A consumer health application is an electronic solution that enables the consumer to collect, retrieve, manage, use and share personal information and other health-related data. A consumer health application could include applications commonly known as personal health records and patient portals. If connected to a consumer health platform, the consumer health application provides access to the services provided by the platform and the personal information stored in the platform.
The Infoway pre-implementation consumer health application certification applies to health information technology solutions including:
- Devices provided to users;
- Applications that run on users’ personal computers or Local Area Networks;
- Applications that run, and provide services from, a network-resident location (ASP services); or
- Any combination of the above.
Some of the criteria are not applicable to certain application delivery models. For example, an organization that sells a software application designed to be used only on a physician's local office network or a customer's local workstation will never become the custodian of any patients' personal information, and is therefore not required to comply with a number of the privacy and security requirements that would apply in other cases.
The consumer health application domain is made up of four certification classes:
- Category 1 - dependent solution
- Category 2 - uni-directional solution
- Category 3 - bi-directional solution
- Category 4 - non-transactional
- Category I Consumer Health Application (Dependent Solution): A Consumer Health Application that is strictly dependent on an Infoway-certified Consumer Health Platform to provide an operational environment with privacy, security, and all interoperability with an EHR.
- Category II Consumer Health Application (Uni-Directional): A free-standing or independent Consumer Health Application (with integral privacy, security and user/client identification functionality) that conducts uni-directional transactions with other information solutions, e.g. Electronic Medical Record, Consumer Health Platform, etc.
- Category III Consumer Health Application (Bi-Directional): A free-standing or independent Consumer Health Application (with integral privacy, security and user/client identification functionality) that conducts bi-directional transactions with other information solutions, e.g. Electronic Medical Record, Consumer Health Platform, etc.
- Category IV Consumer Health Application (Non-Transactional): A free-standing or independent Consumer Health Application (with integral privacy, security and user identification functionality) that cannot conduct transactions with other information solutions, e.g. Electronic Medical Record, Consumer Health Platform, etc.
The pre-implementation assessment criteria include:
- Generic Criteria, which apply to all classes of health information technology application or service (for example, requirements having to do with privacy and security); and
- Interoperability Criteria, which specifically apply to a consumer health application.
These criteria apply to:
- The consumer health applications or consumer health application-based services provided; and
- The organizations that provide the consumer health applications or consumer health application-based services.
When the criterion states: “Organizations providing applications or services must…” or “applications or services must…” then the criterion applies whether the application is hosted (ASP model) or operated by the end-user.
When the criterion states: “Organizations providing services must…” then the criterion only applies when the organization is providing an ASP model service, and the criterion applies to the organization itself, rather than the application.
The key factor that in most cases determines the applicability of a criterion is whether or not the organization seeking certification will become a custodian of consumers’ personal information. If not, many of the organization-related generic criteria are not applicable.
These criteria use the phrase “personal information” to mean any personal information maintained by the application or service about the subjects of health care. Therefore, even basic demographic information falls into the category of “personal information” and is subject to the requirements of these criteria.
The framework for the assessment criteria is shown in the table below. It consists of two classes of criteria:
- Solution – Refers to the aspects of privacy, security and interoperability that need to be assessed.
- Management – Refers to how the organization providing the product manages risk, data and system security, as well as third party solutions and services.
| Consumer Health Application Assessment Criteria |
| --- |
| Identifying purposes & limiting collection |
| Limiting use, disclosure & retention |
| User identity management |
| Driven by expectations of a target EHR system at a defined level of maturity |
| Third party services |