FHIR-30867

Purpose of use for a Direct Query must be conveyed in some manner.


Details

    • Type: Change Request
    • Resolution: Persuasive with Modification
    • Priority: Highest
    • Specification: US Da Vinci CDex (FHIR)
    • Raised in Version: current
    • Work Group: Patient Care
    • Related Artifact(s): Specification [deprecated]
    • Related Section: 8.2.1
    • Resolution Description:

      Change to:

      Purpose of Use: In some cases, it may be important to transmit the Purpose of Use when soliciting data.  Specifically, if the "purpose of use" differs from the 'default' purpose of use for that data consuming system (generally 'payment and operations' for payers and 'treatment' for providers), the data source needs to be able to make decisions about whether to provide the information at all or whether/how to filter the information.

      When using the Task mechanism to solicit information, the purpose of use can be conveyed in Task.reason.  When using standard RESTful queries, such information cannot be conveyed directly in the query.  There is work in progress ([link to SMART fine-grained access project]) on standardizing how purpose of use can be conveyed using OAuth.  Once a suitable approach has been agreed upon and published, it will be referenced in a future version of this guide.  In the interim, implementers should consult with their compliance department to determine what requirements exist and how best to satisfy them, whether with in-band or out-of-band communications.
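As an added illustration (not part of this issue or of the CDex guide), the following shows how a data source could read the purpose of use carried on a Task and decide between full disclosure, minimum-necessary filtering, and refusal, falling back to the default purpose for the requester type named in the resolution above. The v3 ActReason codes TREAT/HPAYMT/HOPERAT and the element names Task.reasonCode (R4) / Task.reason (R5) are assumptions, not taken from the page.

```python
"""Added example: read the purpose of use from a FHIR Task and decide whether a
data source answers in full, with minimum-necessary filtering, or not at all."""
import json
from typing import Optional

# Assumption: purpose of use is coded with HL7 v3 ActReason codes; the page
# names only the concepts (treatment, payment, operations), not the codes.
ACT_REASON = "http://terminology.hl7.org/CodeSystem/v3-ActReason"
FULL_DISCLOSURE = {"TREAT"}                # treatment: no minimum-necessary limit
MINIMUM_NECESSARY = {"HPAYMT", "HOPERAT"}  # payment, healthcare operations
# Default purpose per requester type, as stated in the resolution text.
DEFAULT_PURPOSE = {"payer": "HOPERAT", "provider": "TREAT"}


def purpose_from_task(task: dict) -> Optional[str]:
    """First ActReason code on the Task, or None. Assumption: R4 carries it
    in Task.reasonCode (one CodeableConcept), R5 in Task.reason (a list)."""
    reasons = task.get("reasonCode") or task.get("reason") or []
    if isinstance(reasons, dict):                # R4: single CodeableConcept
        reasons = [reasons]
    for reason in reasons:
        concept = reason.get("concept", reason)  # R5 CodeableReference wraps it
        for coding in concept.get("coding", []):
            if coding.get("system") == ACT_REASON and "code" in coding:
                return coding["code"]
    return None


def disclosure_decision(task: dict, requester_type: str) -> dict:
    """An explicit purpose on the Task wins; otherwise use the requester
    type's default. Unknown codes are denied pending compliance review."""
    purpose, source = purpose_from_task(task), "task"
    if purpose is None:
        purpose, source = DEFAULT_PURPOSE[requester_type], "default"
    if purpose in FULL_DISCLOSURE:
        action = "full"
    elif purpose in MINIMUM_NECESSARY:
        action = "minimum-necessary"
    else:
        action = "deny"
    return {"purpose": purpose, "source": source, "action": action}


# Constructed sample: a payer's Task soliciting data for payment purposes.
SAMPLE_TASK = json.loads("""{
  "resourceType": "Task", "status": "requested", "intent": "order",
  "reasonCode": {"coding": [{"system":
    "http://terminology.hl7.org/CodeSystem/v3-ActReason", "code": "HPAYMT"}]}
}""")
```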

    • Vote: Eric Haas/Jay Lyle: 5-0-8
    • Change Category: Clarification
    • Change Impact: Non-substantive

    Description

      Purpose of use for a Direct Query, where the Payer directly queries the EHR for specific data using the standard FHIR RESTful search, must be limited to HIPAA Operations/Payment purposes of use. This signals to the provider system that only the minimum necessary information may be disclosed. Unlike the Treatment purpose of use, which does not require minimum necessary restrictions on the disclosure, for these queries, it must be made clear that the purpose of use is limited to Operations/Payment.

      Existing Wording:

      Purpose of Use: In some cases it may be important to transmit the Purpose of Use in the Authorization Framework (OAuth) when querying for data. The details of incorporating the reason for a query into OAuth is an area of active discussion. Once a suitable approach has been agreed upon and published, it will be referenced in a future version of this guide.

      Proposed Wording:

      The details of how to convey the level of confidentiality protection required to be afforded information being queried using OAuth are an area of active discussion.
      Once a suitable approach has been agreed upon and published, it will be referenced in a future version of this guide.
      Until that time, a CDex query requester should consult with legal counsel on how to convey the requester's intent to access confidential information by whatever means available, e.g., following the OASIS XSPA SAML IG, out-of-band communications, a trust agreement, or by pre-adopting the yet-to-be-balloted SMART Fine Grain Access approach for conveying confidentiality in conformance with the HL7 Privacy and Security Healthcare Classification System.

      (Comment 65 - imported by: Jean Duteau)

    People

      Assignee: Unassigned
      Reporter: Kathleen Connor (k.connor)