Contrasting trust models under development for NHIN and NHIN Direct

The Nationwide Health Information Network (NHIN), a government-sponsored initiative started in 2004 and re-emphasized in the Health Information Technology for Clinical and Economic Health (HITECH) Act, is no longer envisioned as a “network” at all (in the infrastructure sense), but instead as a collection of standards, services, and policies that collectively support the secure exchange of health information between participating entities. The original idea for the NHIN was that public and private sector organizations would benefit from adopting a common set of parameters governing their health data exchanges, and that once a few early adopters went into production using the NHIN, participation would grow rapidly. Instead, due in part to disagreements among different types of potential participants about how NHIN standards should be implemented, and also to concerns about policy incompatibilities between federal and commercial sector entities, there are currently very few organizations in production. The group of state and federal government agencies and a small number of commercial health care entities currently operating health information exchanges using the NHIN are collectively referred to as NHIN Exchange; this exchange is focused on the data exchange needs of federal agencies, to the degree that non-federal participants must join through a federally-sponsored contract. The NHIN has in general been focused on enabling health information exchanges between large organizations, but addressing the data exchange needs of small providers has received greater attention due to the recent focus on meaningful use measures that eligible health care providers must satisfy in order to qualify for financial incentives to acquire and implement electronic health record technology. A core requirement for showing meaningful use is that providers’ EHR technology must be implemented in a way that enables “electronic exchange of health information to improve the quality of health care” (Meaningful Use Notice of Proposed Rulemaking, 75 Fed. Reg. 1850 (January 13, 2010)). In order to enable secure health information exchange among smaller providers, the NHIN Direct project began earlier this year, specifically intended to look to use or expand upon NHIN standards and services to “allow organizations to deliver simple, direct, secure and scalable transport of health information over the Internet between known participants in support of Stage 1 meaningful use.”

Without delving into the details of all the standards and services and use cases that the NHIN and NHIN Direct are seeking to support, one very noticable difference between the two initiatives is in the area of trust. Participants working on both initiatives agree that trust is an essential aspect of any solution, because health care entities — large or small — are not expected to participate in any health information exchange unless they feel they can trust the other participants and any third parties involved in operating or managing or overseeing the exchange. While everyone seems to agree that such trust is important, the approach each initiative is taking with respect to trust is quite different. In particular, the basic trust model proposed for NHIN Direct is much more explicit than the trust framework being developed for the NHIN in terms of what “trust” actually means in a health information exchange context, and on the extent to which participants involved in a multi-party exchange can agree on policies, standards, and controls intended to support trust. Both programs tend to use the word “trust” incorrectly, as the results sought from their trust models and frameworks include confidence, reliability, assurance, or even surety but don’t really even begin to address establishing the trustworthiness of a given entity that would help another decide to accept the risk of engaging in an exchange with the other based on expectations about how the trusted entity will behave. This may be due to implicit assumptions about the interests of different would-be participants in health information exchanges, or because insufficient weight is given to the manner in which participants can establish their trustworthiness, or perhaps too little attention is focused on the very real distrust that exists between potential HIE participants.

To its credit, the NHIN Direct project candidly acknolwedges that different policies and assumptions will apply to different participants in different contexts, so the NHIN Direct basic trust model limits the scope of what any assertion of trust actually covers, and allows for the possibility (even the expectation) that a given organization may participate in multiple exchanges governed by different sets of policies or rules. The NHIN Direct approach has no central authority to assert trustworthiness of participants, and no trust-by-default among participants. NHIN Direct participants are expected (if not quite obligated) to make their own determinations about the relative trustworthiness of others. The NHIN Direct Security and Trust Workgroup’s keys for consensus summary addresses “only the level of trust necessary to establish confidence that the transmitted message will faithfully be delivered to the recipient, not that the two parties trust or should trust each other; this definition of trust is to be defined by source and endpoint out of band, and may be facilitated by entities external to the NHIN Direct specifications.”

By contrast, the NHIN Exchange in particular and the NHIN trust framework in general relies on a central (or root) authority that makes determinations of trustworthiness for all potential participants, and presumably only allows participation by trustworthy entities. There is not currently a standard set of criteria to serve as the basis for determining trustworthiness, but when and if such criteria exist, they are expected to address at least the minimum technical requirements a participant must satisfy, along with providing identity assurance, and articulating the business, policy, legal, and regulatory requirements that apply to participants. The health information exchange trust framework recommended in April by the Health IT Policy Committee’s NHIN Workgroup comprised five key components:

1. Agreed Upon Business, Policy and Legal Requirements / Expectations
2. Transparent Oversight
3. Enforcement and Accountability
4. Identity Assurance
5. Minimum Technical Requirements

NHIN participants sign a legal document called the Data Use and Reciprocal Support Agreement (DURSA) which is intended to serve as a master trust agreement applying the same permissions, obligations, expectations, and constraints to all exchange participants in all of the information exchange contexts it covers (treatment, payment, health care operations, public health activities, reporting on clinical quality measures, and other uses authorized by individuals to whom the data pertains). By executing the DURSA, participants don’t actually agree to trust each other, but they do agree to acknowledge and accept that different participants may have different policies, practices, and security controls such as system access policies. This means that a participant must rely on the determination of the NHIN governing authority (who approved applicants for participation) that the policies and controls used by an approved participant are sufficiently robust, and gives participants no real ability to question the approach that another participant takes to things like security. The reliance on a legal contract (the DURSA) and a planned monitoring, oversight, and enforcement function strongly suggests that what the NHIN has produced is a distrust framework, rather than one based on trust. While that might not sound as nice, if the scope of participation for the NHIN continues to include many different types of participating entities, many of which may have conflicting organizational interests, a common level of trust may never be established, so an approach designed to achieve cooperation despite distrust may be precisely what’s needed.

The intent to use a single overarching trust model for the NHIN is based on assumptions of feasibility:  if NHIN participants someday number in the hundreds or even thousands, negotiating trust between pairs or among small sub-sets of all those participants just isn’t practical. By positioning a common, trusted authority in the center, all that should be required to achieve trust throughout the NHIN is for each participating entity to establish a trust relationship with the NHIN governing authority (which at present means with the NHIN Coordinating Committee within the Office of the National Coordinator, but its governance role is considered interim pending the formalization of a permanent NHIN governing authority). It’s not entirely clear how such bilateral trust agreements can be made with the many different organizational interests represented by the different types of organizations (providers, insurers, researchers, agencies) that might seek to participate in the NHIN, to say nothing of the interests of the patients whose data would be exchanged by those entities. It does seem logical that working through a central agent — either a vested organization like ONC or a neutral network facilitator — would have better success in negotiating trust than if all the participants tried to reach consensus on a multilateral agreements. However, given the significant time and energy that many people have put into thinking about and trying to resolve issues like harmonizing the security and privacy requirements that apply to federal and private sector entities, both categories of which may or may not be covered by HIPAA, it is also understandable why the NHIN Direct Security and Trust Workgroup declared that “real world evidence suggests that achieving global trust is not practical.” While NHIN Direct is not primarily intended to effect changes in the approach or structure of the broader NHIN, it would be nice to see the development of the trust framework currently under consideration within the Health IT Policy Committee take some practical guidance on trust from NHIN Direct.