On May 15, the Office of the National Coordinator for Health IT published a request for information calling for public comment on proposed "rules of the road" to govern the Nationwide Health Information Network. The centerpiece of the proposal is a voluntary program under which entities that enable electronic health information exchange could be validated (i.e., formally recognized) for meeting ONC-established "conditions for trusted exchange," or "CTEs."
The question of how best to govern a nationwide system of HIE has long been an open one, percolating in the background while health care stakeholders have begun exchanging information within state boundaries. The RFI represents ONC's current thinking about the policies and standards necessary to enable HIE on a nationwide scale.
Background: What Exactly Is NwHIN?
ONC has officially defined NwHIN as "a portfolio of services, standards and policies that enable secure health information exchange over the Internet." ONC is developing and testing this portfolio of services, standards and policies through a number of different projects, including the Nationwide Health Information Network Exchange ("Exchange") and the Direct Project ("Direct"), each of which enables a unique model of HIE.
For example, Exchange is a pilot project in which private sector health care providers, federal government agencies like the Department of Veterans Affairs and others actively engage in query-response or "pull" model HIE. Direct, on the other hand, provides technical standards that enable health care providers to securely "push" health information to another known, trusted recipient over the Internet on a one-to-one basis.
Another ONC initiative, the Standards and Interoperability Framework, is working to develop more standards and specifications to add to the NwHIN portfolio, such as technical standards that will enable the secure exchange of laboratory results among health care providers.
ONC's conceptualization of NwHIN as a portfolio of services, standards and policies reflects its belief that there is no one-size-fits-all model of HIE. Rather, within an environment of trust facilitated by effective governance, HIE can be achieved through a variety of mechanisms, including through state-funded regional health information organizations, private networks operated by electronic health record vendors or other venues.
Background on the RFI
The HITECH Act required ONC to establish a governance mechanism for the NwHIN. To satisfy this requirement, the Health IT Policy Committee, one of two federal advisory committees that provide advice to ONC, formed the NwHIN Governance Workgroup and charged it with "draft[ing] a set of recommendations on the scope and process of governance for nationwide health information exchange, including measures to ensure accountability and oversight."
The Governance Workgroup held a series of public meetings and formally transmitted its recommendations for NwHIN governance to ONC in December 2010. ONC incorporated many of the Governance Workgroup's recommendations into the RFI, including that the governance mechanism be voluntary, that the governance apply to entities that enable HIE as opposed to individual health care providers and that its requirements build on existing law without setting the bar so high as to be unachievable.
According to ONC, HIE has traditionally been governed "by a patchwork of contractual relationships, procurement requirements, state and federal laws, and industry self-regulation." This patchwork has led to "asymmetries in the policies and technical standards" that health care providers are using to exchange information within their discrete communities. This, in turn, makes it difficult for health care providers in different communities to share information.
To alleviate this problem, ONC hopes to establish a consistent, baseline set of rules of the road for electronic exchange and believes that a properly crafted governance mechanism could yield substantial public benefits, including:
- Reduced burden and costs to engage in electronic exchange;
- Added protections for consumers and health care providers; and
- A more innovative and efficient electronic exchange marketplace in which electronic exchange is commonplace and "worry-free."
Overview of the RFI
ONC is proposing a voluntary program under which entities that enable HIE, such as state-based or private health information networks, could be validated as meeting ONC-established CTEs. ONC describes CTEs as conditions necessary to enable trusted exchange among health care providers nationwide, regardless of the model of exchange in which the provider is engaging. Specifically, ONC is proposing CTEs in three areas:
-
Safeguards, which focus on the protection of individually identifiable health information ("IIHI");
-
Interoperability, which focus on the technical standards needed for interoperable exchange; and
-
Business practices, which focus on ensuring that entities that enable HIE abide by sound operational and financial practices.
ONC is proposing 16 CTEs in total, which are listed in the bullets below. It is important to note that some of the CTEs would impose requirements that go above and beyond what current law requires. For example, one of the safeguard CTEs would require entities that enable HIE to implement security safeguards like encryption that are currently not mandatory under the Health Insurance Portability and Accountability Act ("HIPAA"), the federal law that governs how health care providers ensure the privacy and security of patient health information. Another of the safeguard CTEs would prohibit entities that enable HIE from using or disclosing de-identified health information for any commercial purpose. Under HIPAA, covered entities may use or disclose de-identified data freely; HIPAA does not regulate use of de-identified information.
