HIT Policy Committee NwHIN Governance Workgroup NwHIN Conditions for Trusted Exchange Request For Information (RFI)

1
HIT Policy CommitteeNwHIN Governance Workgroup
NwHIN Conditions for Trusted ExchangeRequest
For Information (RFI)

• May 15, 2012

2
Our Nine Questions
Actors, Accreditation and Validation Bodies, and Validation Entity Eligibility
1. Question 8 We solicit feedback on the appropriateness of ONCs role in coordinating the governance mechanism and whether certain responsibilities might be better delegated to, and/or fulfilled by, the private sector.
Question 9 Would a voluntary validation process be effective for ensuring that entities engaged in facilitating electronic exchange continue to comply with adopted CTEs? If not, what other validation processes could be leveraged for validating conformance with adopted CTEs? If you identify existing processes, please explain the focus of each and its scope.
Question 10 Should the validation method vary by CTE? Which methods would be most effective for ensuring compliance with the CTEs? (Before answering this question it may be useful to first review the CTEs we are considering to adopt, see section VI. Conditions for Trusted Exchange.
Question 11 What successful validation models or approaches exist in other industries that could be used as a model for our purposes in this context?
Question 13 Should there be an eligibility criterion that requires an entity to have a valid purpose (e.g., treatment) for exchanging health information? If so, what would constitute a valid purpose for exchange?
Question 14 Should there be an eligibility criterion that requires an entity to have prior electronic exchange experience or a certain number of participants it serves?
Question 15 Are there other eligibility criteria that we should also consider?
Question 16 Should eligibility be limited to entities that are tax-exempt under section 501(c)(3) of the IRC? If yes, please explain why.
Question 17 What is the optimum role for stakeholders, including consumers, in governance of the nationwide health information network? What mechanisms would most effectively implement that role?
2
3
Nationwide Health Information Network
GovernanceConditions of Trusted Exchange

• Conditions for Trusted Exchange (CTEs) Three
  Domains
• Safeguards focus on the protection of
  individually identifiable health information
  (IIHI) to ensure its confidentiality, integrity,
  and availability and to prevent unauthorized or
  inappropriate access, use, or disclosure.
• Example S-1 An NVE must comply as if it were a
  covered entity, and must treat all implementation
  specifications as required.
• Interoperability focus on the technical
  standards and implementation specifications
  needed for exchanging electronic health
  information.
• Example I-2 An NVE must follow required
  standards for establishing and discovering
  digital certificates.
• Business Practices focus on the operational and
  financial practices to which NVEs would need to
  adhere in support of trusted electronic health
  information exchange.
• Example BP-2 An NVE must provide open access
  to the directory services it provides to enable
  planned electronic exchange.

4
Accreditation and Validation ProcessOverview

• Similar to the permanent certification program
  for HIT, the National Coordinator would approve a
  single body to accredit and oversee validation
  bodies.
• Validation bodies would evaluate an entitys
  conformance to adopted CTEs as opposed to a
  particular products (e.g., EHR technology)
  certification to certification criteria.
• Certified HIT could be used by an entity as a way
  to demonstrate conformance with certain adopted
  CTEs
• Accreditation body would be expected to conform
  to internationally accepted standards for
  accreditation bodies
• Validation bodies - upon accreditation by the
  accreditation body and authorization from the
  National Coordinator - would subsequently
  perform the validation of entities conformance
  to adopted CTEs.
• Validation could use different methodologies
  (self-attestation, laboratory testing for
  conformance, certification, accreditation) and
  could vary depending on CTE type and potential
  methodology burden.

