Building Tools for Trust for Nationwide Health Information Exchange
Copyright 2009. All Rights Reserved.
OFFICE OF THE
National Coordinator
PANEL
Ashley Corbin, CMS
Steve Gravely, Troutman Sanders
Stephania Putt, VA
Mariann Yeager, ONC
Discussion Topics
Trust Considerations
Case Study: Nationwide Health Information Network
Trust Perspectives
Trust Considerations
Tools for Trust Needed to Support Nationwide Health Information Exchange
• Built upon a foundation of policies
• Implemented in legal agreements
• Architected to support trust technically
• Validated and tested
• Controlled access among trusted participants
• Accountability through oversight
Considerations for Trust
• Recognize diverse range of organizational structures
• Establish common agreement on essential policies
• Balance complex web of various federal, state and local laws and regulations
• Define rules of engagement for exchanging information on wide-scale basis
• Determine accountability measures and roles and responsibilities
– Breaches
– Disputes
– Oversight
• Identify approaches that work in current environment with flexibility to adapt
Case Study: Nationwide Health Information Network (NHIN)
What is the NHIN?
A set of protocols and standards that run on existing internet infrastructure and provide the capability to connect diverse entities needing to exchange health information.
• Participants are entities that facilitate information exchange with a broad set of users, systems, geography or community
• Enables valid, trusted entities to participate
• Membership required:
– Tested for conformance and interoperability
– Signed trust agreement that allocates responsibilities and accountability to protect information exchanged
– Digital credentials issued to permit only approved “participants” to exchange data with other members
NHIN Architecture
[Figure: NHIN network diagram. Labels: Federal Entity, Health Community, Regional Health Exchange, PHR, Pharmacy Network, Integrated Delivery Network, NHIN Network, Gateway (repeated).]
Participants support a gateway that conforms to NHIN requirements and enables its connected users/systems/networks/communities to exchange information with other NHIN participants.
Participants are registered in a “directory” so other members of the NHIN know the types of messages supported and where to direct requests.
NHIN Cooperative Participants
• Private HIEs
– CareSpark
– Community Health Information Collaborative
– HealthLINC (Bloomington)
– HealthBridge
– Indiana (Regenstrief Institute)
– Long Beach Network for Health
– Lovelace Clinic Foundation (LCF)
– MedVirginia
– Wright State University
• State-Level HIEs
– Delaware Health Information Network
– New York eHealth Collaborative
– North Carolina Health Care Information and Communications Alliance (NCHICA)
– West Virginia Health Information Network (WVHIN)
• Provider Organizations / IDNs
– Cleveland Clinic
– Kaiser
• Federal Entities
– CDC
– CMS
– DoD
– IHS
– NCI
– NDMS
– SAMHSA
– SSA
– VA
Limited Production
Controlled rollout of production exchange of identifiable health information
Initial NHIN production participants
Others joining …
What Does the NHIN Enable?
