Health Level Seven (HL7)Electronic Health Record Special Interest Group
EHR Functional Hierarchy and DecompositionDRAFT v0.90, 20 July 2003
Gary L. DickinsonManager, Health Care StandardsPer-Se Technologies, Inc.R&D268 W. Hospitality Lane, #300San Bernardino, California USA 92408Tel: (+1) 909-888-3282email:
EHR Functional Model[See EHR Functional Model, v10.2]
Horizontal axis - EHR Function - Two Tier
Infrastructure Functions
Care Delivery Functions
Vertical axis - EHR Use - One per
Use Setting: EHR Setting Profile
User, Use Case: EHR Use Profile
EHR Function Specification Triplet
1. WHAT - Statement of Function(ality)
2. WHY - Rationale
3. Conformance Criteria
How: Implementation - OUT OF SCOPE
EHR Glossary
EHR - Electronic Health Record
IDN - Integrated Delivery Network
PHI - Protected Health Information
Per HIPAA, individually identifiable health information
SOA - Service Oriented Architecture
acts = actions = health service events =work tasks (work flow)
EHR Functional Perspectives
Front-end user functions
Explicit functions
Extrinsic - externally invoked process/action
Embedded functions
Implicit functions
Intrinsic - bound to internal process
Service Oriented Architecture functions
Horizontal, invoked back-end services
(GLD Note: SOA mediators)
Interface functions
e.g., HL7 v2.x trigger events, query/response
In and outbound data streams
Reporting and notification functions
Outbound data streams
EHR Stakeholder DomainExamples:
Personal Health Record
Care record, health status
Per patient/subject of care
PHI
Provider Operations (Business) Record
Record of care delivery
Per organization and business unit
PHI
Personal Practitioner Healthcare Delivery Record - Professional Service Record
Record of care delivery
Per practitioner
PHI
IDN Health Record
Record of care delivery
For multiple healthcare delivery settings
PHI
Population Health Record
Identifiable PHI or not
Local, Regional or National Health Record
Centralized EHR stores or logical linkages
PHI
Clinical Research Extract
Identifiable PHI or not
EHR References
ISO 18308 - Reqt's for an EHR (Record) ArchitectureFinal Draft ready for publication
ISO 17799, 18307, 21089…
ASTM E1762, E1769…
IOM Reports: 1991 on…
International: CEN, GEHR, OpenEHR, NHS (UK)…
Regulatory: DHHS, HIPAA, FDA…
Accreditation: JCAHO, NCQA, URAC…
Public Health: CDC…
Research, Quality, Advisory: AHRQ, NCVHS, IOM…
…
EHR Interoperability
EHR Interchange Paradigms
Homogeneous - common, uniform
Heterogeneous - disparate
Homogeneous
Interchange, among and between systems with
Common architecture
Common EHR model basis[See EHR Model Basis]
(Typically) single common datastore
Logically integrated
Even if physically distributed
FULL INTEROPERABILITY DUE TO COMMON ARCHITECTURE
Heterogeneous
Interchange, among and between systems with
Disparate architectures
Disparate EHR model basis
Multiple disparate and distributed datastores
(Often) interchange via interface mediator
e.g., interface engine, hub, router
De facto common denominator (CD)
Of information: content subset in common between systems
Of functions (e.g., HL7 trigger events): function subset in common between systems
(Often) enforced by interface mediator
Interchange scenarios
Identical content/function
Within CD
1:1 mapping
Equivalent (but not identical) content/function
Within CD
Mapping or translation possible
Disparate content/function
Beyond CD
Mapping or translation not possible
INTEROPERABILITY CONSTRAINT - INTEROPERABILITY LIMITED TO DATA/ FUNCTION WITHIN COMMON DENOMINATOR
EHR Infrastructure FunctionsBusiness Focus: Health Record/PHI Management
EHR Patient (Person) RegistryMaster Patient (Person) Index
PHI
Patient Dataset
Identifiers
Name, alias(es) and demographics
Location and contact information
Next of kin
Usual practitioners
Health plan, insurance, billing details
…
