HIT Standards Committee Meeting

1. HIT Standards Committee Meeting Nationwide Health Information Network Governance June 30, 2010 Mary Jo Deering, PhD ONC, Office of Policy and Planning NHIN Policy and Governance Maryjo.deering@hhs.gov

2. Current Request For FACA Committee Input • Help us frame initial request for public input on nationwide health information network governance: what issues and questions should be included? • HIT Policy Committee (HITPC) June 25, 2010: Guidance on governance for NHIN policies and services • HIT Standards Committee (HITSC) June 30, 2010: Guidance on governance for NHIN standards • The slides that follow reflect our experiences and preliminary analysis • We have identified possible questions whose answers will shape the Notice of Proposed Rulemaking (NPRM) • We will be seeking additional input from the HITSC and HITPC in September to develop the NPRM 2

3. Background and Purpose of Rule Making • HITECH directed the National Coordinator to “establish a governance mechanism for the nationwide health information network.” • To be accomplished by rulemaking • Rulemaking would establish foundational policies and structures which would: • Engender trust • Assure effectiveness • Meet or exceed consumer expectations • facilitate use of the nationwide health information network • Recognize that some governance is in place (e.g., HIPAA Privacy and Security Rules); identify where complementary governance mechanisms are necessary for evolving nationwide health information network.

4. Scope of Rulemaking for Nationwide Health Information Network Governance Identify Governance Requirements in Domains of the Health Information Exchange (HIE) Trust Framework • Agreed Upon Business, Policy and Legal Requirements: All participants will abide by an agreed upon a set of rules, including (but not necessarily limited to) compliance with applicable law and act in a way that protects the privacy and security of the information and is in accordance with consumer/patient expectations. • Transparent Oversight : Oversight of the exchange activities to assure compliance. Oversight should be as transparent as possible. • Enforcement and Accountability: Each participant must accept responsibility for its exchange activities and answer for adverse consequences. • Identity Assurance:  All participants need to be confident they are exchanging information with whom they intend and that this is verified as part of the information exchange activities. • Technical Requirements: All participants agree to comply with some minimum technical requirements necessary for the exchange to occur reliably and securely. 4

5. Scope of governance • Should participation or compliance with nationwide health information network standards, services and policies (or a subset) be: • Optional • Preferred – “seal of approval”/nationwide health information network brand • Mandatory • How and where should governance apply? • What are appropriate levers of governance? • When should they be applied? • Under what conditions?

6. Business, Policy And Legal Requirements And Expectations – Key Issues • When should patient consent be required and for what? • Populate Record Locator Service (RLS) • Disclose/reuse personal health information (PHI) • More granular (e.g. particular data elements) • What requirements are necessary to assure data integrity and quality? • Should requirements (for consent, data use, etc.) vary by exchange model? • Exchange participants (query and lookup) • Directed secure routing (known endpoints) • How should we specify appropriate purposes for using, exchanging and reusing data and minimize data required for transactions? 6

7. Transparent Oversight – Key Issues • Is there a role for federal and/or state oversight to monitor and address abusive market behaviors? • Is there a need for a federal mechanism of oversight over information exchange organizations? • What are the appropriate federal and state roles? • How can transparency and open processes be assured for setting nationwide health information network policies and technical requirements? • How can transparency, oversight and accountability be assured for the nationwide health information network (e.g., auditing and alert capabilities, patient access, correction, redress)? 7

8. Enforcement and Accountability – Key Issues • Should there be a certification or accreditation program for intermediaries (e.g., HISPs) or participants (e.g., Exchange)? If so: • Key roles for certifying / accrediting body • Certification / accreditation requirements • Limits of certification / accreditation • What other types of enforcement and accountability measures should be considered? • Regulatory requirements • Contractual mechanisms (with federal government, between participants) 8

9. Identity Assurance – Key Issues • Should there be identity assurance requirements for: • Provider access to clinical information systems/data? • Patient/consumer access? • For participation in nationwide health information network transactions? • Should there be mechanisms to validate identity assurance processes and mechanisms, e.g., certification or accreditation? 9

10. Technical Requirements – Key Issues • Do we need additional testing and oversight to assure participant conformance with nationwide health information network technical requirements? Potential mechanisms: • Threshold for exchanging with federal agencies/government contracts • Certification/meaningful use • Government identifying best practices • What level of interoperability in the nationwide health information network is required to meet policy goals? 10

11. Discussion