Blumenthal’s Farewell Post: ONC’s Surprising FACAs

Dr. David Blumenthal Posts “ONC’s Surprising FACAs” on Health IT Buzz Blog
April 7, 2011, 3:25 pm / Written by Dr. David Blumenthal / National Coordinator for Health Information Technology
Republished by e-Healthcare Marketing below.

Dr. David BlumenthalI am often asked what has surprised me most during my tenure as National Coordinator for Health Information Technology. There have been many surprises, but one thing clearly stands out: the extraordinary contributions of our Federal Advisory Committees (FACAs) and their many workgroups

I have served on, and been advised by, lots of volunteer committees in both the private and public sectors. Some have been helpful, some less so. But nothing prepared me for the magnificent way our Health Information Technology Policy Committee (HITPC) and Health Information Technology Standards Committee (HITSC) have performed, and the role they have played in implementing the HITECH Act. My hat’s off to the wise legislators who created these two statutory bodies under HITECH. And my deep thanks goes to the chairs and co-chairs of the committees, to the dedicated citizens and federal officials who have served on the FACAs and their workgroups over the last two years, as well as to Judy Sparrow, the ONC manager of our Federal Advisory Committees process.

As of the end of March, Judy had organized 368 meetings of the FACAs or their workgroups: the equivalent of a meeting every other day over a two-year period. Assuming three-hour meetings attended by 15 people (and many are longer and bigger), that amounts to more the 16,500 person hours of some of the most talented health information technology (HIT) experts in the country. The sheer volume of this work is extraordinary. But equally impressive have been their specific recommendations. These meetings have directly influenced numerous key policy decisions and regulations by the federal government. For example:

  1. The basic structure and content of the meaningful use rule: The HITPC and its Meaningful Use Workgroup suggested the five major health goals that provided the organizing framework for meaningful use; many of the specific objectives for meaningful use; and the idea of injecting flexibility into the meaningful use regime by creating a core set of objectives and a menu set from which providers could chose.
  2. The key standards that the Secretary adopted under the Interim Final Rule – setting  forth standards, implementation specifications, and certification criteria for electronic health records (EHRs): The HITSC generated these standards based on previous work performed by the Health IT Standards Panel.
  3. The structure of the certification process: The HITPC and its Adoption/Certification Workgroup proposed that the certification process be open and competitive, and that we create a streamlined temporary process quickly – to be followed by a more complicated permanent process – so as to get certified records into the market in time for the beginning of meaningful use. The federal government adopted all these recommendations.

Beyond these critical suggestions that have already influenced policy, the committees continue to generate wise, thought-provoking recommendations that ONC will carefully consider in the future. For example:

  1. The concept that patients should have “meaningful choice” regarding the uses of their personal health information: Bypassing the common controversy over whether patients should be able to “opt-in” or “opt-out” of the electronic exchange of their data, the HITPC and its Privacy and Security Tiger Team focused on the bottom line. Patients should have the information they need to make informed choices over how their data are managed. The Committee also laid out a definition of the term meaningful choice.
  2. The governance of the Nationwide Health Information Network (NwHIN): The HITPC and its Governance Workgroup recommended that in fulfilling the HITECH requirement to govern the NwHIN, ONC develop conditions of trust and interoperability that any organization must meet to participate in the federally sponsored Nationwide Health Information Network. The decision about whether to meet those conditions, and become a member of NwHIN, would be voluntary. Thus the NwHIN would have to prove its usefulness as a guarantor of the privacy and security of data and of effective interoperability – a very useful market test of the government’s NwHIN service.

ONC’s advisory groups have made and will continue to make many other contributions. All have taken shape in open meetings with opportunities for public comment. Indeed, in some ways, our FACAs have made policy development at ONC wiki-like – a ground up, participatory process in which the federal government has facilitated the work of a vast community of citizen experts.

This experience with the ONC FACAs raises the general question of why some federal advisory committees are more successful than others, but some key factors seem to have played a role. The HITECH legislation and the meaningful use framework gave the committees concrete deliverables and timelines. This made it easier to set priorities and push to consensus on numerous, complex, and potentially divisive issues. A second factor may have been the nature of the HIT community. Its members believe passionately in the value of information to make health and health care better, and they are ready to commit personal time and set aside personal agendas in service of creating a modern, electronic health information system for the United States.

Regardless of the reasons, the ONC FACAs have been a wonderful surprise. We could never have accomplished what we have without them. If HITECH reaches its potential, a lot of the credit will go to the hundreds of dedicated citizens who have contributed thousands of person-hours to make health care better for all Americans through HIT.

In the January 2011 Annual Meeting of eHealth Initiative in Washington, DC, this blogger had the privilege of asking Dr. Blumenthal  the first question after the National Coordinator delivered a keynote address. In short the question was “What’s most surprised you in your tenure as Coordinator?” Dr. Blumenthal paused for a moment, appearing to reflect, seemed to indicate it was the first time he had been asked the question, and he answered that the tremendous volunteer effort of the Health IT community in supporting the Office of the National Coordinator was the most surprising.

ONC announces launch of “Direct Project” pilots via Press Release and Blumenthal/Chopra Blog Post

‘Open Government’ process yields rapid drive toward early exchange of electronic health information
HHS Press Release: 2/2/2011

Blumenthal and Chopra Blog post from ONC’s Health IT Buzz blog comes after press release
Additional articles: NY Times, Govt Health IT, and Project Direct blog

The Office of the National Coordinator for Health IT (ONC) announced today that providers and public health agencies in Minnesota and Rhode Island began this month exchanging health information using specifications developed by the Direct Project, an ‘open government’ initiative that calls on cooperative efforts by organizations in the health care and information technology sectors.  Other Direct Project pilot programs will also be launched soon in New York, Connecticut, Tennessee, Texas, Oklahoma and California to demonstrate the effectiveness of the streamlined Direct Project approach, which supports information exchange for core elements of patient care and public health reporting.

The launch of the pilot demonstrations, less than a year from the inception of the Direct Project, shows the project is on track to give U.S. health care providers early access to an easy-to-use, internet-based tool that can replace mail and fax transmissions of patient data with secure and efficient electronic health information exchange.

“This is an important milestone in our journey to achieve secure health information exchange, and it means that health care providers large and small will have an early option for electronic exchange of information supporting their most basic and frequently-needed uses,” said Dr. David Blumenthal, national coordinator for health information technology.  “Other efforts are also going forward at full-throttle to build a comprehensive structure of health information exchange.  But by bringing together health care and IT companies, including competitors, to rapidly produce a system that supports basic clinical delivery and public health needs, we will be able to more quickly start building electronic information exchange into our health care system.”

Designed as part of President Obama’s ‘open government’ initiative to drive rapid innovation, the Direct Project last year brought together some 200 participants from more than 60 companies and other organizations.  The volunteers worked together to assemble consensus standards that support secure exchange of basic clinical information and public health data.  Now, pilot testing of information exchange based on Direct Project specifications is being carried out on schedule this year, aiming toward formal adoption of the standards and wide availability for providers by 2012.

“This is a new approach to public sector leadership, and it works,” said Aneesh Chopra, the United States Chief Technology Officer.  “Instead of depending on a traditional top-down approach, stakeholders worked together to develop an open, standardized platform that dramatically lowers costs and barriers to secure health information exchange. The Direct Project is a great example of how government can work as a convener to catalyze new ideas and business models through collaboration.”

The two pilot programs that have already begun using Direct Project-based information exchange are in Minnesota and Rhode Island:

Since mid-January, Hennepin County Medical Center (HCMC), Minnesota’s premier Level 1 Adult and Pediatric Trauma Center, has been successfully sending immunization records to the Minnesota Department of Health (MDH). “This demonstrates the success that is possible through public-private collaborations,” said James Golden, PhD, Minnesota’s state HIT coordinator. “This is an important milestone for Minnesota and a key step toward the seamless electronic movement of information to improve care and public health.”

Recognizing Minnesota’s leadership in delivering high-quality, cost-effective healthcare, U.S. Senator Amy Klobuchar (D-MN) said, “this is the type of innovation that can help strengthen our health care system by reducing waste and improving quality. We need to continue to improve our health care system by continuing to integrate information technology to better serve patients and providers.”

