The Office of the National Coordinator for Health IT has begun listening sessions to identify and understand the experience and barriers of organizations as they prepare to scale up health information exchange.
Participants in the first listening session were concerned about confidence in the patient data policies among connecting networks, assuring patient identification, variations in technical exchange standards and the need for a framework for trust.
The goal is to make sure that information will follow the patient, wherever and whenever it is needed and regardless of vendor or geographical boundaries, said Dr. Farzad Mostashari, the national health IT coordinator.
“ONC has embraced health information exchange, the verb. There are lots of different methods for this to occur. As long as we can get closer to this vision of information liquidity to benefit the patient, it’s good,” he said at the Jan. 17 online governance town hall.
ONC decided not to issue federal regulations around rules of the road for nationwide health information exchange but support existing governance activities that organizations have started to advance widespread exchange.
The question is how to “assure that the flow between such providers does not pose artificial barriers,” he said.
As providers access a network to request information about a patient, exchange organizations may have variations in their policies for rules of the road for query-based exchange, according to Paul Wilder, vice president of product management for the New York eHealth Collaborative, a state-designated entity. New York has about dozen regional health information exchanges (RHIOs), each with their own policies based upon the state’s governance standard.
[See also: State Medicaid IT upgrades progressing, Kaiser survey finds]
“We see what happens when we have these policy gaps, between what is defined but still broad enough, that it’s difficult if you’re not 100 percent harmonious. You end up with data liquidity going down to almost negative because once one side thinks that their policies and their interpretations within that boundary is appropriate, and the other side does not have the same thing, the two entities cannot connect,” he said.
For example, one RHIO, which stipulates that only physicians may look at patient data, won’t exchange with a RHIO that also allows nurses and front office staff as part of a covered entity to view the information. “That mismatch means both sides don’t trust each other," Wilder added, "and the data stops.”
New York state policy uses the covered entity standard, and additional protections are voluntary, he said. A large number of New Yorkers, meanwhile, travel to New Jersey and Connecticut for services and vice versa. Other states will experience this as they try to connect across their borders.
Instead, taking the example of driver licenses, no matter which state has issued the document it is recognized in every state regardless of the effectiveness of that state’s driver test. Likewise, across exchanges, “what we’d like is that once I have logged in and authenticated to the first one, that the other exchange accept the trust and user role that they have defined in the first one. We’ll pass data because you are part of this trust fabric,” he said.
Participants also were concerned that health information service providers (HISPs) could have different or lower standards with which to participate to offer end-user identity authentication services to support a framework for trust.
Validation with a trust organization could offer sufficient confidence in HISPs, according to Dr. David Kibbe, president and CEO of DirectTrust.org, a non-profit trade association to build such a framework for Direct community participants. Members agree to follow the policies and best practices of a set of technical, legal and business standards to support directed exchange.
Members don’t want to have to deal with validation several times, but once. A HISP can be trusted in an automated way for subscribers.
“The biggest problem is that there isn’t uniform understanding of public key infrastructure and the levels of identity proofing and insurance to feel comfortable that they aren’t putting their subscribers at risk,” Kibbe said.
Related articles:
HIE and the patient privacy conundrum
Podcast: HIX, HIE and the industrialization of healthcare
Q&A: On remaining ambiguities in the final HIPAA rule
Are providers ripe for a massive medical records heist?
