Back to: CBCC Main Page > CBCC Use Cases

See also: Glossary of Consent Terms for defintion of acronyms and terms.

Introduction

The following use cases describe requirements for the creation and use of consent directives.

Use Cases

Grant for Protected Health Information to Consumer

Pre-condition

The right/license to control one's medical information is assigned by jurisdiction to the Patient.

Basic Scenario

Based on the current regulation, the Jurisdictional Authority assigns the right to control personal health information to the Patient who is its subject or to their designated Substitute Decision Maker (SDM) that acts on behalf of the Patient.

Actors

See also: Actor definitions

• Jurisdictional Authority
• Patient
• Substitute Decision Maker(SDM)

Consenter Manages Consent Directives

This use case assumes that the Consenter has access to a CDMS through some type of portal (e.g. web) and manages consent directive rules intended to be shared with a variety of providers, payers, etc.

Pre-condition

Basic Scenario

Consenter uses the portal provided by the CDMS to set the privacy consent directives for their medical record information. By default, the CDMS will include the protection specified by CFR 42, Part 2. The user will not be able to disable the directives derived from CFR 42, Part 2 for Alcohol and Substance Abuse information.

Actors

See also: Actor definitions

• Consenter
• Consent Directives Management Service (CDMS)

Provider Requests Consent Directives for a Patient

Basic Scenario

• The Consenter supplies the Provider with a reference to the consent directives already specified by the patient and maintained by the patient's CDMS.
  • Implementation Note: The reference may be a URL that references a set of user-readable rules and computer-readable consent directive rules.
• The Provider retrieves the consent directives and compares them with the privacy consent directives currently supported in the organization.
• If the local consent directive rules contradict the local rules, the Consumer has the option to decline the medical services. Otherwise, the Consumer agrees with the local consent directive rules.

Post-condition

The Provider's Information System stores a copy of the Consumer's Consent Directives.

Actors

See also: Actor definitions

• Provider
• Provider's EMR System (EMRS)
• Consent Directives Management Service (CDMS)

Provider Looks up Protected Health Information (PHI)

When a healthcare provider looks up a patient's PHI, that patient's consent directives must be retrieved and used to filter the data before returning or displaying results to the provider.

Basic Scenario

• The Provider's EMRS uses the patient's identity to query the CDMS Registry and discover location of the patient's CDMS.
• Query the CDMS and retrieve the patient's consent directives.
• Merge patient's directives with organizational and jurisdictional consent rules.
• Query the PHI Repository to retreive patient's medical record.
• Use the consent directive rules to filter PHI, allowing only content appropriate for clinician involved in care, administration, and payment.

Alternate Flow

• There are no consent directives for the patient, or no registered CDMS.
• Apply only the organizational and jurisdictional consent rules.

Post-condition

The Provider's EMRS stores a copy of the patient's consent directives.

• Question: Is it required that EMRS queries CDMS for current consent rules upon each new clinician session?

Actors

See also: Actor definitions

• Provider's EMR System (EMRS)
• CDMS Registry
• Consent Directives Management Service (CDMS)
• PHI Repository

Consent Directives Filter Health Record Information

Filtering mechanisms and algorithms are required that apply consent directive rules to an individual's health record content. Consent directives may include restricted access filters that are applied to a category of health information (e.g., all HIV related information) or to a particular data element (e.g., filter all instances of a provider's name). A consent directive may also require that personally identified health information is "masked" to hide the patient's identity.

Pre-condition

• The patient has completed entry of consent directive rules.

Basic Scenario

Depending on whether the information is structured or unstructured, filtering may be applied at the record or document level, or on subsections. Structured information, which is encoded data, can be filtered at the data element level. Unstructured information, which is unencoded data that may be transmitted, e.g., as an image or bit map, can only be filtered at the document or document section level.

Actors

See also: Actor definitions

• Consent Directives Management Service (CDMS)
• Consent Requestor

Flag Filtered Health Record Information

If Consenter decides to restrict certain information, he may have the option of deciding whether to permit PHI Repository to send a flag to an authorized party alerting the Consent Requestor that restricted information is available upon Consenter's approval or by "breaking the glass" in an emergency. "Breaking the glass" occurs when a provider who is authorized by organizational policy or jurisdictional law overrides a consent directive.

Pre-condition

• The Consumer has completed entry of consent directive rules.

Basic Scenario

Authorize a specified type of provider to access all restricted health information, and to receive a flag that restricted information may be accessed, following Consenter's approval. A provider's use of restricted information is limited to read-only for a specified time period, after which the consent approval will expire.

Actors

See also: Actor definitions

• Consenter
• Consent Requestor
• Consent Directives Management Service (CDMS)
• PHI Repository