Building Tools for Trust for Nationwide Health Information Exchange
Copyright 2009. All Rights Reserved.
PANEL
Ashley Corbin, CMS
Stephania Putt, VA
Steve Gravely, Troutman Sanders
Mariann Yeager, ONC
Discussion Topics
• Trust Considerations
• Case Study: Nationwide Health Information Network
• Trust Perspectives
Trust Considerations
Tools for Trust Needed to Support Nationwide Health Information Exchange
• Built upon a foundation of policies
• Implemented in legal agreements
• Architected to support trust technically
• Validated and tested
• Controlled access among trusted participants
• Accountability through oversight
Considerations for Trust
• Recognize diverse range of organizational structures
• Establish common agreement on essential policies
• Balance complex web of various federal, state and local laws and regulations
• Define rules of engagement for exchanging information on wide-scale basis
• Determine accountability measures and roles and responsibilities
– Breaches
– Disputes
– Oversight
• Identify approaches that work in current environment with flexibility to adapt
Case Study: Nationwide Health Information Network (NHIN)
What is the NHIN?
A set of protocols and standards that run on existing internet infrastructure and provide the capability to connect diverse entities needing to exchange health information.
• Participants are entities that facilitate information exchange with a broad set of users, systems, geography or community
• Enables valid, trusted entities to participate
• Membership required:
– Tested for conformance and interoperability
– Signed trust agreement that allocates responsibilities and accountability to protect information exchanged
– Digital credentials issued to permit only approved “participants” to exchange data with other members
NHIN Architecture
Each participant supports a gateway that conforms to NHIN requirements and enables its connected users/systems/networks/communities to exchange information with other NHIN participants.
Participants are registered in a “directory” so other members of the NHIN know the types of messages supported and where to direct requests.
[Diagram: the NHIN Network, with a Gateway for each of Federal Entity, Health Community, Integrated Delivery Network, Pharmacy Network, Regional Health Exchange and PHR]
NHIN Cooperative Participants
Participant categories: Private HIEs; State-Level HIEs; Provider Organizations / IDNs; Federal Entities
• CareSpark
• Delaware Health Information Network
• Cleveland Clinic
• CDC
• New York eHealth Collaborative
• Kaiser
• CMS
• Community Health Information Collaborative
• HealthLINC (Bloomington)
• HealthBridge
• Indiana (Regenstrief Institute)
• Long Beach Network for Health
• Lovelace Clinic Foundation (LCF)
• MedVirginia
• Wright State University
• North Carolina Health Care Information and Communications Alliance (NCHICA)
• West Virginia Health Information Network (WVHIN)
• DoD
• IHS
• NCI
• NDMS
• SAMHSA
• SSA
• VA
Limited Production
Controlled rollout of production exchange of identifiable health information
Initial NHIN production participants
Others joining …
What Does the NHIN Enable?
