Return to flip book view

Breaking Through the Data Dams

Page 1



By Lee Barrett, Marsali Hancock
Lesley Berkeyheiser, CCSFP
and Elinela Perez, LL.M, CIPP/E.

Page 2

About TNAP IntroductionGoal 1: Empower IndividualsGoal 2: Enable Providers and CommunitiesGoal 3: Public and Population HealthGoal 4: Open and Accessible APIsAbout the AuthorsCONTENTS235678910Copyright © 2019 All rights reserved.

Page 3

ABOUT TNAPThe Trusted Network Accreditation Program (TNAP), founded by EHNAC, SAFE BioPharma Association, WEDI, eHealth Initiative and the EP3 Foundation, leverages existing industry-wide identity verification, authentication, privacy and security frameworks and best practices already in use across the healthcare ecosystem. The program provides third party review with accreditation for Trusted Exchange participants, and a person-centered governance model for security, privacy, regulatory compliance and rights management, including compliance with new privacy regulatory requirements.The initiative directly aligns with the development of the 21st Century Cures Act including the Trusted Exchange Framework and Common Agreement (TEFCA) and, promotes interoperability, assuring the security and privacy of trusted networks, and the use of enabling technologies in the healthcare ecosystem. Confirmed participants include HINs, HIES, ACOS, Data Registers, Lab, Providers, Payers, Vendors, and Suppliers. 3

Page 4


Page 5

INTRODUCTION5This document is modeled after the Office of the National Coordinator’s Draft Trusted Exchange Framework to empower patients and provide a baseline of healthcare interoperability along with acknowledgment of the data dams or areas of challenge (blocking the desired flow of information) so needed to move high volumes of sensitive data in a secure manner. Each of the areas set forth below provides a summary of today’s current environment, a real-life example, and the corresponding data dams/blockages to the free flow of sensitive data. Lastly, this document includes how the TNAP provides core features that address each of these challenge areas.

Page 6

Summary In today’s healthcare world, some industry sectors (like life insurance and research) have the ability to consolidate longitudinal healthcare data about a specific patient. However, that information is typically not made available to the patient.Real Life ScenarioA middle-aged woman with comprehensive private insurance needs longitudinal data to observe trends and make data-informed choices to improve her health and well being. To do so, she must find, access, and aggregate all of her health information. This includes health records from her primary-care doctor, specialists like ophthalmologist, dermatologist, gynecologist, mental health providers (who include psychiatrist and psychologist), dentists and endodontist, podiatrist, and physical therapist. It also includes her gym records where she works weekly with her trainer and nutritionist, logging detailed health records that include weight, BMI, blood pressure, heart rate, daily supplements, diet, and sleep patterns in an application. Top Data DamsDespite of the fact that our patient is technically savvy and tracks wellness information, she is limited by her providers' proprietary or legacy technology. Her insurance company gave her the Health Records, but they only include claims information from in-network providers. Her primary-care physician, endodontist, podiatrist, and other specialists belong to different hospitals and healthcare systems. Her psychiatrist, psychologist, and ophthalmologist have their own private practice. When she asked for records from her longtime dentist, only paper copies were made available for which she had to pay. Some of her clinics offered apps to communicate directly with her. However, she has no ability to consolidate her information even as a baseline for her own personal use. When she chooses to pursue genetic testing, this information cannot be amassed into the others based on its sensitivity, even though it is all hers! EMPOWER INDIVIDUALSGOAL 1 ● Improve patient ability to coordinate their own care● Not limited to what it is stored in electronic health records● Access data from different resources (including technologies that individuals use every day)● Enable Individuals to access and aggregate longitudinal dataThe Trusted Network Accreditation Program ResolutionThe Trusted Network Accreditation Program provides a “measurement” or standard setting the “Privacy and Security” bar related to the handling of healthcare data. Each participant or “contributor” is required to follow identity, privacy, and security rules making information available to patients in a method that supports all facets of healthcare delivery and receipt.6

