Interoperability Workgroup Governance Subgroup
July 23, 2014
Christoph Lehmann, co-chairCarol Robinson, co-chair
2
Agenda
• Overview of Subgroup activities • ONC Governance Overview • Next Steps
3
Membership
Member Organization
Christoph Lehmann, co-chair Vanderbilt School of Medicine
Carol Robinson, co-chair Robinson & Associates ConsultingJitin Asnaani AthenahealthJohn Blair Taconic IPAAnne Castro BlueCross BlueShield of South CarolinaTony Gilman Texas Health Services AuthorityMelissa Goldstein George Washington UniversityAnil Jain Explorys, Inc.Beth Morrow The Children’s Partnership
Tim Pletcher Michigan Health Information Network Shared Services (MiHIN)
David Sharp Maryland Health Care CommissionDeanna Wise Dignity HealthMariann Yeager Healtheway, Inc.FHA Representative TBD
4
Subgroup Charge
• Identify the substance, scope, and process ONC should use to implement an approach to establish the “rules of the road” necessary for information to flow efficiently across networks
• This approach should address the key problems that slow trust and exchange across diverse entities and networks that provide exchange services including:– misaligned/inconsistent security policies and practices– privacy policies and practices and operational/business– inconsistent policies and technical agendas of governance bodies at
the local, state and regional levels
5
Meeting Schedule
Meetings Task
Wednesday, July 23rd 2:00-4:00 pm ET • Review charge• Governance history• Action steps
Friday, August 15th 10:00am-12:00 pm ET • Listening session?
Friday, August 22nd 10:00am-12:00 pm ET • Listening session?
Wednesday, September 3rd • Draft framework recommendations to HITPC
Friday, September 12th 10:30-12:30 pm ET
Friday, September 19th 10:30-12:30 pm ET
Friday, September 26th 10:30-12:30 pm ET
Friday, October 3rd 10:30-12:30 pm ET • Report to Interoperability WG
Wednesday, October 15th – Joint HITPC/HITSC meeting
• Final recommendations
Governance and ONC
Jodi G. Daniel, JD, MPHDirector, Office of PolicyOffice of the National Coordinator for Health IT (ONC)
Post HITECH Governance Activities
7
Background HIE Governance
HITECH Act - Required ONC to establish a “governance mechanism for the nationwide health information network.”
8
ONC Role
Background HIE Governance
• Public Input– Health IT Policy Committee Recommendations –
December 2010– RFI - Nationwide Health Information Network:
Conditions for Trusted Exchange - May 2012• Response– ONC announced decision not to continue with
formal rulemaking process - September 2012
9
ONC’s HIE Governance Definition
The establishment and oversight of a common set of behaviors, policies, and standards that enable trusted electronic health information exchange among a set of participants.
10
HIE Governance Focus
Health information exchange at a national level, to address challenges to exchange between different exchange organizations and across state boundaries.
11
ONC Governance Activities
• Cooperative Agreements • Framework of Principles• HIE Governance Forum • Monitor Exchange Progress
12
Exemplar HIE Governance Program
Recipient Award
DirectTrust.org, Inc. $280,205
New York eHealth Collaborative, Inc. $200,000
13
• In late March 2013 ONC awarded two cooperative agreements to existing HIE governance entities to:– develop and adopt policies, interoperability
requirements and business practices that align with national priorities
– overcome interoperability challenges– reduce implementation costs, and– assure the privacy and security of health information
Governance Framework for Trusted Electronic Health Information Exchange
Principles
14
Organizational Trust
Business Technical
National HIE Governance Forum
• Created under National eHealth Collaborative cooperative agreement with ONC
• Forum for HIE governing entities convened in 2013 to identify their common challenges and potential common solutions
15
National HIE Governance Forum
• Used the Governance Framework as a guide in prioritizing their areas of focus.
• Developed resources to advance trust in health information exchange for consideration by the wider community of exchange entities: – Identity and Access Management: Level of Assurance (LOA) Continuum: This
educational resource helps organizations examine identity management and progress along the LOA continuum to support secure exchange with a wider group of entities while reducing risk.
– Trust Framework for Health Information Exchange: This whitepaper proposes a framework for exposing trust requirements between many stakeholders.
– HIE Certification and Accreditation Landscape: This presentation provides the results of a preliminary assessment of HIE certification and accreditation activities.
