Comments Regarding ONC RFI – Conditions for Trusted Exchange
June 27, 2012
Dr. Farzad Mostashari
Office of the National Coordinator for Health Information Technology
Attn: Governance RFI
Department of Health and Human Services
Hubert H. Humphrey Building, Ste. 729D
200 Independence Avenue, SW
Washington, DC 20201
RE: Nationwide Health Information Network: Conditions for Trusted Exchange, Request for Information
The American Clinical Laboratory Association (“ACLA”) is pleased to submit this response to the Office of the National Coordinator for Health Information Technology’s (“ONC’s”) Request for Information on Nationwide Health Information Network: Conditions for Trusted Exchange.1 ACLA is an association representing clinical laboratories throughout the country, including local, regional, and national laboratories. As providers of millions of clinical diagnostic laboratory services each year, ACLA member companies are involved in health information exchange activities across the country and will be impacted directly by the governance mechanism for the nationwide health information network which the ONC is contemplating.
Certain ACLA members believe that ONC’s nationwide governance approach may be premature, given the recent and ongoing maelstrom of Health Information Technology (“HIT”) developments, including standards and vocabulary development, “meaningful use” Stage 1 and the transition to Stage 2, ICD-10, electronic prescribing, Health Information Portability and Accountability Act (“HIPAA”) disclosure accounting and breach notification rules, and so on. Some feel that a new governance and validation approach may disrupt existing and near-term exchange efforts. Although ACLA understands that the ONC is directed by the Public Health Service Act to establish a governance mechanism for the nationwide health information network, it is not required to do so by a particular deadline.2 ONC has not articulated a need for national governance standards or for federal government involvement in health information exchange at the moment, and ACLA suggests that the ONC consider a longer-term approach to developing the governance standards.
If the ONC decides to proceed in the near-term on the development of nationwide governance standards, however, it is important for ONC to remember that laboratories are critical stakeholders in health information exchange and should have a “seat at the table” when major policy decisions are made about such information exchange. As you know, laboratory test results comprise a majority of most patients’ medical records in the United States and those results inform medical decision-making in most cases. As such, ACLA believes it is important to recognize the
vital role that clinical laboratories play in health information exchange and to involve laboratories in developing and implementing a nationwide health information network.
Importantly, ACLA believes that ONC should declare that clinical laboratories are among the entities eligible to be Network Validated Entities (“NVEs”) responsible for performing electronic exchange services in accordance with adopted Conditions for Trusted Exchange (“CTEs”). Many laboratories already facilitate information exchange among various entities, and although laboratories should not be required to obtain NVE status, they should have the option to do so.
Below are ACLA’s responses to several of the questions posed in the Request for Information (“RFI”); we have responded to them in the order that they appear in the RFI rather than their order of importance to ACLA. We welcome a continuing dialogue with the ONC, the HIT Policy Committee, and the HIT Standards Committee on these issues of great importance to clinical laboratories.
Question 1: Would these categories comprehensively reflect the types of CTEs needed to govern the nationwide health information network? If not, what other categories should we consider?
Response: ONC should consider adding an additional category related to minimum standards for functionality to ensure that NVEs are able to meet the requirements for different exchange purposes and that they meet baseline requirements.
Question 2: What kind of governance approach would best produce a trusted, secure, and interoperable electronic exchange nationwide?
Response: ACLA favors an industry-based nomination process so that trusted organizations and individuals who are known within their own communities are represented. Additionally, minimum governance and position requirements could help ensure that a wide variety of stakeholders are represented.
Question 3: How urgent is the need for a nationwide governance approach for electronic health information exchange? Conversely, please indicated if you believe that it is untimely for a nationwide approach to be developed and why?
Response: ACLA members have been at the forefront of electronic information exchange and do not oppose broadening the reach of such exchange, nor do they want to impede the progress or natural maturing of health information exchange. Nonetheless, as we indicated above, some of our members remain concerned about keeping pace with the myriad HIT changes and requirements at the federal and state levels. We ask that, before developing a Notice of Proposed Rulemaking on a governance mechanism, ONC articulate its rationale for moving ahead now with a governance mechanism and/or consider an approach that is phased in over five-to-ten years.
