HIE Technology

download HIE Technology

of 4

Transcript of HIE Technology

  • 8/11/2019 HIE Technology

    1/4

    Section 3.1 Exchange Readiness

    HIE Technology

    This tool provides an introduction to the technology used in a health information

    exchange (HIE) service.

    Instructions for Use1. Review the types of technology in an HIE and its uses as you evaluate your health

    information technology (HIT) options.

    . Revise policies and procedures for o!taining consent" as applica!le" should you

    participate in a health information organi#ation (HI$).

    HIE Technical ServicesThe following is a depiction of HIE technical services within the two main types ofHI$ architectural models% federated and consolidated. The !lac&" curved lines depict

    the federated model and the red" straight lines depict the consolidated model.

    'ithin a given HI$" which may include an integrated delivery networ& (shown on the

    right)" the federated model of exchange would occur !y (1) the reuesting

    organi#ation initiating a reuest to the HIE service to determine if a person has

    information of interest within the HI$. The HIE service would ma&e sure that

    Section 3.1 Exchange Readiness HIE Technology - 1

  • 8/11/2019 HIE Technology

    2/4

    the reuestor is authori#ed" authenticated" and has access privileges to theinformation and that the person has provided consent for that reuestor to

    disclose the specific information !eing reuested. () yes*no response would!e returned to the reuesting organi#ation. (+) The reuesting organi#ation

    would in turn issue a reuest to receive the information and transmit thisinformation to the supplying organi#ation within the HI$. (,) The supplying

    organi#ation would supply the information in the format agreed upon !y the

    various data sharing and participation agreements.In a consolidated model" all processes are essentially the same" !ut the HIE service

    does not need to negotiate the external point-to-point transactions reuired in the

    federated model. misconception a!out the consolidated model is that all dataare pooled. ore often than not" data from each organi#ation are separated !y

    logical" if not physical vault-li&e" controls that ensure only data authori#ed fordisclosure may !e disclosed. any fear that a consolidated model is less secure

    and affords less privacy. However" if centrally managed !y an organi#ation thatutili#es super! security controls and strong HIE data stewardship principles (+.

    HIE /ata 0tewardship)that model is very li&ely to !e at less ris& than a point-

    to-point model where the strength of the security euates to that maintained in

    the wea&est organi#ation. efore passing 2udgment on any model" privacy andsecurity controls must !e understood.

    HIE 0ervices include%

    Directory servicesprovide person identification (3I/) and record locator services.

    This affords the a!ility to identify individuals and to lin& them to potential sources

    of information. Ensuring accurate identification is a challenge in an HI$" as eachparticipating organi#ation will have its own medical record num!er or person

    identifier. In the a!sence of a national uniue identifier for health care" a matching

    process is used for positive person identification when any participating

    organi#ation see&s to find information within the HI$ for a given person. Inaddition" a record locator service (R40) may !e needed. In a federated

    architecture" the HIE service identifies where data may reside for a given person inorder to feed that !ac& to the reuesting organi#ation. In a consolidated model" the

    record locator service identifies in which vault a person5s data resides.

    Identity managementincludes the following services%

    6redentialing users includes the process of certifying that an organi#ation

    and*or system meets the !aseline security and other technical reuirements

    needed to exchange data as well as providing authori#ation for access. Theseprovisions come from the participant agreement.

    3rovisioning users includes managing an authentication process (password"

    to&en or !iometric for electronic signature" or use of an encrypted digitalsignature process) and access controls (which user may have access to which

    data under which circumstances) /irectory service provides information on which organi#ations" systems"

    providers" and others are credentialed to use the HIE service. In this directory"

    service is usually also the information from the data sharing agreementdescri!ing the format in which data can !e exchanged.

    7ederation management provides the !asic security and communication

    standards for exchange of information. 0ecurity standards include theTransport 4ayer 0ecurity (T40) 3rotocol and its predecessor" 0ecure 0oc&ets

    Section 3.1 Exchange Readiness HIE Technology -

  • 8/11/2019 HIE Technology

    3/4

    4ayer (004)" which are cryptographic protocols that provide security and dataintegrity for communications over T63*I3 networ&s such as the Internet. These

    protocols aid in the use of applications such as 'e! !rowsing" email" efax"instant messaging and 8oice over Internet 3rotocol (8oI3)" some or all of

    which may !e services supported !y the HIE service. 6ommunication securitystandards include 'e! 0ervices ('0) ddressing" 0ecurity ssertions ar&up

    4anguage (04)" and*or others.

    uditing and reporting with audit logs and usage reports are maintained andanaly#ed as a further security measure.

    Consent managementis the active management and enforcement of users5

    consent when collecting" storing" accessing" processing" and disclosing personal

    health information. 7rom a policy perspective" consumers provide the capture and

    management of consent directives. 7rom other applications of such consentmanagement services" the two typical choices are%

    $pt-out% data are exchanged !y default unless restricted !y the person

    $pt-in% data are not exchanged !y default until the person provides consent

    In some HI$s" a more-layered or uilted approach may !e used that com!ines opt-out

    and opt-in. 7or instance" an HI$ may decide to include all persons in its

    directory service to identify persons and locate records" for which a patientcould opt-out" !ut then reuire a person to opt-in to the actual instance of

    disclosure. The following issues are currently under discussion across all HI$s%consent management services" coupled with which data may !e consolidated or

    not9 whether data are pushed or pulled within the HI$9 whether discrete dataexchange is ena!led or only scanned documents and print files are availa!le9 and

    many other issues. :o laws or standard regulations currently exist that address

    these issues.

    /epending on the nature of the consent management process an HI$ adopts" thepractice may include one in which an individual is presented with information

    a!out the HI$ at the point of care and provided a consent directive form to

    complete" which will !e used for all future exchange of data until changed !y

    the individual. However" HI$s that are structured around a personal healthrecord may find that the individual person is much more engaged in consent

    management and may wish to manage consent for each exchange individually.6onsidera!le education a!out the impact of consent management will need to !e

    supplied to individuals as HI$s !egin to use the HIE service as their primarysource of information.

    Data exchangeis the actual transmission of data" whether point-to-point in a

    federated model or from a single repository or centrally-managed set of

    independent repositories. ost often today" a hy!rid model is deployed where la!

    results" as in the example a!ove" may !e sourced from ma2or la!s. notherexample may !e that medication history information from a pharmacy !enefits

    manager consolidation service such as RxHu! or Info0can). Immuni#ationinformation may !e consolidated into a single repository" such as the state or local

    pu!lic health department" and then point-to-point exchange occurs for otherinformation.

    Section 3.1 Exchange Readiness HIE Technology - 3

  • 8/11/2019 HIE Technology

    4/4

    Copyright 2009, Margret\A Consulting, LLC. Used with permission of author.

    !or su""ort using the tool#it

    0tratis Health Health Information Technology 0ervices

    ;