ONC anticipates that the CTEs will be reviewed annually and will evolve over time. For example, some CTEs will be retired while new CTEs will be added. Entities that are validated as complying with the CTEs will become "network validated entities" ("NVEs") and will be responsible for providing HIE services that are compliant with the CTEs on an ongoing basis.
ONC is contemplating developing a process similar to its existing permanent certification program for EHRs, in which it would approve a single body to accredit and oversee the organizations that would "validate" NVEs.
Security CTEs
- S-1: An NVE must comply with sections 164.308, 164.310, 164.312, and 164.316 of [the HIPAA Security Rule] as if it were a covered entity, and must treat all implementation specifications included within sections 164.308, 164.310, and 164.312 as "required."
- S-2: An NVE must only facilitate electronic HIE for parties it has authenticated and authorized, either directly or indirectly.
- S-3: An NVE must ensure that individuals are provided with a meaningful choice regarding whether their IIHI may be exchanged by the NVE.
- S-4: An NVE must only exchange encrypted IIHI.
- S-5: An NVE must make publicly available a notice of its data practices describing why IIHI is collected, how it is used, and to whom and for what reason it is disclosed.
- S-6: An NVE must not use or disclose de-identified health information to which it has access for any commercial purpose.
- S-7: An NVE must operate its services with high availability.
- S-8: If an NVE assembles or aggregates health information that results in a unique set of IIHI, then it must provide individuals with electronic access to their unique set of IIHI.
- S-9: If an NVE assembles or aggregates health information which results in a unique set of IIHI, then it must provide individuals with the right to request a correction and/or annotation to this unique set of IIHI.
- S-10: An NVE must have the means to verify that a provider requesting an individual’s health information through a query and response model has or is in the process of establishing a treatment relationship with that individual.
Interoperability CTEs
- I-1: An NVE must be able to facilitate secure electronic health information exchange in two circumstances: (i) when the sender and receiver are known; and (ii) when the exchange occurs at the patient’s direction.
- I-2: An NVE must follow required standards for establishing and discovering digital certificates.
- I-3: An NVE must have the ability to verify and match the subject of a message, including the ability to locate a potential source of available information for a specific subject.
Business Practices CTEs
- BP-1: An NVE must send and receive any planned electronic exchange message from another NVE without imposing financial preconditions on any other NVE.
- BP-2: An NVE must provide open access to the directory services it provides to enable planned electronic exchange.
- BP-3: An NVE must report on users and transaction volume for validated services.
Proposal Open for Influence
ONC makes clear in the RFI that none of its proposals are set in stone and that it seeks public comment on all aspects of the RFI. The RFI includes 66 specific questions for the public's feedback, including but not limited to:
- Whether there are other governance systems that ONC should consider;
- Whether now is the right time to implement a governance system for NwHIN; and
- What the appropriate role for ONC in any NwHIN governance system may be.
One of the aspects of ONC's proposed governance system that is likely to be the subject of a significant amount of feedback is its voluntary nature. ONC explains that the proposal is designed to create a set of conditions for trusted exchange that entities enabling HIE will voluntarily choose to follow -- presumably because doing so will help them provide a higher value proposition to the health care providers they serve -- but it is not certain that such a system will succeed absent a mandate or a more concrete incentive. Its ultimate success will likely hinge on whether other public and private organizations choose to piggyback on the NwHIN governance process and require NVE recognition as a condition to awarding HIE-related contracts or otherwise entering into business arrangements with entities that enable HIE.
Another area ripe for comment is how to ensure alignment between whatever system of governance ONC may choose for NwHIN and the various approaches to governance that states across the country have implemented under HITECH's State HIE Program.
While it is too early to speculate what the ultimate NwHIN governance system may look like, the RFI is an important step toward enabling trusted and interoperable HIE on a nationwide scale. Its proposed common set of rules will help to lay the necessary foundation for consistent HIE that improves the quality and efficiency of health care.
Comments on the RFI are due on June 29 and are expected to shape ONC's release of a formal notice of proposed rulemaking on NwHIN governance. The timing of the NPRM is unclear.