Privacy Considerations need to updated to match CMS guidance

XMLWordPrintableJSON

    • Type: Technical Correction
    • Resolution: Persuasive
    • Priority: Highest
    • US Da Vinci Drug Formulary (FHIR)
    • 1.0.0
    • Pharmacy
    • Home
    • Privacy Considerations
    • Hide

      The proposed resolution is to replace the language in the Privacy Considerations section on the IG Home page from:

      "Privacy Considerations

      Access to the formulary service should not require authentication, and the server should not maintain any records that could associate the consumer with the medication list that was queried.

      A conformant payer formulary service SHALL NOT require a formulary mobile application to send consumer identifying information in order to query for the list of health plans provided by that payer and the medication costs for each plan, specific to the consumer's set of medications.

      A formulary mobile application SHALL NOT send consumer identifiable information when querying a formulary service."

      to

      "Privacy Considerations

      The formulary service can potentially be accessed two different ways:

      1) Authenticated API: Access to the formulary service when integrated with protected health information (PHI) or personally identifiable information (PII) as part of the Patient Access API SHALL be protected through an authorized, authenticated transaction as described in the Da Vinci Health Record Exchange (HRex) FHIR Implementation Guide for the September 2020 Ballot (reference to Da Vinci HRex page).

      2) Unauthenticated API: When exchanging formulary data exclusively, which is public information without any PHI or PII, the formulary service MAY also be accessed through an API that does not require authentication or authorization. The formulary server SHALL NOT maintain any records through the unauthenticated API that could associate the consumer with the medication list that was queried.

      When accessing data through an unauthenticated API, the conformant payer formulary service SHALL NOT require a formulary mobile application to send consumer identifying information in order to query for the list of health plans provided by that payer and the medication costs for each plan, specific to the consumer's set of medications.

      An unauthenticated API to the formulary service is needed to implement the 'Shopping for Health Plans' use case detailed in this implementation guide."

      Show
      The proposed resolution is to replace the language in the Privacy Considerations section on the IG Home page from: " Privacy Considerations Access to the formulary service should not require authentication, and the server should not maintain any records that could associate the consumer with the medication list that was queried. A conformant payer formulary service SHALL NOT require a formulary mobile application to send consumer identifying information in order to query for the list of health plans provided by that payer and the medication costs for each plan, specific to the consumer's set of medications. A formulary mobile application SHALL NOT send consumer identifiable information when querying a formulary service." to " Privacy Considerations The formulary service can potentially be accessed two different ways: 1) Authenticated API: Access to the formulary service when integrated with protected health information (PHI) or personally identifiable information (PII) as part of the Patient Access API SHALL be protected through an authorized, authenticated transaction as described in the Da Vinci Health Record Exchange (HRex) FHIR Implementation Guide for the September 2020 Ballot (reference to Da Vinci HRex page). 2) Unauthenticated API: When exchanging formulary data exclusively, which is public information without any PHI or PII, the formulary service MAY also be accessed through an API that does not require authentication or authorization. The formulary server SHALL NOT maintain any records through the unauthenticated API that could associate the consumer with the medication list that was queried. When accessing data through an unauthenticated API, the conformant payer formulary service SHALL NOT require a formulary mobile application to send consumer identifying information in order to query for the list of health plans provided by that payer and the medication costs for each plan, specific to the consumer's set of medications. An unauthenticated API to the formulary service is needed to implement the 'Shopping for Health Plans' use case detailed in this implementation guide."
    • Correction
    • Non-substantive
    • 1.0.1

      Clarification from CMS indicates that authentication and authorization is required for the API if formulary data is combined with PHI and PII.  The existing guidance on Privacy Considerations indicates that the formulary data is public and therefore no authentication and authorization is required.  The current language has created some confusion in the community with relation to the Patient Access API requirements.  The language needs to be updated to help avoid this confusion for implementers.

            Assignee:
            Unassigned
            Reporter:
            David Hill
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: