Thursday, April 4, 2013

Exemplar HIE Governance Entities Announced

In the fall of 2012 the ONC decided that now is not the time for regulations on health information exchange governance. Instead, it chose an approach meant to define and implement nationwide trusted exchange with greater agility, working collaboratively with the private market. On December 20, 2012 ONC released the Exemplar Health Information Exchange Governance Entities Program Funding Opportunity Announcement. Two organizations have now been awarded a cooperative agreement by the ONC to participate in the program. This work will support and advance the efforts of these existing governance entities, which will benefit consumers and providers by allowing health information to flow securely between unaffiliated healthcare organizations.

DirectTrust (I am a member of the Board of Directors of DirectTrust) is one of the awardees in the program. They will work with ONC to develop and adopt policies, interoperability requirements and business practices that align with national priorities, overcome EHR interoperability challenges, reduce implementation costs for providers and patients, and assure the privacy and security of health information exchange. DirectTrust will work with ONC to implement the technical mechanism and process for trust anchor exchange, making Directed exchange across vendor boundaries easier, and to develop and implement a federated agreement among accredited participants that avoids the need for one-to-one legal agreements. They will also continue development of the national accreditation program for health information service providers (HISPs), certificate authorities (CAs), and registration authorities (RAs) that act as trusted agents on behalf of users of Directed exchange. The accreditation program, launched in November 2012 in partnership with the Electronic Healthcare Network Accreditation Commission (EHNAC), is targeted to achieve wide-scale participation by the end of 2013.

"The work that will be done by DirectTrust will be crucial in promoting good governance practices and enhancing the exchange of patients’ health information," said ONC’s Claudia Williams, program director, State Health Information Exchange Program. "I encourage ONC grantees, vendors, providers and health information exchange initiatives to work closely with DirectTrust in an effort that will help to improve the care and health of patients."

The New York eHealth Collaborative (NYeC) will also participate in the Exemplar HIE Governance Program on behalf of the EHR/HIE Interoperability Workgroup (IWG). In partnership with the ONC the workgroup will continue its efforts in developing robust implementation specifications for ‘plug and play’ interoperability. The IWG will attempt to address the implementation challenges facing the exchange of health information including patient matching and querying provider directories. The IWG recently selected the Certification Commission for Health Information Technology (CCHIT) to carry out compliance testing against the workgroup’s agreed upon specifications. "We are thrilled that the ONC has recognized the significant contributions of the EHR/HIE Interoperability Workgroup in driving the development and implementation of plug and play exchange standards," said Dave Whitlinger, Executive Director of the New York eHealth Collaborative.

  1. On their announcement call today, ONC makes the point of avoiding HIE regulation by using this mechanism, but to a patient advocate they seem to be replacing open regulatory debate and open standards processes with sponsorships of closed governance schemes designed to exclude patients and bypass the open standards process., CommonWell and Epic all share this closed governance characteristic.

    We've had "directed exchange" among providers for decades. It's called Fax. The DirectTrust model is analogous and, as currently envisioned, offers no benefit to the patient. Institutions that do not communicate with patients using fax today are just as likely to exclude patients with "untrusted" Direct addresses tomorrow. Are we repeating the restriction of patient access under the rubric "HIPAA doesn't allow us to do that" with 21st century jargon?

    OCR, keepers of HIPAA, for their part, are quite clear about patient right to access. makes it clear that a patient who is "known to the practice" can receive electronic communications to any address they present even if it's a plain, unencrypted email. As someone put it so clearly in our last Blue Button+ call, this could lead to the paradoxical situation where a physician is prevented from sending to an "untrusted" Direct email address so she is forced to communicate with the patient via an insecure regular email.

    ONC needs to reconcile the closed DirectTrust process with HIPAA and make it clear that patients are still first-class citizens in directed exchange regardless of how DirectTrust decides to certify provider-to-provider exchanges.

    ONC's current silence relative to provider-to-patient and patient-to-provider communications via Direct enables the EHR vendors to segregate patient engagement (Meaningful Use Stage 2 VDT) into a separate ghetto away from the ubiquitous Direct infrastructure of state health information exchanges and prevents the crossover between patient and physician mobile apps and web services. This, in turn, just furthers the EHR vendor lock-in and industry consolidation that we have seen with MU Stage 1.

    Both patients and physicians would be much better served if ONC adopted and extended the open Blue Button+ process as the only MU2 certified way to do Directed Exchange and query across domains. This would begin to undo the monopoly created by MU1 by allowing data to flow under the direction of physicians and patients without interference from the EHR vendors. This is the HIE governance leadership we need as a substrate for health reform.

    1. Adrian, I think you are mistaken in many respects. How in the world does providing a mechanism to replace Fax for provider to provider communication keep patients from accessing their information? DirectTrust has not even tackled the provider to patient communication issue yet, and most of that work has been going on in Automate Blue Button. The two efforts are not mutually exclusive. There is absolutely nothing that DirectTrust is doing that will inhibit patient access...

    2. Brian,

      The problem is not what inhibits patient access to data but the fact that patients have longstanding rights to control their health information.

      This right is exercised via the right of consent, i.e. the right to control the collection, use, and disclosure of PHI. However, the amendments to HIPAA in 2002 eliminated the right of consent. See:

      But the Preamble to the Amended HIPAA Privacy Rule also stated that HIPAA was to be the "FLOOR" for data privacy protections, not the ceiling:

      HHS stated in issuing the Amended Rule: “The Privacy Rule provides a floor of privacy protection. State laws that are more stringent remain in force. In order to not interfere with such laws [affording a right of consent] and ethical standards, this Rule permits covered entities to obtain consent. Nor is the Privacy Rule intended to serve as a 'best practices' standard. Thus, professional standards that are more protective of privacy retain their vitality." 67 Fed. Reg. at 53,212 (August 14, 2002).

      Industry and the government have long ignored and obscured the fact that HIT and HIE should have been built to ensure that Americans' stronger privacy rights prevailed. HIT should comply with our health privacy rights in state law, common law, tort law, federal law, medical ethics and with our fundamental right to health "informational privacy" elaborated in Constitutional decisions starting with Roe v Wade.

      Only individuals have legal, ethical, or moral standing to control PHI.

      As the public discovers that HIT systems and data exchanges secretly use, disclose, and sell their most sensitive personal information, millions more people every year will avoid or delay treatment for very serious illnesses like cancer, depression, and STDs. Millions more will hide data. FACT: The lack of health privacy causes bad outcomes.

      HIT systems that cause millions of people to act and put their health and lives at risk are seriously flawed. Industry and government must address the flaws.

      Remember all the massive funding and response that followed the knowledge about 100,000 preventable medical errors? The lack of privacy harms at least 10x as many people. Where is the government's response to that?

      We do not even have a map to track all the hidden uses of PHI nor do we have a 'chain of custody' for where our health data flows.

      Continuing to build systems designed to maintain institutional control over PHI will never be accepted by the public. Patient Privacy Rights has a 5-year plan to restore patient control over PHI. See my book chapter in "Information Privacy in the Evolving Healthcare Environment" edited by Koontz. See:

      Also see PPR's Trust Framework--it lays out what exactly it will take for systems, platforms, applications, clouds, and mobile devices to be trusted by the public:

      Deborah C. Peel, MD

    3. Thanks Deborah, I appreciate your efforts on behalf of patients. I am acquainted with PPR's position, but do not think that the work of DirectTrust or the EHR/HIE Interoperability Workgroup is incompatible with your efforts. I would certainly be against anyone secretly using, disclosing, or selling sensitive personal information and in particular PHI.
      I still do not see any clear connection between the issues you have raised and the work of DirectTrust, or Healtheway for that matter. The eHealth Exchange and interoperable Direct secure messaging are going to provide a technical framework that would be absolutely necessary for what you envision to become a reality. I look at today's developments as a very positive sign and am encouraged that we can eventually overcome some of the barriers that we have been facing for years, both in provider to provider communication for better care coordination and eventually in provider to patient communication. My position has always been that the patient owns their data, and they and their caregivers should have the same access as every other member of the care team.