The second pilot implementation site, The Rhode Island Quality Institute (RIQI), has delivered a pilot project with two primary goals. First, RIQI is improving patient care when patients are referred to specialists by demonstrating simple, direct provider-to-provider data. Second, RIQI is leveraging Direct Project messaging as a means to securely feed clinical information, with patient consent from practice-based EHRs to the state-wide HIE, currentcare, to improve quality by detecting gaps in care and making sure the full record is available to all care providers.

Discussing RIQI’s collaborative approach to health IT, Laura Adams, president and CEO of RIQI said, “All too often, providers do not have the data they need to take the best care of patients they serve. Direct Project allows the Quality Institute to be on the cutting edge – providing health information exchange via currentcare, delivering the efficient rollout of technology through the Regional Extension Center, and enabling and measuring real patient outcome improvements in our Beacon Community. The ability to bring together and drive consensus among a diverse set of stakeholders has been critical in the successful rollout of these innovative programs.”

“Rhode Island continues to be a nationwide leader in improving health care with better information technology,” said Senator Sheldon Whitehouse (D-RI). “Health care providers communicating with each other in a secure and cost-efficient way helps patients get better sooner with less hassle and confusion.”

Other pilot projects to be launched this year include a Tennessee effort with the Veteran’s Administration, local hospitals and CareSpark to provide care to veterans and their families; a New York effort including clinicians in hospital and ambulatory care settings with MedAllies and EHR vendors; a Connecticut effort involving patients, hospitals, ambulatory care settings and a Federally Qualified Health Center with Medical Professional Services, a PHR, and a major reference laboratory; an expansion of the VisionShare immunization data pilot to Oklahoma; a California rural care effort involving patients, hospitals and ambulatory care settings with Redwood MedNet; and an effort in South Texas with a collaboration of hospitals, ambulatory care settings, public health, and community health organizations to improve care to mothers with gestational diabetes and their newborns.

The Direct Project was launched in March 2010 as a part of the Nationwide Health Information Network, to specify a simple, secure, scalable, standards-based way for participants to send authenticated, encrypted health information directly to known, trusted recipients over the Internet in support of Stage 1 Meaningful Use requirements.  Participants include EHR and PHR vendors, medical organizations, systems integrators, integrated delivery networks, federal organizations, state and regional health information organizations, organizations that provide health information exchange capabilities, and health information technology consultants.

Information transfers supported by Direct Project specifications address core needs, including standardized exchange of laboratory results; physician-to-physician transfers of summary patient records; transmission of data from physicians to hospitals for patient admission; transmission of hospital discharge data back to physicians; and transmission of information to public health agencies.  In addition to representing most-needed information transfers for clinicians and hospitals, these information exchange capabilities will also support providers in meeting “meaningful use” objectives established last year by HHS, and will thus support providers in qualifying for Medicare and Medicaid incentive payments in their use of electronic health records.  The Direct Project specifications can also support physician-to-patient information transfers, and Microsoft Corp. today announced an application for that purpose based on Direct Project standards. For more information about the Direct Project, please visit

Other ongoing efforts supported by ONC are underway to bring about a comprehensive health information structure in the U.S.  These include technical and governance issues that are being addressed under the Nationwide Health Information Network, which embodies the standards, services and policies that enable health information exchange over the internet.  The Nationwide Health Information Network Exchange is already supporting some health information exchange between federal agencies and the private sector.  In addition, ONC provides grants to states to develop locally-appropriate policies and standards for health information exchange that are consonant with broader national standards.

For more information about the Office of the National Coordinator for Health Information Technology, please visit

Direct Project Pilot Programs Launched
Wednesday, February 2nd, 2011 | Posted by: Dr. David Blumenthal and Aneesh Chopra U.S. Chief Technology Officer and Associate Director for Technology White House Office of Science and Technology Policy on ONC’s Health IT Buzz blog and reposted here by e-Healthcare Marketing.

Today we celebrated another milestone on the Nation’s journey to better health care through the use of electronic health records and health information technology. We launched two pilot projects – one in Minnesota and the other in Rhode Island – for easily and securely transmitting personal health information via the Internet. These efforts – combined with others that will soon be underway in New York, Connecticut, Tennessee, Oklahoma, Texas, and California – mean we’re on schedule with a very important new tool that will soon enable health care providers to safely transmit patient data over the Internet, instead of relying on mail and fax. This is a significant step toward meeting ONC’s commitment to make health information exchange (HIE) accessible and practical for all the nation’s clinicians.

HIE is one of the primary benefits that can be derived from adopting health information technology. HIE means your records can be shared among your doctors, without getting lost or delayed. It means your hospital discharge instructions can be provided instantly to your physician – and to you. It means that if you are in an accident and arrive in the ER unconscious, your record can be made available, and the care you receive can be that much safer and more effective.

Since last year, HHS has been supporting a new initiative, the Direct Project, to provide an early, practical option for health information exchange. Even while other work goes on to build a more complete HIE infrastructure, Direct aimed at rapidly developing a system that providers could use soon, to support the simpler information exchange functions that they need the most.

This project started only 10 months ago, in March 2010. Now, the launch of pilot programs means that we’re on schedule to take it live, and make safe, Internet-based transfers of most-used health information a reality in the United States. That will enable existing electronic exchanges to become more standardized and convenient. And it will enable many more providers, and many more data transactions, to take advantage of the HIE benefit.

How was this fast-paced development achieved? Actually, by adopting some lessons from the IT sector itself. We set aside the “top down” approach that’s traditional for government. Instead we invited private companies (including some well-known competitors!) and public sector entities to work together, on a volunteer basis, to respond to the need for a leading-edge HIE option. Here was the challenge: Give us an easy-to-use tool, with consensus specifications, that will support HIE for the most common clinical information needs – and deliver a useable result for providers in less than two years.

And it’s working. Employing the principles and practice of “open government,” as championed by the President, these different stakeholders worked together and delivered a product, which is now in its testing phase. These same stakeholders will go out, we hope, and develop competing products based on the very standards they worked together to assemble!

It’s time for new ways of achieving the public good. The national push to health information technology is one new horizon. And the “open government” principles that today are delivering an entry-level HIE system, ahead of schedule, are yet another.

It is indeed a milestone worth celebrating.
For comments on Blumenthal/Chopra blog post, go directly to ONC’s Health IT Buzz blog.

Press Roundup
Steve Lohr of New York Times describes in February 2, 2011 Bits blog post how ONC took a  “page from the open-source model of collaboration” to develop the Direct Project, formerly called NHIN Direct.

In Government Health IT on February 2, 2011, Mary Mosquera reported that a  “total of 29 health IT vendors say they plan to connect using Direct’s standards and specifications.”

Arien Malec, director for the Direct Project, wrote his own blog post with initial reporting on the breadth of the project and a go-live event held in Washington, DC on February 2, 2011.

Peter Neupert, corporate vice president of the Microsoft Health Solutions Group, announced in his Neupert on Health blog on February 2, 2011 ”that next week we will be launching new functionality that wires every Microsoft HealthVault account to use online encrypted patient e-mail based on Direct Project security protocols. To start with, we will enable physicians to transmit a copy of a patient’s clinical information to a new email address created within HealthVault.”

Blumenthal Reviews ONC’s 2010 Accomplishments on ONC Blog

2010 ONC Update Meeting: Advancing the Dialogue on Health IT
Monday, December 27th, 2010 | Posted by: Dr. David Blumenthal on ONC’s Health IT Buzz blog and republished here by e-Healthcare Marketing.

Thank you to everyone who participated in the 2010 ONC Update on December 14-15, 2010 where we had the opportunity to discuss ONC’s strategies and programs, hear about your experiences in the field, assess progress to date, and get caught up on HITECH’s implementation. Video-recordings of the webcast are now available through the ONC website at

The 2010 ONC Update was held in conjunction with 2010 ONC Grantee Meeting which brought together for the first time the awardees of all of the ONC programs , including the Beacon Communities Program, Regional Extension Center Program, SHARP Program, State Health Information Exchange Program, and the many Workforce Development Programs.

This year, significant strides were made in health information technology. And for us, information technology has always been a means to an end, the end of improving health, improving the health system, making the lives of our fellow Americans better, making our nation’s health professionals and institutions able to live up to their aspirations, empowering Americans to have and take control of their own health and lives. These are the reasons why the Congress and the President enacted the HITECH Act and the reason that the Office of the National Coordinator exists today.

