By Nancy Ferris
A relatively new legal concept could prove to be the grease that keeps the wheels of the Nationwide Health Information Network rolling along friction-free.
A data use and reciprocal support agreement (DURSA) spells out the rights and responsibilities of the participants in a health information exchange. It covers areas such as responding to queries for health records, keeping data secure, handling a privacy breach and complying with technical specifications for interoperability.
A DURSA is being drafted for this year’s trial implementations of a nationwide network.
“The DURSA is really, at its core, a multiparty agreement,” said Steven Gravely, a partner at law firm Troutman Sanders, in a speech to the American Health Information Community in February. “Some folks use the word ‘treaty.’”
“It’s one of the tools that will allow us as a nation to get to health information exchange where individuals are comfortable with how it works,” said Dr. John Loonsk, director of the Office of Interoperability and Standards in the Office of the National Coordinator for Health Information Technology (ONC).
Data-use agreements have been popular for some time, Loonsk said, but DURSAs go beyond those agreements to specify the ways in which the organizations using a network must support one another.
For NHIN, which is a network of networks, the DURSA would establish a chain of trust by getting all participants to comply with NHIN standards and policies. It’s “your assurance that the other party that’s participating [in an exchange of data] is doing due diligence to see that those they connect to are ensuring the data [is] treated properly,” Loonsk said.
Although NHIN will need a governing body — perhaps a privatized version of the American Health Information Community — the DURSA would resolve in advance some of the operational and policy issues that NHIN users might encounter. It could also resolve some of the inconsistencies among state laws that govern the handling of health records.
For the trial implementations, an ONC workgroup is drafting the DURSA in two phases. The first will cover the NHIN test activities planned for this fall, which will only use data stripped of personal identification, “so it’s a little bit easier,” Loonsk said.
The second-phase DURSA will apply to production-level NHIN operations that use live data, scheduled for early 2009. But that is turning out to be a tall order. Issues abound, and many of them concern the hot-button area of patient privacy.
Another issue is indemnification, which means that NHIN participants promise not to sue one another for damages associated with their participation in the network. But the federal government and many state governments cannot legally sign such an agreement. In the absence of an indemnification pledge, some organizations might decide it’s too risky for them to participate in NHIN.
In addition, state laws differ regarding the release of health information in areas such as the need for patient consent or access to records about sexually transmitted diseases. How can a single nationwide agreement accommodate all those variations? It isn’t enough to say that the relevant state law applies because, in most cases, federal agencies cannot be subject to state laws.
The difficulty of creating a DURSA was clear when Gravely said in February: “I must say that in my 30-plus-year career in health care and 24-plus-year career in law in health care, this has been one of the more challenging things that I’ve done — but exhilarating at the same time.”
Whatever the challenges, ONC officials are convinced such an agreement will be necessary to enable NHIN to evolve and become a truly nationwide exchange. Most exchanges of electronic health records are facilitated by data-use agreements between two parties, such as a hospital and a medical practice. But if hundreds or even thousands of hospitals, doctor’s offices and other health care providers want to exchange patient records, such one-to-one agreements won’t be feasible.
“I think [a DURSA is] extremely important and really integral to our ability to move forward with what we all share as a vision for a national health information network,” Gravely said.
Nancy Ferris
Comments (0)
By Brian Robinson
The economic slowdown in the United States has so far not affected states’ plans for health information technology. And it probably won’t if a recession is as short and mild as many economists are predicting.
The salient term is “if.” Most states reported an increase in revenues in 2007, though there was a notable slowing toward the end of the year. The Rockefeller Institute of Government said the 2.3 percent average growth in state tax revenues in the fourth quarter of 2007 was the lowest since the first quarter of 2003.
However, at the beginning of this year, states were still planning for an overall 2.9 percent increase in budgets in fiscal 2008, according to the National Association of State Budget Officers.
Most states recognize health IT’s potential for helping to control and even reduce health care costs while improving the care citizens receive.
At the end of March, Pennsylvania Gov. Ed Rendell signed an executive order establishing the Pennsylvania Health Information Exchange, a core component of his Prescription for Pennsylvania health care reform plan. The exchange would decrease the number of duplicative tests, reduce the time it takes doctors to access patient records, and improve the way information on diseases and other vital data is reported, Rendell said.
Other governors have made similar commitments or have indicated an interest in doing so. Market researcher Input said recently that the number of governors who mentioned health IT in their state-of-the-state speeches almost doubled this year compared to 2007.
