
HISP communication, authentication discussed for Mass. HIE


A lot can be learned from how individual state health information exchanges (HIEs) deal with policy, contract and technical requirements, and one specific area of interest is Health Information Service Provider (HISP)-to-HISP communication. In a recent blog post, John Halamka, CIO of Beth Israel Deaconess Medical Center, wrote that the Massachusetts HIE stakeholders are working to get vendors, organizations and regional sub-networks onto the same page as the HIE prepares to meet Stage 2 Meaningful Use requirements.

Halamka alluded to organizations using their individual vendor’s HISP, such as eClinicalWorks users employing the eCW HISP, and how that type of fragmentation wasn’t what the stakeholders had in mind when forming the MassHIWay. It had been presumed that the ideal scenario for Halamka and the rest of those involved with the MassHIWay would be all organizations and vendors using a boilerplate set of agreements and policies. This was the original HIway HISP concept:

Halamka asked out loud in his blog post how MassHIWay can best knit together all of the HISPs into a trust fabric that authenticates our users, authorizes access for appropriate clinicians, and minimizes privacy risks. “It’s clear that we must embrace technology and policies which enable HISP to HISP communications, not just a single HISP and certificate authority,” he said.

So instead of the MassHIWay being the sole certificate/registration authority, stakeholders will need to adapt and focus on HISP-to-HISP communication best practices and policies. There are many types of participants to consider, from basic entry participants to state-sponsored HIE HISPs and PHR HISPs, but Halamka offered a few technology options:

- Use DirectTrust.org certificate bundles backed by processes that enable organizations to trust a common entity and thus transitively trust each other.
- Create a Massachusetts-specific process to trust the root certificates of each HISP that connects to the MassHIWay.
- Ask each provider in the state to sign a MassHIWay participant agreement regardless of the HISP they use, ensuring common policy and legal protections are in place.

There weren’t any concrete answers that came out of the meeting, but at least it’s widely understood that, though the technology and policy details still need to be worked out, there will be multiple HISPs that connect healthcare organizations, vendors and patients in the state. The big hurdle is clearly the privacy and security concerns that go along with trusting that these different HISPs will properly identity-proof and authenticate their senders and receivers. As the Direct Project notes, encryption and authorization are critical to the HISP-HISP relationship:

In the case where both sender and receiver delegate access to a full service HISP, the sending HISP has access to unencrypted content only through the Business Associate Agreement (BAA)-authorized relationship between sender and sending HISP; the receiving HISP has access to decrypted content only through a similar BAA-authorized relationship to the receiver. The two HISPs never expose unencrypted protected health information (PHI)/personal identifiable information (PII) to one another.

