nhin workgroup recommendation

HIT Policy CommitteeNHIN Workgroup Recommendations

David Lansky, ChairPacific Business Group on Health

Danny Weitzner, Co-ChairDepartment of Commerce, NTIA

January 13, 2010

INTRODUCTORY REMARKS

Chair� David Lansky, Pacific Business Group on Health

Co-Chair� Danny Weitzner, Department of Commerce, NTIA

Members• Christine Bechtel, National Partnership for Women & Families• A. John Blair, III, Taconic IPA• Neil Calman, Institute for Family Health• James Borland, Social Security Administration• Carol Diamond, Markle Foundation• Colin Evans, Dossia• Tim Cromwell, Department of Veterans Affairs• Jonah Frohlich, Deputy Secretary, Health IT, California• Leslie Harris, Center for Democracy and Technology• Arien Malec, Relay Health• Marc Overhage, Regenstrief Institute• Marc Probst, Intermountain Healthcare• Wes Rishel, Gartner• Micky Tripathi, Massachusetts eHealth Collaborative

ONC/HHS� Farzad Mostashari� Todd Park� Doug Fridsma

Workgroup Members

Nationwide Health Information Network

• Workgroup’s Definition of the NHINA set of policies, standards and services that enable the Internet to be used for secure and meaningful exchange of health information to improve health and health care.

• NHIN Work Group ChargeTo create a set of recommendations for a policy and technical framework for the NHIN in a way that is both open to all and fosters innovation.

Workgroup Context

• Meaningful use criteria in the proposed CMS rule require exchange of health information among providers and with patients to improve quality, safety, and efficiency of care, patient engagement, coordination of care, and population health.

• Stage 1 criteria involve direct communication of patient data among providers and with patients (e.g., doctor to consultant, or lab to doctor, or doctor to pharmacy), where:– the exchange is for treatment or payment purposes;– the sender and receiver are known; but– the sender may or may not have a prior relationship with the

recipient.

• The NHIN should support achievement of Meaningful Use in 2011 and beyond.

Meet the needs of today and tomorrow

Stage I- ePrescribing- Lab results into EHRs- Send clinical summary

to providers and patient- Public health reporting- Quality reporting (2012)

Stage 2- Patient PHR access- ePrescribing refills- Electronic summary record- Receive health alerts- Immunization information

Stage 3- Access comprehensive patient data- Automated real-time surveillance

Goal:�This�is�part�of�an�evolutionary�pathThere�will�be�incremental�growthAll�journeys�start�with�a�few�steps

EXCHANGING PATIENT DATA

Vocabulary/ Document/ Message Standards Directories

Authentication / certificates Delivery Protocols

Security

Trust Relationships

Vocabulary/ Document/ Message Standards

Authentication/certificates Delivery Protocols Trust Relationships

Directories

Foundational NHIN Components

Security

Working Assumptions

• A goal is to support widest possible participation by providers at the individual and organizational level.

• Incremental approach is reasonable; change will be evolutionary.

• The approach for 2011 is intended to be foundational and help progress toward longer-term aims in 2013, 2015 and beyond.

• Leverage the Internet and appropriate security protocols as the transport mechanism.

• What can the government do today to enable the broadest participation across a wide spectrum of providers, large and small, by 2011.

• Desired attributes of government role:– Recognizes (and learns from) existing patterns of exchange– Minimized to accomplish the agreed upon purposes.– Creates incentives to stimulate information exchange without

impeding existing exchange models.– Fosters innovation to achieve new means for information

exchange.– Facilitates long-term expansion of information exchange under

a variety of scenarios.

Government Role

Key Findings

• Key elements that need to be in place to facilitate and encourage the broadest range of providers (individuals and organizations) to be able to achieve meaningful use in 2011:– Secure Internet transport.– Directories to allow parties to locate those to whom information

is transferred.– Means to authenticate/validate identity of parties involved in

information exchange.– Trust fabric that provides parties with sufficient confidence that

the exchange can be accomplished successfully.

Findings: Directories

• Extensive provider directories exist, but were created for different business purposes which, in their present form, may not be sufficient:– Varying types of data maintained.– Different data definitions.– Certain data may not be currently collected (e.g. place of care).– The quality and accuracy of the data.

• The quality of the data depends upon the value to the subject of the data, as well as the use and incentives for accuracy.

• The private sector and those government programs that rely on directories will still need to maintain and operationally support directories.

Findings: Identity Proofing and Authentication

• Risk analysis must determine level of assurance required, this may vary depending upon context.

• Assurance requires both identity proofing (carbon-based life form) and authentication (same entity); both are best done as close to the provider as possible.

• Implementation may be supported through various technical means and by a multitude of entities.

• The Federal Government has defined standards and services for identity proofing and authentication, as well as mechanisms to procure reliable intermediaries to manage identities.