But, of course, there are many organizations and groups that have those high aspirations. Our unique contribution comes from a core insight that good intentions have to be powered by strong capabilities. And science and technology have created for us an enormously powerful new set of tools in the form of health information technology.

We are here to make sure that those tools are used fully to realize our collective aspirations. Information is the lifeblood of medicine. As health professionals and institutions, we are only as good as the information we have about the patients that we care for. Health IT is destined to be the circulatory system for that information in the decades to come.

The last several months have been a whirlwind of activity. And it is easy to forget how much we’ve accomplished. We established the meaningful use framework, one that I think is unprecedented in the history of electronic health information systems. No other country has laid out a similar framework for what can and should be accomplished using health information technology. And on January 3, the Centers for Medicare & Medicaid Services will launch the registration process for those who wish to participate in the Medicare and Medicaid EHR Incentive Programs.

We’ve issued a standards and certification regulation. As of this week, we have five certifying bodies that are available to certify electronic health records. They’ve certified more than 200 records and modules in the several months since they’ve been in existence.

Regional extension centers – 62 of them are working hard to provide hands-on assistance to those providers that need the most help in making this transition. As of this week, 30,000 physicians have already enrolled in these extension programs across the United States.

The State Health Information Exchange Program has provided 56 states and territories with planning grants. More than 20 of these states and territories have approved implementation plans, and new implementation plans are being approved every day.

Seventeen Beacon Communities are now in place. They didn’t exist a year ago. They are paving the way toward real improvements in health and health care in the communities they serve, leveraging health information technology. The SHARP Program is tackling new challenges through research and development.

And ONC’s Workforce Development Programs are preparing a whole new workforce and creating new jobs to support the transformation of our health care system through the use of information technology. To date, we have seen almost 2,300 new enrollees in community college programs and close to 400 in University‑based Training Programs focused on health information technology. And we are well on our way in these very early stages toward meeting that target of 10,000 new health professionals trained annually during the lifetime of the program.

In addition to our grants, we have dozens of contracts that are supporting programs like the Nationwide Health Information Network. And our Health IT Policy Committee and Health IT Standards Committee continue to provide enormously valuable guidance on the many policies and standards that are needed to support execution against our mission.

All of these efforts not only play a critical role in our strategy related to the improvement of health and health care through information technology, but also provide the foundation for health systems change and upcoming reforms in how we deliver and pay for care.

As we look to 2011, there will be many challenges. Driving change is hard. And it takes leadership, commitment and the ability to move forward – despite the many obstacles that each of you will encounter. I hope your sense of contributing something unique to health care and the American people – for most certainly you are – balances the incredibly hard work that you are undertaking. Someday you will look back and realize that you were present at the creation of something big.

Thanks again, and we look forward to our continued collaboration in the new year.
###To comment directly on ONC’s Health IT Buzz Blog, click here.
See Blumenthal Letter #22 on e-Healthcare Marketing.

Health IT Special Issue of The American Journal of Managed Care: Dec 2010

AJMC Publishes Health Information Technology Special Issue Online Dec 20, 2010
“Featuring scholarly articles and perspectives from policymakers, payers, providers, pharmaceutical companies, health IT vendors, health services researchers, patients, and medical educators, this [December 2010 special] issue of  The American Journal of Managed Care is a reflection” of  “the  dramatic growth of interest in the potential for HIT to improve health and healthcare delivery,” writes Sachin H. Jain, MD, MBA and David Blumenthal, MD, MPP in their introductory article titled “Health Information Technology Is Leading Multisector Health System Transformation.”  Both Jain and Blumenthal are with the Office of the National Coordinator for Health Information Technology.

Authors of 23 Articles in Special Issue
Sachin H. Jain, MD, MBA; and, David Blumenthal, MD, MPP; Cynthia L. Bero, MPH; and Thomas H. Lee, MD; Aaron McKethan, PhD; and Craig Brammer; John Glaser, PhD; Pete Stark; Newt Gingrich, PhD, MA; and Malik Hasan, MD; James N. Ciriello, MS; and Nalin Kulatilaka, PhD, MS; Seth B. Cohen, MBA, MPA; Kurt D. Grote, MD; Wayne E. Pietraszek, MBA; and Francois Laflamme, MBA; Amol S. Navathe, MD, PhD; and Patrick H. Conway, MD, MSc; Reed V. Tuckson, MD; Denenn Vojta, MD; and Andrew M. Slavitt, MBA; Marc M. Triola, MD; Erica Friedman, MD; Christopher Cimino, MD; Enid M. Geyer, MLS, MBA; Jo Wiederhorn, MSW; and Crystal Mainiero; Nancy L. Davis, PhD; Lloyd Myers, RPh; and Zachary E. Myers; Bryant A. Adibe, BS; and Sachin H. Jain, MD, MBA; Spencer S. Jones, PhD; John L. Adams, PhD; Eric C. Schneider, MD; Jeanne S. Ringel, PhD; and Elizabeth A. McGlynn, PhD; Jeffrey L. Schnipper, MD, MPH; Jeffrey A. Linder, MD, MPH; Matvey B. Palchuk, MD, MS; D. Tony Yu, MD; Kerry E. McColgan, BA; Lynn A. Volk, MHS; Ruslana Tsurikova, MA; Andrea J. Melnikas, BA; Jonathan S. Einbinder, MD, MBA; and Blackford Middleton, MD, MPH, MS;Alexander S. Misono, BA; Sarah L. Cutrona, MD, MPH; Niteesh K. Choudhry, MD, PhD; Michael A. Fischer, MD, MS; Margaret R. Stedman, PhD; Joshua N. Liberman, PhD; Troyen A. Brennan, MD, JD; Sachin H. Jain, MD, MBA; and William H. Shrank, MD, MSHS; Amir Dan Rubin, MBA, MHSA; and Virginia A. McFerran, MA; Fredric E. Blavin, MS; Melinda J. Beeuwkes Buntin, PhD; and Charles P. Friedman, PhD Robert D. Hill, PhD; Marilyn K. Luptak, PhD, MSW; Randall W. Rupper, MD, MPH; Byron Bair, MD; Cherie Peterson, RN, MS; Nancy Dailey, MSN, RN-BC; and Bret L. Hicken, PhD, MSPH; Jeffrey A. Linder, MD, MPH; Jeffrey L. Schnipper, MD, MPH; Ruslana Tsurikova, Msc, MA; D. Tony Yu, MD, MPH; Lynn A. Volk, MHS; Andrea J. Melnikas, MPH; Matvey B. Palchuk, MD, MS; Maya Olsha-Yehiav, MS; and Blackford Middleton, MD, MPH, MSc; Emily Ruth Maxson, BS; Melinda J. Beeuwkes Buntin, PhD; and Farzad Mostashari, MD, ScM; Daniel C. Armijo, MHSA; Eric J. Lammers, MPP; and Dean G. Smith, PhD; Katlyn L. Nemani, BA.

Look for an upcoming post on e-Healthcare Marketing reviewing this special issue of AJMC.

‘Health IT: Making Health Care Better’: Commentary on America’s Health Rankings Site

‘Health IT: Making Health Care Better’ by Sachin Jain
On the Web site dedicated for 20 years to using data to promote better health in the United States, Sachin H. Jain, MD, MBA, wrote a commentary on the role of the national HITECH initiative to collect and exchange health information for better patient care.  Titled  “Health IT: Making Health Care Better,” Jain’s commentary appears on the 21st Edition of America’s Health Rankings®: A Call to Action for Individuals and Their Communities. Jain is special assistant to the National Coordinator for Health Information Technology.

Jain discusses using electronic health records to improve patient quality management, encourage better clincal decisions, providing health information where and when it is needed, and getting information from here to there.

To read Jain’s commentary, click here.

NHIN Direct: Renamed The Direct Project–Where is Direct Today? Nov 29 Webinar

NHIN 203: “NHIN Direct: Where We Are Today” from National eHealth Collaborative
Monday, November 29, 2010, 1:00 – 2:30pm ET
Led by Arien Malec,
Coordinator, The Direct Project
NHIN has been renamed (for now) the Nationwide Health Information Network (NW-HIN), and its counterpart program for provider to provider transfer of clinical information outside of NW-HIN has been renamed the Direct Project for now.

