The 64-page document, as its title clearly states, is focused on creating trust in the exchange of health information at a national level. To that end, ONC is proposing to define a set of policies and regulations to be adhered to by participants in information exchange as “conditions for trusted exchange” (CTE). Consistent with current direction and the funding of Health Information Exchange (HIE) organizations, ONC is envisioning a set of entities specifically built for, or specializing in, the exchange of health information. These new entities (or new services) are named Nationwide Health Information Network Validated Entities (NVEs), and very much resemble what was previously referred to as Health Internet Service Providers (HISPs) in the context of the Direct Project-based exchange.
Going forward, ONC proposes to assume responsibility for “oversight of all entities and processes established as part of the governance mechanism”, including management and endorsement of CTEs, “selection and oversight processes for an accreditation body that would be responsible for accrediting organizations interested in becoming validation bodies” and “[a]uthorizing and overseeing validation bodies which would be responsible for validating that eligible entities have met adopted CTEs”. For starters, ONC proposes three types of CTEs with the understanding that many others will be added in the future. Here is an (almost) verbatim list of the proposed CTEs:
Safeguards
[S-1]: An NVE must comply with a good portion of the HIPAA regulations as if it were a covered entity.
[S-2]: An NVE must only facilitate electronic health information exchange for parties it has authenticated and authorized, either directly or indirectly.
[S-3]: An NVE must ensure that individuals are provided with a meaningful choice regarding whether their Individually Identifiable Health Information (IIHI) may be exchanged by the NVE.
[S-4]: An NVE must only exchange encrypted IIHI.
[S-5]: An NVE must make publicly available a notice of its data practices describing why IIHI is collected, how it is used, and to whom and for what reason it is disclosed.
[S-6]: An NVE must not use or disclose de-identified health information to which it has access for any commercial purpose.
[S-7]: An NVE must operate its services with high availability.
[S-8]: If an NVE assembles or aggregates health information that results in a unique set of IIHI, then it must provide individuals with electronic access to their unique set of IIHI.
[S-9]: If an NVE assembles or aggregates health information which results in a unique set of IIHI, then it must provide individuals with the right to request a correction and/or annotation to this unique set of IIHI.
[S-10]: An NVE must have the means to verify that a provider requesting an individual’s health information through a query and response model has or is in the process of establishing a treatment relationship with that individual.
Interoperability
[I-1]: An NVE must be able to facilitate secure electronic health information exchange in two circumstances: 1) when the sender and receiver are known; and 2) when the exchange occurs at the patient’s direction.
[I-2]: An NVE must follow required standards for establishing and discovering digital certificates.
[I-3]: An NVE must have the ability to verify and match the subject of a message, including the ability to locate a potential source of available information for a specific subject.
Business Practices
[BP-1]: An NVE must send and receive any planned electronic exchange message from another NVE without imposing financial preconditions on any other NVE.
[BP-2]: An NVE must provide open access to the directory services it provides to enable planned electronic exchange.
[BP-3]: An NVE must report on users and transaction volume for validated services.
Considering the broad spectrum of CTEs, the entities accredited to validate NVEs will need a very broad range of capabilities to do a proper job at validation and monitoring of exchanges. ONC allows for the possibility that NVEs may be fully or partially validated, similar to EHRs being certified as Complete or Modular, and in both cases it is assumed that NVEs will be able to publicly advertise their compliance status. All these definitions are in a proposal stage, and ONC is requesting input on pretty much the entire proposed structure. You have 30 short days to file your response.
This is a very technical subject and, with the notable exception of those actively working in health care IT, this publication may not elicit any interest in the physician or patient population. However, there is one item in this RFI which prompted me to hurry up and write this post, because after consistently complaining for several years, my wishes have been answered in the form of the beautiful [S-6] CTE!! So here are my impressions of this lovely thought and the document that surrounds it.
After what seems like an eternity, ONC officially recognizes that de-identified information can be rather easily re-identified and that those who happen to own the hardware infrastructure where people’s medical records are stored do not have an inherent right of ownership to those records. I would very much like to see ONC extend this regulation to every HIT vendor, not just those specializing in exchange of information, since if it is pertinent to NVEs, it must also be pertinent to EHRs, HIEs, ancillary software vendors and, yes, pharmacy software vendors. I am not naive enough to believe that CTE [S-6] will survive the rulemaking process, but for the moment, the detailed description of the dangers inherent in the wholesale of patient data is reason for celebration.
All Safeguards CTEs (with the exception of [S-9], which could cause havoc in the many places where data originated) propose regulations that are beneficial to the privacy and security of patients and their medical information. The Interoperability CTEs are also very sensible and actually a bit restrained. Put together, these 12 CTEs, if complied with, should create enough trust in exchanging entities to allay the concerns of physicians and patients regarding the transfer process itself. Other concerns may persist, but it was not the intent of this RFI to address those. Releasing an RFI prior to a formal notice of proposed rulemaking (NPRM) is also a positive sign that ONC is open to considering other opinions (too bad that this is how [S-6] will be killed off). So, even if you don’t clearly see your dog in this fight, read the document (it’s very readable and informative), find your dog, and back him up.
The Business Practice CTEs are overreaching into the world of private business. ONC is asking if NVEs should perhaps be required to be non-profit. Not a good idea, but even if they are, those entities will need to have a sustainable business model, or forever be dependent on Government grants. If their dreams of making billions from health data are to be crushed, then they must be allowed to make a living by selling services. Current hype notwithstanding, software is not free to develop and maintain in a professional and trustworthy manner. The reporting CTE [BP-3] sounds too much like big government and should not be necessary. Most vendors are incessantly advertising their number of customers and transactions, and perhaps statistics are something NVEs should be paid to provide.
Bureaucracy, lots of it, expanded and extended indefinitely into the future with no end in sight.
And now we wait for the public comments to be submitted, the NPRM to be published, more public comments, the final rule to be issued, and the “governance of governances” to be established. Keeping my fingers crossed for little [S-6] to make it to the finish line….