So far, states have not had to spend a lot of money on health IT projects. Much of the initial funding has come from the federal government and industry partners, and the amount states have committed is relatively small.
Minnesota and Missouri — two of the more aggressive states when it comes to health IT — have tagged just $18.5 million and $15 million, respectively, for such projects in their 2008-2009 budgets.
Because they represent such minimal amounts, states’ health IT budgets are probably safe, even during an economic downturn, said Stephanie Jamieson, issues coordinator at the National Association of State Chief Information Officers.
“I just can’t see them taking those to the chopping block,” she said.
But it’s not a completely safe scenario. The National Governors Association is tracking at least six states — Arizona, California, Florida, Michigan, Nevada and Ohio — that it believes are already in a full-blown recession. California and Florida in particular have been major backers of health IT.
Like Jamieson, NGA Executive Director Ray Scheppach said he thinks most states won’t cut health IT spending, particularly because they anticipate potential savings in the future. But even relatively small health IT budgets could be threatened in states under the heaviest economic pressure if a downturn continues for some time, he added.
Some states might not be waiting to see what happens. Input said Arizona’s budget only contains $275,000 for health IT.
It could be some time before the health IT budget picture clears. States typically don’t feel the full effect of a national economic downturn until sometime after the event. The dot-com bust happened in 2000 and 2001, for example, but states didn’t see the resulting hit to their budgets until a year or two later.
So, although the downturn isn’t considered any great threat yet to states’ health IT activities, the potential exists. It’s now a matter of waiting to see what happens.
Comments (0)
By Brian Robinson
When sharing health information, government agencies must abide by rules established under the Health Insurance Portability and Accountability Act (HIPAA), which does not allow such information to be transmitted unprotected via public networks.
That seems like a simple rule, but schemes that provide secure sharing, such as public-key infrastructure and Pretty Good Privacy, are complex to create and maintain, and they require the use of trusted third parties to provide the necessary keys.
If the chain that includes those keys is lost, the whole process must be redone.
Even direct encryption can be complicated. All potential senders and recipients of the information must have special software on their computers.
Furthermore, direct encryption is good for one-to-one communication, but it doesn’t work well in the kinds of highly collaborative environments that exist at government agencies.
Officials in Virginia Beach, Va., faced those issues when they started exploring secure ways to exchange health information with their partners.
Their solution is the appropriately named Secure Messaging Application (SMA), which was developed in summer 2007.
“In the past, we used to share information by fax or through the mail, or people would come to the office and pick it up,” said Mick Vollmer, information technology architect at the Virginia Beach Communications and IT Department.
“When the Internet arrived, we obviously saw it as a cool thing,” he said. “Now if a provider calls for information about a particular customer, we can provide that as a PDF through e-mail.”
Secure, compliant and simple The challenge is sending files securely in a way that meets HIPAA standards and is intuitive for employees to use, Vollmer said.
SMA’s simplicity lies in its role as a transport mechanism for messages rather than an e-mail system. Messages are hosted on a Virginia Beach government server and therefore never leave the government’s infrastructure unencrypted.
Plus, all activities rely on Internet-standard Secure Sockets Layer security and a virtual private network connection, so everything that happens during an SMA conversation is encrypted.
With SMA, users have control over what happens to the information they receive. They can choose to delete messages immediately after reading them or leave them on the server for the system to delete after a specified time.
That’s a significant advantage over a standard e-mail system, which typically backs up and archives messages automatically. SMA’s approach protects it from malicious attacks and from e-discovery and Freedom of Information Act requests that target e-mail content.
“We wanted to make sure that people understood that this is not a regular e-mail system,” Vollmer said. “The information it carries won’t be kept in perpetuity.”
However, the approach can create some initial problems for users because the system is not intuitive and its functionality is not the same as a regular e-mail system even though it resembles one, he said.
For example, users can’t forward messages via SMA because doing so would pose a risk that the information could fall into the wrong hands, and that’s a chance Virginia Beach officials didn’t want to take, Vollmer said.
Virginia Beach’s path to SMA Before creating SMA, Virginia Beach officials evaluated commercial systems but quickly realized that they had a lot of drawbacks. Nothing was designed to provide the simple and secure messaging that the city government was seeking.
Also, the commercial solutions were mostly client/server based, with all of the complexities and ongoing maintenance involved in those systems.
