  • What is the minimum set of requirements that allows patient-driven requests to be supported by both EMR vendors and Surescripts?
    • A clear and auditable way to ensure the patient made/approved the request
    • What data is being requested: active, inactive medication orders
    • The format and transport mechanism to be supported
  • What is the comprehensive set of accessibility requirements and definitions?  (i.e. rules, permissions and other parameters that can be implemented by all the participants determined?)
    • Similar to above
  • What are requirements for accessibility to EMR medication lists?
    • Similar to above: clarity that the request is legitimate, what data is requested, and the format and delivery mechanism
  • What are requirements for accessibility to Surescripts medication history feeds?
  • What are the definitions of accessibility requirements (rules, permissions (time and expiration limits), other parameters, etc.) used by your organization or other organizations you contract with?
  • What are your rules? Do you have many different rule sets?
  • What constraints often exist for the more restrictive timeframes or issues? What type of request permissions are they? Do they typically fall under a particular category?
    • For example, permissions do not carry over if employers change for a patient. Is this always the case? Maybe the case?
      • Similar might be who can make a request; for example, a parent might make a request for a child, but only until the child is a specific age or specifically opts out of allowing a parent to access their information
  • What is a business associate (BA) really allowed to do?
    • The nuance here… a BA might have access to data for billing, but to pull prescription information for other reasons, even at a patient’s request, would probably not be covered under the existing agreements.
  • What is the most confining access requirement for the covered entity (CE)? Does it differ?