Care Management Design Best Practices and Considerations

Overview

Microsoft Cloud for Healthcare includes solutions like Care Management app that are built on capabilities within Microsoft Dynamics 365, Microsoft 365, Microsoft Azure, and Microsoft Power Platform.

The patient profile as part of the solution requires careful planning and strategic implementation. In this guide, we will explore the best practices and key considerations for designing a robust patient Profile. By following these guidelines, implementors can unlock the full potential of Microsoft Cloud for Healthcare and reduce the risk of errors and oversights during the design and development process, as it provides a clear set of guidelines to follow.

Design considerations for patient profiles, care plans and care teams

The unified patient profile scenario in Microsoft Cloud for Healthcare provides hospitals with a 360-degree perspective of their patient to enable a more engaged interaction with Care Plans and Care Teams. The solution has Administration, People (Patients and Practitioners), Organizations and Locations, Care Plans, Care Plan activities, Care Plan Goals and templates. This section provides configuration considerations for each of these tabs.

Configuring People (Patient and Practitioners)

The patient profile is the core to the process of identifying and reviewing all the plans and procedures that will apply. These can be reviewed in different ways using the Care management app or Unified patient view. The following describes some areas where you can review or edit the patient information:

Configuring Care Planes, Care Plan Goals, and Templates

Extending Care Management App

If the functional requirements cannot be met with configure-first and low-code approach, each component layer that composes the solution architecture layer can be extended with below design considerations and recommendations.

Data Model Extension

  • Managed solution: Microsoft Cloud for Healthcare data model will be installed as a managed solution. For future compatibility and to avoid and solution segmentation issues, it is suggested;
  • Creating new data elements when you need to change existing managed data elements.
  • Add only solution components that are new or changed. You should not select the Add All Assets while adding an existing entity to your custom solution.
  • New data elements: You can add new fields to existing tables and create new tables to extend data model. You should consider not changing existing fields data types, but you can still add new options to existing option sets such as categories and types or increase the length of text fields. You can access data model details from here.
  • Polymorphic relationships: The industry data model includes polymorphic relationships, such as those found in the Groups table, which involves several lookups. Currently, there are no constraints in place to restrict you from extending these polymorphic relationships. However, it's important to note that such extensions may impact upgradeability and are not advisable.
  • Integration Key: Use the integration key field in the tables for traceability and mapping to master systems.
  • Reference tables: Reference data is data used to classify or categorize other data. Typically, they are static or slowly changing over time.

User Interface Extension

Healthcare institutions may want to bring in existing master system real-time data elements and alerts to extend the existing Patient Profile to complement the need to provide a holistic view of the patient. These user interface extensions can be developed with configuration and customization capabilities of PowerApps.

New Dynamics 365 forms and views

For any changes to existing forms and views, consider not changing them directly. Consider creating a clone of existing and make the desired changes to de-risk solution segmentation issues.

PCF Controls

The PowerApps Component Framework enables developers to create code components that can be embedded in both model-driven and canvas apps. It utilizes client-side TypeScript for data access and CSS for formatting. A specific application of this framework is to present financial data to customers within the Patient Profile interface. This approach is beneficial for users connected via domain-joint devices and corporate networks, as it allows integration with Enterprise APIs without exposing them to the public cloud. Additionally, it eliminates the need to duplicate data to Microsoft Cloud for Healthcare data model.

However, choosing not to copy data to the data model will limit the use of certain built-in controls and customer intelligence prediction models. To address this limitation, a hybrid approach can be considered, where real-time access is achieved through PCF controls while data synchronization procedures still replicate data to the data model for other scenarios.

Security Extension

Microsoft Cloud for Healthcare is using the native security capabilities of Dataverse detailed here. It is recommended to take a configure-first approach as illustrated below to design the security model with these native security components to apply these entitlement rules.

A diagram showing the security feature categories.

Follow the security best practices shared in Dynamics 365 implementation guide and below additional practices:

  • Dataverse Security is designed with ownership, consider not assigning and sharing records with individual users. Instead, consider assigning and sharing records to teams.
  • If there is a system of record that hosts these access rules, consider doing a batch sync process to transform the ownership model to security model in Dataverse.
  • To make your security model performance efficient, consider using owned teams over access-teams and eliminate or at least optimize the sharing of records to different teams.

Data Masking and field level security needs

Healthcare institutions frequently employ additional security measures to protect sensitive data such as Social Security Numbers (SSN), Patient details, and occasionally personal information like mobile numbers and email addresses. These security measures often involve restricting access to specific individuals and even masking sensitive information when displayed.