Patient Registry Functions
Create patient record
Assign patient ID
Amend patient record(s)
Merge duplicate patients
Unmerge patients (previously merged in error)
Transmit patient record(s) to external system or entity
Receive patient record(s) from external system or entity
Archive patient record(s)
De-identify or alias patient record(s)
Re-identify patient records (from alias)
Purge/delete patient record(s)
EHR Practitioner (Person) Registry
Not PHI
Practitioner Dataset
Identifiers
Name, alias(es) and demographics
Practitioner roles
Location and contact information
Credentials, licenses
Assignment parameters: location, department, service or specialty, practice group and individual
Notification, reminder and alert parameters
Personal order sets: group and individual
User-based security access clearance(s) - User and Role Based, controlling access to
Access to EHR/PHI functions
Access to EHR/PHI content
Password, access details
Practitioner Registry Functions
Create practitioner record
Create practitioner ID
Amend practitioner record
Activate, inactivate practitioner
Purge/delete practitioner record(s)
EHR Role Registry
Not PHI
Role Dataset
Role
Role-based security access clearance(s), controlling access to
EHR/PHI functions
EHR/PHI content
Role Registry Functions
Create role record
Amend role record
Delete role record(s)
EHR Entity Registry
Not PHI
Entities
Organizations
Business Units
Persons (as above): patients, practitioners
Devices: e.g., instruments, monitors
Software: e.g., applications, interface engines, hubs, routers
Entity Dataset
Entity identifiers
Name, description
Location(s) and demographics
Entity Registry Functions
Create entity record
Assign entity ID
Amend entity record
Delete entity record
EHR Location Registry
Not PHI
Locations, where
Health(care) delivery takes place: healthcare services are performed
EHR records are created, accessed/used
Location examples
Facilities, areas, rooms, beds
Business units: departments, services, specialties
Location Dataset
Location Identifiers
Demographics
Business unit(s): departments, services, specialties
Location Registry Functions
Create location record
Update location ID
Amend location record
Delete location record
EHR - Multiple Person Linkage
Parts PHI
Linkages, e.g.,
Patient to practitioner(s)
Patient to other person/entity: e.g., family member, guarantor, insured, employer
Person Linkage Functions
Create linkage between persons
Activate, deactivate linkage between persons
EHR Chronology (Chronicle of)Health Service Acts, Health Record Acts
PHI
Chronicle of
Health status
Health service acts, actions
Health record acts, actions
Health service acts, actions[See Care Delivery Functions]
Health record acts, actions>Typically trigger audit events
Enable/show record authorship, origination
Enable/show record amendment
Enable/show record verification
Enable/show record access/use
Enable/show record translation
Enable/show record transmittal, including authorized PHI disclosure
Enable/show record receipt, including externally sourced PHI
Enable/show record re-identification, aliasing, re-identification
Enable/show record archival
Enable/show record destruction or loss
Enable/show physical record check-out/check-in: paper, film, tracings
Enable/show record queries and responses
Health record acts -Interchange events (in/out-bound interface triggers)
Enable/show record transmittal, including authorized PHI disclosure
Enable/show record receipt, including externally sourced PHI
EHR Timeline Perspectives
PHI
Prospective - future
Enable/show health services (care delivery) >Planned/scheduled - not yet underway
Include wellness checks and preventative care
Concurrent - now
Enable/show health services (care delivery)>In progress - but not yet complete
Retrospective, historical
