1 Building Tools for Trust for Nationwide Health Information Exchange Copyright 2009. All Rights Reserved. 1

2 Office of the National Coordinator
Panel
Ashley Corbin, CMS
Steve Gravely, Troutman Sanders
Stephania Putt, VA
Mariann Yeager, ONC

3 Discussion Topics
Trust Considerations
Case Study: Nationwide Health Information Network
Trust Perspectives

4 Building Tools for Trust for Nationwide Health Information Exchange: Trust Considerations

5 Tools for Trust Needed to Support Nationwide Health Information Exchange
Built upon a foundation of policies
Implemented in legal agreements
Architected to support trust technically
Validated and tested
Controlled access among trusted participants
Accountability through oversight

6 Considerations for Trust
Recognize diverse range of organizational structures
Establish common agreement on essential policies
Balance complex web of various federal, state and local laws and regulations
Define rules of engagement for exchanging information on wide-scale basis
Determine accountability measures and roles and responsibilities
–Breaches
–Disputes
–Oversight
Identify approaches that work in current environment with flexibility to adapt

7 Building Tools for Trust for Nationwide Health Information Exchange: Case Study: Nationwide Health Information Network (NHIN)

8 What is the NHIN
A set of protocols and standards that run on existing internet infrastructure and provide the capability to connect diverse entities needing to exchange health information.
Participants are entities that facilitate information exchange with a broad set of users, systems, geography or community
Enables valid, trusted entities to participate
Membership required:
–Tested for conformance and interoperability
–Signed trust agreement that allocates responsibilities and accountability to protect information exchanged
–Digital credentials issued to permit only approved “participants” to exchange data with other members

9 NHIN Architecture
[Diagram labels: Federal Entity; Health Community; Regional Health Exchange; PHR; Pharmacy Network; Integrated Delivery Network; NHIN Network Gateway]
Participants support a gateway that conforms to NHIN requirements and enables its connected users/systems/networks/communities to exchange information among other NHIN participants.
Participants are registered in a “directory” so other members of the NHIN know the types of messages supported and where to direct requests

10 NHIN Cooperative Participants
Private HIEs: CareSpark; Community Health Information Collaborative; HealthLINC (Bloomington); HealthBridge; Indiana (Regenstrief Institute); Long Beach Network for Health; Lovelace Clinic Foundation (LCF); MedVirginia; Wright State University
State-Level HIEs: Delaware Health Information Network; New York eHealth Collaborative; North Carolina Health Care Information and Communications Alliance (NCHICA); West Virginia Health Information Network (WVHIN)
Provider Organizations / IDNs: Cleveland Clinic; Kaiser
Federal Entities: CDC; CMS; DoD; IHS; NCI; NDMS; SAMHSA; SSA; VA

11 Limited Production
Controlled rollout of production exchange of identifiable health information
Initial NHIN production participants
Others joining …

12 What Does the NHIN Enable?
More efficient and timely availability of health records for Social Security disability benefits determination
–Began Q1 2009
Biosurveillance reporting between state departments of health and CDC
–Q4 2009
Exchange of summary patient records for continuity of care
–Q4 2009
Other functionality will be prioritized by NHIN interim governance process

13 NHIN Trust Fabric
Built upon a foundation of policies
Implemented in legal agreement, called Data Use and Reciprocal Support Agreement (DURSA)
Architected to support trust technically
Validated and tested as a condition of membership
Controlled access among trusted participants
Accountability through interim governance mechanisms

14 Initial Set of NHIN Tools for Trust
Articulated expectations for privacy and security
–White paper
–Operating policies and procedures
–Participant security obligations
Data Use and Reciprocal Support Agreement (DURSA)
Technical services and Data Content - Specification Factory
Management of digital certificates and service registry
Validation and testing
–Testing Team – develop testing artifacts
–NIST – develop and support testing infrastructure
Interim Governance Process
–Addressed through NHIN Technical Board, Coordinating Committee and Communications groups
–ONC as the convener and facilitator

