Those who have paid attention to the Health IT Policy and Privacy and Security Tiger Team meetings over the past few months know that the healthcare industry is still in the early stages of formulating health data exchange security standards. The big questions are what needs to happen short-term to spark the process and how will standards be created for the long run?
Micky Tripathi, Chair of the Health IT Policy Committee’s health information exchange work group and CEO of the Massachusetts eHealth Collaborative (MAeHC), has taken part in many of these discussions and knows that the pragmatic approach to health information exchange (HIE) security requires patience. One of the big takeaways from the HIT Policy and Tiger Team meetings for Tripathi has been the complex nature of standardizing the security of health information acceptance and delivery. The conversations within the meetings often become granular for good reason because there are so many layers to HIE queries as well as plenty of different approaches.
The problem that one would love to solve at the end of the day is “How can one organization query another organization for the information they need delivered to them when they need it that is securely delivered and according to patient preferences?” All of that [needs to be accomplished] without any central infrastructure or organization helping to manage that. When you boil down that challenge at the end of the day, we’d love to solve that issue.
Healthcare technology professionals are often asked, for example, why robust technology standards for HIE queries aren’t already in place. The comparison to other industries is akin to apples and oranges, however, because there are subsidiary issues that are unique to healthcare.
Most people will say “I don’t understand, other industries and vendors can query across platforms or across entities.” Healthcare is different because it’s more complicated and more fragmented. So this query issue and lack of robust standards is an issue because right now, due to fragmentation, you don’t have all of the vendors lined up around a particular standard. The EHR certification process gives us a set of standards for that like they have for point-to-point pushing of information back and forth.
Why not just point-to-point push messaging?
Another concern is, unlike just point-to-point push messaging, which is what Stage 2 Meaningful Use requires with respect to data exchange, there are other factors involved with direct messaging security. Tripathi said that one is “How do I do that in a way that corresponds with patient permission?” This poses a problem because requirements vary by state and figuring out how you’re going to do that in an automated way isn’t easy. Next, there’s the question of “How is the direct messaging going to get automated into clinical workflows in a way that’s going to make sense?” Organizations aren’t used to dealing with that type of integration right now.
Most organizations can do that with existing security provisions that are in place and with existing workflows. So I think that’s a bit of a challenge with respect to clarity. If you’re listening in on those [policy committee] calls, you’re hearing a whole bunch of detailed conversation that veers off into other areas, but that shows the nature of the problem, not the nature of the people that are engaged or the activity itself because it is genuinely complicated.
Where Stage 3 (and maybe Stage 4) Meaningful Use fits in
While most healthcare providers are beginning to grapple with Stage 2 Meaningful Use requirements, Tripathi and the rest of the committee members are beginning to set the stage for Stage 3 Meaningful Use and potentially Stage 4 Meaningful Use direct messaging security requirements. And the fact that the ONC put out a Request for Comment (RFC) to get some industry feedback shows it realizes it needs more information on the subject to give better perspective on what’s going to work and what’s not.
I suspect that you’ll see the seeds for it in Stage 3, but as Farzad Mostashari, the National Coordinator for Health Information Technology, has said a few times, we’ll probably be looking at a Stage 4 Meaningful Use and that may be where you see it more robust. Stage 3 may start to lay some of the foundation around some of the technical requirements, but it may be that we’re not mature enough in terms of business processes and technology to be able to lay down firm requirements and expect that people will be able to adjust so dramatically in the timelines that we have for Stage 3.
Another substantial part of evaluating the role of meaningful use is differentiating between behavioral and technical requirements for healthcare providers. Tripathi believes that since it’s such a complex space, ONC may put out certain set of certification requirements for technology vendors that enable query-type capabilities. But there wouldn’t be corresponding behavioral requirements in place for the providers yet due to business and legal issues. As a result, this could give the market the opportunity to move forward with the technologies they have in place. This would drive the vendors to standardize, but also give leeway to clinicians to where it’s most appropriate, said Tripathi.