HIT Policy Committee

Nationwide Health Information Network Governance Workgroup
Appendix: Supporting Details to Recommendations
Presented to the HITPC on 12/13/10
Draft 12/10/10 v5

Pre-Decisional Draft
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

Appendix: Table of Contents
1. 2. 3. 4. 5. 6. Governance principles and functions NW-HIN as preferred approach Federal, ONC and shared responsibilities Conditions of Trust and Interoperability Validation Public comments

Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

Recommendations to the HITPC 10/20/10


NW-HIN Governance Principles (1)
1. Transparency and openness
± Maximize to extent possible in developing governance; in the structures, standards, services and policies, including privacy protections themselves; in information sharing, oversight, enforcement and accountability. ± Support engagement of the general public and those exchanging information.

2. Inclusive participation and adequate representation
± Explicit preference for inclusion of diverse stakeholders over exclusion. ± Permit and encourage robust participation in governance by diverse stakeholders, including consumers. If necessary for scalability, support representative models.
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

NW-HIN Governance Principles (2)
3. Effectiveness and efficiency
± Form should follow function. Functions should be conducted with goal of maximizing efficiency and effectiveness. ± Responsiveness and minimization.

4. Accountability
± Participating stakeholders and governance mechanisms should be accountable and, as part of the national health agenda, be understood to have some responsibility to the nation at large.

Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

NW-HIN Governance Principles (3)
5. Federated governance and devolution
± Multiple functions may be distributed across multiple entities, with national-level coordination. ± Decisions should be made by those closest to the issue and with the greatest stake in successful resolution and NW-HIN goals. ± Federal government should perform those functions that require centralized governmental control, particularly in areas essential to maintaining public trust and assuring the NW-HIN meets stated national HIT goals.



Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

NW-HIN Governance Principles (4)
6. Clarity of mission and consistency of actions
± Rights, responsibilities and obligations should be welldocumented and clear to all stakeholders. Consistency in decision-making is helpful for stakeholder planning, but should not be an obstacle to innovation or improvement.

7. Fairness and due process
± Governance must be fair to those that participate or are affected by governance decisions. Governance processes should include due process to assure fairness and responsiveness.

Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

NW-HIN Governance Principles (5)
8. Promote and support innovation
± Governance should be consistent with creating conditions for innovation, and focus on those issues that require uniform treatment. Administrative burdens should be minimized and voluntary agreements, in principle, preferred. ± Degree of uniformity in policies and standards should reflect the needs for that particular issue and consider where necessary to enable and not inhibit innovation. Technical standards should not set policy, but support and be in service to policy goals.

9. Evaluation, learning and continuous improvement
± Governance should be evaluated based upon appropriate performance and effectiveness measures, with ongoing evaluation and adaptations and improvements to meet evolving NW-HIN. ± Given critical nature of healthcare and sensitivity of health information, particular attention should be paid to issues 8 implication safety.

Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

NW-HIN Governance Objectives and Functions

Establish NW-HIN policies and eligibility criteria

Establish NW-HIN technical requirements

Governance Objectives: - Engender trust - Encourage interoperability - Foster innovation

Oversee NW-HIN governance

Assure compliance, accountability, enforcement

Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

Establish policies and practices for NW-HIN
‡ There should be a uniform set of NW-HIN policies and practices that are followed as a condition of exchanging health information through the NW-HIN and that should be reflected in technical design.
‡ Privacy, security, interoperability, eligibility criteria, compliance expectations and jurisdiction.

‡ There should be mechanisms to:
± Address gaps in policies and practices ± Coordinate to assure policies and technical requirements are consistent.

‡ Necessary to assure that sufficient privacy protections and safeguards are in place to facilitate and promote nationwide exchange, interoperability and to remove barriers to nationwide exchange of health information 10
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

Establish technical requirements
‡ Adopt technical requirements for the NW-HIN through a recognized process that coordinates and harmonizes standards and that provides for stakeholder input, including consumers. ‡ There should be mechanisms to address:
± Transition processes as technical requirements change. ± Authorization of technical resources for use in NW-HIN (e.g. provider directories, certificate authority, registries.)