Findings: Trust Fabric

• Information exchange depends on common trust elements, including:– Rules for interaction.– Pre-existing personal and business relationships.– Understanding and clear expectation of how data will be used.– Assurance that the exchange takes place as expected

(including the identity of those exchanging data).– Oversight and accountability for compliance.

• Implementation of the trust elements will differ based on the nature of the parties to the exchange and the information being exchanged.

• The absence of a mature policy and technical trust framework is an impediment to information exchange.

RECOMMENDATIONSNHIN Workgroup

Recommendations Topics

1. Meaningful Use2. Transport vs. Content3. Directories4. Authentication

What is the Workgroup’s definition of the NHIN?

A set of policies, standards and services that enable the Internet to be used for secure and meaningful exchange of health information to improve health and health care.

Recommendation #1 – Meaningful Use

• The policies, standards, and services of the NHIN should enable the broadest range of providers to exchange information to achieve meaningful use and enable consumers to be able to access their health information (as well as states and other organizations that support those providers).

• The Federal government should focus on the minimum standards, policies and services needed for foundational exchange components to further meaningful use in the near-term.

Recommendation #2 – Transport vs. Content

• The initial focus should be on private and secure transport over the Internet, with increased focus on data content over time.

• The NHIN policies, standards and services should be structured so that simple intermediaries can provide required services for private and secure routing of health information.

Recommendation #3 – Directories

• The federal government already maintains provider directories to meet existing federal obligations and should work with stakeholders to improve upon and leverage these directories for the NHIN.

• The federal government has a unique role in assuring that authoritative provider directories are available to accelerate the exchange of information to successfully support and increase efficiency of meaningful use.

• The federal government should define a core set of policies for the inter-operation of trusted directories.

Recommendation #4 - Authentication

• Build upon existing federal standards, policies and practices for authentication and identity proofing.

• Determine the level of confidence appropriate for different exchange scenarios.

• Permit innovation and local autonomy in the method of authentication.

• If intermediaries are involved in the exchange, make sure that certification (independent verification) of those intermediaries is done for authentication and identity proofing.

• Include oversight mechanisms and redress.

One Possible NHIN Strawcase NHIN�Root�Certificate�Authority�

NHINCertificate�Authority

NHINCertificate�Authority

y

NNNNNNNNNNNNNNNNNHHHHIIIIINNNNNNNNNNNNNNNNNNNNNNNNNHHS�Authorized HSPCertifiers

HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHSS�AAutthhhhoriizedddd HHSSPPHHS�Authorized�HSP�

Certifiers

HS Authorized HSPCertifiersHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHSSSSSCC�AAAAAuttthhhhhhhoriiiiiizeddddddertifiersrtifie HHHHHSSSSSPPPPPCertifiersAuthorized HSPCertifiers

HSP HSP

“NHIN�Node”�Directory

• Health�Information�Exchange�Service�Providers�(HSPs)�identity�proof,�authenticate,�and�represent�providers�in�information�exchange.���

• HSPs�can�be�HIOs,�EHR�vendors,�transactions�companies,�health�systems,�IPAs,�govt�agencies,�etc.

• HSPs�maintain�local�directories�of�providers�they�serve�+�their�health�info�exchange�addresses

NHIN�CA�issues�certificate�to�HSP�if�it�an�Authorized�HSP�Certifier�validates�that�the�HSP�conforms�to�standards�for�HSP�operations�(identity�proofing,�authentication,�

authorization,�etc.)

NOTE:��Different�HSPs�and�other�“NHIN�nodes”�(e.g.,�PHRs)�can�support�different�levels�and�types�of�health�info�exchange�(simple�to�more�sophisticated)

Provider’s�certified�EHR�generates�health�info�package�in�compliance�with�applicable�vocabulary,�document,�and�

message�standards�(e.g.,�care�summary)

PHR

(HSPs,�other�nodes)

“Provider�A” “Provider�B”

HSPs�manage�secure�delivery�of�health�info�packages�(e.g.,�care�summaries)�via�the�Internet�to�and�from�providers�via�other�HSPs�and�to�and�from�other�“NHIN�nodes”�(e.g.,�PHRs)�

Next Steps: Trust

• There is a wide range of possible roles for government from no action / laissez-faire to detailed regulation or the passage of new laws.

• Trust implications require further consideration by the Workgroup, in conjunction with recommendations for governance of the NHIN.

WEB LINKS

NRPM Document:http://mycourses.med.harvard.edu/ec_res/nt/3E57FAE4-

A6AB-4CA8-AF6B-FAB1537595A4/nprm.pdf

Dr. John Halamka’s Blog – Life as a Healthcare CIO: Bookmarked Version

of the NPRM and IFR:http://geekdoctor.blogspot.com/2010/01/bookmarked-

version-of-nprm.html

Web Links