Health information exchange took center stage during an online "listening session" organized Jan. 17 by the Office of the National Coordinator for Health IT (ONC). Participants relayed their experience and shared challenges they've faced in gearing up for widespread exchange of health information.
Participants expressed concerns about confidence in the patient data policies among connecting networks, ensuring patient identification, variations in technical exchange standards and the need for a framework for trust.
The goal is to make sure that information will follow the patient, wherever and whenever it is needed and regardless of vendor or geographical boundaries, said ONC chief Farzad Mostashari, MD.
“ONC has embraced health information exchange, the verb. There are lots of different methods for this to occur. As long as we can get closer to this vision of information liquidity to benefit the patient, it’s good,” Mostashari commented.
ONC decided not to issue federal regulations around "rules of the road" for nationwide health information exchange, but rather to support existing governance activities that organizations have started to advance widespread exchange.
The question is how to “ensure that the flow between such providers does not pose artificial barriers,” Mostashari said.
As providers access a network to request information about a patient, exchange organizations may have variations in their policies for rules of the road for query-based exchange, according to Paul Wilder, vice president of product management for the New York eHealth Collaborative, a state-designated entity. New York has about a dozen regional health information exchanges (RHIOs), each with its own policies based upon the state’s governance standard.
“We see what happens when we have these policy gaps between what is defined but still broad enough -- it’s difficult if you’re not 100 percent harmonious. You end up with data liquidity going down to almost negative because once one side thinks that their policies and their interpretations within that boundary are appropriate, and the other side does not have the same thing, the two entities cannot connect,” Wilder said.
For example, one RHIO, which stipulates that only physicians may look at patient data, won’t exchange with a RHIO that also allows nurses and front-office staff as part of a covered entity to view the information. “That mismatch means both sides don’t trust each other," Wilder added, "and the data stops.”
New York state policy uses the covered entity standard, and additional protections are voluntary, he said. A large number of New Yorkers, meanwhile, travel to New Jersey and Connecticut for services and vice versa. Other states will experience similar situations as they try to connect across their borders.
Instead, taking the example of driver licenses, no matter which state has issued the document, it is recognized in every state regardless of the effectiveness of that state’s driver test. Likewise, across exchanges, “what we’d like is that once I have logged in and authenticated to the first one, that the other exchange accept the trust and user role that they have defined in the first one. We’ll pass data because you are part of this trust fabric,” Wilder said.
Participants also were concerned that health information service providers (HISPs) could have different or lower standards with which to participate to offer end-user identity authentication services to support a framework for trust.
Validation with a trust organization could offer sufficient confidence in HISPs, according to David Kibbe, MD, president and CEO of DirectTrust.org, a nonprofit trade association that builds such a framework for Direct community participants. Members agree to follow the policies and best practices of a set of technical, legal and business standards to support directed exchange.
Members don’t want to have to deal with validation several times. A HISP can be trusted in an automated way for subscribers, explained Kibbe.
“The biggest problem is that there isn’t uniform understanding of public key infrastructure and the levels of identity proofing and insurance to feel comfortable that they aren’t putting their subscribers at risk,” Kibbe said.