HIE of One

Last updated

HIE of One is a free software project that develops tools for patients to manage their own health records. [1] HIE stands for Health Information Exchange, an electronic network for sharing health information across different organizations, hospitals, providers, and patients. It is one of a growing number of tools for encrypted data exchange within the healthcare sector. [2]

Contents

Journalist Doc Searls claims that a major structural problem with health care in the United States is that it is paid for by insurance companies and not patients, robbing patients of the power they would normally have as customers in a free market. Searls writes: “The best approach I have seen so far to this challenge is HIE of One, a project of two MDs, Adrian Gropper and Michael Chen.” [3] He notes that HIE of One provides a patient-centered toolkit built around open source software and open data exchange standards. [3] Prof. Phillip Windley, former Chief Information Officer of the State of Utah, noted the positive impact that HIE of One could have on privacy and consent. [4]

A proposal [5] for using HIE of One in conjunction with blockchain technology, was reviewed by the US Office of the National Coordinator (ONC), which awarded it for being innovative, viable, and significant. [6]

The project rests on the premise that patients should authorize the sharing of their health data, instead of leaving these decisions up to hospitals and other healthcare providers who offer generic and opaque disclosure forms. The elements of sharing health data can be broken down into storage, authorization, and transmission. HIE of One has decentralization solutions for each of these elements and provides an open platform on which far more capabilities can be built, such as decision support, analytics, public health efforts, and coordinated health care.

Background and name

For most of their medical histories, doctors shared minimal information about patients. Before the computer age, a doctor might have a phone conversation with a specialist before sending over a patient or send a few pages of a Continuity of Care Document (CCD) to the next healthcare provider or nursing facility. Many important aspects of treatment were dropped along the way, leading to suboptimal outcomes and duplication of work.

The advent of electronic records theoretically enabled much better care coordination, and the field of health information exchange (HIE) grew up around electronic records. Data sharing currently revolves around large, expensive organizations called Health Information Exchanges and industry-led efforts such as CommonWell. However, such data exchanges have made slow progress, as found in a literature survey by the Agency for Healthcare Research and Quality. [7] Studies cited by that survey found the HIEs hard to use. An official 2016 government study [8] found uneven progress, with a few states succeeding and many lagging.

HIE of One, in contrast, dispenses with these middlemen by allowing each patient to direct the data flow using an automated policy-driven authorization server. Data sharing is carried out through protocols run by the patient and the people to whom she wishes to grant access (doctors, clinical researchers, family members, etc.).

OpenID HEART project developed the protocols forming the basis of HIE of One. HEART grew out of a pair of meetings at the MIT Media Lab in 2014 designed to charter work on adding a healthcare-specific authorization layer to a RESTful API. Once the scope and charter were defined, the workgroup began under the rules of the OpenID Foundation, with industry and government representatives as co-chairs.

Storage

HIE of One's success relies on moving patient data sharing from doctors' offices to patient authorization servers. Most patients use cloud computing for robust data backup and security. However, authorization servers can also be on a stand-alone computer or dedicated appliance at the patient's home, such as a FreedomBox.

Authorization

Patient control over access to her own data is the central goal of HIE of One, so authorization is the key feature. HIE of One employs standard technologies, including the OpenID OAuth and OpenID Connect standards, and User-Managed Access (UMA) from the Kantara Initiative.

Both the patient and the person requesting access to the data authenticate and provide an identity. The patient delegates control over personal data held by a hospital system or other resource server using a typical OAuth flow. [9] The requesting party authenticates and provides identity claims to the HIE of One authorization server specified by the patient. The HIE of the One authorization server can accept direct login (username/password or multi-factor), federated identity, and even self-sovereign identity. [5]

Transmission

HIE of One theoretically can use any RESTful (Representational state transfer) standard available for data transmission, as long as it is controlled by a supported authorization standard such as OAuth2. Fast Healthcare Interoperability Resources (FHIR) is emerging as the healthcare industry's choice for formatting data and transmitting it over the Web.

Related Research Articles

Medical privacy, or health privacy, is the practice of maintaining the security and confidentiality of patient records. It involves both the conversational discretion of health care providers and the security of medical records. The terms can also refer to the physical privacy of patients from other patients and providers while in a medical facility, and to modesty in medical settings. Modern concerns include the degree of disclosure to insurance companies, employers, and other third parties. The advent of electronic medical records (EMR) and patient care management systems (PCMS) have raised new concerns about privacy, balanced with efforts to reduce duplication of services and medical errors.

