The move toward the creation of a nationwide health information exchange (HIEs) and related state HIEs took another step forward when the Health Information Technology Policy Committee's National Health Information Network (NHIN) workgroup met in December to discuss developing best practices for a standards-based exchange of health information, drafting security policies to support the HIE framework and generate "push" criteria to move patient data between providers.
When Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996, the law was designed "to protect health information by establishing transaction standards for the exchange of health information, security standards, and privacy standards for the use and disclosure of individually identifiable health information." In response, the electronic medical records (EMR) industry developed electronic audit trails and borrowed the term "break glass," common in commercial fire alarm systems, to define emergency access to a patient's EMR.
EMR technology leaders such as Epic, Allscript, GE Healthcare, and Microsoft Sentillion, have break glass policies in their software. But break glass works only within affiliated healthcare networks, hospitals or physician practices that use the same EMR vendor. This single-vendor approach is inadequate to protect confidential patient information across multi-vendor, state- and nationwide HIEs. In fact, Allscript currently is the only EMR developer that contractually guarantees its system will meet future Federal certification requirements.
Push - or proactive - criteria require provider credentialing and digital authentication. The NHIN workgroup is considering two means of provider credentialing: To build Federal directories of medical providers and organizations, and to identify commercial and/or non-profit directories already in-use. The workgroup meeting included testimony from industry leaders in the directories services business - including Surescripts, the Council for Affordable Healthcare, the Federation of State and Medical Boards, and the Social Securities Administration. Speakers identified their concerns about the possible complexity of provider-credentialing and digital authentication.
Multiple authentication challenges: An example of the obstacles facing the NHIN workgroup is digital authentication for e-Prescribing. Under HIPAA, the pharmacy industry completed the transition in 2008 to a National Provider Identifier (NPI). However, the U.S. National Institutes of Health (NIH) reports that pharmacies have been waiting for Drug Enforcement Administration (DEA) approval of e-prescribing of controlled substances, such as OxyContin, Ritalin and Valium. A green light from the DEA would be a catalyst for physicians and pharmacies to move to electronic prescribing. But the industry is concerned the DEA will create a separate electronic authentication directory for these and other controlled substances.
Credentialing Process: Medical providers and organizations exchange patient information under contractual "data use and reciprocal" agreements. Within affiliated healthcare networks, hospitals and physician practices this is an addendum to existing contracts and is based on the the U.S. Department of Health and Human Services standardized Data Use and Reciprocal Support Agreement (DURSA). The Council for Affordable Quality Healthcare (CAQH), a provider credentialing database, recommended that the NHIN workgroup refine DURSA to allow data-sharing through a state- and nationwide healthcare information exchange framework.
CAQH also presented other guidelines to the workgroup. The council recommended that NHIN avoid reinventing the wheel to assure a minimal learning curve and a minor investment in technology. It also suggested the workgroup provide ongoing data quality improvements; integrate multi-state licensing and sanctions-monitoring; include key provider associations, and serve as a "trusted source" for all participating stakeholders.