Skip to main content

NwHIN: Government Governance of Governances

Today, the Office of the National Coordinator for Health Information Technology (ONC) has released a Request for Information (RFI) regarding the governance of a Nationwide Health Information Network (NwHIN). The document outlines ONC’s current thinking on the subject and poses 66 questions to the public. The NwHIN is the proposed vehicle by which secure and presumably trusted health information exchange is facilitated and accelerated. The NwHIN consists, or is envisioned to eventually consist, of a set of standards and policies to govern health information exchange over the Internet. It does not include the actual infrastructure for such exchange. Below is a brief summary of the RFI highlights and the obligatory commentary on the proposed governance methodology.

Highlights

The 64 page document, as its title clearly states, is focused on creating trust in the exchange of health information at a National level. To that end, ONC is proposing to define a set of policies and regulations to be adhered to by participants in information exchange as “conditions for trusted exchange” (CTE). Consistent with current direction and the funding of Health Information Exchange (HIE) organizations, ONC is envisioning a set of entities specifically built for, or specializing in, the exchange of health information. These new entities (or new services) are named Nationwide Health Information Network Validated Entities (NVEs), and very much resemble what was previously referred to as Health Internet Service Providers (HISPs) in the context of the Direct Project based exchange.

Going forward, ONC proposes to assume responsibility for “oversight of all entities and processes established as part of the governance mechanism”, including management and endorsement of CTEs, “selection and oversight processes for an accreditation body that would be responsible for accrediting organizations interested in becoming validation bodies” and “[a]uthorizing and overseeing validation bodies which would be responsible for validating that eligible entities have met adopted CTEs”. For starters, ONC proposes three types of CTEs with the understanding that many others will be added in the future. Here is an (almost) verbatim list of the proposed CTEs:

Safeguards
[S-1]: An NVE must comply with a good portion of the HIPAA regulations as if it were a covered entity.
[S-2]: An NVE must only facilitate electronic health information exchange for parties it has authenticated and authorized, either directly or indirectly.
[S-3]: An NVE must ensure that individuals are provided with a meaningful choice regarding whether their Individually Identifiable Health Information (IIHI) may be exchanged by the NVE.
[S-4]: An NVE must only exchange encrypted IIHI.
[S-5]: An NVE must make publicly available a notice of its data practices describing why IIHI is collected, how it is used, and to whom and for what reason it is disclosed.
[S-6]: An NVE must not use or disclose de-identified health information to which it has access for any commercial purpose.
[S-7]: An NVE must operate its services with high availability.
[S-8]: If an NVE assembles or aggregates health information that results in a unique set of IIHI, then it must provide individuals with electronic access to their unique set of IIHI.
[S-9]: If an NVE assembles or aggregates health information which results in a unique set of IIHI, then it must provide individuals with the right to request a correction and/or annotation to this unique set of IIHI.
[S-10]: An NVE must have the means to verify that a provider requesting an individual’s health information through a query and response model has or is in the process of establishing a treatment relationship with that individual.
Interoperability
[I-1]: An NVE must be able to facilitate secure electronic health information exchange in two circumstances: 1) when the sender and receiver are known; and 2) when the exchange occurs at the patient’s direction.
[I-2]: An NVE must follow required standards for establishing and discovering digital certificates.
[I-3]: An NVE must have the ability to verify and match the subject of a message, including the ability to locate a potential source of available information for a specific subject.
Business Practices
[BP-1]: An NVE must send and receive any planned electronic exchange message from another NVE without imposing financial preconditions on any other NVE.
[BP-2]: An NVE must provide open access to the directory services it provides to enable planned electronic exchange.
[BP-3]: An NVE must report on users and transaction volume for validated services.

Considering the broad spectrum of CTEs, the entities accredited to validate NVEs will need a very broad range of capabilities to do a proper job at validation and monitoring of exchanges. ONC allows for the possibility that NVEs may be fully or partially validated, similar to EHRs being certified as Complete or Modular, and in both cases it is assumed that NVEs will be able to publicly advertise their compliance status. All these definitions are in a proposal stage, and ONC is requesting input on pretty much the entire proposed structure. You have 30 short days to file your response.

Commentary

This is a very technical subject and, with the notable exception of those actively working in health care IT, this publication may not elicit any interest in the physician or patient population. However, there is one item in this RFI which prompted me to hurry up and write this post, because after consistently complaining for several years, my wishes have been answered in the form of the beautiful [S-6] CTE!! So here are my impressions of this lovely thought and the document that surrounds it.