• More efficient and timely availability of health records for Social Security disability benefits determination
– Began Q1 2009
• Biosurveillance reporting between state departments of health and CDC
– Q4 2009
• Exchange of summary patient records for continuity of care
– Q4 2009
• Other functionality will be prioritized by NHIN interim governance process
NHIN Trust Fabric
• Built upon a foundation of policies
• Implemented in legal agreement, called Data Use and Reciprocal Support Agreement (DURSA)
• Architected to support trust technically
• Validated and tested as a condition of membership
• Controlled access among trusted participants
• Accountability through interim governance mechanisms
Initial Set of NHIN Tools for Trust
• Articulated expectations for privacy and security
– White paper
– Operating policies and procedures
– Participant security obligations
• Data Use and Reciprocal Support Agreement (DURSA)
• Technical services and Data Content - Specification Factory
• Management of digital certificates and service registry
• Validation and testing
– Testing Team – develop testing artifacts
– NIST – develop and support testing infrastructure
• Interim Governance Process
– Addressed through NHIN Technical Board, Coordinating Committee and Communications groups
– ONC as the convener and facilitator
NHIN Trust Agreement
Data Use and Reciprocal Support Agreement (DURSA)
• Developed as part of ongoing NHIN activities
– Test Data DURSA – September 2008
– Initial Draft Production DURSA – December 2008
– Draft Production DURSA – limited production – June 2009
• Large, multi-stakeholder team assembled
– Contracts
– Grants
– Federal Participants
DURSA Team Representation
• Agreement developed by NHIN DURSA Team
• Consensus process with legal, privacy, security and program representatives from diverse group:
– Private entities
– State entities
– Federal entities
• Federal participants actively engaged in development
• Coordinated with and obtained input from:
– NHIN Technical Teams (specifications and architecture)
– ONC Office of Policy and Research
– HHS, Office of the General Counsel
– HHS, Office for Civil Rights
DURSA
• Multiparty agreement
• Assumes participants in production
• Establishes authority for interim governance
– NHIN Coordinating Committee
– NHIN Technical Board
• Establishes accountability
– Participant breach notification
– Mandatory non-binding dispute resolution
– Allocation of liability risk
NHIN DURSA Status
Test Data DURSA
• Applies to “test data” (not PHI) for Trial Implementations
• Executed by all participants in Trial Implementations in September 2008
Production DURSA
• Applies to exchange of PHI in limited production
• Undergoing Federal clearance
• Comments due mid-July 2009
• Revised executable DURSA - September 2009
• 2nd round of Federal clearance (if needed) - October / November 2009
Panel Discussion: NHIN Trust Perspectives
Applicable Law
The DURSA reaffirms each Participant’s obligation to comply with “Applicable Law.” As defined in the DURSA, “Applicable Law” is the law of the jurisdiction in which the Participant operates.
– For non-Federal Participants, this means the law in the state(s) in which the Participant operates and any applicable Federal law.
– For Federal Participants, this means applicable Federal law.
Privacy and Security Obligations
To the extent that each Participant has existing privacy and security obligations under applicable law (e.g. HIPAA or other state or federal privacy and security statutes and regulations), the Participant is required to continue complying with these obligations.
Participants that are neither HIPAA covered entities, HIPAA business associates, nor governmental agencies are obligated to comply with specified HIPAA Privacy and Security provisions as a contractual standard of performance.
Requests for Data Based on Permitted Purposes
Participant’s end users may only request data through the NHIN for “Permitted Purposes,” which include treatment, payment, limited health care operations with respect to the patient that is the subject of the data request, specific public health activities, quality reporting for “meaningful use” and disclosures based on an authorization from the individual.
Duty to Respond
• Participants that allow their respective end users to seek data for treatment purposes have a duty to respond to requests for data for treatment purposes.
• This duty to respond means that if actual data is not sent in response, the Participant will at a minimum send a standardized response to the requesting Participant.
• Participants are permitted, but not required, to respond to all other (non-treatment) requests.
• The DURSA does not require a Participant to disclose data when such a disclosure would conflict with Applicable Law.
Future Use of Data Received Through the NHIN
• Once the Participant or Participant’s end user receives data from a responding Participant (i.e. a copy of the responding Participant’s records), the recipient may incorporate that data into its records and retain that information in accordance with the recipient’s record retention policies and procedures.
• The recipient can re-use and re-disclose that data in accordance with all applicable law and the agreements between a Participant and its end users.
NHIN Participant Obligations
• Each Participant can apply its own local access policies before requesting data from other Participants or releasing data to other Participants.
• Responding Participants are responsible for meeting all legal requirements before disclosing the data as required by their applicable law, including obtaining an individual’s consent or authorization for treatment purposes.
• HIPAA Privacy and Security Rules are minimum requirements.
• When a request is based on a purpose for which authorization is required under HIPAA (e.g. for SSA benefits determination), the requesting Participant must send a copy of the authorization with the request for data.