Exchanging Health Data During Disasters New 10-State Initiative Using Direct Secure E-Mail
Exchanging Health Data During Disasters

Until the interoperability of electronic health records can be achieved, the Direct Project and point-to-point data exchange can help ensure the secure transfer of patient information in times of disasters, says Tia Tinney of the Southeast Region Collaborative for HIT.

In the wake of disasters, such as the tornadoes that affected Joplin, Mo., healthcare organizations learned that having EHR system interoperability is helpful when exchanging health information, Tinney says.

But in the absence of interoperable EHRs and linked health information exchanges, tools such as the Direct protocol can assist organizations, Tinney says.

The Direct protocol offers specifications for a secure, scalable, standards-based way to send encrypted health information directly to known, trusted recipients over the Internet. It facilitates the simplest form of health information exchange.

"As state HIEs advance, it's intended that all certified EHR technologies will meet interoperability standards to ensure the same type of seamless transitions seen in Joplin," she says in an interview with Information Security Media Group [transcript below].

"Until that day comes, we can implement tools that are available today, such as Direct and a point-to-point exchange, to ensure the secure transfer of patient data," Tinney says.

Tinney serves as a coordinator at SERCH, a multi-state health information exchange effort launched in 2010 with funding from the Office of the National Coordinator for Health IT, which is now leading a new 10-state initiative to promote the use of Direct for health information sharing across state boundaries in times of disasters.

In the interview, Tinney discusses:

  • The kind of health data being exchanged in the pilot project;
  • Why Direct secure messaging provides healthcare organizations flexibility in exchanging patient data;
  • Other lessons learned from recent natural disasters.

At SERCH, Tinney serves as the coordinator of the multi-state health information technology collaborative encompassing 11 states in the Southeast. She is responsible for the coordination and distribution of various documentation and information about the facilitation of state health information exchange programs and Medicaid enterprise management systems, including Medicaid EHR incentive payments. She also conducts knowledge-sharing platform forums. Previously, Tinney worked on several programs of the Kentucky Cabinet for Health and Family Services' office of administrative and technology services.

SERCH

MARIANNE KOLBASUK MCGEE: Please describe for us very briefly what SERCH is.

TIA TINNEY: The Southeast Regional Health IT and Health Information Exchange Collaboration ... was initiated in April 2010 as a knowledge-sharing platform where state HIE programs, along with federal entities, have sought to resolve cross-border issues and implement various secure electronic methods to facilitate a multi-state exchange of information. Our original members are Alabama, Arkansas, Florida, Louisiana, Georgia, Mississippi, North Carolina, South Carolina, Kentucky, Tennessee, Virginia and Texas. Fall 2012 saw the release of our SERCH RTI International white paper for disaster preparedness, and we started taking our first steps towards initiating cross-border exchange with the group that we've called the SERCH Connect Initiative.

MCGEE: What 10 states are involved with this new disaster-related initiative, and how will that initiative work?

TINNEY: The states that we have participating in the SERCH Connect Initiative are Alabama, Arkansas, Mississippi, Florida, Louisiana, Georgia, North Carolina, South Carolina, Virginia, West Virginia, Michigan, and Wisconsin. All of these states have established or are working to establish at least one interstate connection.

For how the initiative works ... [here's] a little background: In July 2012, SERCH issued the RTI International disaster preparedness white paper, which recommended a phased approach utilizing existing data sources and health plans in the absence of a fully functional state health information exchange during a disaster. Following its release, SERCH members collaborated in taking the first steps toward building a multistate health information service provider point-to-point exchange utilizing Direct secure messaging.

Direct is a secure HIPAA-compliant e-mail service that allows users to send and receive e-mail messages and attachments. [During] a natural disaster, if a patient were located in any of SERCH's participating states, the provider would be able to use Direct secure messaging and a point-to-point contact. Only authorized users who have been issued a valid e-mail address can send and receive protected health information that's encrypted and secure. This, and the availability of Direct, are among the many reasons that all of our states are working on outreach and encouraging providers to sign up with their state programs for a Direct account. They will know that Direct is a viable solution in the absence of a fully functional state HIE, in addition to also establishing those connections with their state HIEs as we move down the path toward a more robust exchange.

Data to be Exchanged

MCGEE: What sort of health data will be exchanged? And is it primarily Direct secure e-mail that will be used to exchange this data?

