Are We Ready for the Nationwide Health Information Network? ONC Releases RFI for Governance of NwHIN

Currently, more than 500 hospitals and over 4,000 practices and clinics participate in the Nationwide Health Information Network (NwHIN).  According to the Federal Health Architecture (FHA) program in the Office of the National Coordinator for Health Information Technology (ONC), (InformationWeek, March 2012), most of the hospitals are those involved in programs operated by the Departments of Defense (DoD) and Veterans Affairs (VA).  Although participants also include entities such as Kaiser Permanente, health information exchanges or organizations (HIEs/HIOs) such as HealthBridge, and federal agencies including CMS, the DoD and VA, the overall percentage of participation in the NwHIN remains relatively low. 

The NwHIN is the set of standards, services, and policies developed to enable and ensure the secure electronic exchange of health information.  Geared originally towards larger HIEs/HIOs and other networks and systems, as envisioned, the NwHIN would be a network of networks among the States and their respective health care providers and hospitals facilitating the efficient exchange of electronic health information and promoting interoperability.  

Most stakeholders would agree that safeguards should be in place to protect the confidentiality, integrity and availability of health information as it is exchanged among health care providers and at a national level as well as to promote public trust in such electronic exchanges.  However, there remains a lack of consensus on where (and what) standards and processes should be set for such exchanges, deterring broader participation in the NwHIN, creating confusion, and inhibiting exchange among providers in general.  Currently, the various States as well as the private sector have implemented a variety of, and sometimes conflicting, approaches to how and under what conditions information can be exchanged electronically. 

In recognition of this and under order by the HITECH Act, ONC has released a Request for Information, "Nationwide Health Information Network: Conditions for Trusted Exchange” (RFI), seeking public comment on establishing a governance mechanism for the NwHIN and a form of “rules of the road” for electronic exchange.  The RFI seeks to identify potential rules and processes for trusted exchange of health information among the various health care providers and health information organizations or regional health information organizations and promoting trust and confidence among health care providers and their patients.   

We believe that this is an opportune time to solicit input on how the governance mechanism for the nationwide health information network should be shaped and how we could effectively use our statutory authority to complement existing Federal regulations to support and enable nationwide electronic exchange. We also believe that a properly crafted governance mechanism could yield substantial public benefits, including: reduced burden and costs to engage in electronic exchange; added protections for consumers and health care providers; and, in the long-run, a more innovative, and efficient electronic exchange marketplace that would ultimately create an environment where electronic exchange is commonplace and “worry-free.  77 FR 28545. 

In general, the RFI seeks public comment on five proposed areas and sets of questions which combined would create a framework for the electronic exchange of health information:

  1. Conditions for trusted exchange (CTEs), which would include safeguard, interoperability and business practice CTEs (those standards and implementation specifications as described in the HITECH Act),
  2. Validation process for conformance to CTEs as NwHIN network validated entities (NVE),
  3. Process for retiring and updating CTEs to address current exchange needs,
  4. Process for classifying the readiness of standards and implementation specifications to support interoperability related to CTEs, including identifying gaps needing to be filled to support nationwide electronic exchange, and
  5. Monitoring and transparent oversight, primarily by federal agencies, including ONC, OCR and the FTC, with some responsibilities delegated to the private sector.

Much like for certification of EHR technology in the Medicare and Medicaid EHR Incentive Programs, ONC would select an accrediting body responsible for the validation process of NVEs.  However, rather than focusing on and regulating only the product itself (e.g., the “certified” EHR technology), the services and activities performed by the entity itself would be the primary focus.  The NVE framework itself would be voluntary, with entities seeking validation as NVEs to the extent value is identified in seeking such validation, with of course, the ability as NVE status gains ground to be required as a condition of contracts, grants, and other relationships and procurements.

ONC clearly recognizes the critical need for flexibility and avoidance of a “one-size-fits-all” approach to governance and therefore would propose a variety of standards for electronic exchange, ranging from basic to more complex and ever-evolving exchange activities and use cases.  Entities contemplated which could seek status as an NVE would include EHR developers; regional, state, local or specialty-based health information exchanges; health information service providers; State agencies; Federal agencies, and integrated delivery networks.

Notably, ONC would propose that NVEs which were not otherwise Covered Entities or Business Associates comply with certain provisions of HIPAA, specifically 164.308, 164.310, 164.312, and 164.316.  NVEs in addition to complying with all of the HIPAA Security Rule's “required” implementation specifications would also be required to comply with those “addressable” as well, a proposition ONC is almost guaranteed to receive lively comment on.  NVEs would also be held to a more uniform set of policies and practices than those that would be required to comply with the HIPAA Privacy and Security Rules.

