Webinar: DURSA is too complex to work, and other myths

Mary Stevens | | Health Exec | Informatics
“It’s difficult to separate health information exchange (HIE) from the matter of trust,” said Steven Gravely, JD, a partner at the law firm of Troutman Sanders, at a webinar titled “Multi-party legal agreements for HIE” during the recent National eHealth Collaborative's Stakeholder Forum.

“You can think about the trust agreements in one of two categories: There are point-to-point agreements, and then there are multi-party agreements,” said Gravely. “Historically, we have had a point-to-point framework. Certainly, it has worked well—it is supporting a lot of data exchange around the U.S. today." Many U.S. parties are in point-to-point agreements.

However, the point-to-point framework for HIE is not scalable on a large-scale basis, said Gravely, adding: “Increasingly, participants in the federal and the non-federal space have come to the conclusion that they are not going to get where they want to be in terms of data exchange using the point-to-point frame work.”

Enter the multiparty agreement framework. The primary benefit of a such an agreement is that it is infinitely scalable and it can accommodate an infinite number of parties. “The drawback is, it’s not as customizable as point-to-point. Instead of two parties, you may have 200 or 300 or 2,000 parties to the agreement, and by definition you do not have a fully tailored, customizable agreement. There must be a consensus among the group” to make multiparty agreements work, he said.

“When we sat down to create the NHIN [Nationwide Health Information Network] a few years ago, we knew the concept was a network-of-networks model. What type of multiparty agreement should we have? How can that be used to support the notion of broad-based exchange within network of networks model potentially nationally?

“The end product was a document, the Data Use and Reciprocal Support AgreementDURSA,” Gravely said.

“The DURSA is a legal agreement, a contract among multiple parties who wish to participate in the lawful and secure exchange of information using a set of interoperability standards and specifications that have been developed through the NHIN,” he said. However, there are some misconceptions among healthcare organizations about the multiparty agreement that facilitates HIE, Gravely said, so he devoted some webinar time to “mythbusting.”

Myth: DURSA is extremely difficult to comply with, and only large sophisticated organizations can comply with its terms. In reality, “the legal requirement is that DURSA requires you comply with laws you’re already subject to and frankly you’re already complying with, he said. "You [also] have to comply with the exchange policies, with the technical specifications."

Myth: If your organization is a NHIN participant, then all users in your organization must sign the DURSA. “That is not correct: If you’re Kaiser, Kaiser has signed the DURSA. That doesn’t mean every contractor or every employee has signed the DURSA,” Gravely said. In addition, he cited Med Virginia, an HIE. “Med Virginia has signed DURSA as a participant. That doesn’t mean its over 1,000 physician users and hospitals have signed it.”

There are “flow-downs”—DURSA provisions that a participant is obligated to be sure are included in employment or user agreements, said Gravely, but most such agreements would already include these provisions. The flow-downs are:
  • Compliance with applicable law;
  • Reasonable cooperation with participant related to exchange issues;
  • Users only submit messages through NHIN exchange for permitted purposes;
  • Use of message content in accordance with terms and conditions of NHIN;
  • Breach notification; (“HITECH requirements are new for all of us, and we’ve all had to go back and work on our agreements to make sure they adhere to HITECH requirements,” Gravely said.)
  • Refrain from password disclosure; and
  • The signatory submits to the authority of the participant for purposes of disciplinary action

Myth: In participating exchanges, all users must report breaches of data within one hour. “That’s not what DURSA says,” Gravely retorted. "Once a participant becomes aware a breach may have occurred, then they are required to report to the Coordinating Committee within one hour."

Entering an HIE agreement might not be a simple procedure, but it’s not as onerous as organizations might think. “DURSA is a multiparty agreement designed for information exchange,” said Gravely. “That’s all it is.”

Mary Stevens

Related Content

Alabama security breach exposes personal information of cardiologists, heart patients
AI helps cardiologists deliver personalized healthcare—but there is still plenty of work to do
Best in KLAS 2024: New rankings for cardiovascular information systems, hemodynamic solutions
Best in KLAS 2024 rankings released, showcasing medical imaging IT systems
Cloud image storage for radiology is a growing trend in healthcare
Indiana hospitals reduce nuisance alerts by 77% with medication decision support software

Around the web

Cardiovascular Business
Payment cuts and beyond: Key takeaways for cardiologists from the 2025 Medicare Physician Fee Schedule

The American College of Cardiology has shared its perspective on new CMS payment policies, highlighting revenue concerns while providing key details for cardiologists and other cardiology professionals. 

AI in Healthcare
A modest proposal to rally AI regulators around a simple game plan

As debate simmers over how best to regulate AI, experts continue to offer guidance on where to start, how to proceed and what to emphasize. A new resource models its recommendations on what its authors call the “SETO Loop.”

Cardiovascular Business
FDA commissioner urges clinicians to join fight against medical misinformation

FDA Commissioner Robert Califf, MD, said the clinical community needs to combat health misinformation at a grassroots level. He warned that patients are immersed in a "sea of misinformation without a compass."

Design by Adaptive Theme
Trimed Popup
Trimed Popup