‡ Necessary to assure that technical requirements are established to accomplish interoperability and policy objectives for trust, including a defined security level of assurance.
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

Compliance, accountability and enforcement
‡ Assure that eligibility criteria are satisfied and that compliance with conditions for trust and interoperability are met, as well as clear accountability and appropriate enforcement.
± Establish and conduct validation to determine eligibility and verify compliance with policy and technical requirements as a condition of exchanging information through the NW-HIN. ± Determine consequences of non-compliance with policies, practices and technical requirements. ± Provide a mechanism to address disputes, concerns or complaints, taking into account measures provided for under existing law. ± Determine how mechanisms for redress, remedies and sanctions would be applied. ± Consider need for coordinated investigation, enforcement and 12 breach notification.
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

Oversight of the governance mechanisms
‡ Oversight is necessary to assure governance objectives are met and are effective and able to adapt over time.
± Track or measure certain issues or activities in support of overseeing the effectiveness and efficiency of NW-HIN governance. ± Oversee ongoing compliance. ± Conduct ongoing assessments of risks and benefits for the NW-HIN governance, including prevention of harm. ± Periodically evaluate the performance of the overall governance mechanisms and incorporate the findings into continuous improvement. ± Resolve disputes regarding decision rights among federated governance functions.
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10



Nationwide Health Information Network
‡ ONC Definition: A set of policies, standards and services that enable
the Internet to be used for secure and meaningful exchange of health information to improve health and health care.

Private and secure health information exchange enables information to follow the patient when and where it is needed for better care. The Federal government is working to enable a wide range of innovative and complementary approaches that will allow secure and meaningful exchange within and across states, but all of our efforts must be grounded in a common foundation of standards, technical specifications, and policies. Our efforts must also encourage trust among participants and provide assurance to consumers about the security and privacy of their information. This foundation is the essence of the nationwide health information network.
» David Blumenthal, May 14, 2010

Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

Workgroup Consideration of NW-HIN for Governance (1)
‡ What is NW-HIN?
± An environment of trust and interoperability created by NW-HIN standards, services and policies, and ± A preferred approach for exchange of health information nationwide supported by the federal government, with strong incentives to vigorously promote adoption.

‡ When is exchange considered NW-HIN and subject to NW-HIN governance?
± When that exchange complies with applicable NW-HIN standards, services and policies (i.e. NW-HIN conditions of trust and interoperability (COTIs); and ± When those exchanging health information assert they are doing so under the auspices of NW-HIN.

‡ When is exchange not considered NW-HIN and, therefore, not subject to NW-HIN governance?
± When not asserted to be NW-HIN compliant. ± If there is only compliance with a portion of the applicable NW-HIN requirements (e.g. exchange complies with NW-HIN technical requirements, but not NW-HIN policies, or vice versa)
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

Workgroup Consideration of NW-HIN for Governance (2)
‡ Who is part of NW-HIN?
± Any entity, large or small, or aggregation of entities, large or small, that engages in the exchange of health information, asserts itself as being NW-HIN compliant and is recognized to have met NWHIN conditions of trust and interoperability (COTIs).

‡ Why would entities want to be part of NW-HIN?
± Entities will be more willing and able to exchange with unfamiliar partners who are recognized as meeting NW-HIN COTIs. ± Provides a benchmark for entities who wish to qualify for Federal contracts, exchange with federal entities, and be eligible for other federally-supported incentives. ± Entities may believe that they would be advantaged competitively in the marketplace if they meet widely recognized conditions of trust and interoperability.
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10


Federal Leadership and Shared Responsibilities
‡ For the NW-HIN to be successful and to ensure the public good, the federal government should:
± Provide strong federal leadership, support and engagement in the NW-HIN environment and its governance. ± Establish fundamental requirements for trust and interoperability.

‡ Other entities should have specific appropriate roles with respect to NW-HIN governance. ‡ Certain aspects of governance (e.g. accountability, enforcement, oversight) should apply across NW-HIN governance roles.

Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

Governance Framework
‡ ONC should establish a national framework for governance of the NW-HIN that:
± ± ± ± Assures trust and interoperability. Reflects ³governance of governances.´ Is based upon the nine sound governance principles. Includes national-level coordination and oversight across a set of core functions. ± Provides opportunities for broad stakeholder input, including consumers.

Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

Specific Federal Responsibilities
‡ The federal government should:
± Leverage existing governance and enforcement mechanisms as applicable. ± Recognize existing state authorities across all relevant domains, facilitating coordination and harmonization with states and other entities as needed.

‡ Federal agencies should:
± Participate fully and directly in the NW-HIN, including in appropriate governance mechanisms. ± Meet NW-HIN COTIs when exchanging in NW-HIN environment. ± Condition federal information exchange upon compliance with NW-HIN requirements.
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

ONC Responsibilities
ONC specifically should: ‡ Facilitate coordination
± Across federal activities /authorities, and identify needs to strengthen. ± Identify incentives that vigorously promote use of the NW-HIN. ± Optimize broad stakeholder input, including consumers.

‡ Establish core NW-HIN elements
± NW-HIN Conditions of Trust and Interoperability (COTIs). ± Criteria and mechanisms to verify compliance with NW-HIN COTIs.

‡ Oversee NW-HIN governance and assure accountability
± Monitor and highlight innovation and address governance barriers. ± Provide ongoing evaluation and continuous improvement.
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10


NW-HIN Conditions of Trust and Interoperability
‡ There should be a defined set of conditions of trust and interoperability established for the NW-HIN (NW-HIN COTIs):
± Include policies, eligibility criteria* and technical requirements for the NW-HIN. ± Engender trust, promote interoperability, address barriers to nationwide exchange while remaining technology agnostic.

‡ NW-HIN COTIs should provide a baseline and address the need for variability:
± Universally required NW-HIN COTIs should apply across all NW-HIN scenarios. ± Other NW-HIN COTIs may be required in particular circumstances.

‡ The Governance rule should establish an initial set of COTIs and processes for adding and modifying.
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10 * The federal government should determine whether any factor should preclude an entity from eligibility, temporarily or permanently.


NW-HIN COTI Considerations
‡ How should NW-HIN COTIs be developed and maintained?
± Should COTIs be established only through rulemaking? ± Should categories of COTIs be established in the rule, with a federally-guided process for developing and approving them? ± Should a non-governmental entity (e.g. similar to the role of SDOs in HIPAA) do some or all of the developmental work, following federally-set process requirements, and bring COTIs to ONC for approval?

‡ How should final acceptance of the COTIs be addressed?
‡ Through rulemaking? ‡ Through an approval process established in the rule?
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

NW-HIN COTI Process (1)
‡ When developing and maintaining NW-HIN COTIs, obtain input from a broad range of stakeholder communities, including consumers. ‡ Establish COTIs through a multi-phased process.
± NW-HIN COTIs that are available at the time of rulemaking should be adopted for the NW-HIN. ± There should be a process for adding other NW-HIN COTIs. ± There should be a process for maintaining NW-HIN COTIs, including those established in the rule itself and others adopted for the NW-HIN.

Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

NW-HIN COTI Process (2): Example
‡ Following is an example of a process in which NW-HIN COTIs could be initiated, developed, proposed, reviewed and approved through a combination of rulemaking and other processes:
± Define categories of COTIs for which new/modified COTIs should be subject to rulemaking. ± Work with other agencies having appropriate jurisdiction when modifications in those agencies¶ rules are desired. ± Specify which categories of NW-HIN COTIs should be subject to another process, including the criteria by which a candidate NW-HIN COTI would be evaluated. ± Define a process by which proposed, new / modified conditions would be reviewed and included as part of NW-HIN COTIs by the federal government.
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10