Question 6: How could we ensure alignment between the governance mechanism and existing State governance approaches?
Response: The Department of Health and Human Services (“HHS”) could seek to align State governance approaches with the approach of the nationwide health information network by creating compelling incentives for States to conform their approaches to the national model. Additionally, the national governance approach should adopt the best aspects of State governance mechanisms, and ONC would learn the most about the best State approaches by actively recruiting State representatives to serve on its advisory committees and encouraging broad State participation in the governance structure.
Question 10: Should the validation method vary by CTE?
Response: No, the validation method should not vary by CTE.
Question 12: What would be the potential impact of this accreditation/validation body model on electronic health information exchange, in particular, on the volume and efficiency of exchange in local health care markets and provider confidence? What is the best way to maximize the benefit while minimizing the burden on providers or other actors in the market?
Response: ACLA members are concerned that the validation process, which includes a two year development cycle for a CTE, could be burdensome, expensive, time-consuming, and may interfere with efficiency in the short-term rather than enhance it. A longer-term approach to implementing the governance model over five-to-ten years would be more reasonable.
Question 13: Should there be an eligibility criterion that requires an entity to have a valid purpose (e.g., treatment) for exchanging health information? If so, what would constitute a “valid” purpose for exchange?
Response: Eligibility for NVE status should not be conditioned upon the purpose of the exchange of information. There are numerous legitimate purposes for health information exchange, and enumerating a limited number of purposes for which health information could be exchanged by an NVE could limit the value of the NVE’s services to other entities. Eligibility for NVE status should, instead, be conditioned on an entity’s commitment to adhere to HIPAA, its implementing regulations, and other applicable laws with respect to permissible uses and disclosures of information. To the extent that an NVE already is a “Business Associate” under HIPAA, a valid purpose already should exist for providing the entity with access to protected health information (“PHI”). However, there ought to be clearer rules about what individually-identifiable health information (“IIHI”) an exchange may ask for and what proof it must provide (e.g., physician consent, patient authorization) to those it asks to share that information.
Question 15: Are there other eligibility criteria that we also should consider?
Response: ONC should state clearly that, in addition to those enumerated entities who could qualify as NVEs,3 clinical laboratories also could be NVEs but would not be required to do so.
Question 16: Should eligibility be limited to entities that are tax-exempt under section 501(c)(3) of the IRC? If yes, please explain why.
Response: ACLA does not believe ONC should limit NVE status only to tax-exempt entities; both non-profit and for-profit entities should be eligible. Financial stability of entities facilitating electronic exchange is important, and limiting NVE eligibility to non-profits would limit the number of entities and the number of financially sustainable entities that could qualify. This would needlessly stunt the growth of health information exchange.
Question 17: What is the optimum role for stakeholders, including consumers, in governance of the nationwide health information network? What mechanisms would most effectively implement that role?
Response: Clinical laboratories are important stakeholders in any health information exchange because of the central role that laboratory results play in medical decision-making and because of the enormous volume of health information exchanged electronically that is related to laboratory tests. Laboratories should be represented and have responsibility for governance of the nationwide health information network, and laboratories’ perspectives should be heard and accorded the proper weight when governance decisions are being made.
ACLA is concerned that neither the HIT Policy Committee nor the HIT Standards Committee has had a representative from the clinical laboratory community since the committees were conceived. The importance of the policies made by these entities and their relevance to electronic health exchange call for the inclusion of laboratory representatives. As ONC may be aware, laboratory testing is the basis for 70 percent of medical decisions but accounts for less than three percent of federal health care spending. As such, there is a significant role for clinical laboratories to assist with the development of more integrated networks of information exchange that provide the most relevant information to health care providers for the patient’s benefit.
Question 18: What are the most appropriate monitoring and oversight methods to include as part of the governance mechanism for the nationwide health information network?
Response: The most appropriate monitoring and oversight methods would be written self- appraisals with self-monitoring with regard to the conditions for trusted exchange (“CTEs”) and associated standards or specifications, including internal standards of operation. Also, an accreditation entity or ONC could provide oversight with respect to NVE verification requests or other inquiries.
Question 20: What limits, if any, would need to be in place in order to ensure that services and/or activities performed by NVES for which no validation is available are not misrepresented as being part of an NVE’s validation? Should NVEs be required to make some type of public disclosure or associate some type of labeling with the validated services or activities they support?