TINNEY: Yes. Being that Direct messaging is HIPAA compliant, it can be used to exchange health data and information related to patient treatment, payment and healthcare operations. Direct provides a more secure and efficient means to communicate information that providers are already communicating through fax, mail, phone or patient delivery. Because Direct's payload is agnostic, it gives providers a greater flexibility to share any available patient information in a variety of formats, whether it's attachments with highly structured data, or patient data displayed in PDFs, or just embedded within the e-mail text itself.

Direct messaging uses industry standards to provide a transport layer for data to be exchanged. [It] encompasses specific governance for the encryption and authentication methods to ensure that the intended recipient is the only user who will be able to access patient sensitive data. The transport layer ensures that if the e-mail were to go to an unintended recipient, the receiver would not be able to decipher the information.

Using Direct Protocol

MCGEE: Will this relationship between the 10 states be put into action only for health data exchange during disasters, or for non-emergency situations as well?

TINNEY: In May 2013, seven states signed on to an open letter issued to the Direct communities stating that they would be exchanging both for, and outside of the means of, disaster preparedness in hopes to utilize existing resources in a state of an emergency, and also to promote widespread adoption of Direct within the provider community. Since that time, Georgia, Wisconsin and Michigan have joined this initiative with more states inquiring and making connections between health information service providers every day. Due to the ever-changing landscape in the area of trusted exchange, I always like to say that the SERCH Connect Initiative has been a lesson in learning how to build a trusted exchange, not to define it.

Data Exchange during Disasters

MCGEE: Are there any particular security or privacy technologies or procedures that come into play for health data exchange during a disaster versus non-emergencies?

TINNEY: In the time of a disaster, all available data sources could be called into action to provide as much information at that point of care as possible. In some cases, participating health plans may engage resources that could manually monitor their Direct mailbox for requests for member information. Health plans typically have a rich data source - claims data - that can be used to identify members' medications and allergies, as well as their chief medical problems and medical providers involved in their members' care. This is also true of many hospitals that have the ability, even in a disaster, to function through their disaster response plans, leveraging off-site and remote data center operations. Direct capabilities are available regardless of any and every use-case scenario, from disasters to out-of-state travelers. One of the key advantages of Direct is that privacy and security requirements typically do not change in a disaster. Providers can also communicate documentation of necessary authorizations and their need-to-know patient information.

Disaster Preparedness

MCGEE: Are there certain technologies and procedures being put in place as part of disaster preparedness?

TINNEY: With Direct, it works the same whether it's a disaster or a non-disaster. That's kind of the beauty of it. It's that point-to-point contact, and as long as the providers have signed up for a Direct e-mail account they'll be able to exchange information regardless. Participating health plans could engage resources that could manually monitor their Direct mailbox for member information. Those health plans typically have a store of claims data that could be used to identify members' protected health information, such as medications and allergies, as well as chief medical problems and medical providers involved in their members' care. Ideally in a disaster situation, that's [why] the white paper had called for existing resources to be used.

Lessons Learned from Recent Disasters

MCGEE: Are there any lessons learned about health information exchange from recent disasters, such as Hurricane Sandy last year, that might come into play with this new initiative?

TINNEY: Of course. We have learned that states are still varying in implementation and connectivity of their state HIEs, but disasters such as Hurricane Sandy and the tornadoes in Joplin [Missouri] have shown us that EHR system interoperability is a necessary component in the success of health information exchange. For example, in the case of Joplin, St. John's Regional Medical Center in Missouri had transitioned from paper to electronic health records just three weeks before the disastrous tornadoes occurred. This makes us realize then the immense importance of implementing certified EHR technology and reaching out to providers to let them know these technologies are available; they do work an they do save lives. Due to St. John's sister hospitals implementing on the same certified EHR technology platform, there was a seamless exchange of information, which is ideal when we speak of a nationwide health information exchange.

In the absence of this ideal form, a system interoperability including query-and-response capabilities, tools such as Direct, can be utilized to facilitate that type of exchange. As state HIEs advance, it's intended that all certified EHR technologies will meet interoperability standards to ensure for the same type of seamless transitions seen in Joplin. This includes Direct secure messaging and the query and retrieval of patient information where it exists. Until that day comes, we can implement tools that are available today, such as Direct and a point-to-point exchange, to ensure the secure transfer of patient data. This enables providers to have the right information at the right time, leading to better patient outcomes in both routine care and during the time of a disaster.




Around the Network