Consistent with previous recommendations of the HIT Policy Committee, ONC has not proposed that either an opt-out or opt-in mechanism would be required, but rather, that “meaningful choice” must be provided within three proposed exceptions, noting HIPAA baseline authorizations remain required for certain purposes: 

  1. For purposes of medical treatment;
  2. When information exchange is mandatorily required under law; or
  3. Where the NVE is acting solely as a conduit and not accessing or using the information beyond what is required to encrypt and route it to its intended destination.

Two other important proposals set forth by the RFI which ONC has requested public comment on is that NVEs would be required to either encrypt or make available encrypted channels for information to flow through, and that NVEs would not be permitted to use or disclose de-identified information for economic gain.  In addition, an NVE would be required to implement and use one of two types of transport specifications:  unsurprisingly, the Direct Project transport specifications, which may cause consternation for several HIEs, and the Exchange transport specifications. 

The overarching question which needs to be answered for this RFI is, are we there yet? Are we ready to adopt a nationwide governance mechanism? If so, can we come to a consensus on those critical standards, services and activities which are necessary for efficient, effective and trusted exchange of health information, while keeping the flexibility and responsiveness needed to support the broad array of electronic exchange activities as they evolve?

A Notice of Proposed Rulemaking (NPRM) would be the next step after ONC’s consideration of public comments.  Public comments on the RFI are due June 14, 2012 and may be submitted online at

**NOTE: As of June 5, ONC has extended the deadline for public comments on the RFI until Friday, June 29, 2012.  Comments must be submitted by 11:59PM Eastern Daylight Time. 

ONC Announces Launch of "Direct Project" Pilots

In a Press Release posted today, February 2nd, ONC announced that providers and public health agencies in Minnesota and Rhode Island began this month exchanging health information using specifications developed by the Direct Project, which is described as an "open government" initiative that calls on cooperative efforts by organizations in the health care and information technology sectors. The ONC Press Release notes that other Direct Project pilot programs will also be launched soon in New York, Connecticut, Tennessee, Texas, Oklahoma and California. The story is also covered today by the New York Times in Steve Lohr's article "U.S. Tries Open-Source Model for Health Data Systems".

The ONC Press Release notes that Direct Project is intended to give health care providers early access to an easy-to-use, internet-based tool that can replace mail and fax transmissions of patient data with secure and efficient electronic health information exchange.  It was designed as part of President Obama’s ‘open government’ initiative to drive rapid innovation, and last year is said to have brought together some 200 participants from more than 60 companies and other organizations. Volunteers worked together to assemble consensus standards that support secure exchange of basic clinical information and public health data. Now, pilot testing of information exchange based on Direct Project specifications is being carried out this year with the aim toward formal adoption of the standards by 2012.

ONC states that information exchange supported by Direct Project specifications address core needs, including standardized exchange of laboratory results; physician-to-physician transfers of summary patient records; transmission of data from physicians to hospitals for patient admission; transmission of hospital discharge data back to physicians; and transmission of information to public health agencies. The Press Release also notes

[t]hat in addition to representing most-needed information transfers for clinicians and hospitals, these information exchange capabilities will also support providers in meeting 'meaningful use' objectives established last year by HHS, and will thus support providers in qualifying for Medicare and Medicaid incentive payments in their use of electronic health records.

If you would like more information about Direct Project, or have questions such as:

  • How does direct exchange fit into the big picture?
  • How is direct exchange different than HIE initiatives?
  • Does direct exchange support or supplant State HIE initiatives?
  • What is the security model for Direct Project?
  • Who issues Digital Certificates for users?
  • What are the limitations of the Direct Project model?

Then, check out the following links for excellent information:



Another Kind of HIE -- Health Insurance Exchanges & Recent NPRM

The Affordable Care Act (ACA), enacted in March 2010, requires states to establish Health Insurance Exchanges through which individuals and small businesses can purchase affordable insurance. Under the ACA, a state can set up its own exchange, or elect to allow the federal government administer an exchange in their state. States are also allowed to create two exchanges: one for the individual, and and one for the small business insurance market. A state is also allowed to collaborate with its neighboring states to develop regional exchanges. For a good bullet summary of what the ACA requires, the Commonwealth Fund has a posted a Power Point worth checking out.  These "HIEs" must begin operation by January 1, 2014. 

On October 22, a briefing took place that included Joel Ario, Deputy Director of the HHS Office of Consumer Information and Insurance Oversight (OCIIO), who addressed the current status of the states and their initiatives to develop HealthInsurance Exchanges, and to work together with OCIIO to produce state guidelines.  During the briefing, Mr. Ario gave an overview of what states like Massachusetts, Utah and Oregon are already doing to implement the ACA, and mentioned that the federal government is offering states Health Insurance Exchange planning grants of up to $1 million.  A transcript and other interesting materials from the October 22 briefing are posted on Alliance for Health Reform's website.

