Skip to main content

Key Concepts

HealthEx Users: Healthcare Organizations and Data Requestor Organizations

Both types of HealthEx organizations can add studies and create project consent flows through the HealthEx platform in order to collect consent from patient participants.

Healthcare organizations can access their own patient data once the patient has given consent. Data requestor organizations, on the other hand, do not have direct access to patient data and instead receive it through HealthEx’s connection to public data networks after patient consent has been collected.

As a HealthEx API user, you must be an authorized member of either a healthcare organization or a data requestor organization.

Projects

Projects are a key element within the HealthEx system. Projects within HealthEx represent a purpose that requires patients data (identified or de-identified) and may require informed consent. Organizations are required to add a project to HealthEx before they are able to create informed consent workflows, request patient consent, or inform patients of their data being used.

When adding a project in HealthEx, we collect details about the project along with any required information related to informed consent.

Some examples of project details we capture include but are not limited to:

  • Project title and description
  • Diseases or conditions being studied (for research projects only)
  • Expected outcomes (for research projects only)
  • Target number of patients
  • Project completion date

Some examples of consent specific information include but are not limited to:

  • Patient friendly title and description (usually simplified relative to similar fields in formal documents)
  • Risks and benefits to the patient
  • Interventions (if applicable)
  • Timelines
  • Whether the patient will receive compensation for participation

For projects requiring informed consent, patients must provide consent before participating. In the HealthEx system, this consent is represented by a consent record that is stored in a publicly auditable way.

The consent record captures:

  • Who (which patient) consented.
  • What the consent decision was. HealthEx records both when patients give consent and when they refuse it.
  • What they consented to. This is captured by linking the specific project with the consent type (see more below)

One of the primary functions of the HealthEx APIs is to enable consumers to check for the existence of consent records.

As a HealthEx API user, you will only be able to see consent records that are relevant to projects your organization has created.

HealthEx supports a number of consent types which represent what kind of action the patient is consenting to. The following consent types are supported:

  • Data Authorization - Permits project users to access the patient's health care record via a healthcare organization.
  • Patient Directed Data Exchange - Permits project users to access the patient's health data via public data networks.

All of the above consents are consented to on a per-project basis.

To avoid an "all or nothing" approach to data disclosure, HealthEx allows project users to select exactly which types(s) of patient data they need access to, and in turn, patients only consent to the release of those specific type(s) of data. This is captured in a consent record as a list of consent data scopes.

A consent data scope is a pair (tuple) of two different values. The first value is a resource scope, which indicates what type of data is allowed to be accessed. For example, a patient might allow access to their lab results, but not their list of visits. The second value is a sensitivity scope, which indicates what sensitive instances of that data type are allowed. For example, a patient might allow access to non-sensitive lab results, but wish not to permit access to HIV-related or substance abuse-related lab results.

When actually disclosing data, the API consumer should make sure to check the permitted consent data scopes in the consent record to ensure only authorized data is released.

Patient Reference IDs

HealthEx assigns a unique identifier to each patient, referred to as a reference ID. Reference IDs are the default mechanism for querying a patient's consents. Organization are also allowed to assign an external ID to a patient when adding them to HealthEx, allowing you to supply your own ID (such as an MRN, member ID, or other MPI identifier).