7Block Labs
Healthcare Technology

By AUJay

Blockchain Healthcare Application Development: Reference Architectures for Claims, Consent, and Credentials


Why this matters now: the policy and standards window just opened

On January 17, 2024, CMS finalized the Interoperability and Prior Authorization rule. By January 1, 2027, payers must have launched their Patient Access, Payer-to-Payer, and Prior Authorization APIs, and they must speed up their decisions: a 72-hour turnaround for urgent cases and a standard 7-day timeline for everything else. Public reporting begins January 1, 2026. Thanks to HIPAA enforcement discretion, FHIR-only prior authorization APIs are now acceptable, so the old X12 278 transaction is no longer required. That change gives developers the freedom to follow the Da Vinci Implementation Guides end to end. The full details are at cms.gov.

TEFCA is live. The first Qualified Health Information Networks (QHINs) were designated in December 2023. By 2025, TEFCA is expected to carry millions of exchanged documents, with more QHIN designations, governance standard operating procedures, and additional exchange purposes being rolled out. The model is to connect to QHINs, directly or through participants, to reach a national exchange.

The ONC's HTI-1 Final Rule lays the groundwork by adopting USCDI v3 and US Core IG 6.1. By January 1, 2026, you need to be current with ICD-10 and have SMART on FHIR v2 certification as your baseline. Recent enforcement discretion gives developers a little more breathing room: the deadline to submit updates has moved to March 1, 2026. Designing your APIs with these targets in mind from the start keeps you on track; details are at healthit.gov.

HHS has updated 42 CFR Part 2. The rule took effect on April 16, 2024, with a compliance date of February 16, 2026. It allows a single consent to cover Treatment, Payment, and Operations (TPO) and aligns redisclosure with HIPAA. This matters for simplifying consent management and streamlining workflows across networks.

On verifiable credentials: the W3C VC Data Model 2.0 reached Recommendation status in 2025, OpenID for Verifiable Presentations (OID4VP) 1.0 has been approved, and OpenID for Verifiable Credential Issuance (OID4VCI) 1.0 is slated for final specification this year. Together with zero-knowledge selective disclosure, this gives a standard, low-friction path for issuing and presenting credentials. See w3.org.

In the EU, the European Health Data Space Regulation enters into force in March 2025 and is phased in, with full application around 2031. If you operate in the U.S. and also in the EU, get consent and credentialing sorted out early; cross-border data sharing will be smoother later. See consilium.europa.eu.

The upshot: you can deliver real value while staying compliant by using blockchain for trust, audit, and credentials, and keeping the data exchange itself grounded in FHIR, SMART, and TEFCA.


Architectural principles we use at 7Block Labs

  • FHIR first, minimal chain: Store protected health information (PHI) in FHIR servers or health information exchanges (HIEs). Anchor only hashes, attestations, consents, and credentials to a permissioned ledger, and never put PHI on-chain. Align with the HL7 FHIR R4/R5 resources, especially Consent, Provenance, and AuditEvent (hl7.org).
  • Standards-based consent and credentials: Model consent both as a FHIR Consent resource usable in workflows and as a W3C Verifiable Credential, a kind of "consent receipt", so it is portable and verifiable across networks. Use W3C VC v2 with OpenID OID4VCI and OID4VP for issuance and presentation.
  • Private, efficient revocation: Use VC Status List 2021 bitstrings for revocation and suspension. Where it helps, use BBS+ selective disclosure to keep data exposure to a minimum (w3.org).
  • Regulatory alignment: Map workflows to the CMS prior authorization timelines and the Da Vinci CRD/DTR/PAS IGs, and apply DS4P labels to meet the 42 CFR Part 2 consent rules (cms.gov).
  • TEFCA-ready setup: Connect through a QHIN or Participant for nationwide exchange, and record proof of each exchange as a notarized on-chain event; this supports audits and non-repudiation.
  • Wallet strategy: Support both user-controlled wallets and custodial options for organizations, so providers and patients are both covered. Use OIDC credential flows so issuance fits into existing identity frameworks.

Reference Architecture 1: Prior Authorization and Claims Eventing

Goal

Reduce denials and waiting times by streamlining coverage discovery, documentation capture, and the prior authorization process itself, and record every decision and approval in a way that cannot be altered later.

Core Components

Core components are the building blocks everything else relies on. The key points:

1. Data Management

Effective data management comes down to how data is gathered, stored, and used.

2. User Interface (UI)

The user interface is how people engage with the system; it needs to be easy to use and look good. Solid UI design principles:

  • Keep it simple
  • Ensure consistency
  • Provide feedback

3. Backend Infrastructure

The backend is made up of servers, databases, and APIs. It matters because it:

  • Handles business logic
  • Manages data flow
  • Ensures system performance

4. Security Measures

Security should not be an afterthought; keep it top of mind. Put strong measures in place to protect sensitive information:

  • Encrypt data
  • Regularly update software
  • Implement multi-factor authentication

5. Integration Capabilities

Systems need to communicate with one another, and integration features let different apps work together without friction. Common integration methods:

  • APIs
  • Webhooks
  • SDKs

6. Scalability

As demands on the system grow, it must grow with them. Scalability means the setup can handle more work when needed; plan for it from the start.

Conclusion

Keep these components in mind when building or assessing a system; they are the foundation that backs your goals and adapts as your needs evolve.

  • FHIR layer: A US Core/Da Vinci-aligned FHIR R4 server with a US Core baseline that manages clinical data and prior authorization bundles (hl7.org), plus a SMART v2 authorization server that supports Patient Standalone and Clinician EHR Launch (build.fhir.org).

  • Da Vinci Orchestration
  • CRD Service (CDS Hooks): Consulted at order time to check payer rules and coverage requirements.
  • DTR SMART App: Pre-populates payer questionnaires using CQL and SDC.
  • PAS Gateway: The entry point for submitting and tracking prior authorizations. A FHIR↔X12 intermediary is optional; CMS accepts FHIR-only submissions.
  • Consent and provenance: FHIR Consent resources with DS4P security labels handle the 42 CFR Part 2 segmentation requirements. A VC "consent receipt" anchored on the ledger references the Consent.id and carries a hash of the PDF consent document (build.fhir.org).
  • Ledger and audit: A permissioned ledger records hashed IDs of the prior authorization request and response bundles, decision timestamps, and credential proofs from the parties involved (the digital identities of the provider organization and the payer), which keeps the record secure and traceable. Every state change (submitted, pended, approved, denied, extended) emits an on-chain event linked to the versionId of the FHIR resource, so each step can be traced back.
  • TEFCA integration: Retrieve longitudinal patient data through TEFCA networks, subject to consent, and record the QHIN transaction correlation IDs in the on-chain audit trail (rce.sequoiaproject.org).

Data Flow Example: MRI Lumbar Spine Prior Authorization

Here is how prior authorization for a lumbar spine MRI works, step by step.

Step 1: Initial Request

1. Patient visit: The patient sees their doctor, who recommends an MRI of the lower back.
2. Gathering clinical information: The provider collects the essential clinical details, including symptoms and medical history.

Step 2: Sending the Request

3. Submitting the request: The provider sends the prior authorization request to the insurer, usually online, which speeds things up.
4. What to include: Attach supporting documents such as:

  • Patient's medical history
  • Explanation of symptoms
  • Previous treatments tried

Step 3: Insurance Review

5. Insurance review process: Once the insurer receives the request, it starts its review:

  • Assess whether the procedure is medically necessary.
  • Consult clinical guidelines.
  • Contact the provider if more details are needed.

Step 4: Decision

6. Authorization decision: After reviewing the details, the insurer will either:

  • Approve the request.
  • Deny the request.
  • Pend the request while more information is gathered.

Step 5: Communication

7. Notification: The provider is informed of the decision. If approved, they schedule the MRI. If denied, they discuss next steps with the patient, such as:

  • Appealing the decision
  • Trying alternative treatments

Summary

Understanding the data flow for a lumbar spine MRI prior authorization makes the process easier to manage. Keeping the documents at hand and maintaining communication between provider and insurer saves a lot of hassle later.

Mapped onto the architecture, the flow runs as follows:

  1. The clinician orders an MRI, and the EHR calls CRD through the CDS Hooks order-select hook to retrieve the coverage rules and any prior authorization requirements (hl7.org).
  2. DTR launches: the app fetches the payer's Questionnaire(s) and pre-populates whatever it can from FHIR; the clinician fills in the gaps (hl7.org).
  3. PAS sends a FHIR Bundle to the payer. The system records the bundle hash, the payer endpoint, and a VC proof of the clinician's role on-chain. If the payer requests additional information, each step is hashed and anchored as well (hl7.org).
  4. The payer must decide within 7 days, or within 72 hours for expedited cases. The decision payload is hashed and anchored too, and the Patient Access API is updated for transparency by January 1, 2027 (cms.gov).

Implementation Tips

When it is time to turn plans into reality, a few habits help. Tips to get started and stay on course:

  1. Start with a solid plan
    Before you jump in, write down what you want to accomplish, a timeline for getting it done, and the resources you will need (books, tools, support from others). Keeping it all in one place stops you getting sidetracked.
  2. Break it down
    Big projects are daunting; split them into smaller tasks so the work feels doable, take it one step at a time, and acknowledge the small wins along the way to keep motivation high.
  3. Stay flexible
    Things do not always turn out as expected. If something is not working, switch approach; flexibility opens new doors and often leads to better results.
  4. Collaborate with others
    Reach out to your team or community for support. Bouncing ideas around and getting feedback surfaces perspectives you would not have found alone.
  5. Keep communication open
    Regular updates and check-ins with your team and stakeholders keep everyone on the same page; openness prevents mix-ups and builds trust.
  6. Track your progress
    Use whatever tool suits you, whether a spreadsheet, project management software, or a notebook. Tracking progress keeps you on course and shows how much you have achieved.
  7. Learn from setbacks
    Things will not always go to plan. When you hit a bump, pause, work out what went wrong, and decide how to do better next time.
  8. Celebrate achievements
    Do not overlook the small wins; marking even minor successes keeps motivation up.

Keep these tips in mind and implementation gets easier, and more enjoyable.

  • Timelines: Publish metrics by March 31, 2026, and reach API compliance by January 1, 2027 (cms.gov).
  • Standards: Da Vinci PAS v2.1.0 (R4), CRD v2.1.0+, and DTR v2.1.0+. Watch for ballot updates, especially the PAS 2.2.0 ballot (hl7.org).

  • Enforcement discretion: You can deploy FHIR-only PAS and remain within HIPAA Administrative Simplification enforcement discretion (cms.gov).
  • On-chain schema: Keep on-chain schemas minimal and stick to basic event structures that carry no personal health information (PHI):
{
  "subjectRef": "...",
  "resourceType": "...",
  "resourceId": "...",
  "versionId": "...",
  "sha256": "...",
  "ts": "...",
  "actorCredentialId": "..."
}
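The prior authorization flow above and the no-PHI event schema, worked in Python as an added example (not 7Block Labs code): hashing a PAS resource version, deriving a pseudonymous subjectRef, building the anchor event, gating it against the schema before submission, reconciling the on-chain digest with the off-chain copy, and computing the 72-hour/7-day decision deadline. The Claim, secret, credential id and HMAC pseudonymisation are constructed assumptions for the demo, and the "state" field is an addition to the schema shown above.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: a FHIR R4 Claim of the kind a PAS bundle carries
# (illustrative ids only, not a real patient, payer or clinician).
SAMPLE_CLAIM = {
    "resourceType": "Claim",
    "id": "pa-req-1001",
    "meta": {"versionId": "3", "lastUpdated": "2026-02-10T14:05:00Z"},
    "status": "active",
    "use": "preauthorization",
    "patient": {"reference": "Patient/example-patient-77"},
    "insurer": {"reference": "Organization/example-payer"},
    "item": [{"sequence": 1, "productOrService": {"text": "MRI lumbar spine"}}],
}
# Constructed demo inputs; the HMAC secret stays off-chain with the data holder.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
DEMO_SUBMITTED = datetime(2026, 2, 10, 14, 5, tzinfo=timezone.utc)

# The only keys an anchor event may carry: the page's no-PHI schema plus "state".
EVENT_KEYS = {"subjectRef", "resourceType", "resourceId", "versionId",
              "sha256", "ts", "actorCredentialId", "state"}
STATES = {"submitted", "pended", "approved", "denied", "extended"}


def canonical_sha256(resource: dict) -> str:
    """Hash a deterministic serialisation of the FHIR resource."""
    # sort_keys + compact separators stands in for a full JSON canonicalisation
    # scheme; the off-chain store must use the same rule or reconciliation fails.
    blob = json.dumps(resource, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()


def pseudonymous_subject(patient_ref: str, secret: bytes) -> str:
    """Opaque subjectRef so the raw Patient id never reaches the ledger."""
    # Keyed with an off-chain secret: linkable by the data holder, not by chain readers.
    digest = hmac.new(secret, patient_ref.encode(), hashlib.sha256).hexdigest()
    return "subj:" + digest[:32]


def build_anchor_event(resource: dict, state: str, actor_credential_id: str,
                       subject_secret: bytes, ts: datetime) -> dict:
    """The on-chain event for one state change of one resource version."""
    if state not in STATES:
        raise ValueError(f"unknown state {state!r}")
    return {
        "subjectRef": pseudonymous_subject(resource["patient"]["reference"], subject_secret),
        "resourceType": resource["resourceType"],
        "resourceId": resource["id"],
        "versionId": resource["meta"]["versionId"],
        "sha256": canonical_sha256(resource),
        "ts": ts.isoformat(),
        "actorCredentialId": actor_credential_id,
        "state": state,
    }


def event_is_phi_free(event: dict) -> bool:
    """Schema gate before submission: whitelisted keys, string values, no raw patient ref."""
    if set(event) - EVENT_KEYS:
        return False
    for value in event.values():
        if not isinstance(value, str) or value.startswith("Patient/"):
            return False
    return True


def reconcile(event: dict, stored_resource: dict) -> bool:
    """Off-chain vs on-chain check: the stored version must hash to the anchored digest."""
    return (event["resourceId"] == stored_resource["id"]
            and event["versionId"] == stored_resource["meta"]["versionId"]
            and hmac.compare_digest(event["sha256"], canonical_sha256(stored_resource)))


def decision_deadline(submitted: datetime, expedited: bool) -> datetime:
    """CMS turnaround: 72 hours for expedited requests, 7 calendar days otherwise."""
    return submitted + (timedelta(hours=72) if expedited else timedelta(days=7))


def demo() -> dict:
    """Run the flow on the constructed sample and return the checks for inspection."""
    event = build_anchor_event(SAMPLE_CLAIM, "submitted", "cred:example-clinician-1",
                               DEMO_SECRET, DEMO_SUBMITTED)
    tampered = dict(SAMPLE_CLAIM, status="cancelled")  # same id/version, altered body
    return {
        "event": event,
        "phi_free": event_is_phi_free(event),
        "leak_caught": not event_is_phi_free(dict(event, subjectRef="Patient/example-patient-77")),
        "matches": reconcile(event, SAMPLE_CLAIM),
        "tamper_detected": not reconcile(event, tampered),
        "standard_deadline": decision_deadline(DEMO_SUBMITTED, False).isoformat(),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```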

KPIs to Track

Key Performance Indicators (KPIs) show how well a business is doing. The ones to watch:

1. Revenue Growth Rate

Track how revenue shifts over time; it shows whether the business is heading in the right direction:

Revenue Growth Rate = ((Current Period Revenue - Previous Period Revenue) / Previous Period Revenue) * 100

2. Customer Acquisition Cost (CAC)

Know what it costs to bring in a new customer; lower is better:

CAC = Total Costs of Sales and Marketing / Number of New Customers Acquired

3. Customer Lifetime Value (CLV)

The total value a customer brings over the entire relationship:

CLV = Average Purchase Value × Average Purchase Frequency × Average Customer Lifespan

4. Net Promoter Score (NPS)

NPS measures customer loyalty and satisfaction. Ask customers how likely they are to recommend the product or service on a scale from 0 to 10.

5. Churn Rate

Track how many customers you are losing; a high churn rate is a warning sign:

Churn Rate = (Customers Lost in a Period / Total Customers at Start of the Period) * 100

6. Website Traffic

Website traffic shows how you are doing online and how well marketing is working; tools like Google Analytics are a good place to start.

7. Conversion Rate

Track how many visitors actually buy or take the action you want:

Conversion Rate = (Number of Conversions / Total Visitors) * 100

Reviewing these KPIs regularly shows where to direct effort and what to tweak.

  • Approval rate on first submission, average time through the authorization cycle, share of electronic prior authorizations (ePA) handled via API, and appeal rates.
  • Completeness of denial reason coding, DTR pre-population coverage across payers, and on-chain versus off-chain reconciliation success rates, particularly hash matches.

Goal

Capture patient permissions once, clearly and in detail; apply them consistently across FHIR, TEFCA, and data reuse; and present them as verifiable credentials to anyone who needs to rely on them.

Core Components

Core components are the basic pieces that keep everything running, whether in software, hardware, or processes. The main ones:

1. Functionality: Can the component actually do its job and meet what users need? That is what matters most.

2. Compatibility: A solid component fits in with the systems and setups already in place.

3. Reliability: Components must do their job reliably, every time.

4. Scalability: As requirements expand, scalable components handle more workload or new features without strain.

5. Usability: The component must be easy to use; complexity leads to frustration instead of simplification.

Examples

  • Software libraries: Libraries such as React or TensorFlow give developers ready-made functions for building applications quickly.
  • Microcontrollers: On the hardware side, devices such as Arduino or Raspberry Pi make it easy to turn ideas into reality.

Why It Matters

Understanding these components matters for anyone who designs, builds, or improves a system; knowing where to focus saves time, money, and stress.


  • Consent modeling: FHIR Consent, preferably R5 for its richer fields: scope, time periods, grantor and grantee, and computable rules. Use DS4P security labels for segmentation of sensitive topics such as SUD or mental health (hl7.org). For complex constraints, the policy language hook via Consent.policyRule gives XACML- or ODRL-style expressiveness (hl7.org).
  • Credentialization: Issue a "Consent Receipt VC" to both the data subject's wallet and the agent wallet of the organization concerned. At access time, verifiers request proof via OID4VP (openid.net). Use Status List 2021 for revocations and suspensions so consent withdrawals and scope changes are handled correctly (w3.org).
  • Enforcement points: The FHIR API gateway enforces both Consent and DS4P. From February 16, 2026, rules for Substance Use Disorder (SUD) data must follow the updated 42 CFR Part 2 regulations, in particular the new redisclosure provisions and single TPO consent. The TEFCA participant gateway honors consent artifacts, logs the purpose of each exchange, and records exchange events on-chain for auditing.
  • Privacy tech: BBS+ VC signatures let a holder disclose selected claims while keeping the rest hidden; for example, proving that "consent is valid for treatment with this provider" without revealing anything about other areas (w3.org).

Operational Patterns

Operational patterns are the typical processes and behaviors an organization settles into. Understanding them helps streamline processes and improve efficiency. Key areas:

1. Standard Operating Procedures (SOPs)

SOPs lay out straightforward instructions for daily tasks, which keeps work consistent across teams, saves time, and cuts down on mistakes. A simple template:

# SOP Title
## Purpose
Explain why this procedure is necessary.

## Scope
Detail who this applies to and any limitations.

## Procedure
1. Step one
2. Step two
3. Step three

## Responsible Parties
List who is accountable for the procedure.

2. Communication Flow

Good communication is the heart of any organization. Set up clear channels: tools like Slack or Microsoft Teams for real-time messaging, plus regular email updates to keep everyone in the loop.

3. Performance Metrics

Metrics show how well operations are running and what needs tweaking. Set clear KPIs (Key Performance Indicators) that align with your goals, from sales numbers to customer satisfaction, and review them to spot areas that need work.

4. Feedback Loops

Feedback loops give team members a way to share observations that improve processes and keep people engaged. Make feedback welcome and show that it is taken seriously.

5. Continuous Improvement

Continuous improvement means always looking for better ways to get things done. Foster innovation and give the team room to try new ideas and different approaches.

In short: keep SOPs current, communicate clearly, track performance, welcome feedback, and keep improving. These operational patterns raise an organization's efficiency and effectiveness.

  • Consent lifecycle
  1. Capture: The patient signs consent online. Store it as a FHIR Consent resource alongside the signed PDF artifact.
  2. Issue: Build a Consent Verifiable Credential (VC) that carries the essentials: a reference to Consent.id, the scope, the validity period, and a hash of the artifact. Deliver it through OIDC4VCI. (openid.net).
  3. Enforce: On every API call, verify the VC proof (OID4VP), check Consent.status, and evaluate the DS4P labels. (openid.net).
  4. Revoke/modify: Update the FHIR Consent, flip the VC's entry in the status list, and log the revocation event on-chain so the record stays consistent. (w3.org).
  • Plan for the tricky edge cases up front. TPO and research reuse need separate consents, each with its own VC type and status list.
  • Redisclosure audit for 42 CFR Part 2: log redisclosure events with the consent reference, never the data itself. (troutman.com).
  • Cross-jurisdiction (EU EHDS): keep primary use and secondary use clearly separated, in line with EHDS goals, and consider making consent verification credentials portable across countries. (health.ec.europa.eu).
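The four lifecycle steps above, walked through end to end. This is an added example, not code from the page or from 7Block Labs, and it uses only the Python standard library. Its assumptions are mine, not the page's: the VC proof is an HMAC over the canonical credential (a stand-in for the JWS or Data Integrity proof an OID4VP verifier would actually check), the status list is a plain list of bits, and the "ledger" is an in-memory hash chain that holds identifiers and hashes only.

```python
"""Consent lifecycle: capture, issue, enforce, revoke (added example).

Not code from the page or from 7Block Labs. Standard library only.
Assumptions (mine, not the page's): the VC proof is an HMAC over the
canonical credential, standing in for the JWS/Data Integrity proof an
OID4VP verifier would check; the status list is a plain bit list; the
"ledger" is an in-memory hash chain holding identifiers and hashes only.
"""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

ISSUER_KEY = b"constructed-issuer-key-do-not-use"  # constructed secret
STATUS_LIST = [0] * 16                             # 0 = valid, 1 = revoked
LEDGER = []                                        # hash-chained events, no PHI
CONFIDENTIALITY = ["U", "L", "M", "N", "R", "V"]   # HL7 codes, least to most restrictive


def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def capture_consent(consent_id, patient_ref, purpose, pdf_bytes, days=365):
    """Step 1: FHIR R4 Consent plus the SHA-256 of the signed PDF artifact."""
    now = datetime.now(timezone.utc)
    return {
        "resourceType": "Consent",
        "id": consent_id,
        "status": "active",
        "scope": {"coding": [{"code": "patient-privacy"}]},
        "patient": {"reference": patient_ref},
        "dateTime": now.isoformat(),
        "provision": {
            "type": "permit",
            "purpose": [{"code": purpose}],
            "period": {"start": now.isoformat(),
                       "end": (now + timedelta(days=days)).isoformat()},
            "securityLabel": [{"code": "R"}],  # DS4P: restricted
        },
        "_artifactSha256": sha256_hex(pdf_bytes),
    }


def issue_consent_vc(consent, status_index):
    """Step 2: consent-receipt VC that references the Consent, not its content."""
    payload = {
        "type": ["VerifiableCredential", "ConsentReceiptCredential"],
        "credentialSubject": {
            "consentId": consent["id"],
            "purpose": consent["provision"]["purpose"][0]["code"],
            "validUntil": consent["provision"]["period"]["end"],
            "artifactSha256": consent["_artifactSha256"],
        },
        "credentialStatus": {"type": "StatusList2021Entry",
                             "statusPurpose": "revocation",
                             "statusListIndex": status_index},
    }
    mac = hmac.new(ISSUER_KEY, canonical(payload), hashlib.sha256).digest()
    payload["proof"] = base64.urlsafe_b64encode(mac).decode()
    return payload


def authorize(vc, consent, requested_purpose, caller_clearance):
    """Step 3, at the API gateway: proof, Consent.status, purpose, expiry,
    DS4P label against caller clearance, then the status-list bit."""
    unsigned = {k: v for k, v in vc.items() if k != "proof"}
    expected = hmac.new(ISSUER_KEY, canonical(unsigned), hashlib.sha256).digest()
    if not hmac.compare_digest(base64.urlsafe_b64decode(vc["proof"]), expected):
        return "deny: bad proof"
    subj = vc["credentialSubject"]
    if subj["consentId"] != consent["id"] or consent["status"] != "active":
        return "deny: consent not active"
    if subj["purpose"] != requested_purpose:
        return "deny: purpose mismatch"
    if datetime.fromisoformat(subj["validUntil"]) < datetime.now(timezone.utc):
        return "deny: expired"
    label = consent["provision"]["securityLabel"][0]["code"]
    if CONFIDENTIALITY.index(caller_clearance) < CONFIDENTIALITY.index(label):
        return "deny: DS4P label above caller clearance"
    if STATUS_LIST[vc["credentialStatus"]["statusListIndex"]] == 1:
        return "deny: revoked"
    return "permit"


def revoke(consent, vc):
    """Step 4: update the Consent, flip the status bit, anchor the event."""
    consent["status"] = "inactive"
    STATUS_LIST[vc["credentialStatus"]["statusListIndex"]] = 1
    event = {
        "event": "consent-revoked",
        "consentId": consent["id"],
        "statusListIndex": vc["credentialStatus"]["statusListIndex"],
        "prev": LEDGER[-1]["hash"] if LEDGER else "0" * 64,
    }
    event["hash"] = sha256_hex(canonical(event))
    LEDGER.append(event)
    return event
```

The order of checks in `authorize` matters: the proof is verified before any field is trusted, and the status-list bit is consulted last because it is the only check that may involve a network fetch in a real deployment. The on-chain event carries the consent id and status index, nothing from the consent text itself, which is what the "log the event, not the data" rule in the Part 2 bullet asks for.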

Reference Architecture 3: Verifiable Provider and Patient Credentials

Goal:

Issue and verify digital credentials for licenses, care-team roles, network participation, and age or identity, with revocation that preserves privacy and zero-click wallet flows that keep the experience smooth.

Credential Types to Prioritize


  • Provider credentials: active license in good standing, NPI assertion, DEA registration where required, network participation, and hospital privileges.
  • Patient credentials: relationship or guardian status, age or identity sufficient to give consent, and proof of insurance coverage.

Core Components


  • Issuance: State boards, NPPES, and payer/provider directories are the authoritative sources. They can adopt OIDC4VCI for simpler, cheaper issuance on top of the OAuth infrastructure they already run. Before issuing, pull the claims from trusted sources through APIs such as NPI/NPPES, payer directories, and the CMS esMD FHIR provider registration.
  • Verification: Relying parties (EHR apps, payer portals, TEFCA gateways) request presentations with OID4VP. Keep a cache of issuer metadata and trust lists on hand. For credential status, use Status List 2021, which keeps call-home privacy leaks to a minimum.
  • Wallets: Support both device wallets and enterprise custodial wallets; the latter matter for hospitals issuing credentials to staff. On the government-identity side, the TSA is starting to accept state mobile driver's licenses (mDLs) and to handle the REAL ID waiver process. That won't replace healthcare credentials, but it is useful for bootstrapping identity proofing. (tsa.gov).

Practical Issuance Examples


  • Provider License VC
    • Subject: Practitioner DID and NPI.
    • Claims: license number, board, jurisdiction, status, and expiry.
    • Proof: link to the board registry entry, with timestamp.
    • Status: Status List 2021 entry with the "revocation" purpose.
    • Presentation: required for PAS submissions and for OR privileging.
  • Network Participation VC (Payer)
    • Subject: PractitionerRole/Organization.
    • Claims: product lines, effective dates, and network regions.
    • Status: suspended or terminated, via the status list.

Security and Privacy


With BBS+ selective disclosure, a practitioner can prove "licensed-active" without revealing the license number, or prove in-network status for a particular plan without exposing the rest of the credential. Avoid per-credential status URLs, which let the issuer see who is being checked; use aggregated status lists instead.
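The aggregated-list point above, and the Status List 2021 recommendation in the Verification bullet, in working form. This is an added example, not code from the page or from 7Block Labs. The bit packing (bit 0 is the most significant bit of byte 0), gzip compression and base64url encoding follow the W3C StatusList2021 draft as I read it, and the 16 KB minimum is that spec's herd-privacy floor; the `Issuer` class, its fetch log, the list URL, the DIDs and the credential layout are constructed for the example.

```python
"""Status List 2021 check against an aggregated revocation list (added example).

Not code from the page or from 7Block Labs. The bit packing (bit 0 is the
most significant bit of byte 0), gzip compression and base64url encoding
follow the W3C StatusList2021 draft as I read it; the 16 KB minimum is the
spec's herd-privacy floor. The Issuer class, its fetch log, the list URL and
the credential layout are constructed for the example.
"""
import base64
import gzip

MIN_BITS = 131_072  # 16 KB uncompressed: one fetch covers many credentials


def encode_status_list(bits):
    """Pack a list of 0/1 into a bitstring, gzip it and base64url-encode it."""
    buf = bytearray((len(bits) + 7) // 8)
    for i, bit in enumerate(bits):
        if bit:
            buf[i // 8] |= 0x80 >> (i % 8)
    return base64.urlsafe_b64encode(gzip.compress(bytes(buf))).decode()


def decode_status_list(encoded):
    return gzip.decompress(base64.urlsafe_b64decode(encoded))


def bit_at(raw, index):
    if index >= len(raw) * 8:
        raise ValueError("statusListIndex outside the published list")
    return bool(raw[index // 8] & (0x80 >> (index % 8)))


class Issuer:
    """Publishes one aggregated list; records which URLs verifiers fetch."""

    def __init__(self, list_url):
        self.list_url = list_url
        self.bits = [0] * MIN_BITS
        self.fetch_log = []

    def issue(self, subject_did, index):
        return {
            "credentialSubject": {"id": subject_did, "licenseStatus": "active"},
            "credentialStatus": {
                "type": "StatusList2021Entry",
                "statusPurpose": "revocation",
                "statusListIndex": str(index),
                "statusListCredential": self.list_url,
            },
        }

    def revoke(self, index):
        self.bits[index] = 1

    def fetch(self, url):
        # All the issuer learns about a verification is the list URL.
        self.fetch_log.append(url)
        if url != self.list_url:
            raise KeyError(url)
        return {"credentialSubject": {"type": "StatusList2021",
                                      "statusPurpose": "revocation",
                                      "encodedList": encode_status_list(self.bits)}}


def check_status(credential, fetch):
    """Verifier side: fetch the whole list, then test the credential's bit."""
    entry = credential["credentialStatus"]
    if entry["statusPurpose"] != "revocation":
        raise ValueError("unexpected statusPurpose")
    list_cred = fetch(entry["statusListCredential"])
    if list_cred["credentialSubject"]["statusPurpose"] != entry["statusPurpose"]:
        raise ValueError("list purpose does not match entry purpose")
    raw = decode_status_list(list_cred["credentialSubject"]["encodedList"])
    return "revoked" if bit_at(raw, int(entry["statusListIndex"])) else "valid"
```

The `fetch_log` is the privacy property made visible: after checking any number of credentials from the same list, the issuer has only seen the list URL, not which index (and therefore which practitioner) any verifier was interested in. A verifier can also cache the fetched list for its validity window, so the usual deployment does not even make one fetch per presentation.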


Choosing your ledger stack: what fits healthcare

  • Hyperledger Fabric: Private data collections let only the organizations that need the sensitive data see it, while every member of the channel still sees the hashes for auditing. That balance of privacy and transparency suits consortium claims and consent records. Chaincode-level Attribute-Based Access Control (ABAC) and purpose-built collections keep access management tractable.
  • Hyperledger Besu/GoQuorum with Tessera: EVM smart contracts, with privacy groups for the transactions that must stay confidential; Tessera handles the private payloads and group management. A solid choice if you want Solidity and enterprise Ethereum tooling.
  • R3 Corda: A UTXO-style ledger with no global broadcast; notaries provide uniqueness and timestamping. Privacy is built in from the start, which makes it a good fit for bilateral workflows such as payer-provider contracting.

Selection Tips


Rolling out EVM with flexible tokenized incentives (directory data-quality bounties, for example)? Use Besu or GoQuorum with Tessera. If strong endorsement policies and channel governance matter most, Fabric is the better fit. For tightly private workflows between two parties, look at Corda.

Keep PHI (Protected Health Information) off the blockchain. Store only the essentials: hashes, timestamps, DIDs, VC IDs, and status-list pointers.


Example deployment patterns we’ve delivered

Pattern A: Prior Auth “Audit Spine” for a Multi-Payer Region


  • Stack: a FHIR R4 server with CRD, DTR, and PAS services; Besu with Tessera for the event log; an OIDC provider; and a microservice that issues VCs.
  • On-chain: only SHA-256 hashes of PAS bundles, decision metadata, issuer and verifier DIDs, and revocation-list URIs. No PHI.
  • Targets: authorization decisions 30-50% faster, a significant drop in appeals, and a cryptographically verifiable audit trail that meets payer reporting requirements, all by March 31, 2026. (cms.gov).
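The "hash only, no PHI" rule from the ledger section and Pattern A's on-chain list, turned into code with a guard that refuses to anchor anything outside the allowed fields. This is an added example, not code from the page or from 7Block Labs. The PAS bundle, the DIDs, the VC id, the status-list URI and the in-memory "chain" are constructed; `ALLOWED_FIELDS` is my reading of the page's rule (hashes, timestamps, DIDs, VC IDs, status pointers on-chain, never PHI) and `PHI_KEYS` is a constructed blocklist, not an exhaustive one.

```python
"""Hash-only anchoring for PAS decisions with a PHI guard (added example).

Not code from the page or from 7Block Labs. The PAS bundle, DIDs, VC id,
status-list URI and the in-memory "chain" are constructed; ALLOWED_FIELDS is
my reading of the page's rule (hashes, timestamps, DIDs, VC IDs, status
pointers on-chain, never PHI) and PHI_KEYS is a constructed blocklist.
"""
import hashlib
import json

ALLOWED_FIELDS = {"bundleSha256", "decision", "decidedAt", "issuerDid",
                  "verifierDid", "vcId", "statusListUri", "prevHash", "recordHash"}
PHI_KEYS = {"name", "birthDate", "address", "telecom", "identifier",
            "patient", "mrn", "ssn"}


def canonical(obj) -> bytes:
    """Deterministic JSON so the same bundle always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def bundle_hash(bundle) -> str:
    return hashlib.sha256(canonical(bundle)).hexdigest()


def contains_phi(obj) -> bool:
    """Recursively look for PHI-style keys anywhere in a record."""
    if isinstance(obj, dict):
        return any(k in PHI_KEYS or contains_phi(v) for k, v in obj.items())
    if isinstance(obj, list):
        return any(contains_phi(v) for v in obj)
    return False


class AuditSpine:
    """Append-only, hash-chained records; the bundle itself stays off-chain."""

    def __init__(self):
        self.chain = []

    @staticmethod
    def validate(record):
        extra = set(record) - ALLOWED_FIELDS
        if extra:
            raise ValueError(f"fields not allowed on-chain: {sorted(extra)}")
        if contains_phi(record):
            raise ValueError("PHI detected in on-chain record")

    def anchor(self, bundle, decision, issuer_did, verifier_did, vc_id,
               status_list_uri, decided_at):
        record = {
            "bundleSha256": bundle_hash(bundle),
            "decision": decision,
            "decidedAt": decided_at,
            "issuerDid": issuer_did,
            "verifierDid": verifier_did,
            "vcId": vc_id,
            "statusListUri": status_list_uri,
            "prevHash": self.chain[-1]["recordHash"] if self.chain else "0" * 64,
        }
        self.validate(record)
        record["recordHash"] = hashlib.sha256(canonical(record)).hexdigest()
        self.chain.append(record)
        return record

    def verify(self, index, offchain_bundle) -> bool:
        """Reconciliation: does the off-chain bundle match, and is the link intact?"""
        rec = self.chain[index]
        if bundle_hash(offchain_bundle) != rec["bundleSha256"]:
            return False
        body = {k: v for k, v in rec.items() if k != "recordHash"}
        if hashlib.sha256(canonical(body)).hexdigest() != rec["recordHash"]:
            return False
        expected_prev = self.chain[index - 1]["recordHash"] if index else "0" * 64
        return rec["prevHash"] == expected_prev
```

`verify` is the on-chain/off-chain reconciliation step the roadmap calls for: the off-chain PAS bundle is rehashed and compared with the anchored digest, then the record and its link to the previous record are recomputed. A key-blocklist PHI check is a last line of defence, not a substitute for the whitelist; the whitelist is what actually keeps free-text fields off the ledger.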

Pattern B: Cross-Network Computable Consent

  • Stack: an R5 Consent service with DS4P labeling; Fabric, with private data collections, to handle consent disputes; VC "consent receipts" issued via OIDC4VCI and verified with OID4VP at the gateway.
  • Outcomes: patients control their consent and every party honors it during TEFCA exchange; when a patient revokes, the update reaches all verifiers within minutes.

Pattern C: Provider Directory Cleanup with Credential Incentives


  • Inspiration: provider data sharing consortia show real ROI when several payers publish updates to a common ledger. Add VC issuance for verified changes and app-level incentives, and the directory stays clean. (synaptichealthalliance.com).

Implementation roadmap (180 days)

  • Days 0-30: Compliance baseline. Map the CMS 0057-F obligations: the metrics, the APIs, and the decision timeframes.
    • Pin the IG versions (PAS 2.1.0, CRD 2.1.0, DTR 2.1.0) and the SMART v2 capability sets, and work out how TEFCA fits in. (hl7.org).
  • Days 31-90: Minimum viable flows.
    • Stand up the PAS + DTR pathway for one of the top 10 CPT families and wire its events to Fabric/Besu. Issue the first batch of Consent VCs and verify them with OID4VP at the API gateway. (openid.net).
  • Days 91-150: Scale and harden.
    • Issue VCs for payer network participation, adopt Status List 2021, and enforce DS4P on SUD data paths. Start TEFCA pilot connectivity. (w3.org).
  • Days 151-180: Governance and operations.
    • Settle the DID method strategy, starting with did:web for regulated issuers. Cover key rotation, issuance SLAs, and incident playbooks. Double-check the metrics collected for CMS reporting, and reconcile on-chain and off-chain records.

Emerging best practices

Stick with the SMART v2 scopes and use capability discovery, and publish your endpoint metadata following the HTI-1 guidelines. This makes apps easier to onboard and tightens security for the third-party apps connecting to your FHIR APIs. (himss.org).
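As an added illustration of what "stick with SMART v2 scopes and capability discovery" means at the API gateway (this is example code, not from the original post or any of the projects it names): the smart-configuration excerpt, the scopes and the requests are constructed. The check reads the server's advertised capabilities, parses v2 resource scopes (and maps legacy v1 scopes onto v2 letters), rejects malformed scopes instead of guessing, and decides whether a single FHIR interaction is covered by the token.

```python
"""Enforce SMART App Launch v2 scopes in front of a FHIR API.

Added example, not code from the original post. The smart-configuration
document, the scopes and the requests below are constructed for illustration.
"""
import json
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpt of what a server publishes at /.well-known/smart-configuration.
SMART_CONFIG: Dict = json.loads("""
{
  "authorization_endpoint": "https://auth.example.org/authorize",
  "token_endpoint": "https://auth.example.org/token",
  "capabilities": ["launch-ehr", "client-confidential-asymmetric",
                   "permission-v2", "permission-patient", "context-ehr-patient"],
  "scopes_supported": ["openid", "fhirUser", "launch", "patient/*.rs", "user/*.cruds"]
}
""")

# v2 resource scope: context/ResourceType.permissions[?filter]
# permissions are a subset of c r u d s (create, read, update, delete, search) in that order.
V2_SCOPE = re.compile(r"^(patient|user|system)/(\*|[A-Z][A-Za-z]+)\.([cruds]{1,5})(\?.*)?$")
# v1 scopes are still seen in the wild; map them onto v2 permission letters.
V1_SCOPE = re.compile(r"^(patient|user|system)/(\*|[A-Z][A-Za-z]+)\.(read|write|\*)$")
V1_TO_V2 = {"read": "rs", "write": "cud", "*": "cruds"}


def supports_permission_v2(config: Dict) -> bool:
    """Capability discovery: only rely on v2 scope semantics if the server advertises them."""
    return "permission-v2" in config.get("capabilities", [])


def parse_scope(scope: str) -> Optional[Tuple[str, str, Set[str]]]:
    """Return (context, resource, permissions) or None for non-resource or malformed scopes."""
    m = V2_SCOPE.match(scope)
    if m:
        ctx, res, perms, _filter = m.groups()
        # v2 requires canonical letter order; reject e.g. ".sr" rather than guess.
        if perms != "".join(c for c in "cruds" if c in perms):
            return None
        return ctx, res, set(perms)
    m = V1_SCOPE.match(scope)
    if m:
        ctx, res, v1 = m.groups()
        return ctx, res, set(V1_TO_V2[v1])
    return None  # openid, fhirUser, launch, offline_access and friends carry no resource grant


def is_permitted(granted: List[str], context: str, resource: str, action: str) -> bool:
    """Decide whether one FHIR interaction is covered by the token's granted scopes.

    The context must match exactly: a token holding only user/ scopes does not
    satisfy a patient-compartment request here; how contexts map is the server's call.
    """
    if action not in "cruds" or len(action) != 1:
        raise ValueError("action must be one of c, r, u, d, s")
    for scope in granted:
        parsed = parse_scope(scope)
        if parsed is None:
            continue
        ctx, res, perms = parsed
        if ctx == context and res in ("*", resource) and action in perms:
            return True
    return False


def unsupported_scopes(config: Dict, requested: List[str]) -> List[str]:
    """Requested scopes the server does not advertise (wildcards in scopes_supported count)."""
    advertised = config.get("scopes_supported", [])
    supported = [p for p in (parse_scope(s) for s in advertised) if p]
    out = []
    for r in requested:
        p = parse_scope(r)
        if p is None:
            if r not in advertised:
                out.append(r)
            continue
        ctx, res, perms = p
        if not any(sc == ctx and sr in ("*", res) and perms <= sp for sc, sr, sp in supported):
            out.append(r)
    return out
```

Run `unsupported_scopes` on the app's requested scope list before redirecting to the authorization endpoint, and `is_permitted` on every inbound request after token introspection; the filter part of a v2 scope (everything after `?`) is accepted but not enforced here, which is the next thing a gateway would add.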

Keep the "consent to disclose" artifacts (the FHIR Consent resource and its VC) separate from the "identity/age" VC. Don't overload a single credential with too many claims; simplicity is key.

Consider a "suspension" status instead of a full revocation for temporary holds, for example while a board investigation is under way. Status List 2021 supports both purposes. (w3.org).

For licensure and network proof, reference the official registries in the VC's evidence. Cache issuer metadata and pin the signature suites you accept: EdDSA is the safer default because of its broad support, and BBS+ is a solid choice when you need selective disclosure. (w3.org).

When you put together your QHIN/Participant agreements, spell out how on-chain audit artifacts are handled and how disputes are resolved; it saves everyone headaches later. Stay aligned with the TEFCA governance SOPs. (sequoiaproject.org).

If you are eyeing the EU market, keep partitioning in mind during design, separating the primary purpose of use from secondary uses, so you can line up with the EHDS application schedule. It's worth sketching your plan for the acts rolling out through 2027.


Risk checklist (and how to dodge each one)

  • Never put PHI on-chain; it's a huge red flag. Save hashes or pointers instead, keep the real data in FHIR/HIE, and tag it with DS4P labels. You keep the integrity guarantee while access is managed where the data lives. (build.fhir.org).
  • VC revocation via a unique status URL per credential lets the issuer see which credential is being checked and by whom. Use aggregated Status Lists instead, so checking a status does not let holders and verifiers be correlated.
  • 42 CFR Part 2 redisclosure: keep the redisclosure policies tight and stay on top of audits. Aim to have compliance sorted out by February 16, 2026. (troutman.com).
  • PAS/CRD/DTR dialects: stick with the official published versions. That way you avoid costly rewrites when regulators start naming specific Implementation Guides (IGs). (hl7.org).
  • Wallet UX: use OIDC4VCI/OID4VP so the existing OAuth/OIDC setup carries the credential flows and users get a much smoother experience. (openid.net).
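The first risk item above (hashes and pointers on-chain, PHI with its DS4P labels off-chain) and the Part 2 redisclosure item, worked through as an added example that is not code from the original post: the Consent resource, the store URL and the anchor record layout are constructed, and the labels use the HL7 v3 Confidentiality and ActCode systems that DS4P security labelling draws on. The guard rejects any anchor record that carries an identifying field before it can be written, and the read-back check ties the off-chain resource to the on-chain hash.

```python
"""Keep PHI off-chain: anchor only a hash and a pointer, and refuse to anchor PHI.

Added example, not code from the original post. The Consent resource, the store
URL and the anchor record layout are constructed; the labels use the HL7 v3
Confidentiality and ActCode systems that DS4P security labelling draws on.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, Set

# Constructed FHIR Consent. Everything in it, including the DS4P-style
# meta.security labels, stays in the FHIR store; only the anchor goes on-chain.
CONSENT: Dict[str, Any] = {
    "resourceType": "Consent",
    "id": "c-0001",
    "meta": {
        "versionId": "3",
        "security": [
            {"system": "http://terminology.hl7.org/CodeSystem/v3-Confidentiality", "code": "R"},
            {"system": "http://terminology.hl7.org/CodeSystem/v3-ActCode", "code": "NOREDISCLOSE"},
        ],
    },
    "status": "active",
    "patient": {"reference": "Patient/p-42"},
    "provision": {"type": "permit"},
}

# Keys that identify a person or carry clinical/consent content. An anchor record
# containing any of them (at any depth) is rejected before it can be written.
PHI_KEYS: Set[str] = {"patient", "subject", "name", "birthDate", "address", "telecom",
                      "identifier", "provision", "security", "reference", "code"}
PHI_VALUE_MARKERS = ("Patient/",)  # string values that are direct patient references


def canonical_hash(resource: Dict[str, Any]) -> str:
    """SHA-256 of a canonical JSON form (sorted keys, no whitespace) so hashes are reproducible."""
    data = json.dumps(resource, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def contains_phi(value: Any) -> bool:
    """Recursive guard: True if any PHI key or patient reference appears in the record."""
    if isinstance(value, dict):
        return any(k in PHI_KEYS or contains_phi(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_phi(v) for v in value)
    if isinstance(value, str):
        return any(marker in value for marker in PHI_VALUE_MARKERS)
    return False


def make_anchor(resource: Dict[str, Any], store_base: str) -> Dict[str, str]:
    """The on-chain record: a versioned pointer into the FHIR store plus the content hash."""
    version = resource.get("meta", {}).get("versionId", "1")
    anchor = {
        "pointer": f"{store_base}/{resource['resourceType']}/{resource['id']}/_history/{version}",
        "sha256": canonical_hash(resource),
        "versionId": version,
    }
    if contains_phi(anchor):
        raise ValueError("refusing to anchor a record that carries PHI")
    return anchor


def verify_anchor(anchor: Dict[str, str], fetched: Dict[str, Any]) -> bool:
    """On read-back: the off-chain resource must still match the on-chain hash."""
    return hmac.compare_digest(anchor["sha256"], canonical_hash(fetched))


def security_labels(resource: Dict[str, Any]) -> Set[str]:
    """Codes from meta.security, which the off-chain store uses for access decisions."""
    return {lbl.get("code", "") for lbl in resource.get("meta", {}).get("security", [])}


def redisclosure_allowed(resource: Dict[str, Any]) -> bool:
    """42 CFR Part 2 style check: a NOREDISCLOSE label blocks onward disclosure."""
    return "NOREDISCLOSE" not in security_labels(resource)
```

The pointer is versioned (`_history/{versionId}`) so that an update to the Consent produces a new anchor rather than silently invalidating the old one, and the label check runs on the fetched resource, not on anything stored on the ledger.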
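The aggregated Status List point in the second risk item, and the earlier best practice of suspending rather than revoking, as one added example (not code from the original post): the list URLs, the issuer DID and the indexes are constructed, bit index 0 is taken as the most significant bit of byte 0 (an assumption matching the later W3C Bitstring Status List text), and the list credential is built unsigned, where a real issuer would sign it. A verifier fetches the whole list, so the issuer learns nothing about which credential was checked; separate lists per purpose let a suspension be lifted while a revocation stays final.

```python
"""Status List 2021 with separate revocation and suspension lists, as a verifier reads them.

Added example, not code from the original post. The list URLs, issuer DID and
indexes are constructed; bit index 0 is taken as the most significant bit of
byte 0 (an assumption matching the W3C Bitstring Status List text). The list
credential is built unsigned here; a real issuer signs it.
"""
import base64
import gzip
from typing import Dict, List

MIN_ENTRIES = 16 * 1024 * 8  # the spec's 16 KB minimum bitstring, i.e. 131072 entries


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class StatusList:
    """One bitstring per statusPurpose; the spec allows exactly one purpose per list."""

    def __init__(self, list_id: str, purpose: str, entries: int = MIN_ENTRIES):
        if purpose not in ("revocation", "suspension"):
            raise ValueError("statusPurpose must be 'revocation' or 'suspension'")
        self.list_id, self.purpose = list_id, purpose
        self.bits = bytearray(entries // 8)  # all zero: every credential starts valid

    def set(self, index: int, flagged: bool) -> None:
        byte, bit = divmod(index, 8)
        mask = 0x80 >> bit
        self.bits[byte] = (self.bits[byte] | mask) if flagged else (self.bits[byte] & ~mask & 0xFF)

    def get(self, index: int) -> bool:
        byte, bit = divmod(index, 8)
        return bool(self.bits[byte] & (0x80 >> bit))

    def encoded_list(self) -> str:
        # GZIP then base64url; a mostly-zero 16 KB list compresses to a few dozen bytes.
        return _b64url(gzip.compress(bytes(self.bits), mtime=0))

    @classmethod
    def from_encoded(cls, list_id: str, purpose: str, encoded: str) -> "StatusList":
        lst = cls(list_id, purpose, entries=8)
        lst.bits = bytearray(gzip.decompress(_unb64url(encoded)))
        return lst

    def to_credential(self, issuer: str) -> Dict:
        """The StatusList2021Credential the issuer publishes at list_id."""
        return {
            "@context": ["https://www.w3.org/2018/credentials/v1",
                         "https://w3id.org/vc/status-list/2021/v1"],
            "id": self.list_id,
            "type": ["VerifiableCredential", "StatusList2021Credential"],
            "issuer": issuer,
            "credentialSubject": {
                "id": f"{self.list_id}#list",
                "type": "StatusList2021",
                "statusPurpose": self.purpose,
                "encodedList": self.encoded_list(),
            },
        }


def status_entry(lst: StatusList, index: int) -> Dict:
    """credentialStatus entry to embed in an issued VC (one per purpose)."""
    return {"id": f"{lst.list_id}#{index}", "type": "StatusList2021Entry",
            "statusPurpose": lst.purpose, "statusListIndex": str(index),
            "statusListCredential": lst.list_id}


def publish(issuer: str, lists: List[StatusList]) -> Dict[str, Dict]:
    """What a verifier caches: the list credentials keyed by their URL."""
    return {lst.list_id: lst.to_credential(issuer) for lst in lists}


def check_status(vc: Dict, published: Dict[str, Dict]) -> str:
    """Return 'revoked', 'suspended' or 'valid'. Revocation wins over suspension."""
    entries = vc.get("credentialStatus", [])
    if isinstance(entries, dict):
        entries = [entries]
    result = "valid"
    for entry in entries:
        cred = published[entry["statusListCredential"]]
        subject = cred["credentialSubject"]
        if subject["statusPurpose"] != entry["statusPurpose"]:
            raise ValueError("statusPurpose of entry and list disagree")
        lst = StatusList.from_encoded(cred["id"], subject["statusPurpose"], subject["encodedList"])
        if lst.get(int(entry["statusListIndex"])):
            if lst.purpose == "revocation":
                return "revoked"
            result = "suspended"
    return result
```

In production the verifier also checks the list credential's signature and its issuer against the issuing VC, and caches it with a short TTL, which is what makes the "revocations land within minutes" claim concrete.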

What success looks like

  • Prior authorization turnaround times hit the 72-hour and 7-day marks, initial approval rates look solid, the payer metrics come out as planned, and there is cryptographic audit evidence ready for regulators whenever they ask for it. (cms.gov).
  • Patients and providers hold consent and credentialing VCs that can be verified across networks, and revocations land within minutes thanks to quick status list updates. (w3.org).
  • Your APIs are aligned with the HTI‑1 SMART/USCDI v3 standards, which sets you up for expansion over the TEFCA exchange and positions your organization for the U.S. and EU interoperability programs running through 2029 and beyond. (himss.org).


How 7Block Labs can help

We design, build, and manage all the different pieces that make this happen.

  • We’re diving into some architecture sprints to connect Da Vinci, SMART, TEFCA, and the Part 2 controls with your setup.
  • We've got some reference implementations lined up for PAS, consent VC, and an on-chain audit spine, whether you're using Fabric or Besu/Tessera.
  • We offer issuer and verifier services that make use of OIDC4VCI and OID4VP, all while incorporating Status List 2021 to ensure we can scale effectively.
  • We're working on some governance packs that cover everything from DID method policies and key management to aligning with TEFCA/QHIN and setting up those CMS reporting pipelines.

Are you excited to jump into one of these reference architectures in just 90 days? Let’s take a closer look at what that involves!



7BlockLabs

Full-stack blockchain product studio: DeFi, dApps, audits, integrations.

7Block Labs is a trading name of JAYANTH TECHNOLOGIES LIMITED.

Registered in England and Wales (Company No. 16589283).

Registered Office address: Office 13536, 182-184 High Street North, East Ham, London, E6 2JA.

© 2026 7BlockLabs. All rights reserved.