Assessing HIEs on Privacy Issues

New Accreditation Program for Health Information Exchanges
Assessing HIEs on Privacy Issues
Enforcing standards for privacy and security is a major part of a new health information exchange accreditation program, says Lee Barrett, executive director of the Electronic Healthcare Network Accreditation Commission.

Building trust in HIEs will require a demonstrated commitment to privacy and security policies and the use of specific technologies, Barrett says.

In an interview (transcript below), Barrett:

  • Describes how the commission recently expanded its accreditation efforts beyond claims clearinghouses to include HIEs and others. So far, two organizations, The Utah Health Information Network and Passport Health Communications, have earned HIE accreditation.
  • Outlines the privacy and security requirements for HIE accreditation. For example, HIEs must use encryption and authentication, have detailed policies in place for protecting against the unauthorized disclosure of patient information and create procedures for giving individuals the opportunity to consent to data exchange.
  • Predicts that the Nationwide Health Information Network and the Direct Project standards, now in development at the federal level, eventually will be used by most HIEs.

In addition to his position as executive director for the Electronic Healthcare Network Accreditation Commission, Barrett is senior vice president of the national healthcare consulting practice at Virtusa Corp. Previously, he was executive vice president of business development for American Dental Association Business Enterprises Inc. He also formerly was the vice president of EDI solutions for Ingenix Corp. and CEO of Claredi Corp.

HOWARD ANDERSON: Tell us about the commission and the organizations that it accredits.

LEE BARRETT: The Electronic Healthcare Network Accreditation Commission has been in existence since 1995 and is a not-for-profit organization. We are federally recognized as a standards development organization, and we started with a focus on (claims) clearinghouses. We created a program in conjunction with the Association for Electronic Healthcare Transactions; they put together a group of about 100 people that developed the criteria for a program to accredit the clearinghouses. The accreditation effort got spun off as a separate organization. ...

Since then, we have accredited over 50 organizations that are in the clearinghouse and electronic healthcare network realm, and we have broadened out these significantly by adding programs in the area of e-prescribing, medical billing, financial services, banking as well as third-party administrators. We've also added health information exchanges.

We have focused on privacy, security, confidentiality -- the whole aspect around the physical resources or the actual infrastructure that the organization has operationally. ...

There's legislation on the books in the states of Maryland and New Jersey specifically around our healthcare network accreditation program ... Any payers in those states that use a clearinghouse have to use one of our accredited clearinghouses. ...

HIE Accreditation

ANDERSON: How long have you been accrediting healthcare information exchanges, and how many have earned accreditation?

BARRETT: A little background. We spent about a year and a half developing the program. We put together a health information exchange group made up of approximately 100 organizations and policymakers from across the industry to develop the criteria for this. We first developed a white paper to look at whether there was a need for accreditation, and the answer was yes. Then we put together this group to develop all the criteria. Criteria, for us, equal standards. The standards ... have a significant focus around policy and procedures.

We launched that accreditation program version 1.0 the end of October of 2010. Since then, we have accredited the Utah Health Information Network and Passport. We have a number of others that are looking at it and evaluating it. For HIEs to go through accreditation, they need to be operational. So ... they can't just use EHNAC to go through and see whether or not they've got the right infrastructure before they've even got an operational environment.

We're spending a significant amount of time on outreach. The states of Maryland as well as Utah and Minnesota all have legislation that specifically states that any HIEs in those states have to be ENAC accredited. And we're working with several other states to look at that model legislation and hopefully adopt it.

Privacy, Security Standards

ANDERSON: Review some of the privacy and security standards that an HIE must meet to earn your accreditation.

BARRETT: We've got a whole set of criteria around privacy and confidentiality. We have a number of our criteria that are mandatory and others that are optional, but an organization has to go through and they have to achieve 85 percent compliance with all of our criteria to achieve full accreditation.

... A candidate must have policies to protect against disclosure of protected health information, or PHI. There's a whole set of other policies and procedures that go along with it. A candidate must use strong encryption as well as authentication and messaging integrity. A candidate must maintain a list of all individuals, contractors and business associates that access PHI. So there are ... probably over 30 different criteria just on privacy, security and confidentiality.

An organization that's part of our accreditation process has to submit a self-assessment that indicates what they have done and show evidence that they meet the criteria. Then we have a site reviewer that actually goes out to validate what the organization has provided. So we're evaluating their actual physical security as well.

Patient Consent

ANDERSON: Do you have a specific criteria for how to gain patient consent for the exchange of their data?

BARRETT: For patient consent, we don't have a specific criteria around it. Ours are much broader than that because we're looking at it from a standpoint of saying, "Do you have a policy and a procedure for how an individual can, in fact, achieve consent?" They have to demonstrate there's a form for individuals to go through to determine who they want to have their information disclosed to or not. So they have to demonstrate that policy to us.

Role of NHIN

ANDERSON: Do you think most HIEs eventually will use the emerging federal Nationwide Health Information Network standards and/or the Direct Project standards? If so, how might that affect the value of the accreditation you offer?

BARRETT: I think they, in fact, will use both at some point in time. ... We've got a lot of these HIEs that are in the process of forming. So I think the whole aspect of standardization is going to take time to catch on and for organizations to actually embrace it.

I'm all in favor of standards to begin with, as long as they're not redundant, as long as we're not creating so much ambiguity between standards that people don't know which standards to use. On the other hand, ... if there are certain de facto standards in the industry, we try to review those and we will adopt them as far as our criteria as well.

As for the Nationwide Health Information Network, it's clearly the vision for where we're heading ... over the next 10 years. So we're going to have this in place. We're going to have portability of records. We're going to have portability on all this information. So we have to have the controls in place. And the whole issue is trust of all the stakeholders regarding their information and their data.

So the only way we can (gain trust) is to put in the appropriate controls, the policies, the procedures, making sure we look at this from the standpoint of providing as much flexibility but as many controls as possible around the data. So aspects of encryption, authentication, the controls around opting in or opting out and giving the patient the authority to make the decision on what's going to happen to their data are all critical.

We're providing a process and, we hope, setting standards for HIEs and for the industry ... We're hoping to be one of the (federally recognized) certifiers for HIEs, e-prescribing and some of the other data points. We're not going to get into certifying electronic health records. We've got a number of organizations that are doing a great job there. ...

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.