
"Sharing with Protections" refers to the technical requirements needed to meet policy requirements for balancing patient privacy and patient safety.

As part of the HIMSS 201902 Consumer Centered Care Planning Interoperability Showcase storyboard, the "Sharing with Protections" vignette was demonstrated to highlight how balancing patient privacy and safety can be achieved.

HIMSS 201902 "Break the Glass" (BTG) Script

Behavioral Health Specialist (pre-existing care plan)

Amy has a pre-existing behavioral health care plan for PTSD, which includes regular counseling sessions with her therapist and an anti-anxiety medication prescription. These records are also shared with the Digital Health Platform hub but are protected by security labeling. Security labeling of clinical records enables label-based filtering and redaction at an organization/role/purpose level.

Patient visit with Podiatrist

Amy schedules a specialist visit to seek relief for increasing foot pain and her Podiatrist decides to prescribe an opioid pain medication (Tramadol) for short-term relief. However, while entering this prescription, the Podiatrist’s Clinical Decision Support system (CDS) notifies the podiatrist that Tramadol is contraindicated with another medication, which is not being displayed. This happens because the Podiatrist’s CDS is able to detect drug-drug interactions based on its clearance claims as a “super user” authorized to retrieve all of the patient’s information, even those records labeled as restricted.

The Podiatrist’s CDS is authorized with a “super user” clearance claim to receive the full set of Amy’s medications available through the shared Care Team Hub. The CDS detects that the podiatrist’s proposed opioid medication prescription is contraindicated given the patient’s current mental health prescription for an anti-anxiety medication and provides an option to “break the glass” (BTG) along with the accountability requirements that may follow. The podiatrist opts to BTG for patient safety to gain full access to these restricted records, but only for use during this visit. The podiatrist now sees that an anti-anxiety medication has been prescribed for Amy’s PTSD condition.

The CDS presents non-opioid medication options for the Podiatrist’s consideration and provides guidance for both non-opioid and opioid medications about negative side effects based on CKD (chronic kidney disease) status, source of pain, and drug-drug interactions with Amy’s anti-anxiety mental health medication. The Podiatrist, in consultation with Amy, decides on a trial use of an alternative pain medication. While the Care Team will receive notifications about her new pain medication prescription, her mental health medication will remain masked to unauthorized Care Team members.

BTG Technical Details


This section discusses two flows for the two cases of access by a physician. The first case is access by a nephrologist, in which no safety warning is involved and no break-the-glass access takes place. The nephrologist in this case only views a redacted list of Amy’s medications in which the anti-anxiety medication is redacted. In the second case, access by a podiatrist, a safety warning is issued by the CDS at the time of adding a new opioid prescription, which leads to a break-the-glass access request by the physician. After the break-the-glass access request, the podiatrist can see the complete list of Amy’s medications including the sensitive anti-anxiety medication.

Normal Access by the Nephrologist

The flow of normal access to the medication list and adding a new prescription by the nephrologist is shown in Figure 1. The details of each step are discussed below.

Figure 1. Nephrologist access flow including access to redacted medication list and leveraging CDS hooks.

The nephrologist selects the patient[1] and launches the specialist App with Amy as the patient context.

The App requests a launch from the SMART/FHIR server and fetches the resources required to render the patient summary. This includes a summary of medications. Based on the security labels on the respective FHIR resources and the privacy policies, the list of medications does not include the sensitive anti-anxiety medications.

The App renders the patient summary including the redacted list of medications for the physician.

After interacting with the patient and determining the course of care, the nephrologist requests adding a new prescription for the patient.

The App initiates a request for a CDS hook for prescription analysis. This request includes the patient identifier and the new medication.

Based on this request, the CDS fetches the full list of medications for Amy and conducts a drug-drug interaction analysis by comparing the new prescription with the current list of medications. Since this does not trigger any concerns, no warnings are returned in response.

The App records the new prescription for Amy by posting an update to Amy’s nephrology care plan on the FHIR server.

[1] In the current HSPC flows, selecting the patient identity takes place in the context of the EHR system and before launching the App; in other words, the patient ID must be determined before the App starts.

BTG Access by the Podiatrist

Figure 2 shows the flow in which the podiatrist’s attempt to prescribe a contraindicated opioid prescription triggers the CDS to return a warning card, followed by BTG access to the complete medication list. The details of each step are discussed below.

Figure 2. Podiatrist access flow including CDS warning and BTG access.

The podiatrist selects the patient and launches the App with Amy as the patient context.

The App requests a launch from the SMART/FHIR server and fetches the resources required to render the patient summary including a summary of medications. Similar to the case of the nephrologist, sensitive anti-anxiety medications are redacted based on their security labels and the privacy policies.

The App renders the patient summary including the redacted list of medications.

After a conversation with the patient to determine the course of care, the podiatrist enters a request for an opioid prescription for the patient’s diabetic foot pain.

The App sends a request for the CDS hook for prescription analysis. The request includes the patient identifier and the code for the opioid medication requested in the prescription.

The CDS fetches the complete list of medications for Amy, including the anti-anxiety medication, and conducts a drug-drug interaction analysis. This triggers a patient safety warning based on the rule that anti-anxiety medication cannot be mixed with opioids. A response is sent to the App with a CDS card warning about the patient safety consequences of the prescription in question.

The App renders the warning and the podiatrist takes note of it.

Based on the patient safety warning, the podiatrist issues a BTG request to see the full list of Amy’s medications, citing patient safety as the rationale for this request.

The SMART/FHIR server returns a complete and unredacted list of Amy’s medications based on the BTG context of the request, which overrides the protective rules applicable to the sensitive medications.

At this point the podiatrist re-enters the opioid medication to trigger the App call for a CDS hook for suggested non-opioid alternative medication.

The CDS fetches the complete list of Amy’s medications[1], including the anti-anxiety medication, and performs the analysis for determining contraindication and suggestion of alternative. The result is then sent back to the App in the form of a CDS card.

The App renders the CDS card so the podiatrist can take note of it.

Taking note of information regarding contraindication and the suggestion of alternative medication presented by the CDS card, the podiatrist changes the prescription to a non-opioid alternative.

The App records the new prescription for Amy by posting an update to the podiatrist’s care plan on the FHIR server.

[1] Note that the CDS can use a cached copy of this list from the previous steps.
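The three views described in the two flows above (redacted list for the clinician, full list for the CDS, unredacted list after BTG) can be expressed as one label-based filter. This is an added example, not code from the showcase: the function names, the simplified medication records with `name` and `drugClass` fields, and the interaction rule are assumptions; the confidentiality codes and the `BTG` purpose of use are from the HL7 v3 vocabularies.

```python
from datetime import datetime, timezone

CONF = "http://terminology.hl7.org/CodeSystem/v3-Confidentiality"
RANK = {"U": 0, "L": 1, "M": 2, "N": 3, "R": 4, "V": 5}  # HL7 confidentiality order

def label_rank(resource):
    """Highest confidentiality label in meta.security; unlabeled is treated as N."""
    codes = [c["code"] for c in resource.get("meta", {}).get("security", [])
             if c.get("system") == CONF and c.get("code") in RANK]
    return max((RANK[c] for c in codes), default=RANK["N"])

def visible(resources, clearance, purpose="TREAT", *, user=None, encounter=None,
            reason=None, audit=None):
    """Return the resources the requester may see.

    BTG lifts the clearance ceiling only when a reason and an encounter are
    given, and every override is appended to the audit list (accountability).
    """
    if purpose == "BTG":
        if not (reason and encounter and audit is not None):
            raise PermissionError("BTG requires reason, encounter and audit sink")
        hidden = [r["id"] for r in resources if label_rank(r) > RANK[clearance]]
        audit.append({"when": datetime.now(timezone.utc).isoformat(), "who": user,
                      "encounter": encounter, "reason": reason, "unmasked": hidden})
        return list(resources)
    return [r for r in resources if label_rank(r) <= RANK[clearance]]

def interaction_card(resources, new_drug_class, rules):
    """CDS side: check the full list, but do not name a restricted medication."""
    for r in visible(resources, "V"):  # "super user" clearance claim
        if (new_drug_class, r["drugClass"]) in rules:
            masked = label_rank(r) > RANK["N"]
            other = "another medication not displayed" if masked else r["name"]
            return {"indicator": "warning",
                    "summary": f"{new_drug_class} is contraindicated with {other}"}
    return None

# Constructed sample data: simplified stand-ins for FHIR medication resources.
MEDS = [
    {"id": "med-1", "name": "example-antihypertensive", "drugClass": "antihypertensive",
     "meta": {"security": [{"system": CONF, "code": "N"}]}},
    {"id": "med-2", "name": "anti-anxiety medication", "drugClass": "anxiolytic",
     "meta": {"security": [{"system": CONF, "code": "R"}]}},
]
RULES = {("opioid", "anxiolytic")}  # constructed rule taken from the storyboard
```

The audit entry records who broke the glass, for which encounter, why, and which record ids were unmasked, which is the data a later accountability review needs.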



API: Application Programming Interface
CDS: Clinical Decision Support
EHR: Electronic Health Record
FHIR: Fast Healthcare Interoperability Resources
HIMSS: Healthcare Information and Management Systems Society
HL7: Health Level 7
HSPC: Healthcare Services Platform Consortium
PTSD: Post-Traumatic Stress Disorder
SLS: Security Labeling Service
