National Provider Directory: Why Needed?How Project Supports Secure Health Info Exchange
Developing secure nationwide health information exchange brings with it security, interoperability and workflow challenges, says David Whitlinger of the New York eHealth Collaborative, which oversees a statewide health information exchange.
The collaborative recently received a $200,000 grant from the Office of the National Coordinator for Health IT to develop a national provider directory that will help tackle some of those challenges. The directory aims to ensure that electronic queries for patient data go to the right place and privacy is protected, Whitlinger says in an interview with HealthcareInfoSecurity (transcript below).
The New York collaborative also has been working with other states, along with the vendor community, to establish interoperability technical standards to solve HIE workflow issues.
"That work has come to a culmination early this year where we produced those technical standards, produced the testing standards and created a testing program ... in order for both EHR vendors as well as health information networks to test that they're adhering to the standards," Whitlinger says.
In the interview, Whitlinger also describes:
- Why interoperability and workflow are among the biggest challenges in secure nationwide health information exchange;
- Why patient control over their health data is crucial;
- Issues involved with protecting sensitive patient information.
As executive director at NYeC, Whitlinger leads the organization in its various HIE related efforts, and also in its work as a regional extension center assisting healthcare providers making the shift to EHRs. Previously, Whitlinger was director of healthcare device standards and interoperability for Intel in its Digital Health Group. He also led the cross-industry consortium, the Continua Health Alliance, focused on establishing an ecosystem of interoperable, personal telehealth systems.
MARIANNE KOLBASUK MCGEE: Could you briefly tell us about NYeC?
DAVID WHITLINGER: The New York eHealth Collaborative, NYeC, was formed in 2007 as a public/private partnership. It's a 501c3 with its own board of directors, its own leadership, but it works very, very strongly in partnership with the State Department of Health. We've had a great partner in the Department of Health in developing healthcare IT across the state, both in the adoption as well as in the formation of a public utility network, or as we call it the SHIN-NY, the Statewide Health Information Network of New York.
NYeC's role is several-fold. We worked on policy in the early days of the organization, and that was policies to establish trust and the rules of the road for health information exchange in New York. Then, that rapidly moved on into adoption and growing the usage of electronic health records in general. About that same time frame, the federal government came forward with the Affordable Care Act and all of the work that went into adoption of [EHR] meaningful use in those programs. ... Then we've been establishing exchange across the state as a public utility, both with a network of health information exchanges across the state that are known as RHIOs [regional health information organizations] as well as us serving as some of the technical infrastructure for a large portion of the state as well. We've got a hand in a lot of the different aspects of growing health information exchange as a tool set for providers and, moving forward here shortly, the patient community.
Nationwide Secure HIE
MCGEE: Why is nationwide secure health information exchange important? What do you think some of the biggest privacy and security challenges are that need to be overcome?
WHITLINGER: If you look at national health information exchange on two fronts, there's no question that healthcare is local, and the majority of exchange that's actually useful for the healthcare system and for the patient is actually very local to the patient and where they work and live. That being said ... the state boundaries do create some amount of division in healthcare delivery because of payment systems and how the different state governments regulate or produce payment from a government perspective. There are different boundaries that occur in different laws that affect the ability to exchange. ... A complete and comprehensive national network is a difficult challenge. The variations by the different states are not trivial.
The federal government, I believe, has taken some tremendous steps forward with meaningful use in the development of a method of exchange that pretty much replicates electronically a lot of the physical exchange that's going on and therefore fits to the norms of the policies across the country. That's what's called Direct exchange, or point-to-point And without getting into the policy details, it very much conforms to the way that records can be exchanged today via fax machine or physical U.S. mail types of methods.
That being said, where there are borders of high density, particularly here in New York where we have a high density between New York City, New Jersey, Connecticut, and obviously Pennsylvania, Vermont and the more rural areas, healthcare crosses the state borders, and there you have an equal desire to have a network of providers who are all utilizing the same data. That creates some challenges with regards to conformance to policy across borders.
MCGEE: Tell us about the new cooperative agreement that NYeC has with the Office of the National Coordinator for Health IT and the work you'll be
WHITLINGER: The New York eHealth Collaborative early on determined, much as others did across the country, that one of the significant barriers for usage of health information exchange and the values that it can create in the healthcare system is workflow. Workflow really struggles because the primary health IT system that the physician community uses is their electronic health record, and in many cases it's difficult, costly and challenging to integrate health information exchange into that workflow.