15 Building Tools for Trust for Nationwide Health Information Exchange: NHIN Trust Agreement

16 Data Use and Reciprocal Support Agreement (DURSA)
Developed as part of ongoing NHIN activities
–Test Data DURSA – September 2008
–Initial Draft Production DURSA – December 2008
–Draft Production DURSA – limited production – June 2009
Large, multi-stakeholder team assembled
–Contracts
–Grants
–Federal Participants

17 DURSA Team Representation
Agreement developed by NHIN DURSA Team
Consensus process with legal, privacy, security and program representatives from diverse group:
–Private entities
–State entities
–Federal entities
Federal participants actively engaged in development
Coordinated with and obtained input from:
–NHIN Technical Teams (specifications and architecture)
–ONC Office of Policy and Research
–HHS, Office of the General Counsel
–HHS, Office for Civil Rights

18 DURSA
Multiparty agreement
Assumes participants in production
Establishes authority for interim governance
–NHIN Coordinating Committee
–NHIN Technical Board
Establishes accountability
–Participant breach notification
–Mandatory non-binding dispute resolution
–Allocation of liability risk

19 NHIN DURSA Status
Test Data DURSA
–Applies to “test data” (not PHI) for Trial Implementations
–Executed by all participants in Trial Implementations in September 2008
Production DURSA
–Applies to exchange of PHI in limited production
–Undergoing Federal clearance
–Comments due mid-July 2009
–Revised executable DURSA - September 2009
–2nd round of Federal clearance (if needed) - October / November 2009

20 Building Tools for Trust for Nationwide Health Information Exchange: Panel Discussion: NHIN Trust Perspectives

21 Applicable Law
The DURSA reaffirms each Participant’s obligation to comply with “Applicable Law.”
As defined in the DURSA, “Applicable Law” is the law of the jurisdiction in which the Participant operates.
–For non-Federal Participants, this means the law in the state(s) in which the Participant operates and any applicable Federal law.
–For Federal Participants, this means applicable Federal law.

22 Privacy and Security Obligations
To the extent that each Participant has existing privacy and security obligations under applicable law (e.g. HIPAA or other state or federal privacy and security statutes and regulations), the Participant is required to continue complying with these obligations.
Participants that are neither HIPAA covered entities, HIPAA business associates nor governmental agencies are obligated to comply with specified HIPAA Privacy and Security provisions as a contractual standard of performance.

23 Requests for Data Based on Permitted Purposes
A Participant’s end users may only request data through the NHIN for “Permitted Purposes,” which include treatment, payment, limited health care operations with respect to the patient who is the subject of the data request, specific public health activities, quality reporting for “meaningful use” and disclosures based on an authorization from the individual.

24 Duty to Respond
Participants that allow their respective end users to seek data for treatment purposes have a duty to respond to requests for data for treatment purposes.
This duty to respond means that if actual data is not sent in response, the Participant will at a minimum send a standardized response to the requesting Participant.
Participants are permitted, but not required, to respond to all other (non-treatment) requests.
The DURSA does not require a Participant to disclose data when such a disclosure would conflict with Applicable Law.

25 Future Use of Data Received Through the NHIN
Once the Participant or Participant’s end user receives data from a responding Participant (i.e. a copy of the responding Participant’s records), the recipient may incorporate that data into its records and retain that information in accordance with the recipient’s record retention policies and procedures.
The recipient can re-use and re-disclose that data in accordance with all applicable law and the agreements between a Participant and its end users.

26 NHIN Participant Obligations
Each Participant can apply its own local access policies before requesting data from other Participants or releasing data to other Participants.
Responding Participants are responsible for meeting all legal requirements before disclosing the data as required by their applicable law, including obtaining an individual’s consent or authorization for treatment purposes.
HIPAA Privacy and Security Rules are minimum requirements.
When a request is based on a purpose for which authorization is required under HIPAA (e.g. for SSA benefits determination), the requesting Participant must send a copy of the authorization with the request for data.

27 CONNECT Seminar Presentations are Available for Download Online at http://www.connectopensource.org
For more information: http://www.hhs.gov/healthit/healthnetwork/resources