• More efficient and timely availability of health records for Social Security disability benefits determination
– Began Q1 2009
• Biosurveillance reporting between state departments of health and CDC
– Q4 2009
• Exchange of summary patient records for continuity of care
– Q4 2009
• Other functionality will be prioritized by NHIN interim governance process
NHIN Trust Fabric
• Built upon a foundation of policies
• Implemented in a legal agreement called the Data Use and Reciprocal Support Agreement (DURSA)
• Architected to support trust technically
• Validated and tested as a condition of membership
• Controlled access among trusted participants
• Accountability through interim governance mechanisms
Initial Set of NHIN Tools for Trust
• Articulated expectations for privacy and security
– White paper
– Operating policies and procedures
– Participant security obligations
• Data Use and Reciprocal Support Agreement (DURSA)
• Technical services and Data Content
– Specification Factory
• Management of digital certificates and service registry
• Validation and testing
– Testing Team – develop testing artifacts
– NIST – develop and support testing infrastructure
• Interim Governance Process
– Addressed through NHIN Technical Board, Coordinating Committee and Communications groups
– ONC as the convener and facilitator
NHIN Trust Agreement
Data Use and Reciprocal Support Agreement (DURSA)
• Developed as part of ongoing NHIN activities
– Test Data DURSA – September 2008
– Initial Draft Production DURSA – December 2008
– Draft Production DURSA – limited production – June 2009
• Large, multi-stakeholder team assembled
– Contracts
– Grants
– Federal Participants
DURSA Team Representation
• Agreement developed by NHIN DURSA Team
• Consensus process with legal, privacy, security and program representatives from diverse group:
– Private entities
– State entities
– Federal entities
• Federal participants actively engaged in development
• Coordinated with and obtained input from:
– NHIN Technical Teams (specifications and architecture)
– ONC Office of Policy and Research
– HHS, Office of the General Counsel
– HHS, Office for Civil Rights
DURSA
• Multiparty agreement
• Assumes participants in production
• Establishes authority for interim governance
– NHIN Coordinating Committee
– NHIN Technical Board
• Establishes accountability
– Participant breach notification
– Mandatory non-binding dispute resolution
– Allocation of liability risk
NHIN DURSA Status
Test Data DURSA
• Applies to “test data” (not PHI) for Trial Implementations
• Executed by all participants in Trial Implementations in September 2008
Production DURSA
• Applies to exchange of PHI in limited production
• Undergoing Federal clearance
• Comments due mid-July 2009
• Revised executable DURSA – September 2009
• 2nd round of Federal clearance (if needed) – October / November 2009
Panel Discussion: NHIN Trust Perspectives
Applicable Law
The DURSA reaffirms each Participant’s obligation to comply with “Applicable Law.” As defined in the DURSA, “Applicable Law” is the law of the jurisdiction in which the Participant operates.
– For non-Federal Participants, this means the law in the state(s) in which the Participant operates and any applicable Federal law.
– For Federal Participants, this means applicable Federal law.
Privacy and Security Obligations
To the extent that each Participant has existing privacy and security obligations under applicable law (e.g. HIPAA or other state or federal privacy and security statutes and regulations), the Participant is required to continue complying with these obligations.
Participants that are neither HIPAA covered entities, HIPAA business associates nor governmental agencies are obligated to comply with specified HIPAA Privacy and Security provisions as a contractual standard of performance.
Requests for Data Based on Permitted Purposes
A Participant’s end users may request data through the NHIN only for “Permitted Purposes,” which include treatment, payment, limited health care operations with respect to the patient who is the subject of the data request, specific public health activities, quality reporting for “meaningful use” and disclosures based on an authorization from the individual.
Duty to Respond
• Participants that allow their respective end users to seek data for
treatment purposes have a duty to respond to requests for data for
treatment purposes.
• This duty to respond means that if actual data is not sent in response,
the Participant will at a minimum send a standardized response to the
requesting Participant.
• Participants are permitted, but not required, to respond to all other (non-treatment) requests.
• The DURSA does not require a Participant to disclose data when such
a disclosure would conflict with Applicable Law.
Future Use of Data Received Through the NHIN
• Once the Participant or Participant’s end user receives data from a responding Participant (i.e. a copy of the responding Participant’s records), the recipient may incorporate that data into its records and retain that information in accordance with the recipient’s record retention policies and procedures.
• The recipient can re-use and re-disclose that data in accordance with all applicable law and the agreements between a Participant and its end users.
NHIN Participant Obligations
• Each Participant can apply its own local access policies before requesting
data from other Participants or releasing data to other Participants.
• Responding Participants are responsible for meeting all legal requirements before disclosing the data as required by their applicable law, including obtaining an individual’s consent or authorization for treatment purposes.
• HIPAA Privacy and Security Rules are minimum requirements.
• When a request is based on a purpose for which authorization is required
under HIPAA (e.g. for SSA benefits determination), the requesting
Participant must send a copy of the authorization with the request for data.
CONNECT Seminar presentations are available for download online at http://www.connectopensource.org
For more information: http://www.hhs.gov/healthit/healthnetwork/resources