A little about NATE - National Association for Trusted Exchange

A little about NATE…
Policies, practices and technologies…
…that enable and promote trusted exchange…
…within and across state lines...
…among unaffiliated organizations…
…and the consumers they serve.
Who Is NATE?
The National Association for Trusted Exchange (NATE) is a not-for-profit membership association focused on enabling trusted exchange among organizations and individuals with differing regulatory environments and exchange preferences
NATE is a 501(c)(3) Mission Driven Organization Focused on
Enabling Trusted Exchange that Includes the Patient
NATE’s Membership is Open to Government Entities,
Non-Government Organizations, Associations and Individuals
NATE Members Include…
CONSUMER CONTROLLED
APPS
STATES, NATIONAL ASSOCIATIONS
AND INTERNATIONAL PEERS
Our First Federal Agency Member
“Participating in NATE allows VA to continue to
be a national leader in enabling our Veteran
patients to take control over their health
information and become informed and active
partners in their overall healthcare.”
-- Dr. David Shulkin
U.S. Secretary of Veterans Affairs
Those That Take Consumer Engagement Seriously Join NATE
A little about what we do…
What is the NBB4C?
The NATE Blue Button for Consumers (NBB4C)
Trust Bundle is a trust mechanism that provides, to
HIPAA covered entities that use Direct, a facile
method of exchange with
that must meet or exceed a specific set
of regulatory criteria and user experience
requirements in order to become a NATE-QE
NATE Makes It Easier for Providers to Share Health Information With
Their Patients So That Their Patients Can Do What They Want With It
NATE’s Blue Button Trajectory
[Timeline figure. Milestones shown: NBB4C Goes Live; VA - NATE Begins Analysis to Establish NBB4C2; PHR Ignite Phase 2 Begins; Call for Comment on NBB4C Policies; NATE Takes Over BB+; PHR Ignite Pilot Award By ONC; BB+ Deprecated; HIMSS 17 Demonstrate NATE Blue Button Directory. Dates marked: Dec 2013, Jun 2014, Dec 2014, March 2015, August 2016, Oct 2014, Nov 2015.]
NATE Blue Button for Consumers
(NBB4C)
Consumer Controlled App Members
2017 Priorities
Refining our 2017 priorities based on advances
made in 2016
• Blue Button Directory for Consumers
• TrustHarbor
Blue Button Directory for Consumers
• An out of the box solution to a persistently wicked problem
• Rather than trying to overload the purpose of existing P2P4Tx Trust Bundles
• What if we tried to bring the consumer’s “Individual Right of Access” request to the part of the health enterprise responsible for responding to these requests today?
• Would that result in a win-win for consumers and providers alike?
[Diagram: Post Registration and Configuration. Labels shown: Consumer; Consumer App; Search for Org; Directory; Copy Direct Address; Direct Message; Direct Portal –or– Integrated EMR.]
Consumers are requesting their medical records and providers want to share
them but there is often a workflow disconnect between the two. NATE and
demo participants demonstrated how a simple enabling infrastructure can
alleviate this problem. The NATE Blue Button Directory allows patients to
discover how best to submit their request for health information and
establishes a secure end-point for the covered entity’s staff responsible for
managing these requests. NATE demonstrated the registration of the
organization by the appropriate staff (e.g., medical records department) in a
FHIR-based directory, and showed how the provisioning of a Direct address
enables bi-directional exchange with those consumer-controlled apps
recognized by NATE’s trust community.
TrustHarbor will facilitate trustworthy exchange at the intersection of consumer apps, provider’s APIs and validated endorsers.
[Diagram labels: Consumer Apps; TrustHarbor]
• Endorsers register to TrustHarbor
• Apply endorsements in a verifiable way
• Consumer apps register to TrustHarbor
• Verified endorsers apply signed software statements
• Access TrustHarbor via APIs to verify endorsements
• Enable dynamic registration of consumer apps that meet criteria
July 2016 Proposal
Trust Harbor: A Win-Win-Win Solution
Data Holders
• Need to validate applications requesting API access
• Common checks
App Developers
• Need to be approved by each data holder
• Common responses to checks
Consumers
• Need a framework to help them decide whether to trust an app with their data
The TrustHarbor is a public registry and API of:
• Consumer controlled apps
• Endorsing bodies
• Application endorsements
It supports registration of two actors and one action
Two actors, one action; many relying parties and supported use cases
Register as an Endorser
• Endorser – an organization that provides a certification, accreditation, “seal-of-approval” or otherwise endorses consumer applications
• Could include entities that provide technical certification such as those related to IdM (SAFE-BioPharma; Kantara)
• Or accredit for operational compliance to a set of evaluation criteria that include non-technical policy requirements (EHNAC; NATE)
• Or align with qualitative preferences such as usability for different populations (VSO Association for Vet Friendly Apps; NPWF’s ‘Top 10 Family Friendly Consumer Apps’).
We Make It Easier for Providers and Consumers to Trust
Consumer Applications and Easier for Consumers to Use Them
Register as an Endorser
• What information should be collected about an endorser?
• What qualifies an organization to be recognized as an endorser?
• How do we govern the removal of endorsers?
• Legal agreement?
• An endorser may have more than one type of endorsement that they provide
Meaning of an Endorsement
• For each endorsement that an endorser provides, what information do we need to make available to relying parties in order to determine if they trust them as a 3rd party?
• Do we define levels of endorsement? Each higher level endorsement comes with more validation requirements
Register as an Application
• What information should be collected about a consumer app?
• What qualifies a vendor to be recognized as a consumer controlled app? NBB4C criteria sufficient?
• Legal agreement?
• How do we govern the approval or removal of appropriate vendor’s offerings?
• A vendor may have more than one offering that may support different endorsements based on target market and use case
• Update the evaluation criteria for the NBB4C?
• What should we require consumer apps to publish about how they do business?
Apply Endorsement to Registered Application
• What guidance do we provide to relying parties about frequency of TrustHarbor verification?
• Should they verify status of an endorsement for each transaction? Can they cache verifications?
• How do we notify relying parties about endorsement revocation?
How Does it Work for a Data Holder?
• Developer brings web token(s) from endorser(s)
• Validated token(s) enables consumer app to skip some/all data holder registration requirements
• Validated token(s) may raise throttling limits for vendor’s use of an API
• Relying party queries TrustHarbor central registry to determine token(s) is still valid
• Relying party performs regular, out-of-band queries to registry to identify token(s) revocation or expiry
Defining Safe Harbors using TrustHarbor – hypothetical
• What endorsements would be required to establish a safe-harbor for consumers to share data collected by the consumer from another provider?
• i.e., consumer directed exchange
• Updates provider organization’s medical record with new clinical information
Endorsements (valid tokens) from recognized endorsers that cover the following:
• App is consumer controlled (NATE/CARIN)
• High confidence in identity of consumer (Kantara|SAFE-BioPharma)
• Provenance of data from original provider is such that receiving provider is confident it hasn’t been modified before receipt (SDO)
• Security certification that data sent by vendor does not introduce security risks (EHNAC|HITRUST)
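One way a relying party could evaluate the hypothetical safe harbor above against a cached registry snapshot, as an added example that is not NATE's or TrustHarbor's code. The record shapes, category keys and the one-hour snapshot age limit are assumptions, and each token's signature is assumed to have been verified before its claims reach this check.

```python
from collections import namedtuple

# Hypothetical policy: category -> endorsers this data holder recognizes.
# Endorser names follow the slide ("SDO" is the slide's generic label);
# the category keys and the structure are assumptions for illustration.
REQUIRED = {
    "consumer_controlled": {"NATE", "CARIN"},
    "identity_assurance": {"Kantara", "SAFE-BioPharma"},
    "data_provenance": {"SDO"},
    "security_certification": {"EHNAC", "HITRUST"},
}
MAX_SNAPSHOT_AGE = 3600  # seconds a cached registry snapshot is trusted (assumed)

# Claims taken from an endorser's token after signature verification (assumed shape).
Endorsement = namedtuple("Endorsement", "token_id endorser category app_id expires_at")
# Result of the relying party's last out-of-band registry query (assumed shape).
RegistrySnapshot = namedtuple("RegistrySnapshot", "fetched_at revoked_ids")

def evaluate(app_id, endorsements, snapshot, now):
    """Return (allowed, reasons). Fails closed when the cached snapshot is stale."""
    if now - snapshot.fetched_at > MAX_SNAPSHOT_AGE:
        return False, ["registry snapshot stale; refresh before deciding"]
    covered, reasons = set(), []
    for e in endorsements:
        if e.app_id != app_id:
            reasons.append(f"{e.token_id}: issued for a different app")
        elif e.expires_at <= now:
            reasons.append(f"{e.token_id}: expired")
        elif e.token_id in snapshot.revoked_ids:
            reasons.append(f"{e.token_id}: revoked")
        elif e.endorser not in REQUIRED.get(e.category, set()):
            reasons.append(f"{e.token_id}: endorser not recognized for {e.category}")
        else:
            covered.add(e.category)
    missing = sorted(set(REQUIRED) - covered)
    reasons += [f"missing endorsement: {c}" for c in missing]
    return not missing, reasons

# Constructed sample: four endorsements (t0..t3) for a made-up app "phr-1".
NOW = 1_700_000_000
SAMPLE = [Endorsement(f"t{i}", n, c, "phr-1", NOW + 86400) for i, (n, c) in enumerate([
    ("NATE", "consumer_controlled"), ("Kantara", "identity_assurance"),
    ("SDO", "data_provenance"), ("EHNAC", "security_certification")])]

if __name__ == "__main__":
    print(evaluate("phr-1", SAMPLE, RegistrySnapshot(NOW - 60, frozenset()), NOW))
    print(evaluate("phr-1", SAMPLE, RegistrySnapshot(NOW - 60, frozenset({"t1"})), NOW))
```

Caching is safe only as far as the snapshot age limit allows: a revocation published after the last refresh stays invisible until the next out-of-band query.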
Sign Up on NATE’s Website to Stay Informed:
NATE-trust.org
301-540-2311