    4. I agree Brian, and thank you everyone for your thoughtful discussion. Parsimony has been encouraged by ONC and others for all areas of standards work. I think what we have here is not a situation of incompatible efforts, but instead many efforts working in harmony. The ABBI project has made significant progress, and consistent with harmonization goals, called upon existing named standards within meaningful use. DIRECT is one such example. As a member of the HITSC Privacy and Security Team, and leader of the DIRECTTRUST citizens' efforts, I see tremendous progress being made to assure that privacy/security is not compromised. In fact this work will be consistent with the patient playing a more proactive and integrated role in HIT in general. I would state that privacy/security and patient access are top of mind. The 2013 work plan for the HITSC will include: Additional standards to support transport of data to and from patients. This work will build upon the ABBI project, DIRECT and perhaps other standards. ONC will be providing guidance to HITSC on the scope of this work. This will be led by the NWHIN power team with oversight and input from both the Privacy and Security and Consumer Technology Team (I co-chair). The natural conclusion of access to information is the desire to interact more fully. This will include the consumer's ability to generate data for EHRs to consume, shared care plans, collaborative records across care teams that the patients define, and more. The work being done in S&I on longitudinal care plans assumes this collaboration with patients and a large care team. As the ABBI project evolves, data will move at the patient's direction. There is opportunity for many people to provide input and direction in this very public process, and it is encouraged.
      The DIRECT and ABBI work provides real progress towards patient access and control, because the patient will have a digital identity or address, the data can transport securely, and the use of the data can begin to be directed by the patient. All steps in the right direction. Will we (all of us) get it all right the first time? No. But we will have a start.

  2. Brian,, CommonWell, Epic Everywhere and every state HIE I've seen uses HIPAA TPO as a way of bypassing patient authorization. We see this in the inconsistent opt-in, opt-out policies across the states. Blue Button+ is the only near-term hope patients have to get a handle on the TPO and other transactions that are being done on our behalf. Blue Button+ includes Direct and can benefit from Trust Bundles as long as their use is made transparent to the patient.

    DirectTrust is an unwise shortcut to a problem that Blue Button+ is much further along in solving than anything else. The only way to reduce the frustration of patients trying to get our own records is to force the institutions to use the same mechanism and that mechanism is Blue Button+.

    CommonWell is just as unwise as DirectTrust but at least they're not being funded by our tax dollars.

  3. Clearly patient access trumps anything that Direct Trust might come up with in terms of policy. Therefore the idea of having a non-public set of available root certificates or policies, direct addresses, etc, that would in any way restrict patient access through any medium is unacceptable in terms of the context of care in order to get in touch with any element of the Healthcare system that is a data steward. I think we can all agree on that point.

    Put differently, Direct was a technical specification, and as long as it stays in that space it is fine. Once you put in an access control mechanism with ONC's governance blessing, based on who can and cannot do Direct according to the idea of "conditions for trusted exchange" being a pre-condition for access to send a message, that inherently violates HIPAA if one is talking about patient messaging. Logically, because the data is non-portable.

    Providers are a different story as are HISPs. Non-conduit HISPs are part of the BAA scaling problem because they handle PHI and thus have to be held responsible. Direct conduit HISPs do not have this problem, (for example point to point EHR connectivity) but still need to exchange data with HISPs that do have a BAA with a provider. The trust at that point does not involve the conduit HISP, but is then between provider to provider. As such any pre-condition of trusted exchange will be determined to be a restraint of trade.

  4. Here is a direct link to the DirectTrust Code of Ethics:

    DirectTrust Code of Ethics