The past two weeks of ONC hearings on NHIN have been intense. About as intense as healthcare policy reform can get when it comes to getting multiple sides, both business and government, to agree on standards. The ONC Privacy subcommittee dubbed the 'Tiger Team', was responsible for recommending the technical protocols a patient health record rides on and the business logic of how vendors are to exchange patient data with each other.
Within a very compressed time frame, the Tiger Team's tasks are running on these separate rails.
The transports being discussed are akin to subway lines. I decided to put together a visual depicting a subway system1 that represents all the moving parts being currently debated to make some sense of it.
The colored rail lines are the data protocols up for recommendation to the ONC. Without getting into too much NHIN Direct granularity, what's important here are the subway stations that depict the payload and the types of intermediary patient privacy levels that I had discussed in my last post. The current discussions are a set of four types2 of payloads:
- Direct Connect – This is a direct connection between a sender of data and it's receiver. There are no 3rd party intermediaries involved in this type of exchange.
- Routing Closed PHI – An intermediary is involved but does not access the Personal Health Information (PHI) that's part of the carriage.
- Routing Opens PHI – An intermediary is involved and opens the PHI that's part of the carriage. The need to open the PHI may be due to identifying the patient involved in order to properly route the data. It's unclear if this type of transport stores such information in a separate silo.
- Routing Edits PHI – An intermediary is involved and edits the PHI being sent. This can be a vendor on behalf of the sender or receiver that may scrub the data to properly format it for it's needs. Again, it has yet to be decided if such an entity has been given the right to store such information.
Also up for discussion are the use of certificate authorities. During the June 10th public hearing comment period, I had asked the Tiger Team:
I was referencing the creation of either a government or private accreditation body that would contain these certificates to authenticate the sender of payload.Regarding patient consent, is there an accreditation database container that checks the transaction?
Committee member, Dr. Halamka gives the example of a Verisign like company, a private entity that holds and verifies the certificates for secure SSL website browsing. These entities will need to be far more intelligent as they will also be given the task to verify the healthcare credentials of providers, hospitals and vendors etc.
Of note, the committee is also discussing the transport of data without the use of a certificate, but still encrypted as represented by the dashed lines in the diagram.
The ONC privacy workgroup is a serious exercise in the push and pull politics of States rights versus Federal mandate. During these hearings, each side is careful not to overstep the other, thus avoiding the proverbial train wreck.
