Currently, more than 500 hospitals and over 4,000 practices and clinics participate in the Nationwide Health Information Network (NwHIN). According to the Federal Health Architecture (FHA) program in the Office of the National Coordinator for Health Information Technology (ONC) (InformationWeek, March 2012), most of the hospitals are those involved in programs operated by the Departments of Defense (DoD) and Veterans Affairs (VA). Although participants also include entities such as Kaiser Permanente, health information exchanges or organizations (HIEs/HIOs) such as HealthBridge, and federal agencies including CMS, the DoD and VA, the overall percentage of participation in the NwHIN remains relatively low.
The NwHIN is the set of standards, services, and policies developed to enable and ensure the secure electronic exchange of health information. Originally geared towards larger HIEs/HIOs and other networks and systems, the NwHIN as envisioned would be a network of networks among the States and their respective health care providers and hospitals, facilitating the efficient exchange of electronic health information and promoting interoperability.
Most stakeholders would agree that safeguards should be in place to protect the confidentiality, integrity and availability of health information as it is exchanged among health care providers and at a national level, as well as to promote public trust in such electronic exchanges. However, there remains a lack of consensus on where (and what) standards and processes should be set for such exchanges, deterring broader participation in the NwHIN, creating confusion, and inhibiting exchange among providers in general. Currently, the various States as well as the private sector have implemented a variety of sometimes conflicting approaches to how and under what conditions information can be exchanged electronically.
In recognition of this and under order by the HITECH Act, ONC has released a Request for Information, “Nationwide Health Information Network: Conditions for Trusted Exchange” (RFI), seeking public comment on establishing a governance mechanism for the NwHIN and a form of “rules of the road” for electronic exchange. The RFI seeks to identify potential rules and processes for trusted exchange of health information among the various health care providers and health information organizations or regional health information organizations, and to promote trust and confidence among health care providers and their patients.
We believe that this is an opportune time to solicit input on how the governance mechanism for the nationwide health information network should be shaped and how we could effectively use our statutory authority to complement existing Federal regulations to support and enable nationwide electronic exchange. We also believe that a properly crafted governance mechanism could yield substantial public benefits, including: reduced burden and costs to engage in electronic exchange; added protections for consumers and health care providers; and, in the long-run, a more innovative, and efficient electronic exchange marketplace that would ultimately create an environment where electronic exchange is commonplace and “worry-free.” 77 FR 28545.
In general, the RFI seeks public comment on five proposed areas and sets of questions which combined would create a framework for the electronic exchange of health information:
- Conditions for trusted exchange (CTEs), which would include safeguard, interoperability and business practice CTEs (those standards and implementation specifications as described in the HITECH Act),
- Validation process for conformance to CTEs as NwHIN network validated entities (NVE),
- Process for retiring and updating CTEs to address current exchange needs,
- Process for classifying the readiness of standards and implementation specifications to support interoperability related to CTEs, including identifying gaps needing to be filled to support nationwide electronic exchange, and
- Monitoring and transparent oversight, primarily by federal agencies, including ONC, OCR and the FTC, with some responsibilities delegated to the private sector.
Much like for certification of EHR technology in the Medicare and Medicaid EHR Incentive Programs, ONC would select an accrediting body responsible for the validation process of NVEs. However, rather than focusing on and regulating only the product itself (e.g., the “certified” EHR technology), the primary focus would be the services and activities performed by the entity. The NVE framework itself would be voluntary, with entities seeking validation as NVEs to the extent they identify value in doing so, although as NVE status gains ground it could of course come to be required as a condition of contracts, grants, and other relationships and procurements.
ONC clearly recognizes the critical need for flexibility and avoidance of a “one-size-fits-all” approach to governance and therefore would propose a variety of standards for electronic exchange, ranging from basic to more complex and ever-evolving exchange activities and use cases. Entities contemplated which could seek status as an NVE would include EHR developers; regional, state, local or specialty-based health information exchanges; health information service providers; State agencies; Federal agencies; and integrated delivery networks.
Notably, ONC would propose that NVEs which were not otherwise Covered Entities or Business Associates comply with certain provisions of HIPAA, specifically 164.308, 164.310, 164.312, and 164.316. In addition to complying with all of the HIPAA Security Rule's “required” implementation specifications, NVEs would be required to comply with the “addressable” ones as well, a proposition on which ONC is almost guaranteed to receive lively comment. NVEs would also be held to a more uniform set of policies and practices than those that would be required to comply with the HIPAA Privacy and Security Rules.
Consistent with previous recommendations of the HIT Policy Committee, ONC has not proposed that either an opt-out or opt-in mechanism would be required, but rather, that “meaningful choice” must be provided with three proposed exceptions, noting HIPAA baseline authorizations remain required for certain purposes:
- For purposes of medical treatment;
- When information exchange is mandatorily required under law; or
- Where the NVE is acting solely as a conduit and not accessing or using the information beyond what is required to encrypt and route it to its intended destination.
Two other important proposals set forth by the RFI on which ONC has requested public comment are that NVEs would be required to either encrypt or make available encrypted channels for information to flow through, and that NVEs would not be permitted to use or disclose de-identified information for economic gain. In addition, an NVE would be required to implement and use one of two types of transport specifications: unsurprisingly, the Direct Project transport specifications, which may cause consternation for several HIEs, and the Exchange transport specifications.
The overarching question which needs to be answered for this RFI is, are we there yet? Are we ready to adopt a nationwide governance mechanism? If so, can we come to a consensus on those critical standards, services and activities which are necessary for efficient, effective and trusted exchange of health information, while keeping the flexibility and responsiveness needed to support the broad array of electronic exchange activities as they evolve?
A Notice of Proposed Rulemaking (NPRM) would be the next step after ONC’s consideration of public comments. Public comments on the RFI are due June 14, 2012 and may be submitted online at https://www.federalregister.gov/articles/2012/05/15/2012-11775/nationwide-health-information-network-conditions-for-trusted-exchange
**NOTE:** As of June 5, ONC has extended the deadline for public comments on the RFI until Friday, June 29, 2012. Comments must be submitted by 11:59 PM Eastern Daylight Time.