NHIN / HISPC / SLHIE Joint Conference
“Developing Trust Agreements to Support Exchange of Health Information”
Steven D. Gravely, M.H.A., J.D.
Partner and Healthcare Practice Group Leader
Troutman Sanders LLP
Purpose of the DURSA
- Enable the secure exchange of electronic information about individuals for appropriate purposes among persons and organizations involved in the health and care of that individual.
- The exchange could occur with a minimum requirement for human intervention.
- The agreement will clearly spell out rights and responsibilities among the parties and provide for audibility and accountability to maintain the trust of consumers and organizations involved in the exchange.
Nationwide Health Information Network (NHIN)
- Currently most electronic exchange of health data is “point to point”
- Data originator and a data recipient
- Challenges when this differs
- Regulation and/or data use documents define their exchange
- State laws and regulations can usually be applied
- Data originator and a data recipient
- Each network can include multiple organizations and partners with different roles and authorities
- Data exchange can include more than one exchange intermediary
- NHIN data exchange may be between organizations in a region or between different regions or states
NHIN HIEs – Common Trust Agreement
NHIN HIEs – Multiple Data Intermediaries (example)
NHIN - Possible Tools for Ensuring Policies and Standards
- State and federal law and regulations
- Certification (CCHIT) - common functionality, technical security, interoperability
- Accreditation - onsite assessment of implemented policies and practices
- Governance (e.g. AHIC 2.0) - ongoing leadership and supervision of participant relationships
- Data use and reciprocal support agreement (DURSA) - common agreement among participants
Data Use and Reciprocal Support Agreement
- A multi-party agreement among participating HIEs that defines how the HIEs relate to each other
- DURSA is being designed to accommodate many kinds of HIE organizations
- Creates the legal framework within which HIEs can exchange data
- Assumes that each HIE has trust relationships in place with its participants
- Participants expect the HIE to protect their interests when exchanging data with other HIEs
NHIN DURSA Status
- Data use and reciprocal support agreement for “test data” (not PHI)
- Submitted to ONC April 2008
- Data use and reciprocal support agreement for “live, production data”
- November 2008
- Beginning big push to work though issues in multiple federal agencies
Challenges to Development of Trust Agreements
- Compliance with Applicable Federal Law
- HIPAA
- Privacy Act
- FOIA
- Federal Torts Claims Act
- Federal Information Security Management Act
- Reconciliation of and Compliance with Varying State Law
- Health records privacy laws
- Basic contract law
- Accommodation of Multiple Participants
- Structure and Governance
- Capabilities
- Policies and Procedures
Key Components of the DURSA [slide 1 of 6]
- Delineation of “Permitted Purposes” for Exchange
- For what reason can a Participant make a request for data?
- Test Data: only for Trial Implementation Core Services and Use Cases
- Possible Purposes for Live Data:
- Treatment only
- PTO
- Disease management
- Quality assurance
- Research
Key Components of the DURSA [slide 2 of 6]
- Delineation of the Uses of Exchanged Data
- What can a Participant do with data it receives from another Participant?
- Primary use will be along the lines of the “permitted purposes”
- Secondary use: What else can the Participant do with the data?
- Keep as part of record
- PTO
- Re-Disclose
- Research
- Public Health reporting
- Disease management
- Quality assurance
- Research
Key Components of the DURSA [slide 3 of 6]
- HIPAA Compliance
- Exchanging Personal Health Information (PHI)
- Participants are either Covered Entities or Business Associates of Covered Entities
- Compliance with HIPAA Privacy and Security Regulations is essential
- Consent or Authorization
- Will depend on “Permitted Purposes”
- Accommodate differing Participant perspectives and policies
- Account for differing state laws
Key Components of the DURSA [slide 4 of 6]
- Performance Specifications:
- Test Data DURSA incorporates the interoperability performance specifications being developed by the NHIN
- Participants must comply with these specifications
- Specifications for Live Data DURSA have yet to be determined
- Reciprocal Duties
- Duty to only forward data in response to an authenticated request for data from a bona fide Participant
- Duty to respond to a valid request
- For test data, Participants are bona fide by the fact of their participation
- For live data, unclear how Participants will establish bona fides and authenticate request
Key Components of the DURSA [slide 5 of 6]
- Representations and Warranties
- Comprehensive representations and warranties
- Participant warrants that it is sending complete and accurate copy of the information that it has
- Participant represents that it has the authority to exchange the data
- Dispute resolution:
- Test Data DURSA relies first on ONC Trial Implementation Dispute Resolution Process
- Not clear whether the Live Data DURSA will have a first layer of alternative dispute resolution
- Difficult for state and federal Participants
Key Components of the DURSA [slide 6 of 6]
- Entity Protection:
- Not included in Test Data DURSA because use of non-PHI makes risk very small
- Goal for Live Data DURSA is that each Participant is financially and legally protected from damages caused by another Participant’s breach of the DURSA
- Challenge due to restriction on government Participants’ ability to indemnify private parties
- Possibility of differing levels of protection based on the type of breach
Next Steps in Drafting Production Ready DURSA
- Resolve Highest Priority Live Data Issues
- Permitted Purposes
- Uses of data
- Consent and authorization based on Permitted Purposes and Uses
- Entity Protection/Liability
- Reconciliation of conflicting state laws
- Continue Workgroup process for addressing remaining live data issues