Plus, the licensing models were user- or message-based. City officials anticipated eventually registering thousands of users but didn’t know the exact number and therefore had no way to predict future costs.
SMA seems to have provided Virginia Beach with the best of both worlds. It is the simple and secure messaging system officials were looking for, and it was inexpensive compared with the alternatives. Consulting fees plus city employees’ time cost $50,000, while it would have cost $200,000 or more to buy and implement a commercial solution.
As a homegrown product, SMA needed no additional investment by the government. SMA runs on computer systems the city already had in place. It’s based on Microsoft’s .NET Web application development software and uses Microsoft SQL Server for the back-end database.
However, SMA’s ultimate success has not been determined because it will take some time for government employees and outside users to become familiar with it. Vollmer said there were just 40 active accounts as of mid-February, but that might not give an accurate picture because his office doesn’t track how many people have accessed the system in any given time period.
“It’s definitely a culture change,” he said.
Law enforcement potential SMA’s reputation is already prompting other government agencies to give it a closer look. For example, police department officials think it could help them in several areas, perhaps by providing a way to securely interact with local pawnshop owners and supporting anonymous crime tip lines.
It’s also a possible channel for fraud and abuse alerts and citizen complaints.
Other state and local governments will be able to profit immediately from SMA’s development because Virginia Beach officials are offering it free to anyone who requests it. It comes on a CD with the source code and all necessary documentation. However, the city doesn’t provide technical support or allow SMA to be used for commercial purposes.
“We’ve already had other cities come to get [the CD], and we’ve had expressions of interest from several others,” Vollmer said. “We just ask that if they expand on its use in any way that they share that with others.”
Comments (0)
By Dr. Mark Frisse
The Government Accountability Office recently assessed the progress that has been made in health information technology based on the work of the Office of the National Coordinator for Health IT (ONC).
GAO outlined ONC’s considerable accomplishments. They include advancing outpatient and inpatient electronic health records; creating models for networking and exchanging information, including the Nationwide Health Information Network I and II pilot projects; and encouraging the development of standards in health information privacy and security at the state and national levels.
However, in listing those achievements, GAO failed to acknowledge the broader foundation from which that progress springs.
The innovation that has stemmed from Health and Human Services Secretary Mike Leavitt’s vision is important, but health IT progress is equally the product of thousands of professionals and consumers who — on their own and without a strong government mandate — have concluded that a more effective technology infrastructure is essential to improving our ailing health care system.
One could argue that the national coordinator should be responsible for harnessing the momentum of those programs for the greater good. At the same time, the impact of some of ONC’s accomplishments should be put in perspective. For example, I believe the NHIN I initiative was conducted too hastily to identify the essential components of such a network and articulate how those components could be used.
“According to HHS, in early 2007 its contractors delivered final prototypes that could form the foundation of a nationwide network for health information exchange,” a GAO report states. The NHIN I summary report cited 24 core services, 12 common transaction features and 14 annexes on common themes such as identity arbitration, consumer data-sharing permissions and data routing.
One hopes a smaller set of high-priority items will emerge that can be adopted across the health care sector. I believe about 12 of the core services are must-do high priorities, and many others could be set aside for future consideration.
In the meantime, how should an organization as talented as ONC develop a national strategy? Here are a few suggestions.
1. Look to all successes, not just the NHIN pilots. Many health care providers, insurers, corporations and health information exchanges are doing good work. Some of the most vibrant and promising efforts are operating outside NHIN.
2. Build on the goal — first raised by the Commission on Systemic Interoperability — of making the availability of a medication history for every American a top priority.
3. If a second quick win is desired, focus the same approach on clinical laboratory information.
4. Create guidelines for managing identities. That is an important topic for consumers, and it is crucial to e-prescribing and other applications. If e-prescribing is expanded to include controlled substances, identity management will become even more important.
5. Focus on simple core guidelines for confidentiality and privacy that transcend applications and can serve as the basis for a new and revised legislative and policy approach.
6. Focus — as HHS does — on incentives to adopt helpful technologies that foster a more effective system of care.
7. Postpone or abandon 50 percent of the discussions taking place on topics that are not foundational. To paraphrase Tennessee Gov. Phil Bredesen: Don’t try to build Version 6.0 before you’ve got Version 1.0 working.
