If you want entrance into the health information service provider (HISP) communication exchange world in the Bay State, you must be trusted. And by trust, we mean ensuring authorization among Massachusetts users exchanging health information. That, according to stakeholders in the state, comes only when you sign on to the Massachusetts pipeline that binds organizations to its policies.
That is how Massachusetts is easing apprehensions over HISP-to-HISP communication, according to John D. Halamka, MD, MS, chief information officer of Beth Israel Deaconess Medical Center in Boston. Halamka, who is also chairman of the New England Healthcare Exchange Network (NEHEN) and co-chair of the HIT Standards Committee, recently caught up with HealthITSecurity.com.
Technical concerns set stage for Mass.
Earlier this year, Halamka blogged about his state ironing out the specifics of building what he called a “trust fabric for health information exchange” and another set of challenges — HISP to HISP communication.
He also cited the four basic scenarios to think through:
1. An SMTP/SMIME sender to an SMTP/SMIME receiver
2. An SMTP/SMIME sender to an XDR receiver
3. An XDR sender to an SMTP/SMIME receiver
4. An XDR sender to an XDR receiver
“Scenarios 1 and 4 could be done without a HISP at all if the EHR fully implements the Direct Standard including certificate discovery,” he said then. “Cases 2 and 3 require thoughtful security planning to support end to end encryption between two HISPs.”
But what struggles exist when supporting XDR? Halamka blogged that the HISP “must act as the agent of senders and receivers, holding their private key for use in the conversion from/to SMTP/SMIME.”
What Massachusetts is doing now
Halamka said that in his state, the rules are clearly laid out to ensure comprehensive security, and the state HISP is required to work with other HISPs.
“We have uniform agreements in Massachusetts that our state HISP — defined as the service provider that an EHR uses to send records to an authorized recipient — must work with other HISPs: Surescripts, Athena, eCW, Cerner and Quest,” he said.
That way, users in the state can establish root certificate trust from HISP to HISP, with the appropriate business associate agreements signed, he added. “This ensures appropriate authentication and a fabric of trust,” Halamka said.
However, this does not ensure authorization, a point Halamka stressed. Just because Surescripts hosts “Joe’s Endoscopy Shack,” he said, and it really is Joe, does not imply that Massachusetts wants to exchange patient-identified information with Joe.
So how does Massachusetts handle that? Get provider organizations signed up and agreeing to work with its procedures.
“For authorization we have a whitelist of provider organizations which have signed the Massachusetts participation agreement and agreed to be bound by our privacy policies,” he said. “The combination of certificate-enforced HISP to HISP trust with a white list of organizations that have signed our participation agreement is sufficient to enable secure exchange of healthcare data among HISPs.”