MEDNETWorld.com CEO, John Fraser, has issued an open letter to the ONC regarding certification of health care software. Read it online here.
Archive for May, 2009
Open Letter to ONC on certification of health care software
Wednesday, May 27th, 2009
MEDNET at Bio-World Expo Atlanta, look for us if you are attending!
Monday, May 18th, 2009
MEDNET is off to the worldwide Bio-World Expo in Atlanta (Chris Smith will be representing MEDNET at the event this year). Bio-World 2009 will be packed with great speakers in the research, bio, pharma and clinical trials areas. MEDNET will be attending the breakout sessions, keynotes and events. Send Chris an email if you are attending this year! Email chris.smith@mednetworld.com and we hope to see you there!
What is NHIN?
Monday, May 11th, 2009
By Chris Smith
NHIN, the Nationwide Health Information Network, is the federally backed, secure, interoperable nationwide health information infrastructure that connects all of healthcare. The goal of NHIN is secure data exchange nationwide in a ‘network of networks’ model.
Providers, payors, HIEs, and other healthcare trading partners can derive value from NHIN connectivity, and finally have one connectivity interface for trading partner communication.
The goal of healthcare interoperability and connectivity is not new; however, finally having a standards-based connectivity infrastructure for trading partner connectivity is exciting for the healthcare community. With Federal oversight and Federal agency participation, NHIN is poised for explosive growth in 2009 and beyond! HIEs and provider communities nationwide are connecting or planning their connectivity to and with NHIN.
Healthcare interoperability, with secure nationwide connectivity, saves time and money and improves overall care. NHIN brings a much needed nationwide, secure infrastructure to healthcare.
If you would like to learn more about NHIN, HIEs and HIE building, or privacy and security in a healthcare environment, please register for our FREE Webinar below!
Monthly Webinar – FREE Informational Webinar, registration required – June 11th, 2pm EST
Register on our website by clicking HERE!
What is a Health Information Exchange or HIE?
Monday, May 11th, 2009
By John Fraser, CEO of MEDNETWorld.com
What does HIE stand for?
HIE is the abbreviation of “Health Information Exchange”. In the past an HIE was often referred to as a “Regional Health Information Organization”, or RHIO, but many people believe as we do that the term HIE is more generic and easier to understand, so we’ll use the term “HIE” in the rest of this article. We consider both terms to be synonymous.
What is driving HIEs?
Thirty (30) billion new stimulus dollars are driving HIE formations! Referred to as “Enterprise Integration” in the stimulus bill, these dollars will be available to hospitals and providers starting in 2011, but they require three upgrades (especially for hospitals): (1) that providers wire up internally with “meaningful use” of electronic health records, (2) that they report “clinical quality measures and other measures”, and (3) that hospitals and providers connect to an HIE. While the stimulus dollars are accelerating the HIE movement, many HIEs were springing up even before the stimulus bill passed to focus on better connectivity to improve patient care.
Who is in an HIE?
An HIE is simply a group of hospitals and/or clinics and/or public health or federal and state organizations that want to exchange health care information. There are no rules about what an HIE is or could be. HIE groups can be regional (like the 500 plus participants in the Community Health Information Collaborative in N.E. Minnesota), or national in scope.
How do they work?
An HIE typically provides two basic services to share health care information. The first service allows providers to go online to find where a patient has information stored, such as in their primary care clinic or hospital. In Minnesota this service is called a “Record Locator Service” and is now covered by state law. The second service allows providers, once they know where the patient information is located, to electronically request information on that patient and retrieve the information. HIEs may also support services such as receiving lab results, securely communicating with patients, reporting to public health systems and related services.
An interesting feature of HIEs is their focus on clinical exchanges. This is in contrast to the traditional billing services and clearinghouse services that were the first services to come on-line for health care. While HIEs were traditionally focused on clinical information, Medicare is talking about starting an EDI pilot using the NHIN system that would connect to existing HIEs, so the distinction between traditional billing and EDI services and HIEs may be blurring.
How will HIEs connect together?
Once you build an HIE and start sharing information, you will eventually want to communicate with other HIEs, perhaps in neighboring states or with organizations in other HIEs that you refer patients to. For example, in Minnesota we have a large number of “snow birds”. These are primarily retired Minnesotans who “fly” south to overwinter in their favorite nesting grounds in Arizona and Florida. It would be very convenient if these people could have a seamless exchange of their medical records between their Minnesota clinics, like the well-known Mayo Clinic, and other clinics in Arizona and Florida. To accomplish this type of exchange, the federal government is working on an HIE-to-HIE connector, called the Nationwide Health Information Exchange, or NHIN. It is expected that HIEs will interconnect via the NHIN. This will allow anyone connected to an HIE that is connected to NHIN to communicate with any other HIE across the US. This is an exciting vision!
The future of HIEs
The development of HIEs has been rocky. Many HIEs have struggled with a sustainable business model and others have been internally torn with competitive pressures from competing members. Another problem is scaling HIEs to a national system. While the NHIN provides a model for HIE connectivity, how will individual HIEs grow quickly enough to connect the 500,000+ health care organizations in the US? It is our belief that some type of utility model will have to arise, which will provide services like the electrical “grid”. In this model health care organizations should be able to call up a grid provider and just “plug in” to a state-wide or national HIE, just as a home owner plugs into the electrical grid.
Conclusion
Only time will tell how we’ll connect health care in the US. However, emerging health information exchanges and the new NHIN architecture could provide us with the tools we need to finally wire up health care, just as other industries did long ago!
Privacy and Security in Healthcare & an HIE
Monday, May 11th, 2009
By Jesse Erdmann, CISSP, Semantic Web Architect for MEDNETWorld.com
One of the primary concerns in the public eye when it comes to Electronic Medical Records is the privacy of personal information. Some privacy groups claim the risk is too great regardless of the benefit in both saving lives and lowering health care expenses. Certainly news such as last week’s disclosure by the state of Virginia that its prescription records were accessed, with the perpetrator demanding a ransom for the safe release of the information, does not help move public opinion in a positive direction. In such cases in present day America it’s hard to forget the threat of potential lawsuits.
So, how do you improve the care of and the cost to patients without putting their information and your assets at risk? Learn the basics and ensure the people you work with have the background to do the job right. In this article, Jesse Erdmann, a Certified Information Systems Security Professional (CISSP), will give you a high level introduction to basic security concepts.
The key aspects of security begin with knowing who is trying to access your systems, what they should be allowed to access and being able to prove what they accessed in the future. In security circles, these aspects are known as AAA security services, or authentication, authorization and audit.
Authentication takes primacy in this triumvirate for good reason. Unless you mean for your data to be publicly available, anyone whose identity you are unsure of should not have access to your data. While usernames and passwords have been the de facto standard for authentication over the past decade, there are many problems with such a scheme. Users often have to trade off between having passwords easy enough to remember and yet difficult to guess. These tradeoffs can lead to using insecure passwords, storing difficult passwords in an insecure manner or other behavior that leads to attackers exploiting the system to gain access. The preferred mechanism by security experts is Public Key Infrastructure (PKI). PKI relies on cryptographic credentials being issued to individuals and systems to allow them to prove their identity. These tools are used to protect the most sensitive of military, financial and health information worldwide.
Once a user is positively identified, the next step is to determine what they have access to. This can include simple mechanisms such as firewalls to allow access to certain services or more fine-grained controls to determine what actions a user can perform on a system or what types of data they can access. Usually what is being referred to as authorization in this context is role-based access controls. Users are assigned a set of roles and each role is assigned rights. This helps to simplify the difficult task of managing complex relationships for many individuals. For example, an administrative assistant might be given access to insurance and billing information and the functions to verify eligibility during patient admissions. Meanwhile, a nurse or a doctor would be given access to a detailed medical history including prescriptions, previous test results and diagnoses.
Finally, each action by a user needs to be recorded and non-repudiable. This means that audit logs are treated the same as any other valuable information, regularly backed up and the backups are stored off site. Non-repudiation is another benefit of PKI. By using the credentials provided by the user or system to sign each transmission it can be proved in a dispute that the user or system was indeed the source of the transmission.
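The role-based authorization and audit logging described in the two paragraphs above, shown as an added Python example that is not part of the original article. The role, right and user names are assumptions, users are assumed to be already authenticated, and a SHA-256 hash chain stands in for PKI signatures: it makes later edits to the log detectable but does not by itself give non-repudiation, which needs each entry signed with the user's own credential.

```python
import hashlib
import json

# Role -> rights mapping following the article's two examples (names are assumptions).
ROLE_RIGHTS = {
    "admin_assistant": {"insurance:read", "billing:read", "eligibility:verify"},
    "clinician": {"history:read", "prescriptions:read", "results:read", "diagnoses:read"},
}
# Constructed sample users; their identities are assumed to be authenticated already.
USER_ROLES = {"asmith": {"admin_assistant"}, "drjones": {"clinician"}}

GENESIS = "0" * 64  # "previous hash" value used by the first log entry


def _digest(record):
    """SHA-256 over a canonical JSON encoding of one log record."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log in which every entry carries the hash of the previous one."""

    def __init__(self):
        self.entries = []

    def append(self, user, right, allowed):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "user": user, "right": right,
                  "allowed": allowed, "prev": prev}
        record["hash"] = _digest(record)  # hash covers every field except itself
        self.entries.append(record)

    def verify(self):
        """Return the index of the first altered entry, or -1 if the chain is intact."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or rec["hash"] != _digest(body):
                return i
            prev = rec["hash"]
        return -1


def authorize(user, right, log):
    """Default-deny RBAC check; allowed and denied requests are both logged."""
    rights = set().union(*(ROLE_RIGHTS.get(r, set()) for r in USER_ROLES.get(user, ())))
    allowed = right in rights
    log.append(user, right, allowed)
    return allowed
```

Denied requests are logged as well as granted ones, since repeated denials for one user are often the first sign of misuse.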
This has only been a high level introduction of some of the primary concepts in security infrastructure. Each area has a great deal of depth and many facets to consider. If you’d like to go a little further in your introduction, there are several other good introductions to security including some with a focus on health IT. One I would recommend is Managing Information Privacy & Security in Healthcare: A Primer on Health Information Security by Greer Stevenson.