The Exquisite
After what seems like an eternity, ONC officially recognizes that de-identified information can be rather easily re-identified and that those who happen to own the hardware infrastructure where people’s medical records are stored do not have an inherent right of ownership to those records. I would very much like to see ONC extend this regulation to every HIT vendor, not just those specializing in exchange of information, since if it is pertinent to NVEs, it must be also pertinent to EHRs, HIEs, ancillary software vendors and, yes, pharmacy software vendors. I am not naive enough to believe that CTE [S-6] will survive the rule making process, but for the moment, the detailed description of the dangers inherent in the wholesale of patient data is reason for celebration.

The Good
All Safeguards CTEs (with the exception of [S-9], which could cause havoc in the many places where data originated from), are proposing to put in place regulations that are beneficial to the privacy and security of patients and their medical information. The Interoperability CTEs are also very sensible and actually a bit restrained. Put together, these 12 CTEs, if complied with, should create enough trust in exchanging entities to allay the concerns of physicians and patients regarding the transfer process itself. Other concerns may persist, but it was not the intent of this RFI to address those. Releasing an RFI prior to a formal notice of proposed rulemaking (NPRM), is also a positive sign that ONC is open to considering other opinions (too bad that this is how [S-6] will be killed off). So, even if you don’t clearly see your dog in this fight, read the document (it’s very readable and informative), find your dog, and back him up.

The Bad
The Business Practice CTEs are overreaching into the world of private business. ONC is asking if NVEs should perhaps be required to be non-profit. Not a good idea, but even if they are, those entities will need to have a sustainable business model, or forever be dependent on Government grants. If their dreams of making billions from health data are to be crushed, then they must be allowed to make a living by selling services. Current hype notwithstanding, software is not free to develop and maintain in a professional and trustworthy manner. The reporting CTE [BP-3] sounds too much like big government and should not be necessary. Most vendors are incessantly advertising their number of customers and transactions, and perhaps statistics is something NVEs should be paid for to provide.

The Ugly
Bureaucracy, lots of it, expanded and extended indefinitely into the future with no end in sight.

And now we wait for the public comments to be submitted, the NPRM to be published, more public comments, the final rule to be issued, and the “governance of governances” to be established. Keeping my fingers crossed for little [S-6] to make it to the finish line….

Comments

Post a Comment

Popular posts from this blog

Dr. Watson is Not a Meaningful User

IBM ’s Dr. Watson of Jeopardy! fame has finally completed its residency and fellowships and, presumably to its creators’ utter delight, is now a practicing Oncologist. The prodigy “cognitive system” completed its training in less than a year at the illustrious Memorial Sloan-Kettering Cancer Center, and although only proficient in lung cancer right now, Dr. Watson’s career as an advisor to oncologists everywhere is off to a great start. A recently released video demonstration shows Dr. Watson in action, researching, evaluating and treating a 37 year old woman with newly diagnosed stage IV lung cancer in his advisory capacity to a hurried and pretty uninspiring human oncologist. Regardless of the slightly weird scenario, it is worth noting that in a fraction of a second Dr. Watson, scours 3,469 text books, 69 guidelines, 247,460 journal articles 106,054 other clinical documents and 61,540 clinical trials, and evaluates their contents against the patient’s EMR to identify need for furt
Post a Comment
Read more

VIDERI QUAM ESSE

I was reading the popular HIStalk health IT news/opinion site the other day when I ran into a blurb stating that beginning in 2014, a new “North Carolina law requires hospitals with EHRs to connect to the state’s HIE and submit data on services paid for with Medicaid funds”. For the uninitiated, HIE stands for Health Information Exchange, and in this context it refers to a federally funded organization whose mission is to facilitate clinical information exchange in the State. There are similar organizations in most every State, funded back in 2009, alongside Meaningful Use and other shovel ready economic stimulus activities, through the ARRA and its HITECH Act. The noble goal of HIE organizations everywhere is to improve care for patients by simplifying interoperability between disparate EHR technologies, allowing clinicians timely access to relevant, up-to-date medical information at the point of care. It makes perfect sense that North Carolina would like to “nudge” hospitals into sh
Post a Comment
Read more

Translucency with Turbid Clouds

Did you ever read a seemingly inconsequential sentence somewhere and it then just refused to leave your mind for days on end, triggering avalanches of thoughts way beyond the original intent, if there even was one? It just happened to me a few days ago when I read one more industry article about the recent Medicare data dump. The following remark was attributed to a primary care doctor: “The U.S. is entering an era of more accountability and transparency in all aspects of people's personal and professional lives and “medicine cannot be excluded,” he said”.  Back in 1996 a science fiction author by the name of David Brin, published an article in Wired Magazine , where he too prophetically argued that the era of transparency is no longer preventable. Ignoring an entire branch of physics, Mr. Brin suggested that the only antidote to the floodlights shining on each individual consists of a “flashlight” we can use to point at the elites running the lightshows. But Mr. Brin forgot anoth
Post a Comment
Read more