How Wisconsin HIE Simplifies Security
Segregating Data in Central Repository
The Wisconsin Health Information Exchange's hybrid data architecture model simplifies data security, says CEO Kim Pemble.
The health information exchange, which was launched in 2004, facilitates secure data exchange among more than 50 hospitals and clinics across 29 counties in Wisconsin.
WHIE's data architecture means it has two places to secure data - its primary data center and backup, Pemble says in an interview with Information Security Media Group's Marianne Kolbasuk McGee (transcript below). "In a distributed model, the security is wider spread. There are more points of potential threat."
WHIE stores healthcare data in one repository, as in the conventional centralized model, but the data is segregated logically based on the sources of the data, Pemble says. That means participating members, such as hospitals, not only retain ownership of their data, but they specify how that data can be used by the exchange. "Each [member] has ownership over their data, and we're only allowed to use the data as the owners allow," he says.
In the interview, Pemble also:
- Describes WHIE's opt-in approach for patient consent, and why the exchange is considering moving to an opt-out model;
- Outlines how WHIE authenticates users in the exchange;
- Offers security advice to start-up HIEs.
Pemble, who joined WHIE in 2008, has more than 30 years of health IT experience, including positions as vice president of IT for Infinity Healthcare and VP and CIO for SynergyHealth. In addition to his role at WHIE, Pemble is also president of the National Institute of Medical Informatics, a non-profit organization that sponsors WHIE.
Wisconsin Health Information Exchange
MARIANNE KOLBASUK MCGEE: Tell us a little bit about your organization and your role.
KIM PEMBLE: WHIE is a not-for-profit regional health information exchange providing services primarily in southeastern Wisconsin. There are currently 15 emergency departments across a four-county area and four community health centers that are using information from the exchange in minute-to-minute patient care. In addition ... in total across the state there are 51 hospitals that are contributing data to the exchange for public health syndromic surveillance purposes.
Hybrid Data Model
MCGEE: What model of data exchange does the Wisconsin Health Information Exchange use and why?
PEMBLE: Our model is based on what's frequently referred to as hybrid. This provides some flexibility for us in how we can meet different use cases. By hybrid, I mean that while the data is centralized - that's stored in one location - the ownership of the data is maintained by those health systems or hospitals or clinics that are providing the data to the exchange. The exchange does not have any ownership rights to that data. We're only allowed to do with the data what the owners of it - the hospitals, health systems - allow us to do. That centralized model is one that we've implemented where while the data's brought together, it's logically separated so that at any time should any of the participating organizations choose to no longer participate in the exchange, their data may be removed from the exchange and no longer be accessible by any of the other participating organizations that remain.
Those are critical elements from a business perspective, as well as a security and patient privacy approach. That centralized approach and the way the data is existing in one database, even though it has separate logical separations, allows us to address certain use cases, like the public health reporting where we aggregate across all these different hospitals and provide real-time, as well as batch, access to that data for public health syndromic surveillance purposes. We completely de-identify the data and provide it to the public health officials in support of their syndromic surveillance work.
Additionally, having the data stored in this manner allows us to perform various different analytics on the data to help communities such as the Milwaukee Health Care Partnership, with whom we've had a very long and cooperative relationship here in Milwaukee County. They seek to implement various different workflow and procedural changes among all of the emergency departments across five different health systems in conjunction with their work at the community health centers in Milwaukee County. [This] ensures that patients are receiving care in the most appropriate settings. So if patients are using the emergency departments for care, [Milwaukee Health Care Partnership] can refer those patients out to community health centers so that they now have a primary care provider. And we look at the analytics on patient encounter data to see what patterns of care existed prior to that event and after it. [We look] to see if the efforts the partnership is bringing forward in that referral model are actually in the long run encouraging patients to seek care from primary care or patient-centered health and home settings.
Comparing Security to Other Models
MCGEE: How does the hybrid model that you use safeguard data security and privacy, compared with other models that you considered and rejected?
PEMBLE: ... From a hybrid model security perspective, actually there are two points where the data exists. One is the primary data center and then the back-up data center. We have just those two points that we need to secure. In a distributed model, the security is wider spread. There are more points of potential threat. All the models provide extensive security around this data. All of the HIEs are extremely conscious of the importance of securing this data. Any breach in these HIEs will have a long-lasting impact on all of the HIE efforts, so we are all very conscious of the necessity to keep the data secure.