Per National eHealth Collaborative’s NHIN University, “Students will learn about the history of The Direct Project and how it fits within the framework of the Nationwide Health Information Network. The class will focus on current activities of The Direct Project and gain insight from its Coordinator, Arien Malec, on the success of the community-based, open approach to development and the future of the Project.”


  • “Understand the purpose and goals of The Direct Project, including its history and organizational structure
  • Gain insight into the collaborative process that is central to the mission of Direct
  • Learn about current activities of Direct and how they fit within the Nationwide Health Information Network and, eventually, the Standards and Interoperability Framework
  • Find out about the future of The Direct Project and how to get involved in the growing Direct community”


AUDIOCONFERENCE: (866) 699-3239 or (408) 792-6300
(Please join the event with a computer system first and follow the audio instructions on the screen.)

ACCESS/EVENT CODE: 668 619 540

ATTENDEE ID: You will receive this number when you join the event first with a computer connection.

NHIN University Link to NHIN 203

NHIN Governance: Learn to Speak NHIN on Nov 4 & Have Your Say Too!

1. National eHealth Collaborative (NeHC) Presents
NHIN 202:  NHIN Governance Authorities
2. FACA Blog Seeks Governance Feedback Nov 3

NHIN 202:
Thur, Nov 4, 2010, 3:00pm to 4:00pm

Excerpted/summarized from National eHealth Collaborative on 11/1/2010.
You will learn about the initial recommendations of the Health IT Policy Committee’s Governance Workgroup and the process of turning them into rules. ONC and Advisory Committee/Workgroup leaders will serve as faculty and will respond to your feedback.


  • Mary Jo Deering, PhD – Senior Policy Advisor, Office of Policy and Planning, Office of the National Coordinator for Health IT (ONC)
  • John Lumpkin – Chair, Health IT Policy Committee Governance Workgroup; Senior VP and Director, Robert Wood Johnson Foundation
  • Michael Matthews – Chair, NHIN Exchange Coordinating Committee; Member, Health IT Policy Committee Governance Workgroup; CEO, MedVirginia


  • Aaron Seib – Interim CEO and NHIN Program Director, National eHealth Collaborative

PHASE 1 Recommendations of Workgroup from FACA Blog Post 
Or see FACA Blog post reposted below.
WEBINAR: Click here

AUDIOCONFERENCE: (866) 699-3239 or (408) 792-6300
(Please join the event with a computer system first and follow the audio instructions on the screen.)

ACCESS/EVENT CODE: 665 557 547

ATTENDEE ID: You will receive this number when you join the event first with a computer connection.

National eHealth Collaborative Relationship with NHIN
“The Nationwide Health Information Network (NHIN) is a collection of standards, specifications and policies that enable the secure exchange of health information over the internet. Today, a group of federal and private entities known as the NHIN Exchange have implemented those standards, specifications and policies as one operational model for exchanging health information nationwide. As part of this model, those entities established a committee structure to administer and support their operational approach.

“Through its cooperative agreement with ONC, NeHC is supporting that committee structure, and supports ONC’s efforts to disseminate information about the work of these committees to interested parties and the broader stakeholder community.”

Federal Advisory Committee Blog Post:
Feedback Requested by Nov 3
Governance Workgroup Seeks Comments
on Roles and Responsibilities for Governance

Monday, October 25th, 2010 | Posted by: John Lumpkin on FACA Blog and reposted here by e-Healthcare Marketing. 

The Governance Workgroup (Workgroup) is developing recommendations on governance mechanisms for the nationwide health information network.  The Workgroup identified overarching objectives, key principles and core functions for governance in its Preliminary Report and Recommendations on the Scope of Governance [PDF – 94 KB] presented to the HIT Policy Committee on October 20th.  The Workgroup is now preparing final recommendations on how governance functions should be implemented and by whom.  As a first step, the Workgroup would like to identify existing mechanisms that might be appropriate, with or without modifications, and with or without some added coordination; and whether new mechanisms are needed, and if so, which?  The Workgroup would like public input on these issues and has created a table listing the core functions and questions to frame the input.  The table is available at here [DOC – 81 KB]. A short version of the table is presented below, for your comments.  If you prefer, you can download and complete the table and email it to Please put “Governance Workgroup Recommendations” in the Subject Line.

We would appreciate receiving comments as soon as possible and no later than November 3.

Recommended Governance Functions include:

(For more details, see the Recommendations report [PDF – 94 KB] presented to the HIT Policy Committee)

I. Establish policies for privacy, security, interoperability and to promote adoption of the NW-HIN.

a. Privacy and Security

b.  Interoperability, Eligibility Criteria and Compliance Expectations

c.  Address gaps; coordinate stakeholder input

d. Coordinate with technical and validation bodies

II. Establish technical requirements to assure policy and technical interoperability.

a. Adopt requirements

b. Coordinate with policy setting body

c. Change and transition process

d. Recognize or authorize shared technical services

III. Establishing appropriate mechanisms to assure compliance, accountability and enforcement.

a. Determine eligibility

b. Evaluate compliance

c. Assure accountability

d. Enforce

IV. Oversight of the governance mechanisms.

a. Track issues

b. Monitor ongoing compliance

c. Assess risks and benefits to prevent harm

d. Evaluate effectiveness

e. Resolve disputes

While all comments are welcome, we would specifically like input on these questions for each of the four recommended governance functions listed above:

  1. What existing entity or process could be leveraged NW-HIN governance? How does it function?
  2. What is the jurisdiction for its functions and under what authority does it operate?
  3. What level of formality is used (e.g. self-regulated, state regulated)?
  4. Can it scale to satisfy NW-HIN needs (w/ or w/out changes)?
  5. Does it satisfy NW-HIN governance objectives (w/ or w/out) changes?  If yes, provide rationale.
  6. Are additional mechanisms or processes necessary? Why?

Thank you,
John Lumpkin, MD, MPD, Chair, Governance Workgroup
To comment directly, go to the FACA Blog post.

ONC Site Map Updated in Conjunction with New Health IT Unified Theme

“Connecting America for Better Health” – ONC for HIT
Web Site Map for Office of the National Coordinator for Health IT
On August 27, 2010, the Office of National Coordinator (ONC) for Health IT announced a new “unified identity for Health IT”  which includes a “new theme and visual identity” for the ONC Web site and ONC and can be seen at the top of ONC Web pages.

The site map below for  ONC’s Web site is pulled primarily from the left navigation bar on the ONC site with some additional links to key areas. [Please send any corrections or comments to e-Healthcare Marketing. This is an update to a previous site map posted on February 16, 2010 on e-Healthcare Marketing, including new workgroups.]

While the visible structure of the Web site remains mainly the same, the home page and much of the underlying architecture appears to have been updated to simplify access to users, highlight new and important content, and simplify the addition of new information anticipated to come soon, such as announcements of the  Authorized Testing and Certification Bodies (ATCB) and Certified EHRs and EHR Modules.

The new theme and identity ”really captures the spirit of these combined efforts to boost national adoption of electronic health records and ensure success. The insignia will also help people easily identify and connect with official HITECH information, resources, programs, and partners,” wrote Communucations Director Peter Garrett on the Health IT Buzz blog on August 27, 2010. Now to the site map.