Page 7

Summary Many healthcare providers have become certified in Meaningful Use in various stages improving some types of data exchange. However, exported data remains inconsistent in quality, format, and content. Additionally, stringent federal and state laws make sharing certain kinds of information impossible unless one can verify, in near real-time, the identity, roles, and permissions of the providers, patients, and all recipients of highly protected information.Real Life ScenarioAn 18-year-old patient was released from nine days of inpatient, psychiatric crisis care. Now, she must coordinate services to address her eating disorder and alcohol addiction within her parents’ health insurance. This entails the daunting task of identifying providers and programs taking new patients. Sadly, no in-network providers were available and the only residential substance use program with an opening is out of state. Unfortunately, she is unable to receive electronic health information from her substance use and mental health providers and share them with her new private practice psychiatrist. Her safety is at risk! She has no communication vehicle to coordinate her other health care providers able to write prescriptions, such as a dentist or podiatrist. She and her doctors are unaware of serious unintended drug interactions when combined with her privacy-protected medication.Top Data DamsSome providers, mitigating stringent state and federal privacy laws, seem confused about the HIPAA Individual Right to Access. They provide sensitive data only in paper form. But even if providers want to share data, it is difficult to agree on the identity of the patient and the process to confirm matching, linking and confidentiality requirements. Additionally, apps that allow patients to populate their own information create data quality problems. When and how can patient-entered information be imported to electronic health records? What are the requirements to ensure quality data with provenance for peer-reviewed studies, population safety, and patient care? Significant data obstacles are caused by the lack of rules about who to share with, when and how to share including Levels of Assurance for Identity and Authentication.ENABLE PROVIDERS AND COMMUNITIESGOAL 2 ● Improve patient and provider safety● Increase efficiency● Gather and aggregate comprehensive data from many sources● Provide a common method authenticating trusted health information networks participantsThe Trusted Network Accreditation Program ResolutionThe Trusted Network Accreditation Program requires participants to produce evidence that they meet HIPAA Privacy and Security requirements including enhanced standards to verifying roles and identity, patient linking, permissions, sharing and authentication.7

Page 8

Summary Recent natural disasters demonstrated that electronic health information exchange in emergency situations might be impossible.Real Life ScenarioLong-term care facilities in California wildfires were unable to verify their patients' identity or access their medical records immediately following evacuation. Providing care, without a verified patient and provider identity creates liability risks. Mental health medication, insulin, and even dialysis require prescribing orders. Many facilities do not have electronic health records, and not all patients have hospital records. During Hurricane Maria, in Puerto Rico, officials were unable to determine deaths or health needs as a result of the disaster. Additionally, data regarding immunizations are not credible. Top Data DamsHaving a standardized method to record and maintain the longitudinal patient information is a necessity to allow for improved patient and provider safety. Once again, we find that the need for set patient matching, healthcare network contributor credentialing (ability to be sure those who are sharing/contributing or receiving data on the network are who they say they are), is the core problem. PUBLIC AND POPULATION HEALTHGOAL 3● Provide real-time, quality data collection● Deliver real-time actionable data● Provide privacy-protected, secure access to comprehensive health informationThe Trusted Network Accreditation Program ResolutionThe Trusted Network Accreditation Program provides a “measurement” or standard setting the “Privacy and Security” bar related to the handling of healthcare data. Each participant or “contributor” is required to follow privacy and security rules, to provide evidence that they are who they say they are, and to promote efficient and secure exchange of information to facilitate direct patient care and quality data collection in support of public need.8

Page 9

Summary In today’s healthcare world, those who build healthcare systems that support gathering and exchange do not allow for systems to seamlessly connect to other systems. This includes electronic health record systems, as well as device manufacturers. Real Life ScenarioOur healthy middle-aged patient wants to add fitness information to her favorite provider portal. However, today, only certain devices work with her current provider portal thus requiring her to purchase a different fitness tracker in order to promote data tracking.Another situation is that discharge data from one inpatient provider to a rehabilitation center is not seamless since the providers belong to different healthcare systems. Therefore, instead of having an efficient secure electronic data interchange, the records drop back to paper form and delay delivery of the most appropriate provider care possible. Top Data DamsBecause vendors and device manufacturers are not currently required to follow standard systems life cycle development processes including building Application Programming Interfaces that are “open” and usable by all, systems cannot seamlessly or easily pass data from one to another. Often, if this is desired, someone, usually the patient has to pay for the custom programming to be reworked to meet the goal. OPEN AND ACCESSIBLE APIsGOAL 4 ● Enable open and accessible application programming interfaces (APIs)● User-focused innovation to make health information more accessible● Improve electronic health record usabilityThe Trusted Network Accreditation Program ResolutionThe Trusted Network Accreditation Program requires standard privacy and security rules to be followed including the best practice life cycle development. This means, whether working with an electronic health network system or a medical device, data is moved in and out of that system in the same method. This is similar to how financial data is moved around in today’s world. Promoting the use of standards for this data sharing such as the FHIR (Fast Healthcare Interoperability Resource Specification) standard is also contained within the TNAP program.9

Page 10

ABOUT THE AUTHORSEP3 Foundation a 501(c)3 nonprofit, is a multi-sector community of standards organizations, industry leaders, researchers, and government agencies committed to privacy-preserving data sharing. The EP3 Foundation networks use new data paradigms to give you the power to access, protect, and share data without revealing personal or sensitive information.The Electronic Healthcare Network Accreditation Commission (EHNAC) is a voluntary, self-governing standards development organization (SDO) established to develop standard criteria and accredit organizations that electronically exchange healthcare data. These entities include accountable care organizations, data registries, electronic health networks, EPCS vendors, e-prescribing solution providers, financial services firms, health information exchanges, health information service providers, management service organizations, medical billers, outsourced service providers, payers, practice management system vendors and third-party administrators. The Commission is an authorized HITRUST CSF Assessor, making it the only organization with the ability to provide both EHNAC accreditation and HITRUST CSF certification.Contact us to 10