4
5
Actors and Associated Responsibilities8. ONCs
roles delegation of responsibilities to the
private sector.
Proposed Role Suggested Lead Existing Authorities and/or Alternatives to Consider
1. Endorsing and adopting CTEs, publishing guidance ONC In accordance with the National Coordinators authority at section 3001(c)(1)(A) and processes identified at section 3004 under the PHSA, and publishing interpretative guidance
2. Facilitating the receipt of input from the HIT Policy and Standards Committees and other interested parties on revisions to CTEs, new CTEs, and the appropriate retirement of CTEs ONC In accordance with processes identified at sections 3002(b)(3) and 3003(b)(2) of the PHSA
3. Selection and oversight processes for an accreditation body ONC ONC would approve a single body to accredit and oversee validation bodies.
4. Authorizing and overseeing validation bodies responsible for validating that eligible entities have met adopted CTEs ONC
5. Administering a process to classify the readiness for nationwide adoption and use of technical standards and implementation specifications to support interoperability related CTEs ONC ONC would have to adopt specific certification criteria that could be used to certify other types of HIT through established certification program.
6. Overall oversight of all entities and processes established as part of the governance mechanism. ONC
5
6
ONC Role8. ONCs roles delegation of
responsibilities
Role Recommendations
We solicit feedback on the appropriateness of ONCs role in coordinating the governance mechanism and whether certain responsibilities might be better delegated to, and/or fulfilled by, the private sector. -The workgroup agrees that ONC has a critical role to play in coordinating NwHIN governance. Specifically in Endorsing and adopting CTEs and publishing guidance Facilitating input from/to the HIT Policy and Standards Committees on revisions to CTEs, creating new CTEs, and retirement of CTEs Selection and oversight processes for an accreditation body Overall oversight of all entities and processes established as part of the governance mechanism. -The work group further believes that while ONC should ultimately oversee the process for selecting and overseeing an accreditation body, but that the day-to-day validation and oversight of NVEs should fall to private sector entities overseen by the accreditation body. -The workgroup recommends that ONC should play an arbiter role for any disputes that may arise between actors (accreditation body, validation bodies and NVEs), to reconcile disputes and ensure that the intent of the CTEs are followed in practice. The workgroup recommends that the dispute resolution process should be spelled out in the rule. -The workgroup recommends that ONC produce operationally defied descriptions of CTEs and be responsible for updating and clarifying those definitions over time. - The workgroup recommends that other private entities may have a significant role to play in the adoption and use of standards and implementation specifications to support interoperability related to CTEs.
6
7
Validation Process9. Voluntary Nature of Process
Role Comments
9(a) Would a voluntary validation process be effective for ensuring that entities engaged in facilitating electronic exchange continue to comply with adopted CTEs? -The workgroup felt it was important to clarify the intent of this question as it was not clear what was intended by a voluntary validation process. - Work group recommends that in order for NVEs to participate in the Nationwide Health Information Network, the validation process should be mandatory. A voluntary process would not be sufficient it does not adequately support a trust framework to assure NVEs that other NVEs will conform to the safeguard, interoperability and business process CTEs. Further, without conformance to standards, cost for participating in the Network would increase. The WG believes that a voluntary approach to governance will only work if there are sufficient incentives to encourage widespread participation, e.g. a requirement by Federal agencies that exchange partners be NVE, incorporation of NVE status into MU requirements, safe harbors, financial incentives.
9(b) What other validation processes could be leveraged for validating conformance with adopted CTEs? -The work group recommends that the validation process likely would be a combination of certification, accreditation and self-attestation (further articulated in the subsequent question) and that a self-policing mechanism would be ineffective.
7
8
Conditions for Trusted ExchangeSafeguards
S-1 An NVE must comply as if it were a covered entity, and must treat all implementation specifications as required.
S-2 An NVE must only facilitate electronic health information exchange for parties it has authenticated and authorized, either directly or indirectly.
S-3 An NVE must ensure that individuals are provided with a meaningful choice regarding whether their IIHI may be exchanged by the NVE.
S-4 An NVE must only exchange encrypted IIHI.
S-5 An NVE must make publicly available a notice of its data practices describing why IIHI is collected, how it is used, and to whom and for what reason it is disclosed.
S-6 An NVE must not use or disclose de-identified health information to which it has access for any commercial purpose.
S-7 An NVE must operate its services with high availability.
S-8 If an NVE assembles or aggregates health information that results in a unique set of IIHI, then it must provide individuals with electronic access to their unique set of IIHI.
S-9 If an NVE assembles or aggregates health information which results in a unique set of IIHI, then it must provide individuals with the right to request a correction and/or annotation to this unique set of IIHI.
S-10 An NVE must have the means to verify that a provider requesting an individuals health information through a query and response model has or is in the process of establishing a treatment relationship with that individual.
8
9
Conditions for Trusted ExchangeInteroperability
I-1 An NVE must be able to facilitate secure electronic health information exchange in two circumstances 1) when the sender and receiver are known and 2) when the exchange occurs at the patients direction.
I-2 An NVE must follow required standards for establishing and discovering digital certificates.
I-3 An NVE must have the ability to verify and match the subject of a message, including the ability to locate a potential source of available information for a specific subject.
9
10
Conditions for Trusted ExchangeBusiness Practices
BP-1 An NVE must send and receive any planned electronic exchange message from another NVE without imposing financial preconditions on any other NVE.
BP-2 An NVE must provide open access to the directory services it provides to enable planned electronic exchange.
BP-3 An NVE must report on users and transaction volume for validated services.
10
11
Validation Process10. Validation Method
Role Comments
10 (a) Should the validation method vary by CTE? -Yes, the workgroup recommends that validation methods should vary by CTE. The workgroup further suggests that validation methods be mutable over time, allowing for changes in methodology to accommodate changes to CTEs
10 (b) Which methods would be most effective for ensuring compliance with CTEs? -As a principle, the work group recommends that a certification process would generally be most appropriate for CTEs that focus on standards and specifications (technical CTEs), while accreditation processes should be adopted for policy and process CTEs. Accreditation for policy and process CTEs could be initially done through self-attestation. However, ONC should consider a more formal verification processes (including audits and site visits), especially with respect to CTEs that dont carry with them civil/monetary penalty implications/penalties or for which there are no other formal compliance processes (i.e., that dont invoke state of federal law such as HIPAA).
Examples of validation methods from RFI self-attestation, laboratory testing for conformance, certification, accreditation Examples of validation methods from RFI self-attestation, laboratory testing for conformance, certification, accreditation
11
12
Validation Process11. Comparative Models
Role Comments
11. What successful validation models or approaches exist in other industries that could be used as a model for our purposes in this context?
12
13
NwHIN Validated Entity (NVE) Eligibility
CriteriaOverview