Enable/show health services (care delivery)>Completed (cancelled, resolved or other terminus state)
EHR/PHI Record Management
Including PHI
Rules and guidelines
Enable EHR/PHI record management based on
Regulatory, statutory guidelines
Accreditation standards
Professional and best practice guidelines
Local or regional conventions
Record retention, persistence>For duration of legal requirement
Retain patient records
Retain supporting records and registries (persons, entities, locations…)
Record indelibility
Ensure and retain record instance as originated, and
Ensure and retain record instance for each successive amendment
Record creation, amendment>Per creation or amendment act/action
Capture/input record: e.g., by keyboard/pointer entry, with formatted input screens
Authenticate record/data source (entity)
Review and approve content: e.g., user display and accept
Audit origination or amendment: who, what created/amended, when, where
Record verification>Per verification act/action
Review, verify and approve record content: e.g., user display and accept
Authenticate verifying entity
Audit verification: who, what verified, when, where
Record translation>Per translation act
Enable record/data translation: e.g., language, code sets
Authenticate translating entity: e.g., interface mediator (interface engine)
Retain original data value + translated value
Audit translation: who (translation entity), what content translated or amended, when, where
Record access/use/view>Per patient record accessed
Access/use/view record/PHI: e.g., user display
Authenticate accessing entity (user)
Audit access: who, what accessed, when, where
Record transmittal>Per transmittal
[See EHR/PHI Outbound Record Transmittal]
Audit record transmittal: who, what, when, where
Record receipt>Per receipt
[See EHR/PHI Inbound Record Receipt]
Audit record receipt: who, what, when, where
Record archival>Retention according to Legal Requirement
Archive record(s): e.g., to external entity or offline storage medium
Enable/show archive log, index for retrieval
Audit archival: who, what archived, when, where
Record purge/deletion>Intentional, meeting legal requirements
Purge/delete electronic record
Audit purge/deletion: who, what purged, when, where
Enable/show purge record log, for later review
Record destruction or loss>Typically unintentional
Notate record destruction or loss
Audit destruction/loss: who, what, when, where
Record de-identification, aliasing
De-identify record: e.g., per HIPAA
Alias record
Audit de-identification: who, what, when, where
Record re-identification
Re-identify record: e.g., for previously aliased records
Audit re-identification: who, what, when, where
Physical record check out/in>Tracking the movement of various physical media>Including paper, film
Check-out physical record media
Audit checkout: who, what, when, where
Check-in physical record media
Audit checkin: who, what, when, where
Record query/response
Query record
Respond to record query
Audit queries, if PHI: who, what, when, where
Record accuracy, consistency
Check algorithmically for record/data accuracy, consistency
Show checks performed, per record instance
Record completeness
Check record completeness
Per encounter or episode of care
Per record instance
Check record completeness, as a function of the completeness of health(care) delivery
Per encounter or episode of care, per set of corresponding health service acts/actions - complete or not
Per record instance, per corresponding health service acts/action(s) - complete or not
Record audit
[See EHR/PHI Chronology - Health Record Acts]
Create/maintain record acts/action audit trails
Provide audit event review tools
Show audit event exceptions, per criteria
Record secure physical storage
Enable physical security controls of EHR/PHI systems, databases, networks and media: e.g., per HIPAAIN/OUT of scope?
