Webinar: Trust Fabric must cover all aspects of NHIN

The Nationwide Health Information Network (NHIN) is a set of policy standards and services that enable the internet to secure meaningful exchange to achieve the objectives of the HITECH Act. However, this “network of networks” won’t succeed unless trust is built into every facet of the information exchange, said Mariann Yeager, NHIN Policy and Governance Lead at the Office of the National Coordinator for Health IT (ONC), and Steven Gravely, JD, a partner at the law firm of Troutman Sanders, during a recent webinar.

The webinar, “The Trust Fabric of the NHIN: Making Exchange a Good Choice,” was presented by the National eHealth Collaborative, as part of its NHIN University webcast series.

The NHIN Workgroup of the HIT Policy Committee was formed in the fall of 2009 “to create set of recommendations around policies and technical framework that allows NHIN to be open to all and to foster innovation,” Yeager said. “Everybody realizes that interoperability is not one size fits all.”

“We needed to make sure there was an environment that was fostering existing exchanges and allowing new exchanges to come forward, but also looking at the types of issues around policies and accountability in the mix,” she said. “Trust was an absolute important underpinning of that activity.”

The group recognized that privacy and security protections are essential, and that trust as an element of information exchange may be implemented differently across organizations, Yeager said. “The framework allows for that variability,” and offers a way to talk about trust in a more substantial way, she added.

The NHIN Workgroup made its recommendations to the HIT Policy Committee on April 21. The group advised that the ONC adopt an overarching trust framework at a national level, not to dictate what states and local entities do, "but to allow a way to talk about and articulate and have a nomenclature around trust,” she said.

The group identified five elements for a national trust framework:
1. Agreed-upon business, policy and legal requirements: All participants will abide by an agreed upon set of rules, including compliance with applicable law and act in a way that protects the privacy and security of the information. Exchange participants must comply with HIPAA and applicable laws. Information exchange is limited to permitted purposes, and participants have a duty to respond to information queries, Gravely said. NHIN permissions are based on digital credentials, and participants must have the necessary operational infrastructure to support exchange, he said.
    2. Enforcement and accountability: Each participant must sign the DURSA and comply with its guideline for suspension and termination. “In a network of networks model, the DURSA agreement codifies [and allocates] risk based on responsibility and a party’s ability to control the activity” if an untoward event causes patient injury or organization harm, said Gravely. Liability limitations are included, he added.

    3. Transparent oversight: Oversight of the exchange activities to assure compliance. Oversight should be as transparent as possible and is handled by the NHIN Exchange Coordinating Committee and Technical Committee. Robust breach reporting requirements are built-in, along with the supporting infrastructure, Gravely said, and “the multi-level dispute resolution process ends up with the Coordinating Committee.”

    4. Identity assurance
    : All participants need to be confident they are exchanging information with whom they intend and that this is verified as part of the information exchange activities. Coordinating Committee vets applications from prospective participants. Every participant signs DURSA, the defining legal document for exchange. “That is foundational to mutual trust--knowing that everyone at the table is operating by the same set of rules and meets the same set of requirements,” Gravely said.

    5. Technical requirements:
    All participants agree to comply with some minimum technical requirements necessary for the exchange to occur reliably and securely. Must adhere to defined specifications and must undergo validation testing and have self-auditing capabilities, said Gravely.

    “We started off with the aspiration that we could create an infrastructure that would make trust a reasonable choice. Now, we have created a model in which trust is a reasonable choice…by finding a way to implement these components of trust into operational, living, breathing documents, procedures and infrastructure, said Gravely.

    “That’s a good thing, because as I read the HITECH Act, it’s no longer optional that we do this: It’s mandatory that we do this if we have any hope [of achieving] the level of operational activity that the HTIECH act requires for healthcare providers as we move forward,” he concluded.

    Around the web

    The tirzepatide shortage that first began in 2022 has been resolved. Drug companies distributing compounded versions of the popular drug now have two to three more months to distribute their remaining supply.

    The 24 members of the House Task Force on AI—12 reps from each party—have posted a 253-page report detailing their bipartisan vision for encouraging innovation while minimizing risks. 

    Merck sent Hansoh Pharma, a Chinese biopharmaceutical company, an upfront payment of $112 million to license a new investigational GLP-1 receptor agonist. There could be many more payments to come if certain milestones are met.