To implement these security requirements, you can create new field level security profiles, which specify read, update, and create permissions for specific fields. These profiles can then be assigned to users or teams, granting them controlled access to sensitive data.

Moreover, if there are additional compliance requirements necessitating data masking, you can achieve this by creating a new PowerFX column (preview) or calculated column. This new column will generate a masked version of the original data, providing an extra layer of data protection.

Security automation needs

Security automation is a vital aspect of modern-day organizations, especially when dealing with a multitude of users and complex scenarios. As the user base expands and organizational dynamics evolve, ensuring robust security measures becomes increasingly challenging. From adding new users to handling changes in roles, teams, and business units, to provisioning new environments and identifying system administrators, each scenario demands meticulous attention to safeguard sensitive data and critical systems. In this context, implementing automated security protocols proves indispensable, streamlining processes, mitigating risks, and fortifying the organization's defenses against potential threats. By embracing security automation, businesses can effectively adapt to dynamic user landscapes and maintain an agile and secure environment that safeguards both valuable assets and user privacy.

Below are some scenarios and security implementation approaches for authorization and task automation.

Scenario Security Implementation Approach
When New personas are introduced in the security model Each persona should be represented by a security role in Dynamics with the appropriate functional entitlements. Configure a group team in Dataverse for each persona and assign the security role for the persona. Setup group teams in active directory for the personas and use out-of-the-box integration to manage user membership in the group teams in Dataverse. Eliminate or minimize assignment of security roles to individuals. Change the member's privilege inheritance parameter of the security roles to Team "Privileges Only" so that the records users create with the team as the owner not individuals.
When new environments are provisioned A new security group should be created for each Dataverse environment to control and limit users access to specific environments. Otherwise, whoever has a Dataverse license will be created as a user in the environment.
New users are added to application, or some users will need to be removed from the application Rather than adding / removing users to each environment, you can take a nested group approach and add the group teams (i.e., relationship-manager-group) as child to the environment security group (ucp-production). With this approach, when users are added to the group team for specific role, they will automatically add to the environment as a user and assigned a role. Similarly, when users are removed from the group team, they will be removed from the environment as well if they are not part of any other group teams.
When existing users change their title, role or location that may change their persona. The dynamic membership type Microsoft Entra ID leverages business rules to manage the group membership dynamically. You can use this dynamic membership type to configure the business rules to define which users will be added / removed from the group team created for given persona. As Dataverse is now supporting dynamic membership type, these new or removed members will be automatically synchronized to group teams in Dataverse and the user will get the latest security role assigned for access.
When offboarding users Same as above, use dynamic membership type to add active users to groups. Any user that is not active will be removed automatically. You can leverage the Lifecycle Workflows for offboarding that can be updated and triggered from Azure Portal or Microsoft Graph API.
When organization structures change Not every organization structure change may impact the application security. Consider how data ownership will change based on business unit ownership hierarchy and reflect those changes on environment with the updated business unit configuration.
When users changed their teams or business unit they are working with It is suggested using the dynamic membership type and group teams while assigning security roles to teams and also not direct assigning security roles to users. With this security model, user changing teams will not require any automation to reflect the change as authorization will be based on membership to group teams. If business unit will need to be changed in user profile, you can create a power automate to trigger when business unit is changed in master systems and use the SetBusinessSystemUser action to move the user to a different business unit.
When users change their position or manager The hierarchy security model is an extension to the existing security models that use business units, security roles, sharing, and teams. If this is configured in the security model, make sure the position and manager information in the user record gets updated

Analytics Extension

You can extend the analytics by creating custom Dynamics 365 dashboards, charts and Power BI embedded dashboards similar to the Patient Population Dashboard.

You can find further detailed guidance on how to extend analytics capabilities within the Operational Analytics Data Estate article.

Collaboration Extension

Collaboration controls (preview) helps you to build custom collaborative experiences that can be surfaced right in Teams. There are multiple ways to join a visit based on the preferences of the caregiver. The dashboard and appointment records provide buttons to allow for the caregiver to join the appointment, for more details review Virtual Appointment join experience.

A diagram showing the collaboration controls feature on M365.

These controls enable the application of Microsoft 365 and Microsoft Teams for Approvals, Files, Meetings, Notes, and Tasks to enable contextual collaboration around business processes.

Next steps

Care Management Design Checklist