HIE Trust Framework: Essential Components for Trust;
NHIN Workgroup of HIT Policy Committee
Presentation with slides were made at Health IT Policy Committee on April 21, 2010 by David Lansky, Chair of NHIN Workgroup and Farzad Mostashari of ONC. The slides have been converted to html for your viewing.
PDF Version
Discussion Topics
–Recommendations for a national-level HIE Trust Framework
–HIE trust framework is applied to a directed push model
–Implications of third parties supporting aspects of the HIE trust framework
NHIN Workgroup Recommendation (Feb. 2010)
Role of Government
–Establish and maintain a framework of trust, including ensuring adequate privacy and security protections to enable electronic health information exchange.
–Create structures/incentives to enable information exchange where trust or necessary standards / services do not exist.
–Limit intervention where information exchange with providers currently exists – to the extent possible.
–Create incentives to improve interoperability, privacy and security of information exchange.
–Support real-world testing and validation of the services and specifications to verify scalability on a nationwide basis.
HIE Trust Framework: Findings
–There is a need for a national-level trust framework to promote the electronic exchange of health information:
–Provides a tool for understanding how trust may be implemented across a broad range of uses and scenarios
–Addresses need for adequate privacy and security protections
–Articulates the common elements required for exchange partners to have confidence in health information exchange (HIE)
•Recognizes that implementation of the framework will vary depending upon various factors (e.g., exchange partners, information, purpose, etc.)
–Supports interoperability from a policy perspective –Considers lessons learned from existing HIE activities
HIE Trust Framework: Recommendation
–Adopt an overarching trust framework at the national level to enable health information exchange that includes these essential elements:
–Agreed Upon Business, Policy and Legal Requirements / Expectations
–Transparent Oversight –Accountability and Enforcement
–Identity and Authentication –Minimum Technical Requirements
–All five components needed to support trust, but individually may not be sufficient.
HIE Trust Framework:
Essential Components for Trust
•Agreed Upon Business, Policy and Legal Requirements: All participants will abide by an agreed upon a set of rules, including compliance with applicable law, and act in a way that protects the privacy and security of the information.
•Transparent Oversight: Oversight of the exchange activities to assure compliance. Oversight should be as transparent as possible.
•Accountability and Enforcement: Each participant must accept responsibility for its exchange activities and answer for adverse consequences.
•Validation of Exchange Partners & Identities: All participants need to be confident they are exchanging information with whom they intend and that this is verified as part of the information exchange activities.
•Technical Requirements: All participants agree to comply with some minimum technical requirements necessary for the exchange to occur reliably and securely.
1. Agreed Upon Business, Policy and Legal Requirements
Agreed upon and mutually understood set of expectations, obligations, policies and rules around how partners will use, protect and disclose health information in general and their exchange-related activities specifically (not necessarily top-down regulation).
–Built upon existing applicable law, including HIPAA and federal and state law.
–Requires participants to act in a way that protects privacy and security of the information.
–Varies depending upon context – e.g., type of exchange, parties involved (including relationship of partners), purposes for which data are exchanged (including secondary and future use), etc.
Value as a Factor for Reinforcing Trust
Compliance with the trust framework is necessary in order to realize value of exchange
–Value of exchange creates incentive to participate in information sharing; –Obligation to abide by and continue complying with trust requirements in order to continue realizing that value;
–Knowing that one’s exchange partners see value in the exchange provides some assurance that they will continue to comply;
–Other elements address specific aspects to promote trust.
2. Transparency and Oversight
“Oversight” is intended to mean management, maintenance, supervision, and monitoring of the trust relationship and exchange activities.
There should be as much transparency as possible in:
–The oversight mechanisms employed to protect the information; and
–The oversight process and results, including findings and consequences. (Some oversight, e.g., governmental oversight, may not be entirely transparent.)
–The nature of oversight and the mechanisms used will depend upon exchange model, the parties involved, and the needs the exchange partners identify.