The literature and our experiences are full of examples of successful ways to create a winning strategy that transcends presidential administrations and the ongoing changes in states and communities. That approach requires a realistic set of expectations, a clear focus and incremental steps toward the larger goal.
-- Frisse is a professor of biomedical informatics at Vanderbilt University and project director for a regional health information infrastructure program funded by Tennessee, Vanderbilt and the Agency for Healthcare Research and Quality.
Comments (0)
By David Perera
A Tower of Babel’s worth of languages and customs make Brooklyn, N.Y., a captivating place to live or visit but a challenging arena in which to practice medicine. The variety of spoken languages creates gaps in health information, and an aging population adds to the complexity.
“We have a population [that] is a melting pot,” said Justin Schwartz, director of patient information systems at Sephardic Nursing and Rehabilitation Center. The 279-bed facility is one of 11 medical centers in the Brooklyn Health Information Exchange (BHIX), which will launch later this year.
“Some people speak Spanish, some people speak Russian, some speak Chinese,” he said.
In addition to language barriers, for Brooklyn’s elderly, lost paperwork and misunderstood medical directions are common occurrences on the circuit from hospital to nursing home and back again.
“Many times, we may have the doctor’s name but not their telephone” number, said Nancy Daurio, a registered nurse and associate vice president of management information systems at Maimonides Medical Center. About half of the patients at the teaching hospital are elderly.
Both Schwartz and Daurio believe a new regional health information organization (RHIO) anchored by Maimonides and 10 other Brooklyn hospitals, nursing homes, home care providers and payers will ease those difficulties.
BHIX has received a $4 million start-up grant from New York state and another $3 million from Maimonides. A pilot project should be operational by May, with the full system online by late July.
The organizers say they are confident that the new network will improve the quality of health information — and, consequently, overall medical care — across the community.
Speaking the same medical language As befits a United Nations of cultures, Brooklyn’s health exchange will adopt a universal medical language. Officials said BHIX will start by sharing six data elements: patient demographics, allergies, medications, problem lists, provider care teams and advance directives. They are deciding how to define each of those elements, which is not simple.
“Allergies,” for instance, can mean drug, food or environmental allergies such as bee stings. Instead of limiting the types of allergies, BHIX will take an inclusive approach. Users “expressed their preference for seeing all the different types of allergies, and if they can be sorted by type, so much the better,” said Irene Koch, BHIX’s executive director.
Clinicians will access patient information via a Web portal connected to an enterprise master patient index, which will link to records managed by the member institutions.
Initiate Systems’ Initiate Patient software will locate the appropriate records, and MedPlus, an information technology subsidiary of Quest Diagnostics, will provide clinical software, a data exchange engine, and a document management and imaging system.
BHIX bought perpetual licenses to both companies’ software.
Under BHIX’s governance model, each member institution will designate which employees can access the network. The primary restriction is that data can only be used for providing health care.
“The rule is that you are doing it for the purposes of treatment,” quality improvement and disease management, Koch said. Clinicians will be the main users, although nonclinical employees involved in quality management will likely have access, too, she added.
When BHIX goes online later this year, users will be able to view all of the available information. That openness could change as more data elements are added and if BHIX’s managers decide some information should be reserved for specific users. For example, they might choose to restrict access to data generated from physicians’ notes.
The BHIX system can track caregivers by job title — such as “physician” or “nurse” — and will limit some functions to specific roles.
Emergency medicine doctors, for example, will be able to search for patients’ records even it it’s not clear that the patient has consented to sharing his or her data. A quality management user wouldn’t have that power.
BHIX members say they have big plans for the future, including expanding the number of data elements and providing access through local clinical systems. For now, logging on to the BHIX portal is the only way to access shared data. Members are also considering introducing clinical decision-support software and letting patients enter their own health data via a Web portal, Koch said.
Next-round financing Of course, such enhancements will depend on funding. BHIX has relied on grant money to get started, and officials hope to finance the next round of expansion through further grants, including some from New York state.
The state has wholeheartedly embraced health IT. Officials chartered the Office of Health IT Transformation in April 2007 to coordinate policy and, in 2004, established a program called the Health Care Efficiency and Affordability Law for New Yorkers to fund health IT efforts at a promised rate of $1 billion in four years. BHIX won one of the state’s largest initial grants — $4 million — in May 2006.
“New York is really incubating and fostering a lot of health information exchange projects and tends to appreciate the potential benefits of using RHIOs,” Koch said.
Comments (1)
|
|
