Building Tools for Trust for Nationwide Health Information Exchange

Copyright 2009. All Rights Reserved.

OFFICE OF THE

National Coordinator

PANEL

Ashley Corbin, CMS

Steve Gravely, Troutman Sanders

Stephania Putt, VA

Mariann Yeager, ONC


Discussion Topics

Trust Considerations

Case Study: Nationwide Health Information Network

Trust Perspectives


Building Tools for Trust for Nationwide Health Information Exchange

Trust Considerations


Tools for Trust Needed to Support Nationwide Health Information Exchange

• Built upon a foundation of policies

• Implemented in legal agreements

• Architected to support trust technically

• Validated and tested

• Controlled access among trusted participants

• Accountability through oversight


Considerations for Trust


• Recognize diverse range of organizational structures

• Establish common agreement on essential policies

• Balance complex web of various federal, state and local laws and regulations

• Define rules of engagement for exchanging information on wide-scale basis

• Determine accountability measures and roles and responsibilities

– Breaches

– Disputes

– Oversight

• Identify approaches that work in current environment with flexibility to adapt

Building Tools for Trust for Nationwide Health Information Exchange

Case Study: Nationwide Health Information Network (NHIN)


What is the NHIN

A set of protocols and standards that run on existing internet infrastructure and provide the capability to connect diverse entities needing to exchange health information.

• Participants are entities that facilitate information exchange with a broad set of users, systems, geography or community

• Enables valid, trusted entities to participate

• Membership requirements:

– Tested for conformance and interoperability

– Signed trust agreement that allocates responsibilities and accountability to protect information exchanged

– Digital credentials issued to permit only approved “participants” to exchange data with other members


NHIN Architecture

[Diagram: a Federal Entity, a Health Community, a Regional Health Exchange, a PHR, a Pharmacy Network and an Integrated Delivery Network each connect through their own Gateway to the NHIN Network.]

Participants support a gateway that conforms to NHIN requirements and enables its connected users/systems/networks/communities to exchange information among other NHIN participants.

Participants are registered in a “directory” so other members of the NHIN know the types of messages supported and where to direct requests


NHIN Cooperative Participants

Private HIEs

• CareSpark

• Community Health Information Collaborative

• HealthLINC (Bloomington)

• HealthBridge

• Indiana (Regenstrief Institute)

• Long Beach Network for Health

• Lovelace Clinic Foundation (LCF)

• MedVirginia

• Wright State University

State-Level HIEs

• Delaware Health Information Network

• New York eHealth Collaborative

• North Carolina Health Care Information and Communications Alliance (NCHICA)

• West Virginia Health Information Network (WVHIN)

Provider Organizations / IDNs

• Cleveland Clinic

• Kaiser

Federal Entities

• CDC

• CMS

• DoD

• IHS

• NCI

• NDMS

• SAMHSA

• SSA

• VA


Limited Production

Controlled rollout of production exchange of identifiable health information

Initial NHIN production participants

Others joining …


What Does the NHIN Enable?

• More efficient and timely availability of health records for Social Security disability benefits determination (began Q1 2009)

• Biosurveillance reporting between state departments of health and CDC (Q4 2009)

• Exchange of summary patient records for continuity of care (Q4 2009)

• Other functionality will be prioritized by the NHIN interim governance process


NHIN Trust Fabric

• Built upon a foundation of policies

• Implemented in legal agreement, called Data Use and Reciprocal Support Agreement (DURSA)

• Architected to support trust technically

• Validated and tested as a condition of membership

• Controlled access among trusted participants

• Accountability through interim governance mechanisms


Initial Set of NHIN Tools for Trust

• Articulated expectations for privacy and security

– White paper

– Operating policies and procedures

– Participant security obligations

• Data Use and Reciprocal Support Agreement (DURSA)

• Technical services and Data Content - Specification Factory

• Management of digital certificates and service registry

• Validation and testing

– Testing Team – develop testing artifacts

– NIST – develop and support testing infrastructure

• Interim Governance Process

– Addressed through NHIN Technical Board, Coordinating Committee and Communications groups

– ONC as the convener and facilitator


Building Tools for Trust for Nationwide Health Information Exchange

NHIN Trust Agreement


Data Use and Reciprocal Support Agreement (DURSA)

• Developed as part of ongoing NHIN activities

– Test Data DURSA – September 2008

– Initial Draft Production DURSA – December 2008

– Draft Production DURSA – limited production – June 2009

• Large, multi-stakeholder team assembled

– Contracts

– Grants

– Federal Participants


DURSA Team Representation

• Agreement developed by NHIN DURSA Team

• Consensus process with legal, privacy, security and program representatives from a diverse group:

– Private entities

– State entities

– Federal entities

• Federal participants actively engaged in development

• Coordinated with and obtained input from:

– NHIN Technical Teams (specifications and architecture)

– ONC Office of Policy and Research

– HHS, Office of the General Counsel

– HHS, Office for Civil Rights


DURSA

• Multiparty agreement

• Assumes participants in production

• Establishes authority for interim governance

– NHIN Coordinating Committee

– NHIN Technical Board

• Establishes accountability

– Participant breach notification

– Mandatory non-binding dispute resolution

– Allocation of liability risk


NHIN DURSA Status

Test Data DURSA

• Applies to “test data” (not PHI) for Trial Implementations

• Executed by all participants in Trial Implementations in September 2008

Production DURSA

• Applies to exchange of PHI in limited production

• Undergoing Federal clearance

• Comments due mid-July 2009

• Revised executable DURSA - September 2009

• 2nd round of Federal clearance (if needed) - October / November 2009


Building Tools for Trust for Nationwide Health Information Exchange

Panel Discussion: NHIN Trust Perspectives


Applicable Law

The DURSA reaffirms each Participant’s obligation to comply with “Applicable Law.” As defined in the DURSA, “Applicable Law” is the law of the jurisdiction in which the Participant operates.

– For non-Federal Participants, this means the law in the state(s) in which the Participant operates and any applicable Federal law.

– For Federal Participants, this means applicable Federal law.


Privacy and Security Obligations

To the extent that each Participant has existing privacy and security obligations under applicable law (e.g. HIPAA or other state or federal privacy and security statutes and regulations), the Participant is required to continue complying with these obligations.

Participants that are neither HIPAA covered entities, HIPAA business associates nor governmental agencies are obligated to comply with specified HIPAA Privacy and Security provisions as a contractual standard of performance.


Requests for Data Based on Permitted Purposes

Participant’s end users may only request data through the NHIN for “Permitted Purposes,” which include treatment, payment, limited health care operations with respect to the patient that is the subject of the data request, specific public health activities, quality reporting for “meaningful use” and disclosures based on an authorization from the individual.


Duty to Respond

• Participants that allow their respective end users to seek data for treatment purposes have a duty to respond to requests for data for treatment purposes.

• This duty to respond means that if actual data is not sent in response, the Participant will at a minimum send a standardized response to the requesting Participant.

• Participants are permitted, but not required, to respond to all other (non-treatment) requests.

• The DURSA does not require a Participant to disclose data when such a disclosure would conflict with Applicable Law.


Future Use of Data Received Through the NHIN

• Once the Participant or Participant’s end user receives data from a responding Participant (i.e. a copy of the responding Participant’s records), the recipient may incorporate that data into its records and retain that information in accordance with the recipient’s record retention policies and procedures.

• The recipient can re-use and re-disclose that data in accordance with all applicable law and the agreements between a Participant and its end users.


NHIN Participant Obligations

• Each Participant can apply its own local access policies before requesting data from other Participants or releasing data to other Participants.

• Responding Participants are responsible for meeting all legal requirements under their applicable law before disclosing the data, including obtaining an individual’s consent or authorization for treatment purposes.

• HIPAA Privacy and Security Rules are minimum requirements.

• When a request is based on a purpose for which authorization is required under HIPAA (e.g. for SSA benefits determination), the requesting Participant must send a copy of the authorization with the request for data.
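As an added illustration (not part of the presentation and not the NHIN's own software), the following Python models the responder-side decision the preceding slides describe: the requester must be a trusted, registered participant; the purpose must be a Permitted Purpose; a purpose that requires authorization under HIPAA must carry a copy of it; a treatment request always receives at least a standardized response; and Applicable Law or local access policy can still block disclosure. Participant names, the directory fields and the request fields are constructed for the example.

```python
from dataclasses import dataclass

# Permitted Purposes from the slide; "authorization" stands for disclosures
# made on the basis of the individual's own authorization (e.g. SSA benefits).
PERMITTED_PURPOSES = {"treatment", "payment", "health_care_operations",
                      "public_health", "quality_reporting", "authorization"}
PURPOSES_REQUIRING_AUTHORIZATION = {"authorization"}


@dataclass
class Participant:
    """One entry in the NHIN directory (constructed shape, not the real schema)."""
    name: str
    conformance_tested: bool       # validated and tested as a condition of membership
    dursa_executed: bool           # has signed the trust agreement
    credential_valid: bool         # digital credential issued and not revoked
    serves_treatment: bool = True  # lets its end users request data for treatment


@dataclass
class Request:
    requester: str                 # directory name of the requesting participant
    purpose: str
    authorization_attached: bool = False


def is_trusted(p):
    """Only registered, tested, signed-up participants with live credentials may exchange."""
    return p is not None and p.conformance_tested and p.dursa_executed and p.credential_valid


def handle_request(registry, req, responder, has_data, local_policy_allows):
    """Decide how the responding participant answers one inbound data request.
    local_policy_allows is the responder's own Applicable Law / local access
    policy outcome (e.g. whether required consent or authorization was obtained)."""
    if not is_trusted(registry.get(req.requester)):
        return "rejected: requester is not a trusted NHIN participant"
    if req.purpose not in PERMITTED_PURPOSES:
        return "rejected: not a Permitted Purpose"
    if req.purpose in PURPOSES_REQUIRING_AUTHORIZATION and not req.authorization_attached:
        return "rejected: copy of the individual's authorization must accompany the request"
    if has_data and local_policy_allows:
        return "data"
    # Nothing is disclosed: the duty to respond still applies to treatment requests.
    if req.purpose == "treatment" and responder.serves_treatment:
        return "standardized response: no data disclosed"
    return "no response required: non-treatment request"


def sample_registry():  # constructed directory entries for the example
    return {"hie_a": Participant("hie_a", True, True, True),
            "untested": Participant("untested", False, True, True)}
```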


CONNECT Seminar

Presentations are available for download online at http://www.connectopensource.org

For more information: http://www.hhs.gov/healthit/healthnetwork/resources