          Meaningful Use
          Certification Program
          Privacy and Security
          HITECH Programs
          On the Frontlines of Health Information Technology
               NEJM Articles: Dr. Blumenthal
                                             Dr. Benjamin
          Federal Advisory Committees

Top Banner Links
          Get email updates from ONC
          Follow ONC on Twitter

HITECH & FUNDING Opportunities
          Contract Opportunities
          Learn about HITECH
          HIT Extension Program — Regional Extension Centers Program
          Beacon Community Program

     State Health Information Exchange Cooperative Agreement Program
     Health Information Technology Extension Program
     Strategic Health IT Advanced Research Projects (SHARP) Program
     Community College Consortia to Educate HIT Professionals Program
     Curriculum Development Centers Program
     Program of Assistance for University-Based Training
     Competency Examination Program
     Beacon Community Program

                  (Meeting Calendar At-A-Glance)

HIT Policy Committee Meetings
          Meeting Webcast & Participation
Upcoming Meetings
Past Meetings
HIT Policy Committee Recommendations
HIT Policy Committee Workgroups
          Meaningful Use
          Information Exchange
          Nationwide Health Information Network (NHIN)
          Strategic Planning
          Privacy & Security Policy
          Privacy & Security Tiger Team
          Quality Measures

Health IT Standards Committee Meetings
          Meeting Webcast & Participation
Upcoming Meetings
Past Meetings
HIT Standards Committee Recommendations
HIT Standards Committee Workgroups
          Clinical Operations
          Clinical Quality
          Privacy & Security
          Vocabulary Task Force

           Meaningful Use
           Privacy and Security
           Standards and Certification
          State-Level Health Initiatives 
          Nationwide Health Information Network
          Federal Health Architecture
          Clinical Decision Support & the CDS Collaboratory
                 FACA Meeting Calendar
          Fact Sheets
          Federal Health IT Programs
          Technical Expert Workshops

         News Releases (2007 – Present)
         FACA Meeting Calendar
         Fact Sheets
         Federal Health IT Programs
         Technical Expert Workshops

          Coordinator’s Corner: Updates from Dr. Blumenthal
          Budget & Performance
          Contact ONC and Job Openings
#                             #                     #

For a review of the new look and feel of the ONC site, see an earlier post on e-Healthcare Marketing.

Privacy and Security Tiger Team’s Recommendations in Full Text

Health IT Policy Committee Approves Tiger Team Recommendations
Mary Mosquera reported in Government HealthIT reported on August 20, 2010
“The Health & Human Services Department Health IT Policy Committee endorsed a set of recommendations on when health care providers must obtain consent before exchanging patient heath records electronically with other clinicians, testing labs or health information exchange (HIE) networks.”

Here’s the full-text version of the Tiger Team’s recommendations to the Health IT Policy Committee, which the committee approved and sent on to the Office of the National Coordinator (ONC) for Health IT.
PDF Version
HTML Version below:

August 19, 2010

David Blumenthal, MD, MPP
Chair, HIT Policy Committee
U.S. Department of Health and Human Services
Washington, D.C. 20201

Dear Mr. Chairman:

An important strategic goal of the Office of the National Coordinator (ONC) is to build public trust and participation in health information technology (IT) and electronic health information exchange by incorporating effective privacy and security into every phase of health IT development, adoption, and use.

A Privacy and Security “Tiger Team,” formed under the auspices of the HIT Policy Committee, has met regularly and intensely since June to consider how to achieve important aspects of this goal.

The Tiger Team has focused on a set of targeted questions raised by the ONC regarding the exchange of personally identifiable health information required for doctors and hospitals to qualify for incentive payments under Stage I of the Electronic Health Records Incentives Program.

This letter details the Tiger Teamʼs initial set of draft recommendations for the HIT Policy Committeeʼs review and approval.

Throughout the process, the HIT Policy Committee has supported  the overall direction of the Tiger Teamʼs evolving recommendations, which have been discussed in presentations during regular Policy Committee meetings this summer. There has always been an understanding, however, that the Tiger Team would refine its work and compile a set of formal recommendations at the end of summer for the HIT Policy Committeeʼs final review and approval.

It bears repeating: The following recommendations apply to electronic exchange of patient identifiable health information among known entities to meet Stage I of “meaningful use — the requirements by which health care providers and hospitals will be eligible for financial incentives for using health information technology. This includes the exchange of information for treatment and care coordination, certain quality reporting to the Centers for Medicare & Medicaid Services (CMS), and certain public health reporting.

Additional work is needed to apply even this set of initial recommendations specifically to other exchange circumstances, such as exchanging data with patients and sharing information for research. We hope we will be able to address these and other key questions in the months to come.

Most importantly, the Tiger Team recommends an ongoing approach to privacy and security that is comprehensive and firmly guided by fair information practices, a well-established rubric in law and policy. We understand the need to address ad hoc questions within compressed implementation time frames, given the statutory deadlines of the EHR Incentives Program. However, ONC must apply the full set of fair information practices as an overarching framework to reach its goal of increasing public participation and trust in health IT.

Core Tiger Team Recommendation:
All entities involved in health information exchange – including providers (1)
and third party service providers like Health Information Organizations (HIOs) and other intermediaries – should follow the full complement of fair information practices when handling personally identifiable health information.

Fair information practices, or FIPs, form the basis of information laws and policies in the United States and globally. This overarching set of principles, when taken together, constitute good data stewardship and form a foundation of public trust in the collection, access, use, and disclosure of personal information.

We used the formulation of FIPs endorsed by the HIT Policy Committee and adopted by ONC in the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. (2)  The principles in the Nationwide Framework are:
(1) Our recommendations are intended to broadly apply to both individual and institutional providers.

            • Individual Access – Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format.           

            • Correction – Individuals should be provided with a timely means to dispute the  accuracy or integrity of their individually identifiable health information, and to have  erroneous information corrected or to have a dispute documented if their requests are denied.           

            • Openness and Transparency – There should be openness and transparency    about policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information.           

            • Individual Choice – Individuals should be provided a reasonable opportunity and  capability to make informed decisions about the collection, use, and disclosure of  their individually identifiable health information. (This is commonly referred to as the individualʼs right to consent to identifiable health information exchange.)          

            • Collection, Use, and Disclosure Limitation – Individually identifiable health      information should be collected, used, and/or disclosed only to the extent necessary         to accomplish a specified purpose(s) and never to discriminate inappropriately.           

            • Data Quality and Integrity – Persons and entities should take reasonable steps to         ensure that individually identifiable health information is complete, accurate, and up-    to-date to the extent necessary for the personʼs or entityʼs intended purposes and     has not been altered or destroyed in an unauthorized manner.          

            • Safeguards – Individually identifiable health information should be protected with           reasonable administrative, technical, and physical safeguards to ensure its  confidentiality, integrity, and availability and to prevent unauthorized or inappropriate   access, use, or disclosure.           

            • Accountability – These principles should be implemented, and adherence  assured, through appropriate monitoring and other means and methods should be in   place to report and mitigate non-adherence and breaches.

The concept of remedies or redress — policies formulated in advance to address situations where information is breached, used, or disclosed improperly — is not expressly set forth in this list (although it is implicit in the principle of accountability). As our work evolves toward a full complement of privacy policies and practices, we believe it will be important to further spell out remedies as an added component of FIPs.

We also note that in a digital environment, robust privacy and security policies should be bolstered by innovative technological solutions that can enhance our ability to protect information. This includes requiring that electronic record systems adopt adequate security protections (like encryption, audit trails, and access controls), but it also extends to decisions about infrastructure and how health information exchange will occur, as well as how consumer consents will be represented and implemented. The Tiger Teamʼs future work will need to address the role of technology in protecting privacy and security.


In addition to a firm embrace of FIPs, the Tiger Team offers the following set of Core Values to guide ONCʼs work to promote health information technology:

             • The relationship between the patient and his or her health care  provider isthe foundation for trust in health information exchange, particularly with  respect to protecting the confidentiality of personal health information.           

             • As key agents of trust for patients, providers are responsible for  maintaining the privacy and security of their patientsʼ records.           

              • We must consider patient needs and expectations. Patients should not  be surprised about or harmed by collections, uses, or disclosures of  their  information.Ultimately, to be successful in the use of health information exchange  to  improve health and health care, we need to earn the trust of both consumers    and physicians.


ONC has asked the Tiger Team for specific recommendations in the following areas:

            • Use of intermediaries or third party service providers in identifiable health  information exchange;

            • Trust framework to allow exchange among providers for purpose of treating  patients;

            • Ability of the patient to consent to participation in identifiable health information  exchange at a general level (i.e., yes or no), and how consent should be  implemented;

            • The ability of technology to support more granular patient consents (i.e., authorizing  exchange of specific pieces of information while excluding other records); and

            • Additional recommendations with respect to exchange for Stage I of Meaningful Use – treatment, quality reporting, and public health reporting.

All of our recommendations and deliberations have assumed that participating individuals and entities are in compliance with applicable federal and state privacy and security laws.

We evaluated these questions in light of FIPs and the core values discussed above.

1.    Policies Regarding the Use of Intermediaries/Third Party Service Providers/ Health Information Organizations (HIOs)

In the original deliberations of the Privacy and Security Work Group of the HIT Policy Committee, we concluded that directed exchange among a patientʼs treating providers – the sending of personally identifiable health information from “provider A to provider B” – is generally consistent with patient expectations and raises fewer privacy concerns, assuming that the information is sent securely.