In our data center, we have virtual private network connections to all the different health systems with whom there are data submissions or users are accessing the exchange. We have the full audit trail, as do the other models. So really the security components focus more on the physical sides where different servers exist. Because we have operational responsibility around all of those servers, we can ensure that they're all current in their security patches for operating systems, for virus threats and other risks that may be presented to them. I want to emphasize that regardless of the model - centralized, distributed or hybrid - all of the HIEs are extremely aware and conscientious about their responsibility to keep the data secure.
MCGEE: How many other health information exchanges do you work with?
PEMBLE: We do some work with our state-level HIE, which is the Wisconsin Statewide Health Information Network. That's one of the organizations that is working with funding from the Office of the National Coordinator. Our initiative started back in 2004, and we had some funding from a Connecting Communities for Better Health grant and then a Medicaid Transformation Grant. Now in our fifth year of clinical operation, since March of 2008, our funding has come primarily from the health systems that are using the system and from state Medicaid. We've also had some funding from the Centers for Disease Control to help in the expansion of our public health syndromic surveillance work.
Obtaining Patient Consent
MCGEE: Please describe your approach to obtaining patient consent for exchanging their information. For instance, does the Wisconsin Health Information Exchange require patients to opt-in or opt-out? Is there any sort of granular consent where patients can authorize some data to be exchanged but not other data, like mental health?
PEMBLE: Currently, the WHIE has a relatively minimal data set. We receive admission records from health systems, claims data from the state for Medicaid patients, and continuity of care documents from one of our community health centers. The consent model's integrated into the workflow at the different clinics and hospitals where the exchange is used. Staff there work with the patient to obtain their consent so it is an opt-in model. We're reviewing that again and looking at the potential of it becoming an opt-out model, [which is] easier to operationalize and that would align us more closely with what appears to be the direction that, for example, WSHIN is taking. The consent can be acquired by any user of the exchange that has that capability as part of their role. Along with the consent process, when a user acquires the patient's consent, the exchange knows when that was acquired, where it was acquired, the user that acquired it, and a copy of the consent form actually becomes part of the patient's history in the exchange.
Likewise, we have a service that allows a patient to withdraw from the exchange. So if I were to consent today and then went home and thought about this more and changed my mind, I could return to the clinic and withdraw my consent. That withdrawal process - where it was acquired, when it was acquired, who the user was that acquired it and a copy of the template that was executed - is part of [the patient] history. We do not allow currently any granular consent. It's either you have consented or you have not consented.
That consent process, once executed, has a three-year life or until the patient withdraws. So we don't need to have consent every time the patient encounters a care relationship at any of the clinics or hospitals where the exchange is being used. We track when that three-year time window is up so that we can alert clinicians and their staff who may be seeing the patient that it's time to reacquire the consent. That's the workflow for all non-emergent settings ... it's our structure that a consent is not a required element at the time of an emergency department encounter.
MCGEE: What approach are you taking to authenticate the identity of organizations or individuals that are using the exchange to share information?
PEMBLE: The only people that are allowed access to the exchange are those who are employees of a participating organization, and each employee or user has to execute a consent or a data use agreement. That data use agreement identifies what [the user's] role is within the organization. We use that infrastructure, their user account, on the exchange, so that it matches their role within the emergency department. We work with the health systems and the clinics to ensure that as employees assume different roles within an organization, that their access to the exchanges are appropriately adjusted. [Access is] removed if [a user is] no longer in a role or no longer an employee of a participating organization so that access is no longer there for them.
The access is not available outside of their clinic or hospital service areas. They cannot go home and log on to the exchange. There wouldn't in our current model be a need for a staff member to be accessing anyone's data in the exchange outside of their care-providing site and role. ... The ability to access any given patient's history in the exchange is dependent on that patient being currently enrolled for care at that organization or having a current relationship with a provider such as your primary care provider at a clinic site. The clinicians do not have the ability to log on to the exchange and go browsing to find a given patient. They have to have a care relationship with that patient in order to have the access.
Advice for HIE Start-Ups
MCGEE: What advice do you have to start-up health information exchanges in terms of best practices for data security and privacy?
PEMBLE: Security and privacy are certainly very critical elements to how an exchange operates. But I think the most important step and one that will provide a strong foundation for discussions around security and privacy models is to engage the community. I see some of the HIE initiatives under way that appear to have a more technically driven focus to their implementation approach. Really [an] HIE is less - in my opinion - about the technology and more about how we can enable the use of information to provide better healthcare. Certainly the provision of that care needs to be done in a model that's respective of the security and privacy requirements that not only exist at a national level, but that also may exist at a state level. And because of the state level being more secure as it is here in Wisconsin than even HIPAA, we need to respect not only the state laws but the federal laws at the same time.