The Nevada Department of Health and Human Services (DHHS) announced last week that NV DIRECT, a secure, encrypted web-based communication system for clinical staff, was now available for health care providers. Nevada state health IT coordinator Lynn O’Mara explained to HealthITSecurity.com some of the privacy and security decisions that are tied to directly sharing protected health information (PHI) with known and trusted recipients.
O’Mara has been working with DHHS and Nevada Health Information Exchange (NV-HIE) since 2010 on this direct secure messaging service. In addition to its current functionalities, she said, Nevada has viewed Direct as a proof of concept and starting point for an HIE. In releasing NV DIRECT, Nevada had to ensure that healthcare organizations and patients were comfortable with the privacy and security policies that are in place.
How did NV DIRECT handle patient privacy concerns?
Healthcare organizations are concerned about privacy and security all the time. What’s kind of interesting in Nevada is our state residents trust, not so much the hospital, but their physician with their PHI. So physicians have been concerned about HIE all along. But they said they know that as long as Direct Messaging conforms to ONC’s standards as well as that of vendors, they have a way to show patients that it’s a trusted exchange and they feel reassured. But they still have to experience it consistently over time for that trust to be built and to ensure that it’s secure.
Nevada is an opt-in state, so that means patients have to have given consent in order for their data to be exchanged electronically. That’s another way to assure them about privacy and security.
Do you pay attention to the Privacy and Security Tiger Team meetings?
The Office of the National Coordinator for Health Information Technology (ONC) is a partner to HIE state grantees, so we follow the Tiger Team very closely. Nevada already had quite a few laws in the books to protect privacy and security, so we’re probably in better shape than a lot of states to go in and do what we need to do security-wise.
How does Stage 2 Meaningful Use fit into this news?
Beyond the fact that it’s a grant requirement, we wanted to get this up first. Because while we’re in the process of getting more robust services for HIE setup, we wanted to have something for the physicians to meet their meaningful use requirements that involves HIE. Direct Secure Messaging will be a service offered by the Nevada HIE and it won’t be the only thing they offer.
Is there any apprehension security-wise that healthcare organizations would rush to implement Direct solely because of Stage 2 Meaningful Use?
That is a concern for everybody and ONC especially. They keep tweaking the privacy and security framework that we have to deal with and that’s one of the reasons I believe interoperability has been such a challenge. It’s not about systems technically being able to connect and exchange data, it’s about having the right privacy and security protocols in place that allow you to ensure there are no breaches. We’ve been hearing a lot about breaches, and luckily they haven’t been from HIEs yet.
I think the other thing is you run a greater risk of breaches or security issues when you use clinical data repositories. Nevada isn’t going to do that and is instead using a hybrid, federated approach. We’re going to be query-based, leave the records resident where they were created and not have a repository. That’s something our legislature and governor were most concerned about. One of the ways we can minimize opportunities for breaches.
How do you view security among interstate HIEs?
But Direct is probably going to be how inter-state HIE occurs for a while. We have a long way to go to resolve the interoperability issues between HIEs, which means you’ll want to do intrastate first. Direct is becoming important for those kinds of activities for inter-state. Nevada has three other border states from which we regularly have to access data.
We actually found out that the other states and Nevada had a lot more in common than we thought. It was pretty easy to resolve the policy issues. States are committed to the idea that PHI can cross borders safely and securely. Governance is crucial to privacy and security and paramount to everyone involved.