Channel: HealthITSecurity.com » HIE Security

How NHHIO keeps data secure while planning innovation


Among the more interesting aspects of building a health information exchange (HIE) is ensuring that the work done in the short term doesn’t stifle future innovation. HealthITSecurity.com had previously spoken with New Hampshire Health Information Organization (NHHIO) acting Executive Director Jeff Loughlin and Denise Purington, VP and CIO of Elliot Hospital and Chair of NHHIO, about how the exchange was built and some security strategies.

However, Part 2 of the interview took a deeper dive into how its members, mostly hospitals at the moment, store data and what that means for security and future NHHIO projects, such as a master patient index (MPI).

How do NHHIO members house their data?

Purington: Many of our members are hospitals, though we’re getting more providers. Most organizations, however, are using EMRs that are housed within the organization. Very few are using cloud-based services. Many of the providers in the state are owned and employed by health systems. The independent providers in New Hampshire, being a relatively small state, are being bought out by the bigger organizations. But even the smaller providers are using EMRs that are either housed in their organizations or may be doing an Application Service Provider (ASP) service with a company such as AllScripts or Meditech. But, for the most part, the 26 hospitals house their systems internally.

With help from Orion Health, we’ve placed “land devices” in our organizations that have helped with data encryption and ensuring that the protocols are correct before they leave our organization.

How do the Direct standards fit with Health Level Seven (HL7) standards?

Loughlin: Because we’re trying to be something more than [a HISP] and be the state-wide HIE, we exchange all other kinds of data, such as HL7 lab results or radiology results that may not be part of Meaningful Use, depending on organization. We’re trying to use the Direct protocols for the security and encryption reasons, as not every vendor is prepared to send other types of information using those same types of security protocols.

We can take a traditional HL7 message that would normally be sent through a point-to-point VPN and send it across our network. We installed these “local appliances” that take the traditional HL7 and put it into a Direct-compliant package while using all of the Direct standards for security and transmission. In most cases, there’s an appliance on the other end to receive that information. We’re driving forward with Direct, and the tool that allows us to take non-Direct information and make it Direct compliant, because that’s the path toward interoperability.

Does providers housing their own data affect future plans? What if they began to use newer, cloud-based technologies?

Loughlin: From our perspective, no. We try to keep this appliance local, as we have one site that has data either housed or on an ASP service through their vendor in Arkansas, but we keep the appliance here. So we still have a little old-school virtual private network (VPN) technology that we have to incorporate now and then between their device and our database. But in general, it doesn’t matter where the data resides, as 90 percent of these exchanges are web-based, SOAP transactions [for secure conversations over HTTP] and we’re using standard Transport Layer Security (TLS) technology.

We have a larger story to come in terms of what we’re building right now with NHHIO, which is a master patient index (MPI). We’re using that, in the short run, to build a record locator service so organizations can know where medical records exist. And that’s a basis for future electronic capability where organizations are able to send and receive electronic queries for data.

At that point, it doesn’t have to be centralized, as we can look at a federated data model where organizations feel safe in owning that data. But if we can access that electronically by routing specific queries through our MPI locator service, the providers get that history of data across the spectrum that’s presented to you without having to access it through a single database. It can be collected through a myriad of databases owned by the provider.

