent to share with another payer or third-party app, and require no further redisclosure without consent [e.g., 42 CFR Part 2 and state HIV/behavioral health laws], then the disclosing Payer must have a consent directive on file, must restrict the disclosure per the consent directive, and must communicate via security labels on the disclosed information the governing law, higher level of confidentiality protections, sensitivity type, permissible purposes of use, obligations and prohibitions. SMART on FHIR does not support adjudicating access decisions based on security labels, so it is insufficient unless augmented with JSON scopes in access tokens.

      Summary:

      Fix the text around member-authorized sharing.
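As an added illustration of the gap the comment describes (this is not code from the ticket, the HRex IG, or the SMART App Launch framework), the following Python sketch layers a security-label and consent-directive check on top of the resource-type scope that a SMART App Launch access token provides. The code system URIs are the real HL7 v3 Confidentiality, ActCode and ActReason systems; which labels trigger the consent requirement, the `Consent` stand-in, the client id `app-123`, the patient reference and the sample Observations are assumptions constructed for this example.

```python
"""Label-aware disclosure check for member-authorized sharing (added illustration).

Assumptions (not from the ticket): the payer endpoint has already validated a
SMART access token and holds consent records locally. The code system URIs are
the real HL7 v3 terminology systems; which codes trigger a consent requirement
is an illustrative policy choice, not a statement of the HRex IG.
"""
from copy import deepcopy
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

CONF_SYS = "http://terminology.hl7.org/CodeSystem/v3-Confidentiality"
ACTCODE_SYS = "http://terminology.hl7.org/CodeSystem/v3-ActCode"
REASON_SYS = "http://terminology.hl7.org/CodeSystem/v3-ActReason"

# Illustrative mapping: labels marking data governed by a law stricter than HIPAA
# (consent required before sharing, no redisclosure without consent).
CONSENT_REQUIRING_POLICIES = {"42CFRPart2"}
CONSENT_REQUIRING_SENSITIVITIES = {"ETH", "HIV", "PSY"}
CONF_RANK = {"U": 0, "L": 1, "M": 2, "N": 3, "R": 4, "V": 5}


@dataclass
class Consent:
    """Minimal stand-in for a FHIR Consent directive on file at the payer (assumed shape)."""
    patient: str
    recipient: str                 # client_id of the app or payer the member authorized
    purposes: set                  # permitted purposes of use (ActReason codes)
    policies: set                  # laws the consent explicitly covers, e.g. {"42CFRPart2"}
    status: str = "active"
    expires: Optional[date] = None


@dataclass
class Decision:
    permit: bool
    reason: str
    labels_to_send: list = field(default_factory=list)   # meta.security for the disclosed copy


def security_codes(resource, system):
    """Codes from meta.security belonging to one code system."""
    return {c["code"] for c in resource.get("meta", {}).get("security", [])
            if c.get("system") == system}


def scope_permits(token_scopes, resource_type):
    """The only check a stock SMART App Launch token supports: resource-type scope."""
    return f"patient/{resource_type}.read" in token_scopes or "patient/*.read" in token_scopes


def decide(resource, token_scopes, recipient, purpose, consents, today):
    """Combine the SMART scope check with a security-label check before disclosure."""
    if not scope_permits(token_scopes, resource["resourceType"]):
        return Decision(False, "token scope does not cover this resource type")

    act_codes = security_codes(resource, ACTCODE_SYS)
    required_policies = act_codes & CONSENT_REQUIRING_POLICIES
    sensitivities = act_codes & CONSENT_REQUIRING_SENSITIVITIES
    conf = max((CONF_RANK.get(c, 0) for c in security_codes(resource, CONF_SYS)),
               default=CONF_RANK["N"])
    original = deepcopy(resource.get("meta", {}).get("security", []))

    if not required_policies and not sensitivities and conf <= CONF_RANK["N"]:
        return Decision(True, "normal confidentiality; scope check suffices", original)

    # Restricted data: a matching, unexpired consent directive must be on file.
    patient = resource["subject"]["reference"]
    for c in consents:
        if (c.status == "active" and c.patient == patient and c.recipient == recipient
                and purpose in c.purposes and required_policies <= c.policies
                and (c.expires is None or c.expires >= today)):
            break
    else:
        return Decision(False, "restricted data and no matching consent directive on file")

    # Carry the governing law, confidentiality level, sensitivity, permitted purpose
    # and the redisclosure prohibition forward on the disclosed copy.
    sent = original + [{"system": REASON_SYS, "code": purpose}]
    if "NOREDISCLOSE" not in act_codes:
        sent.append({"system": ACTCODE_SYS, "code": "NOREDISCLOSE"})
    return Decision(True, "consent directive permits disclosure", sent)


# Constructed sample input: a substance-use Observation labelled as 42 CFR Part 2 data.
PART2_OBS = {
    "resourceType": "Observation", "id": "sud-1",
    "subject": {"reference": "Patient/m-42"},
    "meta": {"security": [{"system": CONF_SYS, "code": "R"},
                          {"system": ACTCODE_SYS, "code": "42CFRPart2"},
                          {"system": ACTCODE_SYS, "code": "ETH"}]},
}
# Constructed sample input: an ordinary vital-sign Observation at normal confidentiality.
NORMAL_OBS = {
    "resourceType": "Observation", "id": "bp-1",
    "subject": {"reference": "Patient/m-42"},
    "meta": {"security": [{"system": CONF_SYS, "code": "N"}]},
}
MEMBER_CONSENT = Consent(patient="Patient/m-42", recipient="app-123", purposes={"PATRQT"},
                         policies={"42CFRPart2"}, expires=date(2030, 1, 1))
SCOPES = {"patient/Observation.read"}   # what a standalone SMART app would be granted


def demo(today=date(2024, 1, 1)):
    """Run the three cases the comment contrasts."""
    return {
        "normal": decide(NORMAL_OBS, SCOPES, "app-123", "PATRQT", [], today).permit,
        "part2_no_consent": decide(PART2_OBS, SCOPES, "app-123", "PATRQT", [], today).permit,
        "part2_with_consent": decide(PART2_OBS, SCOPES, "app-123", "PATRQT",
                                     [MEMBER_CONSENT], today),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The point of the sketch is the middle case: the plain scope check passes for the Part 2 Observation exactly as it does for the blood-pressure reading, so without the label check the payer would disclose restricted data on the strength of a resource-type scope alone. When a matching consent directive is on file, the copy handed to the app carries the original labels plus the permitted purpose of use and a NOREDISCLOSE obligation, which is the information the comment says the receiving party must be given.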

    • Assignee: Unassigned
    • Reporter: Kathleen Connor
    • Watchers: 4