HL7_IG_DS4P_R1_CH1_CONTENT

Introduction: Data Segmentation for Privacy Implementation Guide

This Implementation Guide (IG) is about segmenting clinical records so that personally identifiable information (PII) can be appropriately shared as permitted by privacy policies or regulations. The idea is that patients are more likely to consent to sharing their sensitive PII, and providers are more likely to share their valuable business records, if both are given meaningful choices about who can see and use which data, and for what purpose. The privacy policies on which this IG is based do not explicitly address the clinical implications of giving patients control over the disclosure of their sensitive records. Standards development organizations such as HL7 do not weigh in on the appropriateness of a privacy policy; they develop technical infrastructure specifications.

As specified here, segmentation first requires adoption of a standard clinical document architecture, covering both the way data are laid out within a record and how data are encoded. Privacy policies are defined as limits on disclosure and use. These policies are translated into computerized rules, and these rules are then applied to each record and data element. Disclosure and use restrictions may originate from a patient, from a service provider, or from the jurisdictions where healthcare is delivered. Our goal is interoperability under a broad range of potential policy restrictions: we want to automate the adjudication of any policy differences transparently, and then to enforce the resulting composite policy during the exchange of records. The IG does not address the understanding, interpretation, or enforcement of privacy directives. In brief, this Implementation Guide shows how the privacy policies established at a record's source can be understood and enforced by the record's recipient.

Looking forward, the context for interoperability is likely to be a Health Information Exchange (HIE). Eventually, HIEs will be responsible for assuring that PII is appropriately shared and used for:

We expect that HIEs will use the privacy annotations and metadata specified in this IG to protect the exchanged information from unauthorized redisclosure.

US Realm Considerations

This IG is driven by the United States realm eHealth Exchange (formerly Network Health Information Exchange (NwHIN)) Authorization Framework specifications. Throughout, reference is made to this and other U.S.-centric eHealth Exchange specifications. It originated from, and is in response to, the U.S. Office of the National Coordinator for Health Information Technology (ONC) Standards and Interoperability (S&I) Framework, Data Segmentation for Privacy initiative. Furthermore, this specification draws upon and cites specific instances of U.S. law, such as 42 CFR Part 2 and 38 CFR Part 1. These specific references are intended to profile this IG for a specific set of users operating under realm-specific law and goals. Nothing in this IG is intended to prevent adoption or customization to meet the needs of other realms. In fact, this IG is intended to be an exemplar for other realms that may choose to adopt the data segmentation for privacy conformance criteria for their own use. In this regard, none of the selected standards involve U.S. realm profiles. In many cases, reference to U.S. realm law is for example only. In other cases, such as Facility codes invoking U.S. realm law, the sections have been clearly identified (or moved to a U.S. Realm specific policy section). The intent is to allow implementers to replace these U.S. realm specific sections with their own, to facilitate easy profiling of this IG for other realms. The only elements specific to the US realm are the business rules; the interoperability specifications in this Implementation Guide may be applicable in other realms.

This IG is based on artifacts and the findings of pilot implementations of the Data Segmentation for Privacy (DS4P) S&I Framework Initiative, specifically on the Use Cases developed by the stakeholder community. The pilot implementations of DS4P underwent inspection testing and demonstrated support for the user stories; therefore the project was deemed ready for its first Normative ballot in September 2013.

Content Introduction

This Implementation Guide is organized into three documents:
  • CDA R2 and Privacy Metadata Reusable Content Profile (HL7_IG_DS4P_R1_CH1_CONTENT) including document template, clinical statements templates, and reusable building blocks for the transport specifications. This document introduces the requirements and the technical approach to addressing unmet needs:
    • Introductory Material to specify the scope, approach, organization of the Implementation Guide, conventions, and other implementation guidance to the implementers. These are not testable or normative requirements but they are intended to inform the end-users of the IG on the use cases, technical requirements (including functional requirements), and best-practices related to data segmentation.
    • To represent specific privacy metadata, the HL7 DS4P IG introduces reusable privacy building blocks, described as UML classes in an implementation-neutral way. These building blocks are intended to be reused by current and future technology and transport bindings, as well as applied to CDA R2 and C-CDA documents. The privacy annotation building blocks describe how to constrain the underlying document sharing and transport specification so that Segmented Documents are exchanged in a way consistent with the requirements of the S&I Framework Initiative DS4P project. This part of the Implementation Guide enables the association of an information object (e.g. document, section, entry) with security labels, which can be linked to privacy policies. This specification does not require fine-grained (e.g. section-level or entry-level) data tagging, but supports that capability where appropriate. Similarly, the guide supports the requirement to specify the provenance of clinical data contained in the structured content of a clinical document (i.e. at section level or entry level).
    • Using CDA Templates, the HL7 DS4P IG enables the association of an information object (e.g. document, section, entry) with security labels, which can be linked to privacy policies. This specification does not require fine-grained (e.g. section-level or entry-level) data tagging, but supports that capability where appropriate. Similarly, the IG supports the requirement to specify the provenance of clinical data contained in the structured content of a clinical document (i.e. at section level or entry level).
  • Two Transport Profiles containing transport-specific constraints based on the reusable building blocks. The project constraints represented in the reusable building blocks are applied to the transport-specific metadata (e.g. Document Sharing Metadata/XDS Metadata, or the XDM Metadata used by Direct) intended for implementation (e.g. SOAP, NwHIN Direct, REST). Currently two transport specification profiles are available to implementers.