Reminder: Do not include any PHI or PII in Confluence. If you require 508 accessibility assistance or any other support for this system, then please send an email to onc-jira-questions@healthit.gov
- What are the minimum set of requirements that allow patient driven requests be supported by both EMR vendors and Surescripts?
- A clear and auditable way to ensure the patient made/approved the request
- What data is being requested; active, inactive medication orders
- The format and transport mechanism to be supported
- What is the comprehensive set of accessibility requirements and definitions? (i.e. rules, permissions and other parameters that can be implemented by all the participants determined?)
- Similar to above
- What are requirements for accessibility to EMR medication lists?
- Similar to above; clear the request is legitimate, what data is requested, the format and delivery mechanism
- What are requirements for accessibility to Surescripts medication history feeds?
- What are the definitions of accessibility requirements (rules, permissions (time and expiration limits), other parameters, etc.) used by your organization or other organizations you contract with?
- What are your rules? Do you have many different rule sets?
- What are the certain constraints that often exist for the more restrictive timeframes or issues? What type of request permissions are they? Do they fall typically under a particular category?
- For example, permissions do not carry over if employers change for a patient. Is this always the case? Maybe the case?
- Similar might be who can make a request; for example a parent might make a request for a child, but only until the child is a specific age or specifically ops out of allowing a parent to access their information
- For example, permissions do not carry over if employers change for a patient. Is this always the case? Maybe the case?
- What is a business associate (BA) really allowed to do?
- The nuance here… a BA might have access to data for billing, but to pull prescription information for other reasons, even at a patient’s request, would probably not be covered under the existing agreements.
- What is the most confining access requirement for the covered entity (CE)? Does it differ?