Difference between revisions of "PHI"

Revision as of 15:54, 3 August 2021

Full Title or Meme

• As defined in FHIR Protected Health Information (PHI) must be protected by Secure Node interchanges.
• Note that in some documents this is called Personally Identifiable Healthcare Information or Electronic Health Information(EHI).

Context

The context of an FHIR interaction is the transfer of PHI although other transaction could occur of the interchange so established.

Other abbreviations that might be seen include:

1. ePHI for Electronic Protected Health Information: has the meaning set forth in 45 C.F.R. §160.103 of the HIPAA Rules.
2. EHI for Electronic Health Information” which is any information that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual and is transmitted by or maintained in electronic media, as defined in 45 CFR 160.103, that relates to the past, present, or future health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. EHI includes information that is accessed, exchanged, used or maintained in the context of the Trusted Exchange Framework and may be developed for an individual, on behalf of an individual, or provided directly from either an individual or from technology that the individual has elected to use. EHI includes but is not limited to ePHI and health information as defined in 45 CFR 160.103. However, unlike ePHI and health information, EHI is not limited to information that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school, university or health care clearinghouse. EHI does not include health information that is de-identified consistent with the requirements

Problems

• FHIR is focused on the data access methods and encoding leveraging existing Security solutions. Security in FHIR needs to focus on the set of considerations required to ensure that data can be discovered, accessed, or altered only in accordance with expectations and policies.
• Privacy in FHIR is focused on the data access methods and encoding leveraging existing Security solutions. Security in FHIR needs to focus on the set of considerations required to ensure that data can be discovered, accessed, or altered only in accordance with expectations and policies.

Information Sharing

• Much of the effort of the HHS Office of the National Coordinator (OHC) for Healthcare IT in directed to towards the elimination of Information Blocking, which is the normal mode for Electronic Healthcare Repositories (EHR) prior to 2020. This is sometime classified as giving the Patient Choice about how to share their data. As that referenced wiki page shows, just dumping the data into the patient's lap is not really giving them control in any meaningful sense of the word.
• A report from the Pew Trusts shows that Most Americans Want to Share and Access More Digital Health Data, A survey can inform federal policies to expand use of electronic health records, protect patient privacy.

Solutions

FHIR taken as a whole is designed to securely exchange PHI in a Privacy preserving manner.

References

• FHIR STU3 version of the Security and Privacy Module has a good overview of protection of health information.
• Health Care Profile in Kartara IDEF documentation.