Linking HIEs: Key Security Issues

Massive New York Project Tackles Integration

Consistency in privacy and security policies will prove critical to an effort in New York to link 10 regional health information exchanges into a statewide network, says David Whitlinger, executive director of the statewide initiative.

The state is providing $55 million to fund the Statewide Health Information Network of New York, or SHIN-NY. The funds will help link the state's 10 regional health information exchanges, in effect creating a public utility of networked, interconnected electronic health records, says Whitlinger, executive director of the New York eHealth Collaborative, which oversees SHIN-NY.

Because New York planned the development of a statewide network over several years, it has robust security and privacy policies in place, Whitlinger explains in an interview with Information Security Media Group (transcript below).

"These are the policies that allow for who has access to a certain patient's records and what they can use that data for," he says. "The policies dictate that the patient really has ultimate control. They have the ability to give consent [for] access [by] individual providers ... to see the data."

In the interview, Whitlinger also discusses:

  • The role that secure e-mail based on the Direct protocol plays in facilitating "transactional" health data exchange among clinicians, such as when patients are discharged from hospitals or need referrals for medical specialists;
  • Computer algorithms used to ensure the correct patient record is matched to the correct patient during health information exchange;
  • The status of efforts to launch a statewide patient portal providing secure records access;
  • SHIN-NY's long-term business sustainability model.

As executive director of the New York eHealth Collaborative, Whitlinger leads its various HIE-related efforts and its work as a regional extension center assisting healthcare providers making the shift to electronic health records. Previously, Whitlinger was director of healthcare device standards and interoperability for Intel in its digital health group. He also led the cross-industry consortium, the Continua Health Alliance, focused on establishing an ecosystem of interoperable, personal telehealth systems.

Linking HIEs

MARIANNE KOLBASUK MCGEE: What is the significance of New York state funding to SHIN-NY as a statewide health information exchange, and what does it mean for SHIN-NY to become a public utility?

DAVID WHITLINGER: As many other states started with American Recovery and Reinvestment Act funding in order to get their state health information exchange off the ground, New York actually got started before that with its own state funds and a grant mechanism. Then, the federal ARRA funds helped move that forward a little further. We ended up at the end of last year [with] the ARRA funds running out, we have 10 regional networks around the state. Each of those has its own community governance and hardware and software, bringing together the different providers in the community. We said to that group of organizations and stakeholders from across the state, "we're not in the position where we don't quite have enough adoption of the network, enough usage or users of the network where it could be charged on a fee-for-use or fee-for-service model and be self-sustaining. What would you like to do?" And the resounding community response was, "Look, we really think that this is a public good. This shouldn't just fall on the shoulders of those who are using it and see the light towards its benefit." At some point you have free riders; organizations that are using the network and not paying for it. You have organizations that are receiving the benefits of the network because the healthcare system is more efficient but not paying for it. We think this really needs to be treated as a public good. We would believe the best way of funding this is to tax and charge for it being a government mechanism and provide it to the healthcare community as a public good. That is how we call it a public utility.

SHIN-NY Vision

MCGEE: What is the vision for SHIN-NY? For instance, will it be possible for healthcare providers across the state to securely access and exchange a patient's healthcare data?

WHITLINGER: Absolutely. We have two major technologies, or capabilities, that are built into the SHIN-NY. One of them is essentially the Google Search, although it's obviously very specific and much more tightly controlled than a Google Search, but it is the ability to search for a patient's records across the network. Now that works today in 10 different communities, and where they look for records on a given patient when queried is within that community. At the end of the year that query will go across the whole state and pull all the records. That means if the patient lived half their life in Manhattan, the other half their life in Buffalo, all of the records would be available wherever they reside. The other technology that we have is what's called Direct, or secure, e-mail. It is the ability for one provider to send another provider a patient's record. This is really important for transactions. So a patient is discharged from the hospital. That hospital then sends the record of what occurred within the hospital to the primary care or specialty care physician that is going to receive that patient after they leave the hospital, or maybe it's from primary care to specialty care for a referral and then back again from specialty care to primary care after the special work has been done. Those care transitions are using a secure e-mail technology called Direct.

Web Portals

MCGEE: Will patients statewide also be able to securely access their health information through a SHIN-NY Web portal?