16
Moving Forward
17
10 Year Interoperability Vision
• Leverage health IT to increase health care quality, lower health care costs and increase population health
• Focus on supporting health broadly, including but not limited to health care delivery
• Build incrementally over time from current technology – multiple methods of exchange required
• Focus on establishing best minimum possible for all; this creates room for innovation
• Maintain focus on and empower individuals
18
10 Year Interoperability Vision
19
10 Year Interoperability Vision
• Increasingly diverse market of electronic exchange and network service providers
• Service providers have enabled exchange through local governance, data use agreements, and other contractual arrangements
• Scaling exchange is imperative and requires adherence to a minimum set of common privacy, security and business practices
• ONC considering a more active role in aligning efforts and initiatives across the nation in order to support our interoperability goals
20
Moving Forward
• Governance has a key role to play in enabling our national interoperability goals
• ONC is looking to re-visit our governance strategy and set a new direction to promote interoperability
• We have identified key governance problems impacting interoperability and HIE
21
Key Governance Problems Impending Interoperability and Information Sharing
1) Misaligned/inconsistent security policies and practices1a) Encryption is not applied consistently to data at rest (data at the data source)1b) Encryption is not applied consistently to data in motion (during data transmission)1c) Data intermediaries do not use the same ID proofing practices/level of assurance (LOA) for data users – this relates to both individuals and care providers 1d) Data intermediaries do not use a shared set/minimum standard of authentication practices for users when they access electronic data (single factor v. 2 factor v. multifactor)
1e) Data intermediaries do not use a shared/common/minimum approach to authorization –
1f) Variation in the risk tolerance of data trading partners2) Misaligned/inconsistent privacy policies and practices
2a) Inconsistent consent laws for sharing PHI
22
Key Governance Problems Impending Interoperability and Information Sharing
3) Misaligned/inconsistent operational/business practices 3a) Variation in fees that intermediaries charge each other to exchange/move information3b) Variation in fees that intermediaries charge end users to exchange/move information3c) The exchange ecosystem is complex and continually evolving making it difficult to identify questionable business practices or operational impediments that are inhibiting or slowing health information exchange. 3d) Varying policies on permitted data uses (i.e. treatment only vs. treatment and research etc) create a significant roadblock to exchange between HIEs.
4) There has been a proliferation of incompatible governance bodies at local, state and regional levels (setting policy and technical agendas that are inconsistent)
4a) The mechanisms to hold data intermediaries accountable under different governance structures varies
4b) Some players in the marketplace have been reluctant to commit to a specific governance approach or new technical standards because of uncertainty about the marketplace’s direction and ONC’s future intention.
23
Key Governance Problems Impending Interoperability and Information Sharing
5) Lack of clarity on liability when information moves from one system to anotherNotes: in which cases and under what circumstances is the data discloser/releaser liable? At what point does liability move from sender to receiver?
24
6) There is a lack of ability to deem, monitor, and govern existing standards in an ongoing way to enable an evolution and progression of a standards portfolio. How to know when standards are ready and should be included, and when to retire them, etc – what’s our role in this?
Key Governance Problems Impending Interoperability and Information Sharing
7) Direct Specific Problems
7a) HISPs need to exchange trust anchors in a one-off manner or participate in a common trust bundle for their participants to be able to exchange with one another. Multiple trust bundles exist today tied to differing trust/security policies. Notes: A common technical standard has been established and is widely adopted to enable the exchange of trust anchors among HISPs in addition the concept of trust bundles has been widely adopted by the HISP community.
7b) As Direct has developed in the marketplace it has become clear that a common way for individuals to discover providers’ addresses across HISPs is necessary to support providers achievement of the Meaningful Use Transition of Care requirements. HISPs generally have internal provider directories of their customers but no common approach for sharing this information and keeping it updated between HISPs has been established.
7c) DirectTrust accreditation is not uniformly approached, cost of accreditation and the potential for smaller players who could not afford to undergo the accreditation process to effectively be locked out of participating in the trusted Direct community.
25
Key Governance Problems Impending Interoperability and Information Sharing
8) Query Specific Problems
8a) Patients should have meaningful choice as to whether or not they are included in an aggregator service that permits queries from external providers.
8b) Data holders need the ability to affirm that the data requester has (or will have) a direct treatment relationship with the patient and has the legal authority and is otherwise authorized to obtain the data.
8c) The entities facilitating query based exchange need a way to log queries and/or disclosures of PHI to facilitate oversight and enforcement.
8d) Data intermediaries and providers have varying patient matching standards and methods.8e) Data intermediaries have varying approaches to how data holders should respond to queries. For instance, if a HIO has data on a patient but the requester is not authorized to access it, even acknowledging the existence of a record would be disclosing PHI.
26
Potential Straw Man Governance Framework
27
Overarching Governance Principles
Temporary Deeming Program
Permanent Deeming Program
• Aimed at Governance Entities
• Temporary program sunsets upon completion of the Perm. Prog.
• Basic set of requirements built on top of base overarching governance principles
• Such a program would have to be established through rulemaking
• Aimed at entities doing exchange (HIE’s)
• Would create a core set of requirements
• Each module would be service level specific, and include technical and policy specifications
• Modules are meant to be quilted together to suit business model
Establishes high level, rules of the road applicable to entire ecosystem
Mon
itorin
g Pr
ogra
m
Gove
rnan
ce
Entit
ies
HIE
Entit
ies
Core Implementation Guide
Provider Directory Module
Query Modul
eDirect Modul
e
Patient Matching Module
Alert Module
28
Next Steps
• Listening session planning call
Recommended