On 4/09/2014, AHRQ released the
The JASON Report
3. The report suggests that all data be encrypted at rest and in motion. Meaningful Use already requires encryption of data in motion. HIPAA requires compensating controls for data at rest, one of which is encryption of client devices.
4. The report describes separation of key management from data management. The Direct protocol, which is a required part of Meaningful Use Stage 2, implements certificate management to ensure security and data integrity from point of data origin to point of use. The report describes highly granular consent, enforced with certificates. That principle is similar to the S&I framework Data Segmentation for Privacy work, which has been codified in HL7 standards.
5. The report notes that data should be surrounded with corresponding metadata, context, and provenance information. EHRs typically include time/date stamps, authorship information, and other contextual information with most transactions, so the suggestion is reasonable.
6. The report suggests that EHR data be represented as discrete data elements (atomic data) with associated metadata. The Meaningful Use Common Data set for Stage 2 already requires that.
7. The report recommends adoption of the “robustness principle”: be liberal in what you accept and conservative in what you send. The 2015 Notice of Proposed Rulemaking suggests that certification in 2015 include testing of that principle.
8. The report identifies a need to support clinical trials and clinical research while also protecting patient privacy. The I2B2 project, which has been further generalized by the ONC QueryHealth project, is a good start.
My implementation suggestions for ONC and the Standards Committee to implement JASON recommendations are summarized as
1. Evolve CCDA transition of care documents to FHIR
2. Replace Direct with a RESTful approach for “pushing” records
3. Adopt a query/response RESTful approach for “pulling” records
4. Adopt a simple HL7 2.x admit/discharge/transfer message that records patient consent preferences for disclosing data from an institution
5. Adopt I2B2 to support a learning healthcare system
I want to thank the JASON group for re-emphasizing the importance of the trajectory we’re already on, identifying milestones for success we can use to evaluate our progress.