However, the Tiger Team recognized that a number of exchange models currently in use are known to involve the use of intermediaries or third party organizations that offer valuable services to providers that often facilitate the effective exchange of identifiable health information (“third party service organizations”). A common example of a third party service organization is a Health Information Organization (HIO) (as distinguished from the term “health information exchange” (HIE), which can be used to refer to information exchange as a verb or a noun.) The exposure of a patientʼs personally identifiable health information to third party service organization raises risk of disclosure and misuse, particularly in the absence of clear policies regarding that organizationʼs right to store, use, manipulate, re-use or re-disclose information.

Our recommendations below regarding third party service organizations aim to address the following fair information practices:           

             Individual Access
✔        Openness and Transparency 
            Individual Choice
✔        Collection, Use, and Disclosure Limitation
Data Quality and Integrity Safeguards
✔        Accountability

Tiger Team Recommendation 1: With respect to third-party service organizations:

                    Collection, Use and Disclosure Limitation: Third party service organizations   may not collect, use or disclose personally identifiable health information for   any purpose other than to provide the services specified in the business   associate or service agreement with the data provider, and necessary  administrative functions, or as required by law.

                      Time limitation: Third party service organizations may retain personally identifiable health information only for as long as reasonably necessary to  perform the functions specified in the business associate or service agreement  with the data provider, and necessary administrative functions.

                        Retention policies for personally identifiable health information must be established,   clearly disclosed to customers, and overseen. Such data must besecurely returned or destroyed at the end of the specified retention period, according to established NIST standards and conditions set forth in the business associate or service agreement.

                      Openness and transparency: Third party service organizations should be obligated to disclose in their business associate or service agreements with  their customers how they use and disclose information, including without   limitation their use and disclosure of de-identified data, their retention policies   and procedures, and their data security practices.(3)

            • Accountability: When such third party service organizations have access to  personally identifiable health information, they must execute and be bound by  business associate agreements under the Health Insurance Portability and   Accountability Act regulations (HIPAA). (4) However, itʼs not clear that those agreements have historically been sufficiently effective in limiting a third-partyʼs use or disclosure of identifiable information, or in providing the required transparency.

               • While significant strides have been made to clarify how business associates  may access, use and disclose information received from a covered entity, business associate agreements, by themselves, do  not address the full complement of governance issues, including oversight,
(3) This is the sole recommendation in this letter that also applies to data that qualifies as de-identified under HIPAA. The “Tiger Team” intends to take up de-identified data in a more comprehensive way in subsequent months.
(4)  45 CFR 164.504(e).
accountability, and enforcement. We recommend that the HIT Policy  Committee oversee further work on these governance issues.

2. Trust Framework For Exchange Among Providers for Treatment

The issue of provider identity and authentication is at the heart of even the most basic exchange of personally identifiable health information among providers for purposes of a patientʼs treatment. To an acceptable level of accuracy, Provider A must be assured that the information intended for provider B is in fact being sent to provider B; that providers on both ends of the transaction have a treatment relationship with the subject of the information; and that both ends are complying with baseline privacy and security policies, including applicable law.

Our recommendations below regarding trusted credentialing aim to address the following fair information practices:
Individual Access Correction
✔        Openness and Transparency 
            Individual Choice Collection, Use, and Disclosure Limitation
✔        Data Quality and Integrity 
✔        Accountability

 Tiger Team Recommendation 2.1:

            • Accountability: The responsibility for maintaining the privacy and security of        a patientʼs record rests with the patientʼs providers, who may delegate    functions such as issuing digital credentials or verifying provider identity, as  long as such delegation maintains this trust.  

                        o To provide physicians, hospitals, and the public with an acceptable  level of accuracy and assurance that this credentialing responsibility is  being delegated to a “trustworthy” organization, the federal government   (ONC) has a role in establishing and enforcing clear requirements about     the credentialing process, which must include a requirement to validate   the identity of the organization or individual requesting a credential.

                         o State governments can, at their option, also provide additional rules  for credentialing service providers so long as they meet minimum  federal requirements.  

We believe further work is necessary to develop policies defining the appropriate level of assurance for credentialing functions, and we hope to turn to this work in the fall. A trust framework for provider-to-provider exchange also must provide guidance on acceptable levels of accuracy for determining whether both the sending and receiving provider each have a treatment relationship with the person who is the subject of the information being exchanged. Further, the trust framework should require transparency as to whether both senders and recipients are subject to baseline privacy and security policies. We offer the following recommendations on these points:

Tiger Team Recommendation 2.2:  

Openness and transparency: The requesting provider, at a minimum, should provide attestation of his or her treatment relationship with the individual who is subject of the health information exchange.  

Accountability: Providers who exchange personally identifiable health information should comply with applicable state and federal privacy and security rules. If a provider is not a HIPAA-covered entity or business associate, mechanisms to secure enforcement and accountability may include:  

o Meaningful user criteria that require agreement to comply with the HIPAA Privacy and Security Rules;  

o NHIN conditions of participation;  

o Federal funding conditions for other ONC and CMS programs; and  

o Contracts/Business Associate agreements that hold all participants to HIPAA, state laws, and any other policy requirements (such as those that might be established as the terms of participation).

Openness and transparency: Requesting providers who are not covered by HIPAA should disclose this to the disclosing provider before patient information is exchanged.  

3.    Right of the patient or provider to consent to identifiable health information       exchange at a general level — and how are such consents implemented

The Tiger Team was asked to examine the role that one of the fair information practices – individual choice or patient consent – should play in health information exchange. The recommendations cover the role of consent in directed exchange, triggers for when patient consent should be required (beyond what may already be required by law), the form of consent, and how consent is implemented. We also set forth recommendations on whether providers should be required to participate in certain forms of exchange. We must emphasize that looking at one element of FIPs in isolation is not optimal and our deliberations have assumed strong policies and practices in the other elements of FIPs required to support the role of individual consent in protecting privacy. 

            Our recommendations below regarding patient consent aim to address the following fair information practices:

            Individual Access 
            Openness and Transparency
✔        Individual Choice
Collection, Use, and Disclosure Limitation
 Data Quality and Integrity  

 A.   Consent and Directed Exchange

 Tiger Team Recommendation 3.1:

            • Assuming FIPs are followed, directed exchange for treatment does not  require patient consent beyond what is required in current law or what has been customary practice.

 Our recommendation about directed exchange is not intended to change the patient-provider relationship or the importance of the providerʼs judgment in evaluating which parts of the patient record are appropriate to exchange for a given purpose. The same considerations and customary practices that apply to paper or fax exchange of patient health information should apply to direct electronic exchange. As always, providers should be prepared and willing to discuss with patients how their information is disclosed; to take into account patientsʼ concerns for privacy; and also ensure the patient understands the information the receiving provider or clinician will likely need in order to provide safe, effective care.

B. Trigger for Additional Patient Consent
     Tiger Team Recommendation 3.2: 

      •     When the decision to disclose or exchange the patientʼs identifiable health  information from the providerʼs record is not in the control of the provider or  that providerʼs organized health care arrangement (“OHCA”), (5) patients   should be able to exercise meaningful consent to their participation. ONC    should promote this policy through all of its levers.  

            •   Examples of this include:  

                        o A health information organization operates as a centralized model, which retains identifiable patient data and makes that information available to other parties.  

                        o A health information organization operates as a federated model and                                 exercises control over the ability to access individual patient data.            

                        o Information is aggregated outside the auspices of the provider or OHCA and comingled with information about the patient from other    sources.
Organized health care arrangement (45 CFR 160.103) means: (1) A clinically integrated care setting in which individuals typically receive health care from more than one health care provider; (2) An organized system of health care in which more than one covered entity participates and in which the participating covered entities: (i) Hold themselves out to the public as participating in a joint arrangement; and (ii) Participate in joint activities that include at least one of the following: (A) Utilization review, in which health care decisions by participating covered entities are reviewed by other participating covered entities or by a third party on their behalf; (B) Quality assessment and improvement activities, in which treatment provided by participating covered entities is assessed by other participating covered entities or by a third party on their behalf; or (C) Payment activities, if the financial risk for delivering health care is shared, in part or in whole, by participating covered entities through the joint arrangement and if protected health information created or received by a covered entity is reviewed by other participating covered entities or by a third party on their behalf for the purpose of administering the sharing of financial risk. [provisions applicable to health plans omitted]

             • As we have noted previously, the above recommendation on consent applies  to Stage 1 Meaningful Use (thus, if consent applies, it applies to exchange for    treatment). We will need to consider potential additional triggers when we start  to discuss exchange beyond Stage One of Meaningful Use.  

