Each state health information exchange (HIE) has its own unique set of challenges, whether they derive from funding, technology or policy. But, interestingly, because the New Hampshire Health Information Organization (NHHIO) was behind other state HIEs in building its exchange, it was able to avoid some sustainability, privacy and security pitfalls.
NHHIO was among the later HIEs to be approved by the Office of the National Coordinator (ONC), as it received ONC funding in December of 2010. NHHIO used the delayed innovation period to decide that it would not store any member data and instead would serve only as a conduit for information being exchanged by healthcare organizations. And because the Direct standard was available for use at the time of its inception, NHHIO is able to provide health information service provider (HISP) services in New Hampshire. Employing the Direct standard has helped NHHIO create a long-term encryption strategy.
Massachusetts eHealth Collaborative (MAeHC) Project Director and acting Executive Director of NHHIO Jeff Loughlin and Denise Purington, VP and CIO of Elliot Hospital and Chair of NHHIO, took some time to speak with HealthITSecurity.com about these go-live efforts and the future of NHHIO.
Are there any privacy challenges you can think of as NHHIO was being built?
Purington: Prior to NHHIO being named as a state health information organization, there was a multi-stakeholder group that was in place in New Hampshire knowing that the governor had asked for a strategic plan. Part of that plan was how exactly it was going to share data across the state. As that multi-stakeholder process was going on, the HITECH Act came out and sparked the funding to get an HIE set up. The HIE was set up through legislation, so the funding was given to the [state] Department of Health and Human Services (HHS) through a bill at the state level and we’re governed by this legislation.
One of the challenges we had here in New Hampshire was that the state has been pretty conservative when it comes to the privacy and security regulations. A big focus was storing data at the HIE level versus not storing data. NHHIO was an organization that, out of the gate, would help entities with data transport while connecting them together instead of actually storing the data.
Loughlin: To a degree, New Hampshire came to the table a bit late in building an HIE. This ended up being to our benefit. Other HIEs that had a lot of money built large, centralized repositories and a lot of infrastructure to sell their services after the fact. We’ve seen a lot of HIEs in that model fail, whereas we decided to work the other way and start small and focus solely on the point-to-point delivery. Because we were a little later in implementation, we kind of hit the ground running when the Direct standards came into play in the EHR and Meaningful Use worlds.
That Direct standard has driven encryption, security process, Transport Layer Security (TLS) requirements for Direct messaging – we’ve been able to fold all of that into our network. So we’re providing those HISP services and all of our transport and encryption follow that standard. Once we have that base layer established, on top of being a HISP we are the state-wide HIE and can expand our services.
What does being a data conduit mean now and for the future?
Purington: NHHIO does not store any data. It’s not that we can’t store the data or that legislation prevents us from storing that data, but we’ve chosen not to out of the gate. Our vision is to connect all of the providers in the state to the HIE and help them securely transport information from one point to another. We do that through the ability to encrypt packets of information that go from one organization to the other. The term we use here a lot is “post office” in that we just look at the address and pass [the packet] along.
Can you talk a little more about your HISP work?
Loughlin: We outsource much of our technical work to Orion Health, which is an accredited HISP through DirectTrust, so we’re following those standards. For example, Mass uses Orion but employs a different certificate base and is not part of the DirectTrust accreditation program.
We spent a lot of time with our wide-ranging board of directors in creating a detailed, lengthy participation agreement. The agreement has clearly articulated what the laws are around the use of the HIE, what can and can’t be sent, and how PHI must be shared with organizations. There was a big focus on educating members about those laws, knowing that, when talking about our network specifically, we don’t have a centralized repository. I don’t know whether data being sent is encrypted end-to-end, so we’ve focused on the front end, so everyone knows what they can and can’t send. Over time, as we expand our services to other areas, we’ll need to implement policies for, for example, behavioral health.
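The "post office" conduit model Purington describes, and the Direct/S-MIME transport Loughlin refers to, can be illustrated with a small relay that looks only at the envelope. The following is an added example written for this article; it is not NHHIO's, Orion Health's or DirectTrust's code. It assumes Direct messages are ordinary RFC 5322 mail whose body is an S/MIME enveloped-data part (encrypted for the recipient, not for the relay), and it uses constructed domains, addresses and a placeholder body. The relay routes on the recipient's domain, refuses anything whose body is not enveloped-data (so a plaintext record cannot pass through the conduit by mistake), and keeps an audit record that contains metadata only, never the payload.

```python
"""Conduit-style ("post office") relay in the Direct style.

Added example, not code from the article or from NHHIO/Orion Health.
The relay never decrypts or stores the body: it reads the envelope,
checks that the body is S/MIME enveloped-data, and hands the payload
on unchanged. All domains, addresses and the body are constructed.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed routing table: Direct address domain -> next-hop HISP.
# Hypothetical names; a real HISP would resolve these via DNS/LDAP.
ROUTES = {
    "direct.hospital-a.example": "hisp-a.example",
    "direct.clinic-b.example": "hisp-b.example",
}


def is_smime_enveloped(msg: Message) -> bool:
    """True when the top-level body is an S/MIME enveloped-data part.

    Such a part is CMS ciphertext addressed to the recipient's certificate,
    so the relay can confirm end-to-end encryption without being able to read it.
    """
    ctype = msg.get_content_type()
    smime_type = msg.get_param("smime-type")
    return (
        ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime")
        and smime_type == "enveloped-data"
    )


def relay(raw: str):
    """Decide what the conduit does with one raw message.

    Returns (audit_record, payload). The audit record holds envelope
    metadata only; payload is the untouched body when accepted, else None.
    """
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    domain = recipient.rpartition("@")[2].lower()

    record = {
        "from": sender,
        "to": recipient,
        "accepted": False,
        "next_hop": None,
        "reason": "",
    }

    # Envelope check: only route to domains the exchange knows.
    if not recipient or domain not in ROUTES:
        record["reason"] = "no route for recipient domain"
        return record, None

    # Policy check: the conduit forwards ciphertext only.
    if not is_smime_enveloped(msg):
        record["reason"] = "body is not S/MIME enveloped-data; plaintext refused"
        return record, None

    record["accepted"] = True
    record["next_hop"] = ROUTES[domain]
    record["reason"] = "forwarded unchanged"
    # get_payload() without decode=True returns the body exactly as received.
    return record, msg.get_payload()


# Constructed sample: an encrypted Direct message. The base64 body is a
# placeholder string, not real CMS ciphertext.
ENCRYPTED_MSG = """From: dr.jones@direct.clinic-b.example
To: records@direct.hospital-a.example
Subject: Referral
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

UExBQ0VIT0xERVItQ0lQSEVSVEVYVA==
"""

# Constructed sample: the same envelope but an unencrypted body.
PLAINTEXT_MSG = """From: dr.jones@direct.clinic-b.example
To: records@direct.hospital-a.example
Subject: Referral
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Patient summary in the clear (constructed sample text).
"""

if __name__ == "__main__":
    for sample in (ENCRYPTED_MSG, PLAINTEXT_MSG):
        audit, body = relay(sample)
        print(audit, "payload forwarded" if body else "nothing forwarded")
```

Two properties of the conduit model fall out of the code: the relay's audit trail is safe to retain because it never contains clinical content, and the enveloped-data check gives the exchange an objective answer to the end-to-end encryption question rather than relying on each member's configuration.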