NW-HIN Validation*
‡ NW-HIN COTIs are established to assure trust and interoperability. A mechanism should be established to verify that the conditions have been satisfied (i.e. ³NWHIN Validation´). ‡ NW-HIN validation should:
± Be required for exchanging in NW-HIN environment and asserting NW-HIN compliance. ± Include appropriate validation processes and criteria, including process to address non-compliance. ± Maintain appropriate balance between assuring that COTIs have been satisfied and cost and burden of validation.
* Validation is used to generally refer to the process for verifying compliance. This could include a broad array of possible methods (e.g. self attestation, testing, certification of systems, accreditation of entities, etc.) 29
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

Scope of NW-HIN Validation
‡ NW-HIN validation is a process to verify that NW-HIN COTIs have been satisfied.
± NW-HIN validation should leverage existing validation methods, processes and entities where appropriate. ± Validation facilitated by other entities (e.g. by states, other networks, etc.) may satisfy NW-HIN validation.

‡ There may be different methods of validation depending upon the nature of the COTIs. For example:
± Validation methods for trust and interoperability will likely differ and should be appropriate for the NW-HIN COTI.
‡ Validation of systems to assess system conformance with NW-HIN technical requirements (e.g. testing, certification, etc.) ‡ Validation that an entity meets NW-HIN requirements (e.g. self-attestation, legal agreements, accreditation, etc.)

‡ There may be different methods of validation depending upon the level of certainty needed to assure that COTIs and other NW-HIN requirements are met. 30
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

Example Interactions: NW-HIN Validation
Establish NWHIN validation process and criteria Establish mechanism to authorize NWHIN validation body(ies) / equivalency
Feedback Loop


Oversee NWHIN validation efforts; serve as ³court of appeals´

Validation Body(ies)

Recognized as authorized NW-HIN validating body

Approve, deny or revoke compliance recognition

Oversee and enforce ongoing compliance

Appeal decision

Validated Party
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10


Example: Federal Responsibilities - Validation
‡ Federal responsibilities:
± Establish and maintain validation criteria. ± Assure the validation criteria reflect the COTIs. ± Establish a mechanism to authorize NW-HIN validation body(ies) and a process by which existing and equivalent validations are recognized. ± Maintain appropriate balance between assuring that COTIs have been satisfied and cost and burden of validation. ± Coordinate and oversee NW-HIN validation body(ies) to assure NW-HIN goals and principles of NW governance are met. ± Serve as ³court of appeals´ for decisions by validation body(ies) to approve, deny, revoke recognition of compliance

Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

Potential Responsibilities of NW-HIN Validation Body(ies)
‡ Apply established and applicable eligibility criteria to determine eligibility. ‡ Verify that practices are consistent with applicable NW-HIN policies. ‡ Verify that systems used to exchange through the NW-HIN environment meet NW-HIN COTIs, including technical requirements. ‡ Issue validation decision to approve, deny, revoke NW-HIN recognition of NW-HIN compliance. ‡ Investigate possible non-conformance with COTIs and take appropriate remedial action including revoking NW-HIN compliance recognition when warranted, with provision for appeals.
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10



Public Hearing: Example Models of Governance
‡ ‡ ‡ ‡ ‡ ‡ ‡ Financial Services / Payment Card Industry HIPAA Federal Trade Commission Federal initiatives National Quality Forum (NQF) Lessons from NW-HIN Exchange Standards and Interoperability Framework

Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

Key Findings Regarding Governance Roles: Public Hearing
‡ Leverage and coordinate across existing federal authorities. ‡ Provide strong federal leadership, engagement and participation. ‡ Federal role needed to:
± Set national-level policy and adopt interoperability standards only where critical to enable trust and interoperability for nationwide exchange. ± Oversee and coordinate across a set of governance processes that, together, comprise NW-HIN governance. ± Assure NW-HIN governance includes ability to evaluate, learn and adapt on an ongoing basis.
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

Key Findings Regarding Governance Roles: Public Hearing (cont¶d)
‡ Recognize that there will likely be a variety of approaches and multiple levels of coordination, validation, and enforcement:
± Different views expressed regarding need for national-level validation mechanisms, such as certification and accreditation. Some recommended it; others cautioned that it was premature to do this. ± Need for national-level coordination across wide range of stakeholders to build consensus and inform development of NW-HIN requirements. ± Recognition that enforcement occurs at various levels, through other federal authorities (e.g. FTC, OCR) states, local, and exchange partners, often through contractual mechanisms.
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

Blog 1: Where to Leverage?
‡ Are there existing entities or processes performing a particular governance function? If so:
± Does it accomplish the NW HIN governance objectives and principles? ± Can it scale to meet NW-HIN needs?

