Monday, May 14, 2012

Nationwide Health Information Network: Conditions for Trusted Exchange

First, I want to point out that the Nationwide Health Information Network Exchange (upper case) is a specific organization that is being turned into a private, nonprofit entity this fall with the idea that it would be weaned off government funding by October 2013. The nationwide health information network (lower case) is defined as the set of standards, services, and policies that enable secure health information exchange over the Internet. The Exchange is a group of health care stakeholders that have put the standards, services and policies which have been developed into production. So really the ONC has released an RFI for comment on the governance mechanism for the nationwide health information network, and I don't know what will happen to the commonly used NwHIN acronym (which used to be NHIN) except when used as part of the NwHIN Exchange.

An important aspect of this governance mechanism is the establishment of a framework for validating entities that facilitate electronic exchange. This would be a voluntary program under which entities that enable electronic health information exchange could be validated based on meeting ONC-established "Conditions for Trusted Exchange" (CTE). Upon successful validation to adopted CTEs, an entity would be recognized as a "Nationwide Health Information Network Validated Entity" (NVE) and thus become responsible for performing electronic exchange services in accordance with the adopted CTEs. To drive the value of validation as an NVE, public and private organizations could specify NVE recognition as a condition in awarding contracts, procurements and/or in other situations where validation would be beneficial.

The ONC seeks comment on 5 areas:
  1. The establishment of a set of conditions for trusted exchange (CTEs) – “rules of the road”
  2. A validation process for entities to demonstrate conformance to the CTEs (and subsequently become an NVE)
  3. Processes to update and retire CTEs
  4. Establishment of a process to classify the readiness of technical standards and implementation specifications to support interoperability related CTEs
  5. Approaches for monitoring and transparent oversight
It is anticipated that entities eligible for validation as an NVE may include (but are not limited to):
  • EHR developers;
  • Integrated delivery networks;
  • Regional, state, local or specialty-based health information exchanges;
  • Health information service providers;
  • State and Federal agencies.
In much the same way that roles and responsibilities were established under the permanent certification program for the EHR Incentive Program, ONC would select a single Accreditation Body to accredit Validation Bodies, which would be authorized to validate an entity's CTE compliance. If an entity successfully completes the validation process, it would become an NVE. Validation could consist of testing/certification of products or technology (interoperability CTEs) and the accreditation of services (safeguard and business practice CTEs). This process would differ from the EHR certification programs in that validation would evaluate an entity’s conformance to adopted CTEs as opposed to a particular product’s certification to certification criteria.

Below is a rough framework of the proposed CTEs and the questions ONC is seeking comment on in this RFI. I will be working on some comments on many of these questions to submit prior to the June 15, 2012 deadline.

A. Establishing a Governance Mechanism

CTEs are being grouped into three categories: safeguards, interoperability, and business practices.
  • Safeguards CTEs would focus on the protection of IIHI to promote its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure
  • Interoperability CTEs would focus on the technical standards for the exchange and integration of electronic health information so that it is useful for the recipient
  • Business Practices CTEs would focus on the operational and financial practices or standards to which NVEs would need to adhere in support of trusted electronic exchange
Question 1: Would these categories comprehensively reflect the types of CTEs needed to govern the nationwide health information network? If not, what other categories should we consider?

Question 2: What kind of governance approach would best produce a trusted, secure, and interoperable electronic exchange nationwide?

Question 3: How urgent is the need for a nationwide governance approach for electronic health information exchange? Conversely, please indicate if you believe that it is untimely for a nationwide approach to be developed and why.

Question 4: Would a voluntary validation approach as described above sufficiently achieve this goal? If not, why?

Question 5: Would establishing a national validation process as described above effectively relieve any burden on the States to regulate local and regional health information exchange markets?

Question 6: How could we ensure alignment between the governance mechanism and existing State governance approaches?

Question 7: What other approaches to exercising our authority to establish a governance mechanism for the nationwide health information network should we consider?

B. Actors and Associated Responsibilities

Question 8: We solicit feedback on the appropriateness of ONC’s role in coordinating the governance mechanism and whether certain responsibilities might be better delegated to, and/or fulfilled by, the private sector.

