Accountability and enforcement, not just policy, needed to produce trust framework for health information exchange

At yesterday’s monthly meeting of the Health IT Policy Committee, a briefing provided by the leads of the Committee’s NHIN Workgroup described the need for a health information exchange (HIE) trust framework and spelled out five components the workgroup members consider essential to overcoming some of the barriers to greater HIE adoption. Notable among these essential elements is “accountability and enforcement,” which to the NHIN Workgroup means “each participant must accept responsibility for its exchange activities and answer for adverse consequences.” While it may sound obvious, the inclusion of an enforcement mechanism is a significant departure — and in our opinion, a welcome and necessary one — from the trust models articulated for health IT in the past and, more broadly, for healthcare security and privacy requirements in general. More typical is the sort of voluntary compliance model used for HIPAA enforcement: investigations of alleged violators of the HIPAA Privacy Rule or Security Rule are launched in response to complaints filed by patients or other healthcare stakeholders, not as the result of direct monitoring of covered entities’ actions. There are no proactive HIPAA audits performed by the government; while the HHS Office for Civil Rights (OCR) has the authority to conduct “compliance reviews” of covered entities at any time, as a general rule OCR initiates such reviews only after receiving complaints about an entity. This lack of direct monitoring or proactive enforcement is one key reason why there have been so few criminal prosecutions under HIPAA, and such a voluntary violation reporting model does little to instill confidence that the legal obligations and constraints HIE participants agree to when they sign data sharing agreements will actually be followed.

To date, the Nationwide Health Information Exchange (NHIN) governance model has relied on a legal agreement — the Data Use and Reciprocal Support Agreement (DURSA) — that obligates its signatories to be monitored, but no regular monitoring capability is yet in place, and even when implemented, such monitoring will not extend to the individual participants’ own security and privacy practices.

Against this historical backdrop, the notion of specifying security and privacy requirements for HIE participants coupled with enforcement, even within an as-yet conceptual framework, is a positive step forward. It remains to be seen what form this enforcement might take, and similarly whether any sort of technical enforcement or automated compliance monitoring might be sought. The NHIN Workgroup briefing suggests that self-certification and entity self-assertion of compliance may be among the valid means of enforcement, but also implies that organizational monitoring may be employed, whether by government, other HIE participants, third-party authorities, or some combination of these. Absent such objective enforcement, it is hard to see how HIE participants can have sufficient confidence that others will live up to their legal obligations. The operational prerequisites for establishing trust frameworks among disparate entities — especially those with different goals and potentially misaligned business objectives — are a compelling subject area for further research.