NSTIC – Electronic Health Records and Patient ID

Session Topic: NSTIC EHR & Patient ID

Wednesday 3D

Convener: Justin Richer

Notes-taker(s): Nicholas Crown

Tags for the session - technology discussed/ideas considered: NSTIC, IDESG, OAuth, Trust, Privacy, EHR

EHR & NSTIC

Moderator: Jim Sheire

ONC - Office of the National Coordinator for HC technology
 * Responsible for the standards, technology, and framework for digitizing HC stuff
 * Push is for 2016
 * Working to understand the privacy requirements/standards necessary to participate in exchanges, etc.
 * Advisory committees are working to understand these requirements
 * If you are a patient, how do you interact with your EHR/Data Holder to view records, etc.?
 * Letter is available online with the recommendations for what the credentials should look like to comply with meaningful use
 * Issue is that the data holder will always look for any possible loophole to avoid sharing your data
 * Working to eliminate the loopholes to avoid no action
 * What about delegation when the patient is unable to access on their own?

Justin Richer:
 * Blue Button+ initiative
   * Developing a RESTful API for moving HC records between parties
   * Using OAuth for protecting the API
   * Interesting work around dynamic registration amongst parties
   * Moving away from traditional pre-configured trust-based systems and using OAuth to make this more dynamic
   * This allows them to build systems that use patient consent and support interop at the authZ level
 * The NSTIC recommendations need to be applied to Blue Button
 * NSTIC can then use policy to ensure that the right things are happening at the technology level
 * Trying to work out a framework for what FIPPs would look like when applied to patient ID
 * From the patient ID perspective, FIPPs would look like:
   * Don't ask for more than you need (Data Limitation/Purpose Limitation, etc.)
   * Recommending three levels:
     1. Consultation (patient can be anonymous at this point)
     2. Bilateral payment confirmation (primarily between the HC provider and insurer)
     3. Aggregation (non-coercively, in a voluntary way)
   * B. Need strong ID and aggregation to avoid prescription fraud (getting narcotics at multiple providers for recreational use)

From the letter, under the FICA community, via a hearing focused on acquiring advice from the patient/provider communities to understand how to alleviate "identity" issues:
 * "NSTIC... should provide a more scalable solution for patient authentication in the future"
 * Could see this as a recommendation for using the NSTIC Identity Ecosystem as an identity layer to solve the challenges
 * Presents a nice alignment between the problems in HC and the solutions being worked on in NSTIC
 * ONC is telegraphing what they want to see happen prior to regulating to force the work to occur
 * The tiger team that "testified" before the hearing made the following recommendations:
   * Identity Proofing
   * Authentication
   * Best Practices:
     * Usable
     * Voluntary/Flexible
     * Scalable/NSTIC
     * Federation/Re-use
     * KBA
     * Out-of-band AuthN
     * Go Beyond Passwords
     * M2M