Question 9: Would a voluntary validation process be effective for ensuring that entities engaged in facilitating electronic exchange continue to comply with adopted CTEs? If not, what other validation processes could be leveraged for validating conformance with adopted CTEs? If you identify existing processes, please explain the focus of each and its scope.

Question 10: Should the validation method vary by CTE? Which methods would be most effective for ensuring compliance with the CTEs? (Before answering this question it may be useful to first review the CTEs we are considering to adopt, see section “VI. Conditions for Trusted Exchange.”)

Question 11: What successful validation models or approaches exist in other industries that could be used as a model for our purposes in this context?

Question 12: What would be the potential impact of this accreditation/validation body model on electronic health information exchange, in particular, on the volume and efficiency of exchange in local health care markets and provider confidence? What is the best way to maximize the benefit while minimizing the burden on providers or other actors in the market?

Question 13: Should there be an eligibility criterion that requires an entity to have a valid purpose (e.g., treatment) for exchanging health information? If so, what would constitute a “valid” purpose for exchange?

Question 14: Should there be an eligibility criterion that requires an entity to have prior electronic exchange experience or a certain number of participants it serves?

Question 15: Are there other eligibility criteria that we should also consider?

Question 16: Should eligibility be limited to entities that are tax-exempt under section 501(c)(3) of the IRC? If yes, please explain why.

Question 17: What is the optimum role for stakeholders, including consumers, in governance of the nationwide health information network? What mechanisms would most effectively implement that role?

C. Monitoring and Transparent Oversight

Question 18: What are the most appropriate monitoring and oversight methods to include as part of the governance mechanism for the nationwide health information network? Why?

Question 19: What other approaches might ONC consider for addressing violations of compliance with CTEs?

Question 20: What limits, if any, would need to be in place in order to ensure that services and/or activities performed by NVEs for which no validation is available are not misrepresented as being part of an NVE’s validation? Should NVEs be required to make some type of public disclosure or associate some type of labeling with the validated services or activities they support?

Question 21: How long should validation status be effective?

D. Conditions for Trusted Exchange (CTEs)

1. Safeguards CTEs

[S-1]: An NVE must comply with sections 164.308, 164.310, 164.312, and 164.316 of title 45 of the Code of Federal Regulations as if it were a covered entity, and must treat all implementation specifications included within sections 164.308, 164.310, and 164.312 as "required."

Question 22: Are there HIPAA Security Rule implementation specifications that should not be required of entities that facilitate electronic exchange? If so, which ones and why?

Question 23: Are there other security frameworks or guidance that we should consider for this CTE? Should we look to leverage NISTIR 7497 Security Architecture Design Process for Health Information Exchanges? If so, please also include information on how this framework would be validated.

[S-2]: An NVE must only facilitate electronic health information exchange for parties it has authenticated and authorized, either directly or indirectly.

Question 24: What is the most appropriate level of assurance that an NVE should look to achieve in directly authenticating and authorizing a party for which it facilitates electronic exchange?

Question 25: Would an indirect approach to satisfy this CTE reduce the potential trust that an NVE could provide? More specifically, should we consider proposing specific requirements that would need to be met in order for indirect authentication and authorization processes to be implemented consistently across NVEs?

Question 26: With respect to this CTE as well as others (particularly the Safeguards CTEs), should we consider applying the “flow down” concept in more cases? That is, should we impose requirements on NVEs to enforce upon the parties for which they facilitate electronic exchange, to ensure greater consistency and/or compliance with the requirements specified in some CTEs?

[S-3]: An NVE must ensure that individuals are provided with a meaningful choice regarding whether their Individually Identifiable Health Information (IIHI) may be exchanged by the NVE.

Question 27: In accommodating various meaningful choice approaches (e.g., opt-in, opt-out, or some combination of the two), what would be the operational challenges for each approach? What types of criteria could we use for validating meaningful choice under each approach? Considering some States have already established certain “choice” policies, how could we ensure consistency in implementing this CTE?