Response: The correct approach depends on whether an NVE is accredited merely as an entity or with respect to its functions and services. Accreditation according to functions and services would support the integrity of validation better. One approach is to require an NVE to identify the functions and services of its exchange that have received accreditation; if new ones are added or modified, re-validation could be required.
Question 21: How long should validation status be effective?
Response: Validation status should be effective for no longer than 5 years, given the evolutionary path of NVEs, changing technologies, and the maturity and evolution of the regulatory framework, particularly as it relates to consumers.
Question 23: Are there other security frameworks or guidance that we should consider for this CTE? Should we look to leverage NISTIR 7497 Security Architecture Design Process for Health Information Exchanges? If so, please also include information on how this framework would be validated.
Response: ACLA does not believe there is any need for other security requirements, and imposing other requirements may make interoperability more complex, expensive, and/or inefficient. The RFI contemplates at least HIPAA and other standards for NVEs, and we agree with the concept that NVEs should be held to HIPAA privacy and security standards (indeed many already may be subject to those standards as Business Associates of HIPAA-covered entities).
Question 26: With respect to this CTE as well as others (particularly the Safeguards CTEs), should we consider applying the “flow down” concept in more cases? That is, should we impose requirements on NVEs to enforce upon the parties for which they facilitate electronic exchange, to ensure greater consistency and/or compliance with the requirements specified in some CTEs?
Response: The flow-down concept should be applied only when exchange participants are better positioned to perform the function than is the NVE. If the flow-down concept is applied when a participant is incapable of performing the function, health information exchange could be hindered. Flow-down would not be appropriate for authenticating, e.g., individual authorization to disclose PHI. However, if the CTE refers solely to the authentication and authorization of an exchange participant’s own personnel’s access to information or functionality, application of the concept should not be problematic.
Question 27: In accommodating various meaningful choice approaches (e.g., opt-in, opt- out, or some combination of the two), what would be the operational challenges for each approach? What types of criteria could we use for validating meaningful choice under such approach? Considering some State have already established certain “choice” policies, how could we ensure consistency in implementing this CTE?
Response: As indirect health care providers, clinical laboratories typically have no contact with patients and often receive inadequate demographic data on test orders to verify individual patient identity sufficiently to allow or disallow the patient’s data from being provided to an NVE. As a result, clinical laboratories typically are incapable of obtaining individual consent under either an opt-in or opt-out model. Currently and historically, clinical laboratories provide data to health information exchanges under authorization from ordering providers (at the provider level, rather than patient by patient), and any “blocking, hiding, or other access management” to a particular patient’s data is the responsibility of the exchange itself. ACLA believes that this approach should be maintained. Our members believe that opt-out models provide meaningful choice without the significantly reduced participation levels that opt-in models typically yield.
Question 33: Would an NVE be able to accurately disclose all of the activities it may need to include in its notice? Should some type of summarization be permitted?
Response: Current HIPAA privacy rules should be sufficient, and their use would cut down on duplication and/or conflicts with new requirements developed as part of the governance mechanism.
Question 35: Should this CTE require that an NVE disclose its activities related to de- identified and aggregated data?
Response: ACLA does not see any reason to disclose activities related to de-identified and/or aggregated data, as long as those activities comply with HIPAA requirements.
Question 37: What impact, if any, would this CTE have on various evolving business models? Would the additional trust gained from this CTE outweigh the potential impact on these models?
Response: This CTE, prohibiting the use or disclosure of de-identified data for any commercial purpose, would have a negative effect on evolving business models for health information exchange and should be rejected. De-identified information can be used for numerous legitimate purposes that have a commercial application. Health information exchange will not develop and mature without financial sustainability, and commercial use of de-identified information is one way to bolster the financial position of exchanges. ACLA does not believe that whatever additional trust that might be gained through this CTE would outweigh the negative impact.
Question 38: On what other entities would this have an effect?
Response: Any other entity supplying information to the NVE also would be affected, because NVEs that cannot commercialize de-identified data will be unwilling to purchase it from those who have it.
Question 39: What standard of availability [for exchange services], if any, is appropriate?
