HIT Policy Committee
NHIN Workgroup
HIE Trust Framework: Essential Components for Trust
April 21, 2010
David Lansky, Chair
Farzad Mostashari, ONC



Page 2

Discussion Topics

• Recommendations for a national-level HIE Trust Framework that addresses elements for trust among parties in the exchange

• HIE trust framework as applied to a directed push model
  – Implications of third parties supporting aspects of the HIE trust framework


Page 3

NHIN Workgroup Recommendation (Feb. 2010): Role of Government

• Establish and maintain a framework of trust, including ensuring adequate privacy and security protections to enable electronic health information exchange.

• Create structures/incentives to enable information exchange where trust or necessary standards / services do not exist.

• Limit intervention where information exchange with providers currently exists – to the extent possible.

• Create incentives to improve interoperability, privacy and security of information exchange.

• Support real-world testing and validation of the services and specifications to verify scalability on a nationwide basis.


Page 4

HIE Trust Framework: Findings

• There is a need for a national-level trust framework to promote the electronic exchange of health information:
  – Provides a tool for understanding how trust may be implemented across a broad range of uses and scenarios;
  – Addresses the need for adequate privacy and security protections, although not intended to reflect all that is needed for consumer trust in HIE;
  – Articulates the common elements required for exchange partners to have confidence in health information exchange (HIE)
    • Recognizes that implementation of the elements will vary depending upon various factors (e.g. exchange partners, information, purpose, etc.)
  – Supports interoperability from a policy perspective;
  – Recognizes the obligation to abide by and to continue complying with trust requirements in order to continue realizing the value of information exchange;
  – Considers lessons learned from existing HIE activities.

Page 5

HIE Trust Framework: Recommendation

• Adopt an overarching trust framework at the national level to enable health information exchange that includes these essential elements:
  – Agreed Upon Business, Policy and Legal Requirements / Expectations
  – Transparent Oversight
  – Enforcement and Accountability
  – Identity Assurance
  – Minimum Technical Requirements

• All five components are needed to support trust, but individually they may not be sufficient.


Page 6

HIE Trust Framework: Essential Components for Trust

• Agreed Upon Business, Policy and Legal Requirements: All participants will abide by an agreed-upon set of rules, including compliance with applicable law, and act in a way that protects the privacy and security of the information.

• Enforcement and Accountability: Each participant must accept responsibility for its exchange activities and answer for adverse consequences.

• Transparent Oversight: Oversight of the exchange activities to assure compliance. Oversight should be as transparent as possible.

• Identity Assurance: All participants need to be confident they are exchanging information with whom they intend and that this is verified as part of the information exchange activities.

• Technical Requirements: All participants agree to comply with some minimum technical requirements necessary for the exchange to occur reliably and securely.


Page 7

1. Agreed Upon Business, Policy and Legal Requirements

• Agreed upon and mutually understood set of expectations, obligations, policies and rules around how partners will use, protect and disclose health information in general and their exchange-related activities specifically (not necessarily top-down regulation).
  – Built upon existing applicable law, including HIPAA and federal and state law.

  – Requires participants to act in a way that protects the privacy and security of the information. (The Privacy and Security Workgroup is addressing the privacy and security of the information once it has been received.)

  – Varies depending upon context – e.g. type of exchange, parties involved (including relationship of partners), purposes for which data are exchanged (including secondary and future use), etc.


Page 8

2. Enforcement and Accountability

• Each exchange partner should be accountable for its exchange activities and must be prepared to answer at multiple levels. For example:
  – Individual subjects of the exchanged information;
  – Other participants in the exchange;
  – Third parties providing enabling functions;
  – Certifiers / accrediting bodies;
  – Governmental entities.

• Methods for confirming, detecting and enforcing compliance, and the consequences of non-compliance, may vary at each level (e.g. loss of status or business, enforcement of penalties and, if appropriate, redress for those harmed, etc.)

• The common desire to avoid these consequences and continue to derive value gives each exchange partner some comfort that all other exchange partners will uphold their commitments.


Page 9

3. Transparency and Oversight

• “Oversight” is intended to mean management, maintenance, supervision, and monitoring of the trust relationship and exchange activities.

• There should be as much transparency as possible in:
  – The oversight mechanisms employed to protect the information; and
  – The oversight process and results, including findings and consequences.
  (Some oversight, e.g. governmental oversight, may not be entirely transparent.)

• The nature of oversight and the mechanisms used will depend upon the exchange model, the parties involved, and the needs the exchange partners identify.

• Oversight will operate at multiple levels (e.g. parties to the exchange, individual subject of the information, third parties, government, etc.)

• It should be clear that even with the trust framework and oversight mechanisms in place, there can be no absolute guarantee of privacy and security.


Page 10

4. Identity Assurance

• Exchange partners will not exchange information with just anyone. Each has to be confident they are exchanging information with whom they intend to exchange information.

• Each exchange partner therefore validates (and should maintain an audit log of) the identity of those with whom it exchanges information.

• Validation of parties to the exchange can occur in a number of ways (e.g., based on manual determinations at practice level, or using identity proofing and digital credentials to validate members of a network).


Page 11

5. Minimum Technical Requirements

• In all exchanges, partners have to adhere to technical standards to support the privacy and security requirements of the trust framework.

• Technical requirements for the exchange could include measures designed to ensure that data received have been unaltered during transit.

• Non-compliance with technical requirements for secure transport should prevent an exchange from occurring.


Page 12

TRUST ENABLING FUNCTIONS APPLIED TO DIRECTED PUSH OF INFORMATION SCENARIO


Page 13

Agreed upon business, policy and legal requirements

• Based upon applicable law and expectation that privacy and security of the information will be protected.

• Informal social contract if EHR-to-EHR (covered entity to covered entity) without use of third party.

• There may be agreements required between each healthcare provider organization and its end users.

• Formal agreements may be required if there is a third party involved, depending upon the actions performed and access to identifiable data. For example:
  – Business associate agreements are likely if a third party provides routing or provider directory services.
  – Additional policies and formal agreements may be required if the third party offers other services, such as translation, data aggregation, etc., or if there is use of data by the third party (whether metadata or data content).


Page 14

Enforcement and Accountability

• Exchange partners should be accountable to each other, to patients and to governmental agencies.

• Third parties that support identity assurance, provider directories, or secure routing functions should also be accountable.

• One consequence for failing to uphold commitments to comply with the trust framework is termination of the exchange relationship between the parties.

• Other consequences could include legal implications (e.g. if breach of formal contract, liability, redress for harm, etc.)


Page 15

Transparency and Oversight

• Governmental oversight of compliance with laws (e.g., HIPAA).

• Patients and exchange partners oversee and monitor to ensure the exchange occurs.

• Governmental oversight may be required for organizations that provide identity assurance and routing.

• Third parties may also play a role in oversight.

• That oversight must include transparency to foster accountability of the enabling functions.


Page 16

Identity Assurance & Minimum Technical Requirements

• Identity Assurance
  – Identities of exchange partners and/or users are validated by the provider organization or a third party identity service provider; other participants rely upon this.

• Minimum Technical Requirements
  – Meaningful use certification criteria (e.g. secure transport, etc.)
  – The ability to look up and locate a provider’s electronic address
  – The ability to securely route information to the provider’s electronic address, which could occur:
    • EHR to EHR or Lab to EHR;
    • EHR to EHR using a third party’s routing services only;
    • EHR to EHR using third party services (e.g. registry services, provider directories, identity services, etc.);
    • EHR to EHR using other HIE services (e.g. HIOs, eprescribing networks, secure messaging, EHR-specific networks, etc.)