EHR/PHI - Inbound Record Capture/Receipt
Including PHI
Inbound records, including receipt from:
Entities: organizations, business units, individuals
Software systems, devices
Inbound interchange mediation
Inbound interchange often via interface mediators (engines)
If homogeneous record source, assume
Identical record content
Identical context and data relationships
Identical function: "real world" event triggers, communication triggers, HL7 trigger events
Identical data types
No special mapping or translation required
If heterogeneous record source, assume
Disparities (source to receiver) in record content, context, function and data types
Content, per record element: identical, translated, unmappable
Context, per record or acts/action: identical, translated, unmappable
Function, per trigger: identical, translated, unmappable
Data type, per record element: identical, translated, unmappable
If identical: 1:1 mapping, no translation required
If translated (source to receiver representation): single (original value) becomes duple (original + translation)
If unmappable, record element has no source=receiver equivalent
DATA INTEGRITY: impact of unmapped content, context, function or data type
CLINICAL INTEGRITY: patient care/safety impact of unmapped content, context, function or data type
Interface standards>Per interface instance
Use applicable industry standards for inbound messages, including HL7 v2/CDA, DICOM, MIB, X12N, NCPDP
Transmission source authentication>Per connection, session, record or message
Authenticate source (entity): e.g., software system, device, network, interface mediator
Transmission encryption, decryption>If PHI or otherwise confidential>If transmitted over untrusted or public network>Per connection, session, record or message
Decrypt inbound record receipt
Transmission (message) authentication>Per connection, session, record or message
Ensure record/message content integrity: record received equals record sent
Ensure record/message sequence integrity
Source to receiver sequence
Source to interface mediator to receiver sequence
Record origination evidence>Evidence of record source, origin and/or authorship>As represented by record source/transmitter to record receiver>Per record instance
Show record source, origin and/or authorship: who, what, when, where
Record verification evidence>Evidence of record verification>As represented by record source/transmitter to record receiver>Per record instance
Show record verification: who, what, when, where
Record content translation evidence>Evidence of record content translation>As represented by record source/transmitter to record receiver>Per record instance, per record element translated
Show record translation: who, what, when, where
Show translated content: as originated, as translated
Record amendment evidence, history>Evidence of record content, as originated and as amended>As represented by record source/transmitter to record receiver>Per record instance
Show record, as originated
Show record, per each subsequent amendment
Show record audit trail: who, what, when, where
Inbound record re-identification>Per record, per record instance
Re-identify inbound records, i.e., invert previous outbound aliasing
Audit re-identification: who, what, when, where
Inbound record audit>Per connection, session, record or message received
Log record/message as received, unaltered
Audit inbound record receipt: from whom, what, when, where
EHR/PHI - Outbound record transmittal
Including PHI
Outbound records, including transmittal to:
Entities: organizations, business units, individuals
Software systems, devices
Hardcopy output: e.g., print, fax
Softcopy output: e.g., email, pager, PDA
Media output: e.g., magnetic, optical, microfiche
Outbound interchange mediation
Outbound interchange often via interface mediators (engines)
If homogeneous record receiver, assume
Identical record content
Identical context and data relationships
Identical function: "real world" event triggers, communication triggers, HL7 trigger events
Identical data types
No special mapping or translation required
If heterogeneous record receiver, assume
Disparities (source to receiver) in record content, context, function and data types
Content, per record element: identical, translated, unmappable
Context, per record or act/action: identical, translated, unmappable
Function, per trigger: identical, translated, unmappable
Data type, per record element: identical, translated, unmappable
If identical: 1:1 mapping, no translation required
If translated (source to receiver representation): single (original value) becomes duple (original + translation)
If unmappable, record element has no source=receiver equivalent
DATA INTEGRITY: impact of unmapped content, context, function or data type
CLINICAL INTEGRITY: patient care/safety impact of unmapped content, context, function or data type
If unmappable>Due to unresolved disparities between source and receiver
From external source entity (e.g., software system), receive record not fully mapped (and so identified by mapping agent)
Enable/show record status as not fully mapped: e.g., display status to user when accessing record
Interface standards>Per interface instance
Use applicable industry standards for outbound messages, including HL7 v2/CDA, DICOM, MIB, X12N, NCPDP
Transmission receiver authentication>Per connection, session, record or message
Authenticate receiver (entity): e.g., software system, device, network, interface mediator
Transmission content (message) authentication>Per connection, session, record or message
Ensure record/message content integrity: record received equals record sent
Ensure record/message sequence integrity
Source to receiver sequence
Source to interface mediator to receiver sequence
Transmission encryption>If PHI or otherwise confidential>If transmitted over untrusted or public network>Per connection, session, record or message
Encrypt outbound record(s)
Record origination evidence>Evidence of record source, origin and/or authorship>As represented by record source/transmitter to record receiver>Per record instance
Show record source, origin and/or authorship: who, what, when, where
Record verification evidence>Evidence of record verification>As represented by record source/transmitter to record receiver>Per record instance
Show record verification: who, what, when, where
Record content translation evidence>Evidence of record content translation>As represented by record source/transmitter to record receiver>Per record instance, per record element translated