Moving Health Data Forward Challenge
Lead Team Members
Resilient Network Systems
Summary of Proposal
This proposal will use the HEART implementation specifications to create a solution that gives consumers the ability to conveniently access and share their own health records on demand, on a national scale. The prototype will incorporate the complete suite of HEART profiles, and will demonstrate a unique nationwide capability for consumers to conveniently verify their identity, locate and electronically request their records, and deliver them to a secure cloud-based personal storage service. The patient record queries will incorporate digitally signed patient record requests that satisfy the requirements for triggering the HIPAA patient mandate.
Each participant brings a robust set of complementary capabilities that, when combined, overcomes each of the key barriers to low-friction patient-directed health record access. Resilient has successfully deployed OpenID Connect and OAuth 2.0 in production deployments, and developed a low-friction and robust cross-organizational access management and policy enforcement model. WebShield has developed a privacy network and unified trust model that makes it possible to pool, link and analyze privacy sensitive, regulated and proprietary data from disparate parties that don’t agree upon policies or trust each other. This in turn makes it possible to authenticate and verify the identities of consumers on a national scale, locate and match records about them from disparate sources, and accurately link disparate sources of data and the online user – all without jeopardizing their privacy. This is being rolled out on national scale with the support of several national healthcare payers, pharma, technology vendors and identity providers.
This unique nationwide privacy preserving identity verification and record linking capability will be integrated with the digital identity and digital signature capabilities of SAFE-BioPharma Association to enable a legally robust mechanism capable of satisfying the diverse regulatory requirements in healthcare. It will also incorporate the healthcare data interoperability, querying, and messaging capabilities of InterSystems HealthShare, and the HIPAA compliant patient-directed record storage, access and sharing capabilities of Carebox, and support for UMA (User Managed Access).
The team offers proven and robust capabilities in their respective domains. Carebox is an active member of NATE (National Associate for Trusted Exchange) and part of the NATE Blue Button for Consumers (NBB4C) Direct Messaging trust bundle that makes it easy for any doctor or hospital with a Certified Electronic Health Record (CEHRT) that meets the US Government requirements of “Meaningful Use” to send anyone their clinical summary, discharge summary, and other medical records directly into Carebox. Carebox has deployed patient-centered exchange solutions as a FHIR Server and FHIR client, incorporating user-managed access design patterns based on OAuth 2.0.
The most unique and compelling aspect of this demonstration is that it offers a comprehensive approach that promises to overcome all of the barriers to information sharing that still inhibit data liquidity even after the latest interoperability standards have been widely adopted. The fundamental barrier to sharing is the lack of a mutually trusted way for disparate organizations and systems to agree when the are talking about the same person, and the resulting inability of the consumer to enforce their legal right to access and share their own health records. This system was designed from the ground up to consider all factors that drive or inhibit data sharing, including but not limited to privacy, security, discoverability, regulatory compliance, technical compatibility and enforcement of commercial terms. The collaboration presented here of healthcare providers, technology vendors, and security and privacy experts has been incubating for years and is ready for rollout to patients in the next 3-6 months. This Challenge could be an excellent vehicle to showcase its potential to improve health data sharing and to promote the HEART standards.
Resilient Access™ is a network-centric real-time workflow engine that interrogates multiple internal/external authoritative sources (e.g., identities, attributes, multifactor authorizations, entitlements, biometrics, roles, access privileges, environmental contexts, etc.) to establish a level of trust between two parties to resolve the requesting user’s access rights based on the defined policies of each involved party. Privacy and confidentiality is maintained to whatever level is desired.
For the critical identity syndication and regulatory compliance steps, the solution will utilize Webshield’s Privacy Network & Unified Trust Model in order to overcome legal, regulatory and commercial barriers to access a diverse network existing nationwide identity and data sources capable of authoritatively verifying patient identities and discovering and matching patient records.
SAFE-BioPharma ® will be digitally signing the patient record requests in order to assure a high standard of trust and security as data moves via the HEART protocols, and to ensure that the patient record requests can be trusted and relied upon by providers that receive them. Specifically, the solution will generate a digitally signed document (signed with the patient’s digital signature) that verifies not only the patient’s identity, but also their patient ID at the provider, their direct address, and the fact that they have requested that a copy of their health records be sent to their direct address.
