HIE Technology
-
Upload
bhattaashu3672 -
Category
Documents
-
view
212 -
download
0
Transcript of HIE Technology
-
8/11/2019 HIE Technology
1/4
Section 3.1 Exchange Readiness
HIE Technology
This tool provides an introduction to the technology used in a health information
exchange (HIE) service.
Instructions for Use1. Review the types of technology in an HIE and its uses as you evaluate your health
information technology (HIT) options.
. Revise policies and procedures for o!taining consent" as applica!le" should you
participate in a health information organi#ation (HI$).
HIE Technical ServicesThe following is a depiction of HIE technical services within the two main types ofHI$ architectural models% federated and consolidated. The !lac&" curved lines depict
the federated model and the red" straight lines depict the consolidated model.
'ithin a given HI$" which may include an integrated delivery networ& (shown on the
right)" the federated model of exchange would occur !y (1) the reuesting
organi#ation initiating a reuest to the HIE service to determine if a person has
information of interest within the HI$. The HIE service would ma&e sure that
Section 3.1 Exchange Readiness HIE Technology - 1
-
8/11/2019 HIE Technology
2/4
the reuestor is authori#ed" authenticated" and has access privileges to theinformation and that the person has provided consent for that reuestor to
disclose the specific information !eing reuested. () yes*no response would!e returned to the reuesting organi#ation. (+) The reuesting organi#ation
would in turn issue a reuest to receive the information and transmit thisinformation to the supplying organi#ation within the HI$. (,) The supplying
organi#ation would supply the information in the format agreed upon !y the
various data sharing and participation agreements.In a consolidated model" all processes are essentially the same" !ut the HIE service
does not need to negotiate the external point-to-point transactions reuired in the
federated model. misconception a!out the consolidated model is that all dataare pooled. ore often than not" data from each organi#ation are separated !y
logical" if not physical vault-li&e" controls that ensure only data authori#ed fordisclosure may !e disclosed. any fear that a consolidated model is less secure
and affords less privacy. However" if centrally managed !y an organi#ation thatutili#es super! security controls and strong HIE data stewardship principles (+.
HIE /ata 0tewardship)that model is very li&ely to !e at less ris& than a point-
to-point model where the strength of the security euates to that maintained in
the wea&est organi#ation. efore passing 2udgment on any model" privacy andsecurity controls must !e understood.
HIE 0ervices include%
Directory servicesprovide person identification (3I/) and record locator services.
This affords the a!ility to identify individuals and to lin& them to potential sources
of information. Ensuring accurate identification is a challenge in an HI$" as eachparticipating organi#ation will have its own medical record num!er or person
identifier. In the a!sence of a national uniue identifier for health care" a matching
process is used for positive person identification when any participating
organi#ation see&s to find information within the HI$ for a given person. Inaddition" a record locator service (R40) may !e needed. In a federated
architecture" the HIE service identifies where data may reside for a given person inorder to feed that !ac& to the reuesting organi#ation. In a consolidated model" the
record locator service identifies in which vault a person5s data resides.
Identity managementincludes the following services%
6redentialing users includes the process of certifying that an organi#ation
and*or system meets the !aseline security and other technical reuirements
needed to exchange data as well as providing authori#ation for access. Theseprovisions come from the participant agreement.
3rovisioning users includes managing an authentication process (password"
to&en or !iometric for electronic signature" or use of an encrypted digitalsignature process) and access controls (which user may have access to which
data under which circumstances) /irectory service provides information on which organi#ations" systems"
providers" and others are credentialed to use the HIE service. In this directory"
service is usually also the information from the data sharing agreementdescri!ing the format in which data can !e exchanged.
7ederation management provides the !asic security and communication
standards for exchange of information. 0ecurity standards include theTransport 4ayer 0ecurity (T40) 3rotocol and its predecessor" 0ecure 0oc&ets
Section 3.1 Exchange Readiness HIE Technology -
-
8/11/2019 HIE Technology
3/4
4ayer (004)" which are cryptographic protocols that provide security and dataintegrity for communications over T63*I3 networ&s such as the Internet. These
protocols aid in the use of applications such as 'e! !rowsing" email" efax"instant messaging and 8oice over Internet 3rotocol (8oI3)" some or all of
which may !e services supported !y the HIE service. 6ommunication securitystandards include 'e! 0ervices ('0) ddressing" 0ecurity ssertions ar&up
4anguage (04)" and*or others.
uditing and reporting with audit logs and usage reports are maintained andanaly#ed as a further security measure.
Consent managementis the active management and enforcement of users5
consent when collecting" storing" accessing" processing" and disclosing personal
health information. 7rom a policy perspective" consumers provide the capture and
management of consent directives. 7rom other applications of such consentmanagement services" the two typical choices are%
$pt-out% data are exchanged !y default unless restricted !y the person
$pt-in% data are not exchanged !y default until the person provides consent
In some HI$s" a more-layered or uilted approach may !e used that com!ines opt-out
and opt-in. 7or instance" an HI$ may decide to include all persons in its
directory service to identify persons and locate records" for which a patientcould opt-out" !ut then reuire a person to opt-in to the actual instance of
disclosure. The following issues are currently under discussion across all HI$s%consent management services" coupled with which data may !e consolidated or
not9 whether data are pushed or pulled within the HI$9 whether discrete dataexchange is ena!led or only scanned documents and print files are availa!le9 and
many other issues. :o laws or standard regulations currently exist that address
these issues.
/epending on the nature of the consent management process an HI$ adopts" thepractice may include one in which an individual is presented with information
a!out the HI$ at the point of care and provided a consent directive form to
complete" which will !e used for all future exchange of data until changed !y
the individual. However" HI$s that are structured around a personal healthrecord may find that the individual person is much more engaged in consent
management and may wish to manage consent for each exchange individually.6onsidera!le education a!out the impact of consent management will need to !e
supplied to individuals as HI$s !egin to use the HIE service as their primarysource of information.
Data exchangeis the actual transmission of data" whether point-to-point in a
federated model or from a single repository or centrally-managed set of
independent repositories. ost often today" a hy!rid model is deployed where la!
results" as in the example a!ove" may !e sourced from ma2or la!s. notherexample may !e that medication history information from a pharmacy !enefits
manager consolidation service such as RxHu! or Info0can). Immuni#ationinformation may !e consolidated into a single repository" such as the state or local
pu!lic health department" and then point-to-point exchange occurs for otherinformation.
Section 3.1 Exchange Readiness HIE Technology - 3
-
8/11/2019 HIE Technology
4/4
Copyright 2009, Margret\A Consulting, LLC. Used with permission of author.
!or su""ort using the tool#it
0tratis Health Health Information Technology 0ervices
;