Where Accreditation Is Due: Building Trust To Spur HIE Adoption

By Lee Barrett, executive director, EHNAC

With Stage 2 Meaningful Use (MU2) deadlines looming, many healthcare providers will be scrambling to meet its key requirement - exchanging patient data. Of course, the challenge is ensuring the security of this Protected Health Information (PHI) when it’s transferred over the Internet within and between new organizational models such as ACOs and via new exchange entities such as Health Information Exchanges (HIEs) and Health Information Service Providers (HISPs). The solution: Reliable, secure transport of PHI between authorized care providers, via an established set of standards, policies, and services - Direct exchange via the Direct Standard.

Directed Exchange 101
In 2010, the Office of the National Coordinator for Health Information Technology (ONC) initiated the Direct Project to create a simple, secure, scalable, standards-based way for trusted entities to share secured PHI. The result, Directed exchange, is healthcare-specific, Internet-based e-mail that uses the Direct standard and a public key infrastructure (PKI) to secure data transmission by assuring:

1. Senders of receivers’ identities;
2. Receivers of the senders’ identities;
3. No modifications to content in transit; and
4. Complete control of PHI by sender and receiver.

The security of PHI, however, rests on four important ‘rights’ – the right senders, sending the right data, to the right receivers via the right entities.

All Directed exchanges include a sender and receiver, typically hospitals, physicians, labs or providers, and an intermediary. The message or file is signed with the sender’s private key, and encrypted with the receiver’s public key. The sender knows the intended receiver is the only one with the private key to decrypt the data; the receiver knows the assumed sender is the only with the unique signature.

The simplest form of Directed exchange is sender-to-receiver, via an electronic courier. Technically, the courier is an intermediary, but encryption and decryption are the responsibilities of the sender and receiver. Because PHI never leaves or enters the organization unencrypted, there’s no place for a data breach.

Intermediaries: Directed exchange middlemen
Some providers and organizations, however, prefer to delegate these tasks to intermediaries – HISPs, Certificate Authorities (CAs), and Registration Authorities (RAs). The sender, the receiver, or both can use a HISP, sending unencrypted PHI to the HISP to encrypt or decrypt accordingly.

Unlike sender-to-receiver Directed exchange, when an intermediary is involved, there’s no way for a sender/receiver to know if its PHI is going to the intended receiver/sender or the intended receiver/sender HISP, which would have multiple receivers/senders. Neither sender nor receiver knows if the PHI encryption/decryption is being done by the other party or by the other party’s HISP. Either party can decide to change HISPs, assume or resume responsibility for encryption/decryption. So, how do the HISPs know that they can trust each other?

It’s an issue of interoperability. Right now, with no overarching accreditation framework, subscribers/providers that don’t use the same HISP must sign detailed security agreements with each other.

For example: Provider A uses HISP1, and wants to send PHI to Provider B. Provider B uses HISP2. Before any PHI can be exchanged between HISP1 and HISP2, Provider A and Provider B must sign a detailed security agreement. With multiple contracts, each slightly different – it’s an extremely expensive, highly inefficient method that can take years to establish.

A better option is Scalable Trust – a universal accreditation framework that allows HISPs to trust each other without contracts.

What are Scalable Trust and accreditation?
Unlike certification, which qualifies technology, and authentication, which validates the senders’ and receivers’ identities, accreditation affirms that the intermediaries – HISPs, CAs and RAs – are using at least the minimum set of established standards, policies and best practices, for a secure exchange.

On the individual level, accreditation assures providers that their PHI is going through a trusted intermediary using Direct exchange. On a global scale, accreditation consolidates the tangled web of provider-to-provider legal agreements into a single network of “Trust Agents” using Direct exchange.

Recently, ONC gave its blessing for accreditation, awarding a grant to DirectTrust.org and the Electronic Healthcare Network Accreditation Commission (EHNAC) to launch the national accreditation program for HISPs, CAs and RAs, while agreeing to work collaboratively with the organizations to further compliance and adoption.

The Direct Trusted Agent Accreditation Program (DTAAP) facilitates security, interoperability and trust among Direct exchange participants by:

• Validating technical, security, trust and business practice conformance of Trust Agents involved in Direct;
• Assuring HISP-to-HISP interoperability among accredited Trust Agents and other Direct participants; and
• Promoting policies and best practices for security and trust, consistent with state and federal law.

Accreditation: Not just for trusted agents anymore
The benefits of accreditation for intermediaries are clear. Accreditation tells users/subscribers the intermediary is a trustworthy directed exchange agent and service provider, and it allows the intermediary to include its anchor certificates in DirectTrust’s Trusted Anchor Bundle Distribution Service, which identifies it as a Trusted Agent to users/subscribers.

For physicians and healthcare organizations – the subscribers and PHI senders/receivers – accreditation means they can use intermediaries, which allows them to exchange PHI safely and securely without having to invest in expensive technology platforms. In addition, providing a secure, scalable, standards-based HIE solution, accreditation allows providers to comply with MU2 mandates and claim incentives.

For EHR vendors, accreditation ensures the interoperability needed to participate – and assure their customers that they can exchange PHR with other EHR systems in HIEs and ACOs. Vendors can provide direct messaging, freeing their customers from having to use portals to communicate with clinics and physicians in other networks that use different HIE software. With MU2 incentives about to expire, vendors must give their customers functionality for interoperability. Accreditation is a competitive imperative and advantage.

For HIEs and ACOs, accreditation eliminates the need for time- and resource-intensive negotiations and bi-directional contracts, facilitating the interoperability essential to widespread – and therefore viable – data exchange to share information with patients, send lab results and alerts, and populate repositories for query-based exchange, among other tasks.

As with meaningful use, incentives are available – but fast disappearing – to offset DTAAP application costs. Now is the time for stakeholders to research what incentives may be available at both local and the federal levels.

The Importance of being interoperable
For meaningful use to deliver meaningful change in healthcare, there must be an effective way to exchange important clinical data. For this, we need interoperability. Direct exchange, with its trust anchors and trust bundles, provides efficient, effective interoperability. DTAAP accreditation raises basic interoperability to the level of trusted data exchange.

Lee Barrett is executive director of the Electronic Healthcare Network Accreditation Commission (EHNAC), a non-profit standards development organization and accrediting body. In partnership with DirectTrust, an organization for participants in the Direct community, EHNAC developed standards for a national accreditation program for health information “trusted agent” service providers, including HISPs, CAs and RAs.