The Brooklyn HIE's Security StrategyHow the Network's Privacy Protections Will Evolve
In an exclusive interview, Koch describes the exchange's:
• Use of encryption, which will evolve as BHIX enables physicians to access the exchange directly from their electronic health records systems;
• Approach to verifying the identities of those sending and receiving information;
• Policies for gaining patient permission for sharing information;
• Plans for working with providers to give patients an accounting of who has viewed their information; and
• Collaboration with other HIEs in the state on the broader security issues that will emerge when the exchanges are linked.
Koch has led BHIX since its formation in 2007. She is a member of the Policy and Operations Council of the New York eHealth Collaborative. She formerly served as associate general counsel at Maimonides Medical Center in Brooklyn. And she was assistant counsel with the New York State Department of Health in the Bureau of Professional Medical Conduct.
HOWARD ANDERSON: This is Howard Anderson, managing editor at Information Security Media Group. Today we're talking with Irene Koch, executive director of the Brooklyn Health Information Exchange. Thanks for joining us today, Irene.
IRENE KOCH: Thanks for having me.
ANDERSON: Please give us an update on status of the Brooklyn HIE.
KOCH: We are live with our health information exchange at BHIX. We have a bunch of hospitals and homecare agencies, nursing home and payers now contributing data and starting to also access the data from the health information exchange. We went live initially in the fall of 2008 and now have an upgraded system that is operational.
ANDERSON: What kinds of information are the participants sharing now, and what kinds of transactions are on the horizon?
KOCH: At the current time we have an assortment of clinical data that comes in from all these various different organizations. And it ranges from admission/discharge/transfer data from the registration systems to different kinds of clinical data like procedures, diagnosis, healthcare advance directive information, labs and so forth. And so the actual focus of the data exchange currently has been on transferring this clinical information for viewing and historical purposes. But immediately on the horizon for us is turning to the world of transactions to facilitate the kinds of referrals and exchanges of data that happen on a one-to-one basis when patients go from one place to the other. And those are the kinds of things, like referrals...that are on our immediate horizon.
ANDERSON: Can you give us a few examples of how participants are using the exchange now?
KOCH: Sure. Like I said, right now we're live with clinicians pulling data from a clinical portal sponsored by BHIX. So we have physicians who might be treating the patient in an emergency room, for example, who need to get information on that patient because the patient may be comatose or unable to participate in their care. Physicians can do what's called a "break the glass" inquiry on the BHIX clinical portal for one-time access to this patient's clinical information to treat them in the emergency. And we've gotten feedback from those clinicians that they've actually been able to get very valuable information on those patients through BHIX that they would never have known about otherwise to help care for that patient.
And so although the workflow of getting data from a clinical portal outside of one's own information system isn't ideal, we still are getting feedback that the data is very, very valuable. So when I refer to the workflow issue, what we're working on and testing right now is having a physician from within his own electronic medical record be able to push a button to get the same exact data that I talked about sent right into their system as a summary document....
ANDERSON: So are you using encryption now to protect information being exchanged or will that be added as you move to the transactional model in the months to come?
KOCH: There is currently encryption. It's just a different sort of encryption that happens when you're using the portal versus when you're exchanging data into an electronic medical record using these newer profiles. So right now we are doing encryption of the data through VPN tunnels and so forth, and the data being retrieved from the system is accessed through an encrypted process as well....
ANDERSON: How do you go about verifying the identities of those sending and receiving information?
KOCH: When data is being retrieved from the system through the BHIX portal, the user's identity is determined through...their user name and their password. And once the login is complete, their role and consent is evaluated to determine what activities that user can perform. But again, we're very much moving toward the world where that is not the only way to access data through BHIX. We're moving toward being able to serve up the data to a user who identifies himself from within his or her own EHR system.
And so when you're using those interoperable electronic health records, the mechanism is a little bit different and uses...client certificates and other technology that the technical team has spent a lot of time in our project and through statewide work defining.
ANDERSON: What is your policy for enabling patients to opt in or out of having their information exchanged?
KOCH: The policy that we have implemented here at BHIX is entirely consistent with the parallel universe of the policy that's gone on through the entire New York state collaboration process (among various HIEs.)....We don't actually even refer to it as opt in or opt out because it's a little bit misleading. What it really amounts to is that when a clinical provider wants to access a communitywide batch of data through a health information exchange governed by that exchange, since it's not just one providers organization at a time, there needs to be an affirmative consent from the patient to be able to authorize that one user to access that information.
So it's really called an affirmative consent model and each patient is given the option to either grant each different provider organization consent to see their data, to access their data through BHIX, so that would be a "grant consent" or they can give them the option to "deny consent" so that for that particular provider organization they may not ever access data on that patient through BHIX. Or, there's that "interim" status, until you know the answer of the patient or if the patient wants to just leave it that way, which is that only in an emergency situation may the provider access information through BHIX and we just referred to that earlier when we talked about "breaking the glass."
So it's really an all-or-nothing consent of that patient. We don't filter based on different types of data for this large amount of communitywide exchange....As we move from a communitywide exchange of data to a more one-to-one or push type of model, there's going to be a lot more discretion on picking and choosing bits of data that one provider opts to send to another, and that's a whole different way of using a health information exchange to improve care.
ANDERSON: How do you plan to enable patients who request it to get a list of who has accessed their information via an exchange?
KOCH: Our privacy policies have a lot provision about the participants that use BHIX so that they can engage with their patients to provide them the information that they need to satisfy the patient's request for information. Enabling patients to get their data through BHIX is going to be happening through our provider organizations because they're the ones that really have the relationship with the patient.
So if a patient is at a hospital and requests a record from that hospital, we will work with that hospital who's a member of BHIX to help them amass a list of access points through BHIX to that patient's data....
ANDERSON: It sounds like you anticipate that your exchange will be linking up with others throughout the state. What additional security issues does that raise?
KOCH: Yes, we very much anticipate that our health information exchange will link up with others throughout the state and, of course, here in New York City....
So of course we're going to need to link up with other health information exchanges throughout the state and even in other states because patients come to New York City for business and for care. In order to really improve the care of these patients, you need to get data from lots of different places. So it's not even just security issues that you need to address when you think about all of those interactions. It's the identification of the patients from different hubs and the identification of the users to make sure that the users here have proper access to not just the data that was originally from BHIX but from these other information organizations and exchanges as well.
So we're very actively participating in statewide work to start discussing those issues with our colleagues. But that's definitely a work in progress and something that's requiring a lot of effort for everyone to work on together.
ANDERSON: Finally, what advice on privacy and security issues would you give to other HIEs that are just in the formative stages based on your experience so far?
KOCH: It's absolutely central to everything that the health information exchange does to be able to think of the privacy and security domain as they relate to every new function and technical feature that is deployed. To think of it as an afterthought is a real mistake.
One of the strengths of BHIX actually was that in every bit of technical build we wove in not only the privacy and security kind of perspective but also the clinical perspective to make sure that they were all aligned at the same time so that the technical folks don't build in a bubble. That's going to be essential for anyone going forward.
As we think of the National Health Information Network that's really developing across the country, we really need to make sure that the privacy and security issues that get resolved in each region, in each state, harmonize with one another so that we actually can effectuate the kind of exchange that we need to do across the country. Because the worst thing that would happen would be that there would be bubbles and silos of places where you could exchange data but not really take it to the next level, which will really bring the most value.
ANDERSON: Thanks, Irene. We've been talking today with Irene Koch of the Brooklyn Health Information Exchange. This is Howard Anderson. Thanks so much for listening.