            An important feature of meaningful consent criteria, outlined further below, is  that the patient be provided with an opportunity to give meaningful consent    before the provider releases control over exchange decisions. If the patient does not consent to participate in an HIO model that “triggers” consent, the   provider should, alternatively, exchange information through directed    exchange. There are some HIOs that offer multiple services. The provider may still contract with an HIO to facilitate directed exchange as long as the      arrangement meets the requirements of recommendation 1 of this letter.

C. Form of Consent

Consent in our discussions refers to the process of obtaining permission from an individual to collect, use or disclose her personal information for specified purposes. It is also an opportunity to educate consumers about the decision, its potential benefits, its boundaries, and its risks.

While the debate about consent often devolves into a singularly faceted discussion of opt-in or opt-out, we have come to the conclusion that both opt-in and opt-out can be implemented in ways that fail to permit the patient to give meaningful consent. For example, consider the case in which patients are provided with opt-in consent, but the exercise of consent and education about it are limited – the registration desk provides the patient with a form that broadly describes all HIO uses and disclosures and the patient is asked to check a box and consent to all of it. As another example, consider the case in which patients have a right to opt-out – but the patient is not provided with time to make the decision and information about the right or how to exercise it can only be found in a poster in the providerʼs waiting room or on a page of the HIOʼs website. It would jeopardize the consumer trust necessary for HIOs to succeed to simply provide guidance to use “opt-in” or “opt-out” without providing additional guidance to assure that the consent is meaningful.

Tiger Team Recommendation 3.3: Meaningful Consent Guidance When Trigger Appliesʼs consent is “triggered,” such consent must be meaningful (6) in that it:

In a circumstance where patient

            Allows the individual advanced knowledge/time to make a decision. (e.g., outside of the urgent need for care.)          

            • Is not compelled, or is not used for discriminatory purposes. (e.g., consent to participate in a centralized HIO model or a federated HIO model is not a  condition of receiving necessary medical services.)

            • Provides full transparency and education. (i.e., the individual gets a clear   explanation of the choice and its consequences, in consumer-friendly language that is conspicuous at the decision-making moment.)

            • Is commensurate with the circumstances. (I.e., the more sensitive, personally  exposing, or inscrutable the activity, the more specific the consent   mechanism. Activities that depart significantly from patient reasonable    expectations require greater degree of education, time to make decision,  opportunity to discuss with provider, etc.)

            • Must be consistent with reasonable patient expectations for privacy, health, and safety; and

            • Must be revocable. (i.e., patients should have the ability to change their consent preferences at any time. It should be clearly explained whether such    changes can apply retroactively to data copies already exchanged, or whether  they apply only “going forward.”)

 D. Consent Implementation Guidance

Further considerations for implementation includes the following guidance:

Tiger Team Recommendation 3.4 :

            • Based on our core values, the person who has the direct, treating    relationship with the individual, in most cases the patientʼs provider, holds the    trust relationship and is responsible for educating and discussing with
 patients about how information is shared and with whom.            • Such education should include the elements required for meaningful choice, as well as understanding of the “trigger” for consent (i.e., how information is being accessed, used and disclosed).            • The federal government has a significant role to play and a responsibility to educate providers and the public (exercised through policy levers).            • ONC, regional extension centers, and health information organizations  should provide resources to providers, model consent language, and educational materials to demonstrate and implement meaningful choice. HIOs  should also be transparent about their functions/operations to both providers  and patients.            • The provider/provider entity is responsible for obtaining and keeping track of  patient consent (with respect to contribution of information from their records.) However, the provider may delegate the management/administrative functions to a third party (such as an HIO), with appropriate oversight.The Tiger Team was asked whether providers should have a choice about participating in exchange models.

E. Provider Consent to Participate in Exchange

Tiger Team Recommendation 3.5: Yes! Based on the context of Stage I Meaningful Use, which is a voluntary program, ONC is not requiring providers to participate in any particular health information exchange.Our recommendations below regarding granular consent aim to address the           following fair information practices:Individual Access                  
                        Openness and Transparency
✔        Individual Choice
Collection, Use, and Disclosure Limitation
                        Data Quality and Integrity
In making recommendations about granular consent and sensitive data, we have the following observations:

4. The current ability of technology to support more granular patient consents.

            • All health information is sensitive, and what patients deem to be sensitive is likely to be dependent on their own circumstances.

            • However, the law recognizes some categories of data as being more sensitive than others.            

            • Unless otherwise required by law and consistent with our previous recommendation 3.1, with respect to directed exchange for treatment, the presence of sensitive data  in the information being exchanged does not trigger an additional requirement to  obtain the patientʼs consent in the course of treating a patient.

            • Our recommendations on consent do not make any assumptions about the capacity for an individual to exercise granular control over their information. But since this capability is emerging and its certainly fulfills the aspiration of individual control, we  sought to understand the issue in greater depth.

            • The Tiger Team considered previous NVHS letters and received a presentation of  current NCVHS efforts on sensitive data. We also held a hearing on this topic to try to understand whether and how current EHR technology supports the ability for patients to make more granular decisions on consent – in particular, to give consent to the providers to transmit only certain parts of their medical record.

            • We learned that many EHR systems have the capability to suppress psychotherapy notes (narrative). We also learned that some vendors offer the individual the ability to suppress specific codes. We believe this is promising. With greater use and demand, this approach could possibly drive further innovations.

            • We also note, however, that the majority of witnesses with direct experience in    offering patients the opportunity for more granular control indicated that most patients (7) agreed to the use of their information generally and did not exercise   granular consent options when offered the opportunity to do so. The Tiger Team also learned that the filtering methodologies are still evolving and improving, but that challenges remain,
(7) Witnesses offered estimates of greater than 90%.
 particularly in creating filters that can remove any associated or related information  not traditionally codified in standard or structured ways.

            • While it is common for filtering to be applied to some classes of information by commercial applications based on contractual or legal requirements, we understand that most of the commercial EHR systems today do not provide this filtering capability at the individual patient level. There are some that have the capability to allow the user to set access controls by episode of care/encounter/location of  encounter, but assuring the suppression of all information generated from a particular episode (such as prescription information) is challenging.

            • Preventing what may be a downstream clinical inference is clearly a remaining   challenge and beyond the state of the art today. Even with the best filtering it is hard to guarantee against “leaks.”

            • The Tiger Team believes that methodologies and technologies that provide filtering capability are important in advancing trust and should be further explored. There are several efforts currently being piloted in various stages of development. We believe   communicating with patients about these capabilities today still requires a degree of  caution and should not be over sold as fail-proof, particularly in light of the reality of             downstream inferences and the current state of the art with respect to free text.    Further, communicating to patients the potential implications of fine-grained filtering  on care quality remains a challenge.

            • We acknowledge that even in the absence of these technologies, in very sensitive cases there are instances where a completely separate record may be maintained and not released (abortion, substance abuse treatment, for example). It is likely that  these practices will continue in ways that meet the expectations and needs of  providers and patients.

            • In our ongoing deliberations, we discussed the notion of consent being bound to the data such that it follows the information as it flows across entities. We know of no    successful large-scale implementation of this concept in any other sector (in that it achieved the desired objective), including in the case of digital rights management   (DRM) for music. Nonetheless, we understand that work is being done in this emerging area of technology, including by standards organizations.

            • While popular social networking sites are exploring allowing users more granular control (such as Facebook), the ability of individuals to exercise this capability as     intended is still unclear.(8) In addition, the data that
(8) See  and .

                        populates a Facebook account is under the userʼs control and the user has unilateral access to it. Health data is generated and stored by myriad of entities in addition to the patient.

            • Even the best models of PHRs or medical record banks provide individuals with control over copies of the individualʼs information. They do not provide control over the copy of the information under the providerʼs control or that is generated as a part of providing care to the patient. They also do not control the flow of information once    the patient has released it or allowed another entity to have access to it.