• The RFI considers the following criteria that
  NVEs must meet to be eligible
• Meet all solvency and financial responsibility
  requirements imposed by the statutes and
  regulatory authorities of the State or States in
  which it, or any subcontractor performing some or
  all of its functions, would serve.
• Make some type of financial disclosure filing
• Provide evidence that it has a surety bond or
  some other form of financial security
• Have the overall resources and experience to
  fulfill its responsibilities in accordance with
  the CTEs when performing health information
  exchange services
• Have at least one year of experience
• Serve a sufficient number of providers to permit
  a finding of effective and efficient
  administration however, no prospective NVE would
  be deemed ineligible if it only served providers
  located in a single State
• Have to be a valid business or governmental
  entity operating in the United States.
• Have not had civil monetary penalties, criminal
  penalties, or damages imposed, or have been
  enjoined for a HIPAA violation within two years
  prior to seeking validation
• Not be listed on the Excluded Parties List System
  maintained by the General Services Administration
  
• Not be listed on the List of Excluded Individuals
  and Entities maintained by the Office of
  Inspector General
• Would not be appropriate to limited to tax-exempt
  501(c)(3) organizations.
• Some of the eligibility criteria being considered
  may be inapplicable to fed/State governmental
  entities.

13
14
Eligibility Criteria13. Organizational Purpose
Role Comments
13 (a) Should there be an eligibility criterion that requires an entity to have a valid purpose (e.g., treatment) for exchanging health information?
13 (b) If so, what would constitute a valid purpose for exchange?
14
15
Eligibility Criteria14. Prior Experience
Role Comments
14. Should there be an eligibility criterion that requires an entity to have prior electronic exchange experience or a certain number of participants it serves?
15
16
Eligibility Criteria15. Other Criteria to
Consider
Role Comments
15. Are there other eligibility criteria that we should also consider?
16
17
Eligibility Criteria16. Tax Exempt Status
Role Comments
16. Should eligibility be limited to entities that are tax-exempt under section 501(c)(3) of the IRC? If yes, please explain why.?
17
18
Stakeholders17. Optimal Role of Stakeholders
Role Comments
17. What is the optimum role for stakeholders, including consumers, in governance of the nationwide health information network? What mechanisms would most effectively implement that role?
Throughout the history of the nationwide health information network, a strong emphasis has been placed on ensuring broad stakeholder participation in the networks development and governance. Throughout the history of the nationwide health information network, a strong emphasis has been placed on ensuring broad stakeholder participation in the networks development and governance.
18