Question 28: Under what circumstances and in what manner should individual choice be required for other electronic exchange purposes?

Question 29: Should an additional “meaningful choice” Safeguards CTE be considered to address electronic exchange scenarios (e.g., distributed query) that do not take place following Interoperability CTE I-1?

Question 30: The process of giving patients a meaningful choice may be delegated to providers or other users of NVE services (as opposed to the patient receiving the choice from the NVE directly). In such instances, how would the provision of meaningful choice be validated?

[S-4]: An NVE must only exchange encrypted IIHI.

Question 31: Should there be exceptions to this CTE? If so, please describe these exceptions.

[S-5]: An NVE must make publicly available a notice of its data practices describing why IIHI is collected, how it is used, and to whom and for what reason it is disclosed.

Question 32: Are there specific uses or actions about which we should consider explicitly requiring an NVE to be transparent?

Question 33: Would an NVE be able to accurately disclose all of the activities it may need to include in its notice? Should some type of summarization be permitted?

Question 34: What is the anticipated cost and administrative burden for providing such notice?

Question 35: Should this CTE require that an NVE disclose its activities related to de-identified and aggregated data?

Question 36: Should this CTE require that an NVE just post its notice on a website or should it be required to broadly disseminate the notice to the health care providers and others to which it provides electronic exchange services?

[S-6]: An NVE must not use or disclose de-identified health information to which it has access for any commercial purpose.

Question 37: What impact, if any, would this CTE have on various evolving business models? Would the additional trust gained from this CTE outweigh the potential impact on these models?

Question 38: On what other entities would this have an effect?

[S-7]: An NVE must operate its services with high availability.

Question 39: What standard of availability, if any, is appropriate?

[S-8]: If an NVE assembles or aggregates health information that results in a unique set of IIHI, then it must provide individuals with electronic access to their unique set of IIHI.

Question 40: What further parameters, if any, should be placed on what constitutes a "unique set of IIHI"?

[S-9]: If an NVE assembles or aggregates health information which results in a unique set of IIHI, then it must provide individuals with the right to request a correction and/or annotation to this unique set of IIHI.

Question 41: If an NVE were to honor an individual’s request for a correction to the unique set of IIHI that it maintains, what impact could such a correction have if the corrected information was accessible by health care providers and not used solely for the NVE’s own business processes?

Question 42: Are there any circumstances where an NVE should not be required to provide individuals with the ability to correct their IIHI?

[S-10]: An NVE must have the means to verify that a provider requesting an individual’s health information through a query and response model has or is in the process of establishing a treatment relationship with that individual.

Question 43: What method or methods would be least burdensome but still appropriate for verifying a treatment relationship?

Question 44: Are there circumstances where a provider should be allowed access through the NVE to the health information of one or more individuals with whom it does not have a treatment relationship for the purpose of treating one of its patients?

2. Interoperability CTEs

[I-1]: An NVE must be able to facilitate secure electronic health information exchange in two circumstances: 1) when the sender and receiver are known; and 2) when the exchange occurs at the patient’s direction.

Question 45: What types of transport methods/standards should NVEs be able to support? Should they support both types of transport methods/standards (i.e., SMTP and SOAP), or should they only have to meet one of the two as well as have a way to translate (e.g., XDR/XDM)?

Question 46: If a secure “RESTful” transport specification is developed during the course of this rulemaking, should we also propose it as a way of demonstrating compliance with this CTE?

[I-2]: An NVE must follow required standards for establishing and discovering digital certificates.

Question 47: Are the technical specifications (i.e., Domain Name System (DNS) and the Lightweight Directory Access Protocol (LDAP)) appropriate and sufficient for enabling easy location of organizational certificates? Are there other specifications that we should also consider?

Question 48: Should this CTE require all participants engaged in planned electronic exchange to obtain an organizational (or group) digital certificate consistent with the policies of the Federal Bridge?

[I-3]: An NVE must have the ability to verify and match the subject of a message, including the ability to locate a potential source of available information for a specific subject.