Health Level Seven, abbreviated to HL7, is a range of global standards for the transfer of clinical and administrative health data between applications with the aim to improve patient outcomes and health system performance. The HL7 standards focus on the application layer, which is "layer 7" in the Open Systems Interconnection model. The standards are produced by Health Level Seven International, an international standards organization, and are adopted by other standards issuing bodies such as American National Standards Institute and International Organization for Standardization. There are a range of primary standards that are commonly used across the industry, as well as secondary standards which are less frequently adopted.

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

Identity management (IdM), also known as identity and access management, is a framework of policies and technologies to ensure that the right users have the appropriate access to technology resources. IdM systems fall under the overarching umbrellas of IT security and data management. Identity and access management systems not only identify, authenticate, and control access for individuals who will be utilizing IT resources but also the hardware and applications employees need to access.

<span class="mw-page-title-main">Electronic health record</span> Digital collection of patient and population electronically stored health information

An electronic health record (EHR) is the systematized collection of patient and population electronically stored health information in a digital format. These records can be shared across different health care settings. Records are shared through network-connected, enterprise-wide information systems or other information networks and exchanges. EHRs may include a range of data, including demographics, medical history, medication and allergies, immunization status, laboratory test results, radiology images, vital signs, personal statistics like age and weight, and billing information.

<span class="mw-page-title-main">OpenID</span> Open and decentralized authentication protocol standard

OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation. It allows users to be authenticated by co-operating sites using a third-party identity provider (IDP) service, eliminating the need for webmasters to provide their own ad hoc login systems, and allowing users to log in to multiple unrelated websites without having to have a separate identity and password for each. Users create accounts by selecting an OpenID identity provider, and then use those accounts to sign on to any website that accepts OpenID authentication. Several large organizations either issue or accept OpenIDs on their websites.

Health technology is defined by the World Health Organization as the "application of organized knowledge and skills in the form of devices, medicines, vaccines, procedures, and systems developed to solve a health problem and improve quality of lives". This includes pharmaceuticals, devices, procedures, and organizational systems used in the healthcare industry, as well as computer-supported information systems. In the United States, these technologies involve standardized physical objects, as well as traditional and designed social means and methods to treat or care for patients.

Health information exchange (HIE) is the mobilization of health care information electronically across organizations within a region, community or hospital system. Participants in data exchange are called in the aggregate Health Information Networks (HIN). In practice, the term HIE may also refer to the health information organization (HIO) that facilitates the exchange.

A Regional Health Information Organization, also called a Health Information Exchange Organization, is a multistakeholder organization created to facilitate a health information exchange (HIE) – the transfer of healthcare information electronically across organizations – among stakeholders of that region's healthcare system. The ultimate objective is to improve the safety, quality, and efficiency of healthcare as well as access to healthcare through the efficient application of health information technology. RHIOs are also intended to support secondary use of clinical data for research as well as institution/provider quality assessment and improvement. RHIO stakeholders include smaller clinics, hospitals, medical societies, major employers and payers.

The eHealth Exchange, formerly known as the Nationwide Health Information Network, is an initiative for the exchange of healthcare information. It was developed under the auspices of the U.S. Office of the National Coordinator for Health Information Technology (ONC), and now managed by a non-profit industry coalition called Sequoia Project. The exchange is a web-services based series of specifications designed to securely exchange healthcare related data. The NwHIN is related to the Direct Project which uses a secure email-based approach. One of the latest goals is to increase the amount of onboarding information about the NwHIN to prospective vendors of health care systems.

OAuth is an open standard for access delegation, commonly used as a way for internet users to grant websites or applications access to their information on other websites but without giving them the passwords. This mechanism is used by companies such as Amazon, Google, Meta Platforms, Microsoft, and Twitter to permit users to share information about their accounts with third-party applications or websites.

The Office of the National Coordinator for Health Information Technology (ONC) is a staff division of the Office of the Secretary, within the U.S. Department of Health and Human Services. ONC leads national health IT efforts. It is charged as the principal federal entity to coordinate nationwide efforts to implement the use of advanced health information technology and the electronic exchange of health information.