            • Discussions about possible or potential future solutions were plentiful in our deliberations. But the Tiger Team believes that solutions must be generated out of  further innovation and, critically, testing of implementation experience.

            • The Tiger Team also considered previous NCVHS letters and received a presentation of current NCVHS efforts on sensitive data.

            • The Tiger Team therefore asked whether and what actions ONC might take to stimulate innovation and generate more experience about how best to enable patients to make more granular  consent decisions.

Tiger Team Recommendation 4: Granular ConsentThe technology for supporting more granular patient consent is promising  but is still in the early stages of development and adoption. Furthering   experience and stimulating innovation for granular consent are needed.This is an area that should be a priority for ONC to explore further, with a wide vision for possible approaches to providing patients more granular  control over the exchange and use of their identifiable health information, while also considering implications for quality of care and patient safety, patient educational needs, and operational implications.The goal in any related endeavor that ONC undertakes should not be a search for possible or theoretical solutions but rather to find evidence (such as through pilots) for models that have been implemented successfully and in   ways that can be demonstrated to be used by patients and fulfill their expectations. ONC and its policy advising bodies should be tracking this issue in an ongoing way and seeking lessons learned from the field as health information exchange matures.

            • In the interim, and in situations where these technical capabilities are being developed and not uniformly applied, patient education is  paramount: Patients must understand the implications of their decisions and the extent to which their requests can be honored, and we  encourage setting realistic expectations. This education has implications for providers but also for HIOs and government.                       Our additional recommendations below regarding Stage 1 of Meaningful Use aim to address the following fair information practices:
Individual Access
                        Openness and Transparency
✔        Individual Choice
✔        Collection, Use, and Disclosure Limitation
Data Quality and Integrity
Tiger Team Recommendation 5:

5. Exchange for Stage 1 of Meaningful Use – Treatment, Quality reporting, Public health reporting

                      • Individual Consent: The exchange of identifiable health information for “treatment” should be limited to treatment of the individual who is the subject of the information, unless the provider has the consent of the subject individual to access, use, exchange or disclose his or her  information to treat others. (We note that this recommendation may  need to be further refined to ensure the appropriate care of infants or  children when a parentʼs or other family members information is needed to provide treatment and it is not possible or practical to obtain even a general oral assent to use a parentʼs information.)Collection, Use and Disclosure Limitation: Public health reporting by providers (or HIOs acting on their behalf) should take place using the least amount of identifiable data necessary to fulfill the lawful public  health purpose for which the information is being sought. Providers   should account for disclosure per existing law. More sensitive identifiable data should be subject to higher levels of protection.  
                        o In cases where the law requires the reporting of identifiable data (or where identifiable data is needed to accomplish the  lawful public health purpose for which the information is sought),                                    identifiable data may be sent. Techniques that avoid identification, including pseudonymization, should be considered, as appropriate.

            • Collection, use and Disclosure Limitation: Quality data reporting by providers (or HIOs acting on their behalf) should take place using the least amount of identifiable data necessary to fulfill the purpose for which the information is being sought. Providers should account for disclosure. More  sensitive identifiable data should be subject to higher levels of protection.

            • The provider is responsible for disclosures from records under its control, but    may delegate lawful quality or public health reporting to an HIO (pursuant to a business associate agreement) to perform on the  providerʼs behalf; such delegation may be on a “per request” basis or  may be a more general delegation to respond to all lawful requests.


The foregoing recommendations were targeted to address set of questions raised by ONC. They should not be taken as the definitive or final word on privacy and security and health IT/health information exchange; they are instead a set of concrete steps that the Tiger Team believes are critical to establishing and maintaining trust. As we have said from the outset, these recommendations can only deliver the trust necessary when they are combined with the full implementation of all the FIPs. Only a systemic and comprehensive approach to privacy and security can achieve confidence among the public. In particular, our recommendations do not address directly the need to also establish individual access, correction and safeguards capabilities, and we recommend these be considered closely in the very near future, in conjunction with a further detailed assessment of how the other FIPs are being implemented.

We look forward to continuing to work on these issues.

Deven McGraw Chair
Paul Egerman Co-Chair

Appendix A—Tiger Team Members
Deven McGraw, Chair, Center for Democracy & Technology
Paul Egerman, Co-Chair
Dixie Baker, SAIC
Rachel Block, NYS Department of Health
Carol Diamond, Markle Foundation
Judy Faulkner, EPIC Systems Corp.
Gayle Harrell, Consumer Representative/Florida
John Houston, University of Pittsburgh Medical Center; NCVHS
David Lansky, Pacific Business Group on Health
David McCallie, Cerner Corp.
Wes Rishel, Gartner
Latanya Sweeney, Carnegie Mellon University
Micky Tripathi, Massachusetts eHealth Collaborative

Patient Care Summary Exchange: State HIE Conference Call

ONC’s State HIE Technical Assistance Webinar:
Patient Care Summary Exchange and Meaningful Use
August 6, 2010
Excerpted from the State HIE Leadership Forum/Presentations and Webinars Page on August 11, 2010
Slide Set PDF

The audio (and appears to have been presented in teleconference audio format only) starts out talking about “meaningful use” since  the focus is on the exchange of  Patient Care Summaries and Stage 1 of Meaningful Use. It  includes a discussion about the Continuity of Care Record (CCR) and the newer Continuity of Care Document (CCD); NHIN direct and NHIN Exchange; and several case studies presented by the people involved (NEHEN in Massachussetts; MedVirginia in Virginia, NHIN, and Social Security Administration; KHIE in Kentucky; and Rhode Island HIE and NHIN Direct).

Excerpts selected from slides:
Care Summaries & Stage 1 Meaningful Use
Based on the Meaningful Use Final Rule, “eligible professional, eligible hospital or CAH who transitions or refers their patient to another setting of care or provider of care provides a summary of care record for more than 50% of transitions of care and referrals.”

–Core requirement is to perform at least one test of EHR’s capacity ot electronically exchange information.
–To fulfill menu set requirement, EHR must enable a user to electronically transmit a patient summary record to other providers and organizations including
        –at a minmum, diagnostic test results, problem list, medication list, and a medication allergy list
       –uses HL7 CCD or ASTM CCR

Stage 1 Meaningful Use Objectives that might require sharing of a CCD/CCR:
–Provide patients with an electronic copy of their health information upon request
–Provide a clinical summary for each visit
–Exchange clinical information electronically with other providers and patient authorized entities
–Provide summary care record for each transition of care and referral
–Provide patients with an electronic copy of their discharge instructions and procedures
–Other MU requirements could use clinical documents (e.g. lab results, public health reporting)

Initial Set of Standards
–Requires clinical summaries for patients for each office visit in “human readable” format  and on electronic media
–Clinical summary can (be) either HITSP C32-compliant CCD or ASTM CCR
–Why 2 standards?
            — CCD growing in popularity
            — CCR still in use, especially among early adopters
            — In some circumstances the CCR is easier, faster, and requires fewer resources to implement than the CCD
             — Electronic exchange not required in Stage 1, so why make anyone migrate now from one format to the other?

NHIN Specifications
–Both NHIN Exchaneg and NHIN Direct offers means to transport clinical summaries
–Both mechanisms support Stage 1 Meaningful Use
–Both rely on standards for effective communication
–NHIN Exchange offers the means for transporting care summaries; relies on more spohisticated technology, most suitable when participants do not necesssarily know each other personally
–NHIN Direct offers specifications that enable transport of care summaries; relies on simpler technology, most suitable when participants know each other personally and have a data exchange relationship
–Many states are interested in supporting both models for different workflows.

State HIE Strategies
–Can take several forms, just like statewide HIE can take several forms
–Requires some elements of policy, some elements of infrastructure
–Use data from environmental scan to understand current situation, capabilities, pilots, including other relevant states
–Work with RECs to develop consistent message and appropriate capabilities; rely on their services
–Insist on common terminology and coding
–Keep EHR system vendors’ feet to the fire in implementing capabilities “in the field”
–Recognize that manysites are still using HL7 v2 messages
–Provide HIE services to support care summaries
         –Full services like RLS, MPI, directory, IHE XCA
         –Enabling service for NHIN Direct like provider directory
–Consider the impact of the availability of many clinical documents when exchange is successful

Data Aggregation and Data Content issues to be considered are highlighted.