Posted by: SteveGonHIT
governance, health IT, NHIN, ONC, privacy, security
According to an article yesterday from Government Health IT, the Office of the National Coordinator is getting ready to address a more complete set of rules of behavior and other requirements for participation in the Nationwide Health Information Network (NHIN), and to establish the governance processes and capabilities to manage, monitor, and enforce them. While current participation in the NHIN Exchange is limited to federal agencies and federal contractors or grant recipients, the long-term vision for participation includes a wide range of state, regional, and federal government entities, commercial health care enterprises, and potentially researchers and other relevant organizations. For NHIN Exchange, there is a NHIN Coordinating Committee serving in an oversight capacity, with representation from ONC as well as each active participant, but as the number of participants grows from its current single-digit level of active NHIN-participating entities and the focus shifts from building the NHIN to managing an operational infrastructure, a different sort of model is likely to be needed. Formal governance procedures, not to mention a governing body (ONC personnel and documentation typically use the term “NHIN governing authority”) with fully specified roles and responsibilities, are needed initially to facilitate the participation of entities that aren’t necessarily bound by the legal requirements that apply to current participants, to evaluate whether applicants to participate should be able to do so, and to oversee the monitoring of the NHIN that is implied in the DURSA and other participant agreements. A key topic area that governance rules must address is the set of security and privacy provisions NHIN participants are able to support, including obvious security needs like secure communication, entity authentication and authorization, and audits, but also likely including practices like consent management.
ONC will engage the public and all interested stakeholders in the process of developing NHIN governance rules and capabilities, beginning with a request for information to be issued later this summer, and then through a comment period on a draft rule to be published early next year. From a practical standpoint, some of the areas that will need to be addressed in any governance framework will be functions and processes already in place for NHIN Exchange, but for which formal criteria or standards have not yet been developed. For example, part of the “on-boarding” process for a new applicant is to apply for a digital certificate (this actually occurs twice, as a temporary cert is issued to be used for validation and testing, and then a production version), something that is not supposed to happen until the prospective participant’s application has been received and the participant has been approved for membership in NHIN Exchange. The decision to approve a prospective NHIN participant is a core governance function, but to date this process has been handled on a case-by-case basis, so to scale to a production-capable process, formal governance rules and standards are certainly needed, not to mention decision criteria. There are a number of functional areas ONC is working to support, but most of these also presume the existence of some sort of governing authority. ONC went so far as to issue a request for proposals in late January to award a contract for NHIN Operational and Infrastructure Support, with a variety of tasking that either presume or directly depend on the existence of a NHIN governing authority. 
These tasks included administering and operating technical infrastructure supporting the NHIN (“infrastructure” in this context means the certificate authority, directories, and network infrastructure), implementing a support center to provide assistance to participating entities throughout the process of joining the NHIN and of participating once they are on board, and creating and maintaining the on-boarding process itself.
To move forward with a larger-scale NHIN that still leverages some of the core features of NHIN Exchange, it is essential for the governance processes and criteria associated with the NHIN (and with ONC, if ONC will own the governance function) to be robust and transparent enough to give entities the confidence they need to participate. With the central governance model and single multi-party legal agreement used to date with the NHIN, participants theoretically have no need to trust each other, as long as they have confidence in the central authority that approves applicants for participation, and in the criteria used to make those approval decisions. This means that the key relationship for each NHIN participant is with the NHIN governing authority, since the NHIN asks participants to set aside their own judgment about other participants, and substitute the NHIN’s judgment instead. Even with a robust governance function in place, this task is likely to prove very challenging, but without effective governance in place, it’s not even feasible.