<span class="mw-page-title-main">VistA</span> Health information system

The Veterans Health Information Systems and Technology Architecture (VISTA) is the system of record for the clinical, administrative and financial operations of the Veterans Health Administration VISTA consists of over 180 clinical, financial, and administrative applications integrated within a single shared lifelong database (figure 1).

InterSystems Corporation is a privately held vendor of software systems and technology for high-performance database management, rapid application development, integration, and healthcare information systems. The vendor's products include InterSystems IRIS Data Platform, Caché Database Management System, the InterSystems Ensemble integration platform, the HealthShare healthcare informatics platform and TrakCare healthcare information system, which is sold outside the United States.

An identity provider is a system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications within a federation or distributed network.

User-Managed Access (UMA) is an OAuth-based access management protocol standard for party-to-party authorization. Version 1.0 of the standard was approved by the Kantara Initiative on March 23, 2015.

The Fast Healthcare Interoperability Resources standard is a set of rules and specifications for exchanging electronic health care data. It is designed to be flexible and adaptable, so that it can be used in a wide range of settings and with different health care information systems. The goal of FHIR is to enable the seamless and secure exchange of health care information, so that patients can receive the best possible care. The standard describes data formats and elements and an application programming interface (API) for exchanging electronic health records (EHR). The standard was created by the Health Level Seven International (HL7) health-care standards organization.

<span class="mw-page-title-main">Medical image sharing</span> Electronic exchange of medical images

Medical image sharing is the electronic exchange of medical images between hospitals, physicians and patients. Rather than using traditional media, such as a CD or DVD, and either shipping it out or having patients carry it with them, technology now allows for the sharing of these images using the cloud. The primary format for images is DICOM. Typically, non-image data such as reports may be attached in standard formats like PDF during the sending process. Additionally, there are standards in the industry, such as IHE Cross Enterprise Document Sharing for Imaging (XDS-I), for managing the sharing of documents between healthcare enterprises. A typical architecture involved in setup is a locally installed server, which sits behind the firewall, allowing secure transmissions with outside facilities. In 2009, the Radiological Society of North America launched the "Image Share" project, with the goal of giving patients control of their imaging histories by allowing them to manage these records as they would online banking or shopping.

InterSystems HealthShare is a comprehensive healthcare informatics platform designed to serve hospitals, Integrated Delivery Networks (IDNs), and regional and national Health Information Exchanges (HIEs).

References

  1. Center for Democracy & Technology staff. "Patient-Managed Health Information Exchange: An HIE of One". Center for Democracy & Technology (CDT). Retrieved 27 November 2016.
  2. Conn, Joseph (2016-11-05). "Could blockchain help cure health IT's security woes?". Modern Healthcare Magazine. No. 2016–11–05. Crain Communications. Retrieved 27 November 2016.
  3. 1 2 Searls, Doc (2016-11-09). "Consumers can't help health care. Customers can". Doc Searls Weblog (Harvard Berkman Center). Retrieved 27 November 2016.
  4. Windley, Phillip (2016-11-14). "Sovrin Use Cases: Healthcare". Technometria. Retrieved 27 November 2016.
  5. 1 2 Gropper, Adrian. "Powering the Physician-Patient Relationship with HIE of One Blockchain Health IT" (PDF). HealthIT.gov. U.S. Department of Health and Human Services. Retrieved 27 November 2016.
  6. Office of the National Coordinator for Health Information Technology (2016-09-01). "ONC announces Blockchain challenge winners". HHS.gov. HHS.gov U.S. Department of Health & Human Services. Retrieved 27 November 2016.
  7. Hersh; et al. (December 2015). "Health Information Exchange". Evidence Report/Technology Assessment. 220 (15(16)–E002–EF).
  8. Dullabh; et al. (March 2016). "EVALUATION OF THE STATE HIE COOPERATIVE AGREEMENT PROGRAM" (PDF). HealthIT.gov. NORC at the University of Chicago. Retrieved 27 November 2016.
  9. Hardt, D., Ed. (October 2012). Hardt, D (ed.). "The OAuth 2.0 Authorization Framework". RFC 6749 . Internet Engineering Task Force (IETF). doi:10.17487/RFC6749 . Retrieved 27 November 2016.{{cite journal}}: CS1 maint: multiple names: authors list (link)