–Oversight will operate at multiple levels (e.g., parties to the exchange, individual subject of the information, third parties, government, etc.)
–Oversight should make that even with the trust framework and mechanisms in place, that there is no guarantee of privacy and security.
3. Enforcement and Accountability
Each exchange partner is accountable for its exchange activities and must be prepared to answer at multiple levels. For example:
–Individual subjects of the exchanged information;
–Other participants in the exchange;
–Third parties providing enabling functions; –Certifiers / accrediting bodies; –Governmental entities.
–Methods for confirming, detecting and enforcing compliance may vary (e.g., self-certification, self-attestation, trust enabling organization, etc.)
–Specific mechanisms and business rules may vary based upon context.
–May include enforcement of penalties for failing to uphold commitments to conduct activities as a trusted exchange partner and, if appropriate, redress for those harmed by such failure.
Common desire to avoid these consequences gives each exchange partner some comfort that all other exchange partners will uphold their commitments.
4. Identity and Authentication
–Exchange partners will not exchange information with just anyone. Each has to be confident they are exchanging information with whom they intend to exchange information and that the other partner is trustworthy.
–Each exchange partner therefore validates (and maintains an audit log of) the identity of those with whom it exchanges information.
==Validation of parties to the exchange can occur in a number of ways (e.g., using identity proofing and digital credentials to validate authorized members of a network).
5. Minimum Technical Requirements
In all exchanges, partners have to adhere to technical standards to support the privacy and security requirements of the trust framework.
–Technical requirements for the exchange could include measures designed to ensure that data received have been unaltered during transit.
–Non-compliance with technical requirements for secure transport will prevent an exchange from occurring, but may not always be visible.
Trust Enabling Functions Applied to Directed Push of Information Scenario
Agreed upon business, policy and legal requirements
–Based upon applicable law and expectation that privacy and security of the information will be protected
–Additional policies relating to use of data by enabling organizations (e.g., metadata or data content)
–Informal social contract if EHR-to-EHR without use of a third party;
–Formal agreements may be required if there is a third party involved in supporting aspects of trust framework, such as:
•Between a healthcare provider organization and a third party that performs or supports part of the trust framework for that provider (e.g., secure routing, identity services) or provider directory services.
•Between a healthcare provider organization and a third party that offers other HIE services, such as secure messaging, translation, data aggregation, etc.;
•Between healthcare provider organization and its end users.
Trust Enabling Functions – Applied to Directed Push of Information
Transparency and Oversight
–Patient and exchange partners oversee and monitor to ensure exchange occurs. –Governmental oversight of compliance with laws (e.g., HIPAA).
–There is a governmental role regarding the performance of identity assurance and routing functions.
–That oversight must include transparency to foster accountability of the enabling functions.
–A third party that provides trust enabling functions may also play a role in oversight.
Enforcement and Accountability
–Exchange partners are accountable to each other, patient and governmental agencies.
–Third parties that support trust enabling functions should also be accountable.
–One consequence for failing to uphold commitments to comply with the minimum requirements and code of conduct is termination of the exchange relationship between the parties.
–Other consequences could include legal implications (e.g., if breach of formal contract), liability, redress for harm, etc.)
Identity and Authentication
–Identities of exchange partners and/or users validated by provider organization or third party identity service provider; other participants rely upon this.
Minimum Technical Requirements
–Meaningful use certification criteria (e.g., secure transport, etc.)
–The ability to look up and locate a provider’s electronic address
–The ability to securely route information to the provider’s electronic address, which could occur:
•EHR to EHR or Lab to HER
•EHR to PHR
•EHR to EHR using a third party’s routing services;
•EHR to EHR using third party services (e.g. registry services, provider directories, identity services, etc.);
•EHR to EHR using other HIE services (e.g., HIOs, PHRs, eprescribing networks, secure messaging, EHR-specific networks, etc.)