In the past, a lot of times that health information exchange would be an Internet-based portal and the workflow would be challenged to jump out of the electronic health record system over to the portal and back again with some information about the patient. It was fairly clumsy.
Two years ago, we brought together a large portion of the rest of the states who were, from a policy perspective and from a technology perspective, in a similar position as New York. We asked the states if they would like to work together, along with the vendor community, to establish strict interoperability plug-and-play technical standards that would solve that workflow problem both for Direct exchange and for query-based exchange. That work has come to a culmination here early this year: We produce those technical standards, produce the testing standards and created a testing program with CCHIT [Certification Commission for Health Information Technology] in order for both EHR vendors as well as health information networks to test that they're adhering to the standards, and therefore their products will collectively work together - plug-and-play - out of the box, with great workflow and low costs. That work occurred over half of the country ... and with 30 vendors - just a multitude of collaboration, participation and development of all of that.
That now is reaching the testing phases. The first pilots of the testing program are occurring. We'll see logoed products here later this year and the logo will mean they've tested their product and it's now ready to be used in a plug and play network.
The ONC has now asked us to take that work forward. There are a couple of other places where there's work that could be done on how we exchange records across networks, and the principle one is the directory of providers. What does the address book look like, and how is that address book shared nationally, such that we can have doctors in one part of the country find the addresses readily and easily for doctors in another part of the country and exchange information, if necessary, for delivery of care to a particular patient? We'll be spending quite a bit of time on the provider directory set of problems, both technology and policy, as well as a couple of other issues that are thorny in regards to the query-based exchange.
MCGEE: What are some of those thorny questions?
WHITLINGER: Those issues are also in regards to being able to find different providers and how the network of networks can start to be assembled across borders, and that has to do with being able to recognize the patient's providers and the consent of the patient across borders.
Security, Privacy of Health Data
MCGEE: Related to the work that you're doing under the cooperative agreement, what are some of the goals, particularly as they relate to security and privacy of health data?
WHITLINGER: First and foremost, I think security and privacy really is paramount and it succeeds best when as much control as possible can be given to the patient - as much control as the patient desires. We found that, time and time again, to be what's successful in New York. We found that, to a large degree, patients very readily want their data to be shared to a large group of providers and all the providers that they see, and they would like that to be a seamless experience that. ...
What they really want to benefit from is to know who has seen their data. If they have an ability of knowing who has seen their data that can be done through electronic auditing mechanisms, then they have a great deal of confidence that the system can be audited. If there are things that happened that shouldn't happen, they have recourse in that their privacy and security concerns can be addressed because the system is looking out for them.
MCGEE: Besides the cooperative agreement with ONC, are there other privacy and security-related efforts that are under way or planned at NYeC that you can tell us a little bit about?
WHITLINGER: New York, being a state that really worked heavily on query-based exchange - that's the ability for a provider or, in the near future, for a patient to ask for all their records on a given patient identity and receive them. That query-based exchange has a need for a lot of trust. Some of the places where we end up with that being a more difficult issue is around behavioral health data, reproductive health data or substance abuse data. And the rules around those types of data are very important to be adhered to and to be embodied in the exchange in the practices of the providers. That does make it a little bit more difficult. The institutions that only deal in those types of data can very thoughtfully figure out how to manage that data and deal with it in a way that protects the patient and protects the privacy and still delivers care in a thoughtful and meaningful way.
Some institutions don't [offer] those types of care delivery; [they] mix it in with primary care or other types of care. Therefore you can have substance abuse data or reproductive health data that might just, by practice, get mixed in with general health data. It makes it a little bit more difficult to apply the rules because you've got mixed records. As much as we can try, it sometimes creates issues. Those are areas where we would really like to start to dig in more both with technology and with policy in order to get broader access to more information as well as protect the rights and the needs of the privacy of those patients.
Protecting Patient Information
MCGEE: What would that involve? Would that involve data segmentation or other sorts of technologies?
WHITLINGER: ... There are technologies such as natural language processing that even can comb through some of the messiest of records and look for keywords that could be sensitive and should be somehow dealt with in a different way. Then there's a set of policies around how should the system deal with that. There's a fair amount of folks in the physician community that would really argue that editing a record could be more harmful than good. We need to be very careful in how we deal with that from a policy perspective and how we deal with that from a notification perspective, both for the patient and the providers, so that everybody is aware of what the implications are and how best to proceed. We're forming collaborative workgroups inside the state in order to work on those different issues and come to some technology answers as well as some policy and practice answers that will move that forward. ...