201801 Consumer Centered Data Exchange
Track Name
Consumer Centered Data Exchange (CCDE)
Submitting WG/Project/Implementer Group
FHIR Project Director, in association with the National Association For Trusted Exchange (NATE)
Justification
The justification for this track is to continue to develop an understanding of what the main specification of the US core IG should say about enabling consumer-centric use cases. This will be the second CCDE connectathon. The inaugural connectathon spurred significant interest and participation in San Diego followed by voluminous post-connectathon discussion.
Key topics to continue to examine in relation to the Consent Resource and Scopes include opportunities to:
- Increase understanding of Scopes currently being deployed across data sources.
- Increase consumer’s trust by transparently conveying how their choices, driven by Scopes, may differ from what may be perceived in the language of an Authorization interface.
- Increase understanding of the impact of Scope variances across data sources on the applications that receive data from data sources when authorized to do so by the consumer.
- Increase understanding of how a Distribution Service utilizes the Consent Resource to evaluate permitted end-points to share data with.
At the first CCDE connectathon, participants predominantly focused on three architectures : Architecture (1) Consumer Access Use Case: using the OAuth pattern and RESTful API’s to transport released data to the app of the consumer’s choosing; Architecture (2) Consumer Initiated Exchange (Proxy) Use Case (“Set it and forget it”): capturing the consumer’s privacy preferences in a computable fashion via a FHIR Consent Resource, whereby in subsequent operations after consent was granted, “Scopes” are used to determine what to share; Architecture (3) extended the Consumer Initiated Exchange paradigm by employs a distribution service – such as an HIE – which, informed by the consumer’s direction given in a Consent Resource, drives the decision of which Provider Organizations known to the HIE data should be distributed.
Note that Scopes were integral to all of the transactions performed at the connectathon regardless of the architecture.
The Consumer Access via OAuth Use Case (architecture 1) coupled the app and flow used to capture the consumer’s authorizations such that data is only distributed to the consumer controlled. The Consumer Initiated Exchange Use Case (Architectures 2 & 3 – or aka ‘on-behalf-of-the consumer’) de-couples the capture of the consumer’s sharing preferences so to enable sharing with one or many Organization’s end-points (and subsequently 1 or many individuals within that Organization).
Regardless of the architecture employed the role of the scopes as defined by the data holder must be well understood by both the Consumer and the Application receiving the data.
In the OAuth use case consumers are presented with human readable descriptions of what they are authorizing be shared, either with their app or on their behalf by a Provider or an HIE. Since the Scopes are not directly accessible to the consumer and the match between what the Scope allows to be shared and the consumers perception of what it expects is being shared may be imperfect there is an emerging need to examine the gap that may exist between what Scopes are able to support and what consumer’s perceive they are authorizing in the OAuth (or similar) flows.
We will explore what the Gaps are and what – if anything – the FHIR specification may have to say about addressing them. We aim to understand at a minimum the various scenarios where there are no Gaps (when a consumer authorizes a data holder to share all of their data with a consumer controlled app of their choice is there any gaps between what the consumer might expect and what the Scopes may actually be able to deliver?) and explore what if anything can be done to alert the consumer to these gaps in the cases when they do exist (if a security labeling mechanism is used to mark sensitive data but it is known to the implementer that in some cases there are risks of Type I and Type II errors how can this be conveyed to the consumer in a standard way?). Would a standard set of Scopes and standard consumer facing language that speaks to these potential gaps benefit the community and consumers in understanding the potential risks?
From the perspective of app Developers that receive data, it would be beneficial if standard Scopes were employed across data sources as well. As Scopes vary across data sources the burden on app developers increases – separate methods of ingestion must be built for each unique Scope in order to properly handle receipt of the data being shared. If complex Scopes vary in the mechanisms by which they attempt to satisfy Consumer’s preferences the impact on App Developer burden may increase as well.
Finally, when a consumer is directing an entity to share on their behalf they are required to designate which end-points they are authorizing to receive their data. Unlike in the consumer access use case (Architecture 1) where there is only one end-point that data is shared with (the consumer controlled app) both Architecture 2 and Architecture 3 may require the consumer to indicate which end-points they are permitting data to be shared with.
As more implementations that support this kind of multi-end-point sharing on behalf of a consumer are developed a better understanding of how existing standards may need to be enhanced or defined is required.