This digitally signed document (including verified attributes from a FICAM-certified signing authority accepted by the FDA, DEA, EMA and the Federal PKI bridge) removes any reasonable uncertainty as to whether HIPAA covered entities (payers, providers, labs, pharmacies, etc.) are authorized and obligated to send the requested records in accordance with the patient’s request, pursuant to the HIPAA patient mandate.
In addition to delivering the digitally signed patient request, the solution will use InterSystems Healthshare to actually query patient records sources, transform the resulting response into standard interoperable formats, and then send the document as an encrypted Direct message to the specified Direct address.
Finally, the solution will utilize Carebox’s HIPAA-compliant cloud infrastructure to receive and store the patient records, support patient access, and to implement user managed access and sharing via Direct, FHIR, email and other sharing mechanisms
The target consumer population is open ended, with the ability to authenticate and verify on demand the identities of the vast majority of US residents. The eP3 Network (Empowering People with Privacy and Personalization) is a consortium of nonprofits, commercial vendors and individuals dedicated to empowering people with the ability to control who can access information about them, enable unprecedented personalization and process optimization, all rigorously protecting their privacy.
The launch of the eP3 Network and related ecosystem initiatives is being conducted in parallel and on a similar schedule for the Moving Health Data Forward Challenge, and offers numerous opportunities to demonstrate the ability of the HEART WG-based APIs to empower consumers with access to and control of their data in clinical research and personalized care management for payers, providers, pharma and in research settings.
The proposed solution will empower individuals with the ability to exercise their right under HIPAA to access and share protected health information about them, as specified in 45 CFR 164.524, “Access of individuals to protected health information”.
The key is the ability to tap into a diverse network of regulated and proprietary data sources to authoritatively verify the identity of an individual and authenticate them online on demand, and to locate and verify an accurate match with that person’s healthcare records stored in different systems that don’t necessarily have consistent identity attributes or patient IDs. This, combined with SAFE-BioPharma’s universally accepted FICAM-compliant identity credential and digital signature trust framework makes it possible for an individual to independently prove to record holders they are in fact the subject of their health records, and to properly document that a legitimate request has been received.
In addition, the solution will rely upon the HIPAA-compliant Carebox platform as the consumer records repository, using open standards such as FHIR, Direct Messaging, etc.
Lead Team Members
SAFE-BioPharma Association and SAFE-BioPharma Bridge CA (SBCA). SAFE-BioPharma Association (www.safe-biopharma.org) is the non-profit industry coalition responsible for the SAFE-BioPharma® digital identity and signature standard used in the global biopharmaceutical and healthcare sectors. The SAFE-BioPharma Bridge Certification Authority (SBCA) satisfies legal requirements for online trust in the US, the EU and elsewhere, and is accepted by the FDA, DEA and EMA, and is cross-certified with the US Federal PKI Bridge.
Resilient Network Systems is a privately held, venture-backed company based in San Francisco. Our expertise is solving complex multi-organizational access management problems with our distributed, network-based software. The engineering team that will complete this API service is the same team the executed the successful “Patient Centered Care” National Strategy for Trust Identity in Cyberspace - NSTIC grant in 2013-14.
WebShield Inc. is a privately held company that has pioneered the development and launch of the Privacy Network and Unified Trust Model, recruiting a broad-based ecosystem team made of dozens of partners and customers, including non-profit consortia, major national payers and pharma, global identity firms, technology vendors, etc. These organizations (many of whom are in the eP3 Network) are in the midst of a nationwide roll-out of the network.
InterSystems Corporation is the leading health data management and interoperability vendor, whose technology manages 67% of patient records in the US. It has over half a billion in annual revenues, and supports all the major data interoperability and messaging standards.
Carebox is a digital health company that makes it easier for patients to collect, organize, and re-use their clinical data from medical records that patients can access. Carebox partners with a range of healthcare, life sciences, and related organizations that want to make patient-centric healthcare data part of their solutions.Add paragraph text here.