‡ Which essential functions or activities are not currently addressed, but are needed now to overcome barriers and to promote exchange through the NW-HIN?
± Should the federal government perform that function directly or delegate it? ± If delegated, to whom? ± If a new entity is needed, what type of structure / attributes should it have?
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

Key Findings: Blog 1 (10/25/10) - 1
‡ 234 Commenters (33 ± blog; 201 - E-mail) ‡ Need for public education and use of plain language
± Commenters generally seemed unclear over the function and role of the NW-HIN.

‡ More emphasis should be placed on safety. ‡ Greatest concern was privacy and security of protected health information (PHI), and need for strong privacy and security protections, e.g. mechanisms for consent, control, authorization, and explicit policies for data reuse. ‡ Public comments varied but mainly sought to leverage existing mechanisms where appropriate.
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

Key Findings: Blog 1 (10/25/10) - 2
‡ Specific suggestions for:
± State / federal partnership. ± Need for national-level policies and standards, with input from HITPC. ± National accreditation program for qualified entities. ± Public-private collaborative structure to act as a convener and support adoption of NW-HIN.

‡ Suggestions for leveraging existing governance structures:
± For policies and practices: FCC, state regulatory frameworks, Exchange Coordinating Committee. ± For interoperability requirements: Standards Development Organizations (SDOs). ± For validation: CCHIT, EHNAC, ONC-ATCB model.
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

Blog 2: Roles and Responsibilities
‡ Focus on federal and ONC responsibilities, development and validation of NW-HIN COTIs ‡ Blog for additional public input (11/30/10)
± Which activities should be tightly held by the federal government? ± Should there be an overarching entity to accredit NW-HIN validation bodies? ± Is there a need for a governance mechanism in the near-term to address implementation support and coordination? If so, what type of entity should facilitate this?

Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

Key Findings: Blog 2 (11/30/10) - 1
‡ There should be a well formed committee to supervise these standards or make the standards (and the development process of standards) more open; a proposal based approach. ‡ It is absolutely critical that standard file formats be developed for any systems funded, in whole or part, with federal dollars. ‡ Support for delegating areas of accreditation and certification and using a more federated, governance of governances, approach. Recognition that government is not usually the best place for innovation to occur, but acts best when it is a platform for innovation.
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

Key Findings: Blog 2 (11/30/10) - 2
‡ Information should be communicated to all people involved. Responsive governance shouldn¶t be confused with reactionary approach. ‡ Government and non-government roles should be addressed equally. ‡ Governance must remain tightly controlled at the federal level to the extent that it sets policy and defines the principles for participation. ‡ There should be an overarching validation entity, with implementation and day to day operation of certification / accreditation handled by multiple other entities, many of which already exist within and outside government. ‡ The federal government should certify these various entities as valid certification / accreditation entities for HIT to assure trust in the overall system.
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

Key Findings: Blog 2 (11/30/10) - 3
‡ The federal government must establish an oversight body that will be able to support current efforts being made throughout the nation to implement HIT. At the very least, individuals and entities adopting HIT should be able to look for support and advice as to whether what they are implementing is valid in terms of governance structures and privacy and security practices. ‡ There should be an overarching governance committee that includes representatives across the various NWHIN projects, with representatives from the Security and Trust developers.
Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

Examples of Other Governance Models
‡ Other models of governance suggested through diverse input
± OMB HIT Task Force ± International models (UK and Canada) ± ISO ± OECD Principles of Corporate Governance

Pre-decisional DRAFT. For HITPC Consideration ± 12/13/10

Sign up to vote on this title
UsefulNot useful