Relevant background
Prior Connectathon track 201709 Consumer Centered Data Exchange
- HL7 blog - HL7 FHIR Connectathon 16: Patient Consent Forms: Redundant in the world of OAuth2? Part 1 of 2
- HL7 blog - HL7 FHIR Connectathon 16: Patient Consent Forms: Redundant in the world of OAuth2? Part 2 of 2
- John Moehrke blog - Remedial FHIR Consent Enforcement - note this is a different model than this track is following, but was used for alternative track.
- Grahame/Josh blog - Sharing Information with a Patient Case Manager
email discussion list
- mailto privacyconsent@lists.hl7.org
- archive of discussion
- signup at http://www.hl7.org/myhl7/managelistservs.cfm
- You do not need to be an HL7 member to signup for mailing lists
Proposed Track Leads
Aaron Seib and John Moerhke
Expected participants
- NATE
- John Moehrke (HL7 Security co-chair) SME on FHIR Consent
- http://test.fhir.org/r3
- HSS IDEA Lab Authors of the POET specification Mark Scrimshire & Alan Viars
(others: email aaron.seib@nate-trust.org if you are interested in getting involved)
Architectures
All three Architectures involve the following Actors:
Consumer - Gives ceremony instantiating authorization rules for an end-point (Consumer Controlled App in the case of the Consumer Access scenario); designated end-points in the Consumer Initiated Use Case) access to the resource service managed data [Patient who provides their privacy preferences - via the OAuth interaction in the Consumer Access scenario; via the Consent Service in the Consumer Initiated scenario]
Authorization Service (AuthZ) - makes authorization decisions on how an end-point access to specific data at specific Resource Service(s) according to rules (Privacy Preferences indicated by the Consumer)
Resource Service - holds data that is controlled by Consumer's Privacy Preferences (Such as an EMR, an HIE or a Payer)
End-point - the "Application" (including a Consumer App; a 3rd Party end-point indicated by the Consumer such as their PCP's EMR or their Payer's care management team; a Research Repository; etc.) that is given rights to access data on a Resource Service at the direction of the Patient.
The Consumer Initiated Scenario involves the Consent Service actor.
Consent Capture (CC) - a stand alone Service that captures the privacy preferences of the Consumer (which performs a similar function to the SMART OAuth interaction where the consumer indicates their privacy preferences interactively with the Authorization Service)
Architecture 1) Consumer Access via OAuth
- A consumer, such as a medicare beneficiary, wishes to authorize the sharing of their health information from a Data Provider, such as CMS, with a consumer controlled app of their choice. The Data Provider wishes to capture audit information to be able to report a complete accounting of disclosure for the consumer.
- Action: Consumer Authorizes the sharing of their Health Information with an App of their choice using the SMART OAuth pattern to authenticate
- Precondition: Consumer App is registered with the disclosing system (any FHIR based system that holds PHI about the consumer such as an EMR or Payer)
- Success Criteria: Without any special effort of the part of the consumer the disclosing system retains all required information to satisfy regulatory and audit requirements
- Bonus point: Being able to handle a consumer's rescinding of their authorization to disclose
Description of Transactions
- 0 – Ceremony where Patient gives rules they want enforced (OAuth Ceremony where Consumer interacts with OAuth flow to convey their sharing preferences)
- 0’ – Saving of rules into FHIR Consent resource (may be optional in Architecture a? Where is audit trail captured?)
- 1 – Request by App for authorization to access specific data (scope) at Resource Service (target) resulting in an authorization (token+scope)
- 2 – Request by App for access to data given the token+scope received in 1
Anchor Connectathon Participant: CMS Blue Button API Team
Architecture 2) Consumer Initiated Exchange - sharing 'on behalf of'
- A consumer, such as a patient being treated by a Provider that belongs to a Hospital, wishes to authorize the Hospital to share their health information with other providers attributed to them in the Hospital. Data is shared, on-behalf of the consumer, among the authorized providers at the network without the consumer necessarily receiving a copy of the record themselves. The Hospital wishes to capture audit information to be able to report a complete accounting of disclosure for the consumer.
- Action: Via a user friendly interface a consumer captures their privacy preferences in a computable way
- Precondition: Data holders are subscribed to the services that enable the capture of the consumer's privacy preferences and can electronically share with end-points indicated by the consumer.