Response: ACLA believes that NVE service offerings that are considered alternatives to existing regulated services must adhere to whatever applicable regulatory requirements exist for availability. As more health care providers opt to receive information directly from NVEs instead of from clinical laboratories themselves, the existing applicable standards and the exchange standards may have to evolve.
Question 41: If an NVE were to honor an individual’s request for a correction to the unique set of IIHI that it maintains, what impact could such a correction have if the corrected information was accessible by health care providers and not used solely for the NVE’s own business processes?
Response: ACLA believes that NVE should not be involved in correcting IIHI that came from another source, and allowing an NVE to correct IIHI might result in inconsistent data sets. Any corrections to IIHI (or determinations whether or not to correct it) should be made by the original source of the information, which is in a position to evaluate the correction request.
Question 43: What method or methods would be least burdensome but still appropriate for verifying a treatment relationship?
Response: An entirely new method is unnecessary; an NVE should comply with HIPAA requirements.
Question 44: Are there circumstances where a provider should be allowed to access through the NVE the health information of one or more individuals with whom it does not have a treatment relationship for the purpose of treating one of its patients?
Response: As a threshold matter, we believe the ONC and the HHS Office for Civil Rights should provide joint guidance on whether an NVE should be permitted to provide access to a health care provider to IIHI on an individual with whom it does not have a treatment relationship. That having been said, we can think of several instances in which a provider would need access to such information. One such circumstance would be when a physician is treating an individual who has been exposed to a body fluid of another person who does or may have a serious infectious disease, such as HIV. If the physician is given more information about the person with the disease, he or she can more effectively treat his patient. Another circumstance would be a physician treating a patient with a possible genetic disease. The physician could more effectively diagnose and perhaps treat the disease with information about the patient’s family members.
Question 49: Should we adopt a CTE that requires NVEs to employ matching algorithms that meet a specific accuracy level or a CTE that limits false positives to certain minimum ratio? What should required levels be?
Response: Our members are reluctant to recommend adopting specific required matching algorithms as opposed to having providers adopt the algorithms that, in their own judgment, are appropriate to their databases.
Question 52: Should this CTE be limited to only preventing one NVE from imposing a financial precondition on another NVE (such as fees), or should it be broader to cover other instances in which an NVE could create an inequitable electronic exchange environment?
Response: The issues or fees and financial preconditions must be addressed broadly, including the amount of the fees and financial or other preconditions that providers of information, such as laboratories, must meet to provide information to an NVE. Due to market penetration or for other reasons, NVEs could be in a position to control patient and provider access to an exchange and could use exorbitant fees as a way to limit what should be an open exchange mechanism. There should be a fair and open approach to participation in NVEs and charges should be imposed on all parties and participants in a non-arbitrary basis related to the NVE’s costs. We feel there should be some way to appeal denials of access or exorbitant fees and financial preconditions imposed by NVEs.
Question 56: Which CTEs would you revise or delete and why? Are there other CTEs not listed here that we also should consider?
Response: Condition [S-6] should be deleted, and Condition [S-10] should be revised or deleted, for the reasons explained in our responses to Questions 37, 38, and 44, above. One CTE that is not included in the RFI and that should be considered is a condition that an NVE must ensure that its standards, implementation specifications, and operations comply in all respects with the Clinical Laboratory Improvement Amendments (“CLIA”). One example of the importance of this condition is that laboratories are obligated under CLIA to have an adequate manual or electronic system in place to ensure test results and other patient-specific data are sent accurately and reliably from the point of data entry (whether interfaced or entered manually) to the final report destination in a timely manner.4 Where an NVE serves as an intermediary between a laboratory and the final destination of test results, the laboratory would be unable to meet its obligation under CLIA unless the NVE provides validation of its receipt and delivery of results.
Question 62: Should we consider a process outside of our advisory committees through which the identification and development to frame new CTEs could be done?
Response: If clinical laboratories continue to be excluded from direct representation on the ONC advisory committees, ACLA urges ONC to consider a process outside its advisory committees to develop CTEs with adequate laboratory input.
We look forward to continuing to work with ONC to develop and facilitate the exchange of clinical laboratory data and other health information in a nationwide exchange network. Thank you for your consideration of ACLA’s comments.