WHITLINGER: Yes, that's right. We started a patient portal project last year and this project was started as what we call a 'crowd source'. So we went out to the New York Design and Development Community and said, "Give us your best. Design a patient portal that you think patients would really find engaging [and a] user interface that would be really compelling and easy to use, for the masses of New Yorkers who might want to access their records and see their health information." We had 16 different designs submitted. Over a hundred thousand New Yorkers voted for the different designs online. There was an overwhelming winner. The company is called Mana Health and they are now in the final stages of finishing the testing of this patient portal. It's very exciting. We're all almost to our first data patients using this portal.

Patient ID Matching

MCGEE: How will you tackle patient ID matching?

WHITLINGER: The algorithms, the computer codes that are used in order to match patients today are very, very robust. With a couple of pieces of information, even a state that has a high density and a high population as New York, we're still 98.9 percent of the time able to do an exact match where there's no possibility of the patient that is being looked up not being the patient that we're providing records for. Then of course in that last two percent, we have mechanisms of providing the provider with other information about the patients that they can then ensure they have the right patient.

Connecting Health Exchanges

MCGEE: What are the biggest challenges in interconnecting all of SHIN-NY's 10 regional health information exchange organizations, especially as it relates to data privacy and security?

WHITLINGER: The state has done part of the development of this network over the course of many years. These are the policies that allow for who has access to a certain patient's data and what can they use that data for? At the end of this, the policies really dictate that the patient has ultimate control. They have the ability to consent or give access to individual providers, and they're giving those rights to see the data. That set of policies was really designed across the whole state and put together over the course of years with many stakeholder workgroups and policy development. Now that we're stitching the individual communities together into a statewide network, having consistency in those policies has been very germane to making it all work. There are not inconsistencies in the policies now, we can connect these networks, and the rules of the road, so to speak, are uniform. The technology of connecting these different networks is actually fairly straightforward. That places the ability for one network to query another as something that has been developed over the course of time. We really expect some new engineering; this is a fairly large scale not only for the nation but perhaps in the world with regards to the volume of records and the number of patients.

Fueling Economic Development

MCGEE: How will the New York state health information exchange effort fuel economic development and business sustainability?

WHITLINGER: Just a little bit on sustainability of HIEs in general. An HIE has, I think, in the past struggled for two reasons. One, the cost of [operating] the HIE long enough and connecting the healthcare providers together enough in a community such that the network has value has been long. The cost and time have been long. So in other words, the network really doesn't have any value to anybody, and you have at least half of the providers in the community contributing data. That is why when somebody asks for records on a given patient, they get back something relevant. So without having enough provider data in the network, it doesn't have value. People don't want to pay for it. It's not providing any use in the healthcare community. And the time it's taking HIEs to get there because of the lack of standards and engagement by the provider community, has been longer than the amount of grant money that they've had.

The second problem that has occurred is that largely until the last year or so, healthcare has been a fee-for-service model. There's been fairly low adoption of managed care payment systems. Why is that relevant? If the providers don't really have a financial incentive to know what each other are doing in order to better manage the patient and therefore get paid, then they don't really have a need to use a network like this. That is changing. We see payment reform all over the place now, not just with Medicaid but also with commercial plans where they're incentivizing providers to care what the other providers are doing on a given patient at all times. So now these providers say, "I need a network like this so I can have that data." So back to the sustainability. One, New York needs a little bit more time in order to get the adoption of the overall network in order to have enough data in the network to be fully useful to all of the providers in the community. We're almost there. We see that line of sight is within 18 months. Then, the payment models around us are accelerating into the usage of it. Long short of it, roughly $3.60 per person in New York would cover the overall cost of a very robust SHIN-NY network, and we think that's readily obtainable if the stakeholder community chooses either with taxation or without taxation. At that point, we would be in a position to be sustainable on our own simply because of the value of the network.

Model for Others?

MCGEE: How might New York state's health information exchange, as well as its privacy and security practices, potentially serve as a model for other states moving forward?

WHITLINGER: We really are at a very large scale. The population of New York and the density of both population and healthcare deliveries is something we've had to overcome a lot of problems with that we think are going to be very germane to following in our footsteps. To that end, the technology the large scale interoperability, the ability to connect networks together, and then the policies themselves, those are things that we think are great models for other states. The amount of time and energy that it has taken us to get here was a raw development effort. Hopefully other states cannot replicate what we've done, not replicate the mistakes and missteps that we've made, and get there faster and far cheaper.


About the Author

Megan Goldschmidt

Associate Editor

Goldschmidt is the former Associate Editor for ISMG. A recent graduate of Ithaca College, she has worked for multiple publications in NJ and NY, including the Trentonian and the Rochester Business Journal, instilling a passion for writing, editing and social media.