The OCIIO is currently working with the DHHS to issue regulations and implement many of the provisions of the ACA that address private health insurance. On October 29th DHSS announced in a News Release the availability of competitive funding opportunities for States to design and implement the Information Technology (IT) infrastructure needed to operate Health Insurance Exchanges.  On November 3rd, HHS's Notice of Proposed Rulemaking was published in the Federal Register and proposes that Medicaid eligibility systems will potentially be eligible for an enhanced federal matching rate of 90 percent for design and development of new systems and a 75 percent federal matching rate for maintenance and operations. HHS points out on its website that States must meet a set of performance standards and conditions, including seamless coordination with the exchanges, in order for their Medicaid technology investments to qualify for the enhanced match.

For more information on Health Insurance Exchanges, what they are and how they fit into the big HIE puzzle, visit HHS's website for HIE IT Systems and OCIIO's website.  To review some of the more detailed requirements for HIEs under the ACA, Continue Reading below...

Continue Reading

OPM May Delay Launch of Massive Fed Health Database

In response to mounting privacy concerns, the federal Office of Personnel Management (OPM) may delay the proposed November 15th launch date of its Health Claims Data Warehouse. In early October, the OPM’s notice in the Federal Register announced that the “Warehouse” would be built to streamline operations of the Federal Employee Health Benefit Program, the National Pre-Existing Condition Insurance Program, and the Multi-State Option Plan- three programs that were included in this year’s Health Reform legislation. The OPM said that the “Warehouse” would collect, manage, and analyze health services data through direct data feeds from each program. The electronic records compiled would include individuals’ personal information such as Social Security Number, date of birth, and employment, as well as information about their healthcare coverage, procedures, and diagnoses. In its announcement, the OPM also noted that it would share this information for law enforcement purposes, judicial and administrative proceedings, and third-party health research and analysis.

In response to the OPM’s announcement, 16 organizations, including The Center for Democracy and Technology (CDT) and the ACLU, released a letter to the OPM citing concerns about the lack of available details about the new database. In particular, the letter pressed the OPM for details about the database’s security and privacy controls, and urged the OPM not to establish the “Warehouse” until the public had a fair chance to review its plans. In response, the OPM has promised to release further details after reviewing public comments, which can be submitted to the OPM up until November 15th. Whether this will delay the launch of the “Warehouse” has not yet been confirmed. However, when the OPM does release their plans, it will be important to ask if such a large government database is necessary, and if it violates the public’s privacy expectations.

This post was prepared with assistance from Melody Hsiou. Melody holds a Master from Public Health from Columbia University, and anticipates completing her Juris Doctorate with a Health Law Concentration from Seton Hall Law School in 2013.

ACLU Lawsuit Continues . . . Want Detailed Regulations Surrounding HIE Privacy

The Rhode Island chapter of the American Civil Liberties Union (ACLU) suit against the Rhode Island Department of Health (RI-DOH) remains in litigation, awaiting completion of discovery. The ACLU alleges that the state’s proposed rules for implementing the state health information exchange (HIE) failed to address certain provisions of the Rhode Island Health Information Exchange Act of 2008 that require protections for patient confidentiality, security and informed consent processes. Instead of adopting formal rules, the RI-DOH instead adopted internal policies, which the ACLU claims was both an unlawful bypass of the Administrative Procedures Act and in violation of the RI-DOH’s obligations under the HIE statute. In addition, the ACLU claims that it was not provided with a written response detailing the reasons why the RI-DOH rejected ACLU’s proffered recommendations.

The ACLU seeks to have the policies declared unenforceable and for the court to order RI-DOH to adopt formal rules addressing the statutory provisions that the ACLU alleges the RI-DOH responded to inadequately. Although the ACLU and its attorney, Frederic Marzilli, recognize the importance of HIEs and why the state approached implementation of the HIE with written policies instead of regulations, such as to better deal with the development and operation of such a new and groundbreaking mechanism, the ACLU’s position remains that the regulatory process must be followed. It argues that the critical privacy issues raised by HIEs require detailed rules as to how the state HIE system will work and protect patient confidentiality, security and informed consent. The State has continued to deny the allegations and is expected to file a motion to dismiss the case.  It remains uncertain whether ACLU will remain in court to fight another day.

For more information regarding the ACLU's specific comments on the Rhode Island's proposed rules, click on "Continue Reading" below

This post was prepared with assistance from Krystyna H. Nowik, Esq.

Continue Reading