Webinar: DURSA is too complex to work, and other myths

“It’s difficult to separate health information exchange (HIE) from the matter of trust,” said Steven Gravely, JD, a partner at the law firm of Troutman Sanders, at a webinar titled “Multi-party legal agreements for HIE” during the recent National eHealth Collaborative's Stakeholder Forum.

“You can think about the trust agreements in one of two categories: There are point-to-point agreements, and then there are multi-party agreements,” said Gravely. “Historically, we have had a point-to-point framework. Certainly, it has worked well—it is supporting a lot of data exchange around the U.S. today." Many U.S. parties are in point-to-point agreements.

However, the point-to-point framework for HIE is not scalable on a large-scale basis, said Gravely, adding: “Increasingly, participants in the federal and the non-federal space have come to the conclusion that they are not going to get where they want to be in terms of data exchange using the point-to-point frame work.”

Enter the multiparty agreement framework. The primary benefit of a such an agreement is that it is infinitely scalable and it can accommodate an infinite number of parties. “The drawback is, it’s not as customizable as point-to-point. Instead of two parties, you may have 200 or 300 or 2,000 parties to the agreement, and by definition you do not have a fully tailored, customizable agreement. There must be a consensus among the group” to make multiparty agreements work, he said.

“When we sat down to create the NHIN [Nationwide Health Information Network] a few years ago, we knew the concept was a network-of-networks model. What type of multiparty agreement should we have? How can that be used to support the notion of broad-based exchange within network of networks model potentially nationally?

“The end product was a document, the Data Use and Reciprocal Support AgreementDURSA,” Gravely said.

“The DURSA is a legal agreement, a contract among multiple parties who wish to participate in the lawful and secure exchange of information using a set of interoperability standards and specifications that have been developed through the NHIN,” he said. However, there are some misconceptions among healthcare organizations about the multiparty agreement that facilitates HIE, Gravely said, so he devoted some webinar time to “mythbusting.”

Myth: DURSA is extremely difficult to comply with, and only large sophisticated organizations can comply with its terms. In reality, “the legal requirement is that DURSA requires you comply with laws you’re already subject to and frankly you’re already complying with, he said. "You [also] have to comply with the exchange policies, with the technical specifications."

Myth: If your organization is a NHIN participant, then all users in your organization must sign the DURSA. “That is not correct: If you’re Kaiser, Kaiser has signed the DURSA. That doesn’t mean every contractor or every employee has signed the DURSA,” Gravely said. In addition, he cited Med Virginia, an HIE. “Med Virginia has signed DURSA as a participant. That doesn’t mean its over 1,000 physician users and hospitals have signed it.”

There are “flow-downs”—DURSA provisions that a participant is obligated to be sure are included in employment or user agreements, said Gravely, but most such agreements would already include these provisions. The flow-downs are:
  • Compliance with applicable law;
  • Reasonable cooperation with participant related to exchange issues;
  • Users only submit messages through NHIN exchange for permitted purposes;
  • Use of message content in accordance with terms and conditions of NHIN;
  • Breach notification; (“HITECH requirements are new for all of us, and we’ve all had to go back and work on our agreements to make sure they adhere to HITECH requirements,” Gravely said.)
  • Refrain from password disclosure; and
  • The signatory submits to the authority of the participant for purposes of disciplinary action

Myth: In participating exchanges, all users must report breaches of data within one hour. “That’s not what DURSA says,” Gravely retorted. "Once a participant becomes aware a breach may have occurred, then they are required to report to the Coordinating Committee within one hour."

Entering an HIE agreement might not be a simple procedure, but it’s not as onerous as organizations might think. “DURSA is a multiparty agreement designed for information exchange,” said Gravely. “That’s all it is.”

Around the web

The tirzepatide shortage that first began in 2022 has been resolved. Drug companies distributing compounded versions of the popular drug now have two to three more months to distribute their remaining supply.

The 24 members of the House Task Force on AI—12 reps from each party—have posted a 253-page report detailing their bipartisan vision for encouraging innovation while minimizing risks. 

Merck sent Hansoh Pharma, a Chinese biopharmaceutical company, an upfront payment of $112 million to license a new investigational GLP-1 receptor agonist. There could be many more payments to come if certain milestones are met.