- Success Criteria: The designated recipient that the data holder is disclosing to on behalf of the consumer receive all data except that which the consumer's privacy preferences indicate should not be shared it.
- Bonus point: Demonstrate how the solution set will allow the recreation of the consumer's privacy preferences at any point in time in the past following one or more changes in preference settings.
Description of Transactions
- 0 – Ceremony where Consumer interacts with the Consent Service to convey their sharing preferences
- 0’ – Saving of rules into FHIR Consent resource
- 1’ – Authorization service uses rules from FHIR Consent resource
- 1 – Request by App for authorization to access specific data (scope) at Resource Service (target) resulting in an authorization (token+scope)
- 2 – Request by App for access to data given token+scope
Architecture 3) Consumer Initiated Exchange with Distribution Service
- A consumer, such as a patient being treated by a Provider that belongs to an HIE, wishes to authorize the HIE to share their health information with other providers attributed to them in the HIE. Data is shared, on-behalf of the consumer, between the providers on the network without the consumer necessarily receiving a copy of the record themselves. The HIE wishes to capture audit information to be able to report a complete accounting of disclosure for the consumer.
- Action: Via a user friendly interface a consumer captures their privacy preferences in a computable way
- Precondition: Data holders are subscribed to the services that enable the capture of the consumer's privacy preferences and can electronically share with end-points indicated by the consumer.
- Success Criteria: The designated recipient that the data holder is disclosing to on behalf of the consumer receive all data except that which the consumer's privacy preferences indicate should not be shared it.
- Bonus point: Demonstrate how the solution set will allow the recreation of the consumer's privacy preferences at any point in time in the past following one or more changes in preference settings.
Description of Transactions
- 0 – Ceremony where Consumer interacts with the Consent Service to convey their sharing preferences
- 0’ – Saving of rules FHIR via Questionnaire\Questionnaire Response into Consent Resource and others (*)
- 1’ – Authorization service uses rules from FHIR Consent resource
- 1 – Request by App for authorization to access specific data (scope) at Resource Service (target) resulting in an authorization (token+scope)
- 2 – Request by App for access to data given token+scope
(*) The provider/organizations/actors that the consumer is authorizing sharing with captured in the consent resource. The Questionnaire and QuestionnaireResponse resources hold all the other data.
Bundle {
Consent (Defines the Actors, Providers, Orgs, etc for whom the patient is giving consent to) Questionnaire (Defines the Questions) QuestionnaireResponse (Captures the Question Answers) }
Considerations regarding Commonality of Scopes regardless of Architecture
Although both of the architectures were developed independently with the intent of enabling different objectives both rely on the implementation of clearly defined Scopes.
To date Scopes have been developed independently as driven by the specific project's needs.
From the perspective of a developer, it is important that the behavior of a Scope is known regardless of the architecture as it impacts the requirements of how the application must be developed.
If every data source developed Scopes unique to them an App Developer would have to modify their application to account for the differences among data sources.
It is an objective of this track to ascertain the degree to which a standard set of scopes may be defined and the impact on the underlying standards with regards to differences among Data Source Type (are different scopes required among Payer and Provider systems - are any scopes common among the two?) and to begin the process of expounding on what those scopes may entail based on those being used by participants.
Similarly - with regards to population of the Consent Resource we intend to explore differences if any in how this resource is populated depending on the Architecture being employed.
Prioritization regarding track focus on Consent Resource v. OAuth Scope
FHIR Consent resource exists, and FHIR has Profiling capability
- *Profiling of existing FHIR Consent is possible
- *Profiling of FHIR Consent helps with those that have needs for creating rules, and patterns of rules
- *Profiling of FHIR Consent ties the CC and AuthZ actors in a way that assures that a Consent that is captured can be enforced. And prevents giving the patient a perception that they can have rules that can’t be enforced.
Oauth scope transactions (1, 2) are required regardless of architecture
- *Current SMART scopes are only sufficient for PERMIT/DENY
- *Any quilted consent requires more capable Oauth scopes
Many multiples more Endpoints and Resource Svrs exist than CC.
- *Endpoints and Resource Svrs would be developed to interact in many architectures.
- *CC and AuthZ would be paired and specific to policies (patterns) and expectations
Architecture (a) simply groups CC + AuthZ into one system, and thus is not constrained to the complexity or fidelity of the Consent Resource.