Question 49: Should we adopt a CTE that requires NVEs to employ matching algorithms that meet a specific accuracy level or a CTE that limits false positives to a certain minimum ratio? What should the required levels be?

Question 50: What core data elements should be included for patient matching queries?

Question 51: What standards should we consider for patient matching queries?

3. Business Practice CTEs

[BP-1]: An NVE must send and receive any planned electronic exchange message from another NVE without imposing financial preconditions on any other NVE.

Question 52: Should this CTE be limited to only preventing one NVE from imposing a financial precondition on another NVE (such as fees), or should it be broader to cover other instances in which an NVE could create an inequitable electronic exchange environment?

Question 53: Should this CTE (or another CTE) address the fees an NVE could charge its customers to facilitate electronic exchange or should this be left to the market to determine?

Question 54: Under what circumstances, if any, should an NVE be permitted to impose requirements on other NVEs?

[BP-2]: An NVE must provide open access to the directory services it provides to enable planned electronic exchange.

[BP-3]: An NVE must report on users and transaction volume for validated services.

Question 55: What data would be most useful to be collected? How should it be made available to the public? Should NVEs be required to report on the transaction volume by end user type (e.g., provider, lab, public health, patient, etc)?

E. Request for Additional CTEs

Question 56: Which CTEs would you revise or delete and why? Are there other CTEs not listed here that we should also consider?

Question 57: Should one or more of the performance and service specifications implemented by the participants in the Exchange be included in our proposed set of CTEs? If so, please indicate which one(s) and provide your reasons for including them in one or more CTEs. If not, please indicate which one(s) and your reasons (including any technical or policy challenges you believe exist) for not including them in one or more CTEs.

Question 58: In the notice of proposed rulemaking (NPRM) we intend to subsequently issue, should the above CTEs as well as any others we consider for the NPRM be packaged together for the purposes of validation? In other words, would it make sense to allow for validation to different bundles of safeguard, interoperability, and business practice CTEs for different electronic exchange circumstances?

Question 59: Should we consider including safe harbors for certain CTEs? If so, which CTEs and what should the safe harbor(s) be?

F. CTE Processes and Standards and Implementation Specification Classifications

1. CTE Life Cycle

Question 60: What process should we use to update CTEs?

Question 61: Should we expressly permit validation bodies to provide for validation to pilot CTEs?

Question 62: Should we consider a process outside of our advisory committees through which the identification and development to frame new CTEs could be done?

2. Interoperability Conditions for Trusted Exchange – Technical Standards and Implementation Specifications Classification Process

Technical standards and implementation specifications could be assigned to one of three classifications:

  1. “Emerging” – This classification would refer to the technical standards and implementation specifications that still require additional specification and vetting by the standards development community, have not been broadly tested, have no or low adoption, and have only been implemented within a local or controlled setting.
  2. “Pilot” – This classification would refer to the technical standards and implementation specifications that have reached a level of specification maturity and adoption by different entities such that some entities are using them to exchange health information either in a test mode or in a limited production mode.
  3. “National” – This classification would refer to the technical standards and implementation specifications that have reached a high level of specification maturity and adoption by different entities such that most entities are using or are readily able to adopt and use them to exchange health information to conduct business.

Question 63: What would be the best way(s) ONC could help facilitate the pilot testing and learning necessary for implementing technical standards and implementation specifications categorized as Emerging or Pilot?

Question 64: Would this approach for classifying technical standards and implementation specifications be effective for updating and refreshing Interoperability CTEs?

Question 65: What types of criteria could be used for categorizing standards and implementation specifications for Interoperability CTEs? We would prefer criteria that are objective and quantifiable and include some type of metric.

G. Economic Impact

Question 66: We encourage comment and citations to publicly available data regarding the following:

  1. The potential costs of validation;
  2. The potential savings to States or other organizations that could be realized with the establishment of a validation process to CTEs;
  3. The potential increase in the secure exchange of health information that might result from the establishment of CTEs;
  4. The potential number of entities that would seek to become NVEs; and
  5. The NVE application and reporting burden associated with the conceptual proposals we discuss.