Case Study: Minn. HIE's Security Plan
Why HIE-Bridge Uses Digital Certificates, Federated Model
"We use a true federated model," says John Fraser, CEO of ApeniMED, the technology vendor for the project. "All of the clinical data that we exchange is taken from a hospital or clinic's clinical system and then encrypted and moved to another facility." This approach was taken, he explains, "because members didn't want any data copied out of their systems to a central location or to a location that wasn't under their control."
This approach makes sense for Minnesota because participating organizations indicated as far back as 1999, in the early stages of what was later to become the HIE, that "they wanted to control their own data," stresses Cheryl Stephens, Ph.D., CEO of Community Health Information Collaborative. "You have to spend time developing the trust of the stakeholders you work with," she says. "Otherwise, it doesn't matter what you build; they won't use it."
The collaborative, which runs HIE-Bridge, the statewide exchange, recently consolidated its operations with the Minnesota Health Exchange, which formerly ran another HIE in the state.
Other HIE Models
Unlike HIE-Bridge, which uses a federated model, some statewide HIEs, including HealthInfoNet in Maine, have created centralized data repositories to ease access to patient data.
And other HIEs, including the MetroChicago HIE now in development, are relying on various cloud computing models.
"Our architecture will be a centralized data repository, although it will be logically federated so organizations who are participating in the HIE can put a copy of their data in that [cloud] repository, yet retain ownership and control of their own data," says Terri Jacobsen, director of the Chicago HIE. "The reason we wanted to do that is because there would be improved performance, especially because everyone is interested in being able to do real-time queries across patient cohorts of populations to see what's going on in public health."
But Fraser argues that the true federated model makes it far easier to accommodate additional participants and control access to data to protect privacy. "We can add hundreds of organizations without synchronizing data or copying data or exposing information," he says.
How HIE-Bridge Works
HIE-Bridge now has 10 participating healthcare organizations that represent more than 100 provider sites, including hospitals, clinics and long-term care facilities.
In the first phase of its rollout, HIE-Bridge focused on offering a record locator service through a secure portal. The service enables clinicians, especially those who work in hospital emergency departments, to make a query to determine whether information about a particular patient is available at any of the organizations linked to the HIE. Then the inquiring clinician can call the hospital that has the patient's data to request access.
In the second phase of the rollout, which began at one site last week, clinicians are using the HIE's secure portal to download a clinical summary document with such information as immunizations, procedures, visit dates, medications and healthcare directives.
HIE-Bridge also recently linked to the U.S. Social Security Administration using the emerging Nationwide Health Information Network standards. In that project, the Social Security Administration is using the HIE to query participating organizations for a continuity of care record to support disability determinations. Earlier, the collaborative was a pilot site for the NwHIN standards.
Security Measures
Using the federated approach requires a heavy reliance on such technologies as digital certificates for authentication and encrypted messages to ensure patient information remains private.
To log on to the HIE-Bridge's secure portal, organizations must present their digital certificate, rather than just a user name and password. "It's the approach we were all very comfortable with because it gives us a good audit trail and it's a good way to make sure anyone requesting information is identified down to the user level," Stephens says.
ApeniMED serves as the certificate authority that grants the digital certificates to individuals, who are assigned role-based access to information, Fraser explains. Once users are authenticated with the certificates, communications are encrypted every step of the way.
Patti Dodgen, CEO at Hielix, a consulting firm that works with HIEs, predicts that most HIEs eventually will adopt digital certificates because they enhance security. "Most HIE vendors ... are going with digital certificates and multi-level user authentication procedures. That is really going to become the de facto standard at some point."
Patient Consent Issue
HIE-Bridge's privacy and security policies were dictated, in part, by Minnesota state regulations, which spelled out, for example, that patients must be given the opportunity to opt out of having their records exchanged.
When a patient receives various consent forms or a notice of privacy practices, they receive information about the opportunity to opt out of health information exchange. Staff at hospitals and clinics have been trained about how to answer patients' questions and educate them about the HIE, says Melinda Machones, director of projects for HIE-Bridge.
Following Minnesota's approach, the Maine legislature recently spelled out guidelines for a similar opt-out model for patient consent, rejecting the opt-in model, which calls for patients to give their explicit permission before any information can be exchanged. Hospitals and clinics told Maine legislators the opt-in model would prove impractical and would lead to fewer patients participating in the statewide HIE.