The Utah Health Information Network (UHIN) got its start in 1993 as an electronic administrative exchange, sharing claims, remits, eligibility orders, and other HIPAA-compliant data exchanges, and now covers 90 percent of the medical providers in Utah. Its clinical HIE (cHIE) is in the early stages of bringing its community’s major stakeholders online, which include HCA/MountainStar, IASIS, Intermountain Healthcare, and University of Utah Health Sciences Center (based in Cottonwood Heights, Utah; Franklin, Tenn.; Salt Lake City, Utah; and Salt Lake City, Utah, respectively). UHIN’s cHIE was recently the first HIE to be certified by the Electronic Healthcare Network Accreditation Commission’s (EHNAC) Health Information Exchange Accreditation Program (HIEAP). HCI Associate Editor Jennifer Prestigiacomo caught up with UHIN’s President and CEO Jan Root, Ph.D., to talk about the accreditation process and why it was necessary.
To read more about UHIN’s cHIE development strategies, stay tuned for the October issue.
Healthcare Informatics: Why did you decide to become HIEAP certified?
Jan Root, Ph.D.: The reason why we did the HIE certification is that UHIN has already been accredited under EHNAC for our administrative exchange. And when you look at the entities that do administrative exchanges like Emdeon [based in Nashville, Tenn.] and other big clearinghouses, they’re all accredited under EHNAC. It’s just a really good way to demonstrate to your customers, to your board, and the world at large that you have been heavily scrutinized by an independent third party, and that you’re up to snuff.
HCI: Can you tell me a little about what the accreditation process entailed?
Root: We have had the experience of working with EHNAC since 2004. Like Joint Commission [the Oakbrook Terrace, Ill.-based Joint Commission on accreditation], it’s a tremendous amount of work to put together all the documentation and line up all the people. EHNAC sends a person out and they personally visit all your data centers, so it’s very thorough. We knew that EHNAC was going to start a HIE accreditation, so I volunteered us to be the guinea pig. We were the first to do this. Part of the process was pointing out to EHNAC, ‘you need to add stuff here.’ HIE is different than clearinghouse [accreditation]; with exchanging clinical data, the processes are quite different.
So the criteria we go through: the first is privacy and confidentiality. Basically, what you’re trying to prove to EHNAC is that you have appropriate administrative, technical, and physical safeguards to make sure integrity is good and confidentiality is good for PHI [protected health information]. You have to protect against anticipated threats. Whatever you see the risks are, you have to have a level of security that is commensurate to that risk. It’s always the tension, having really good security and being able to use something. So we went through everything we do, administrative, technical, and physical. The physical part is why they have to visit the data centers. They also come to our offices.
What’s nice too about EHNAC is they give you a very detailed report card on each of the areas that you go through. There were a couple of things on the HIE side that they wanted us to improve on. Now on the HIE side, we have access to PHI, so you have to an extensive amount of testing with every new physician that you bring up.
The second major area is technical performance. You have to be able to transmit, process, and handle customer service inquiries. Things have to be timely and accurate. The system has to be available 99.9 percent of the time. You have to monitor your capacity; you have to look at your auditing. That’s a great big section. What you do to respond to most of this is you compile an enormous amount of documentation, all sorts of system and auditing logs, so that all gets evaluated.
The next section is business practices. This has to do with truth in advertising, measuring customer satisfaction, providing access to your system, adequately training your customers, having standard contracts and service agreements. So, we bring out our customer satisfaction surveys, and we show them all our advertising materials, so that everything we do is above board. They also require that your help desk be available 24/7.
The next area is resources; making sure you have the physical, human, and administrative necessary to maintain a high level of performance and customer service. Again this goes back to your data centers, which they take a look at and make sure they look at your volumes, all the traffic that is going through your network, and see if you have enough resources to maintain this. We have hired several people under the Beacon community grant [Beacon Community Cooperative Agreement Program]. We’re under a lot of pressure to bring up the HIE in Utah very rapidly. We almost have too many resources right now; we’re like ‘no more grants.’ We’re a business. I’m very grateful for the grant money. When we first started UHIN in 1993 we were running a modem bank for dial-up, and the total cost was like $150,000. Bringing up an Internet—with all the redundancy—it’s so much more expensive. So I’m very grateful for the funding, but it’s just a lot of pressure to get it all done. I’m bringing up a hospital now for example, even really well-organized hospitals like Intermountain are really glued together conglomerations of many, many IT systems, your lab, your pharmacy, your ordering. It’s just incredible to have hospitals link all that together, if they haven’t done it already, to export it out to an HIE. It’s a very complicated process.
The last area that we get scrutinized under with EHNAC is security. This requires standards, implementation, and specifications. Basically, you walk through the whole HIPAA security rule, and you prove you meet all the areas, like they have a risk management approach, a disaster recovery approach, encryption, monitoring the system for intrusions with firewalls, mirror databases, and background checks on our employees.
HCI: How long did the entire accreditation process take?
Root: Because this was the first time we did our HIE accreditation, it took about six months. [Next time] won’t be quite as lengthy. Actually, next time we do the HIE [accreditation], it will probably be worse because I am working with EHNAC to put more HIE stuff into the HIE accreditation. For example, there should be a section about operating a master person index. I want a good accreditation because I’m a believer in this.
HCI: What other feedback did you give EHNAC when you were going through the HIE accreditation process?
Root: I actually pulled together a group of about 15 operating HIEs from around the country, and we had a multi-week conversation. This is a brand new industry and the diversity is just amazing. So one of the pieces of feedback we gave them, at this point in time, given the diversity, some of the criteria need to be less rigid. For example consent, we need to add a whole section on consent. HIEs approach consent all over the place. When you draft these things initially, you usually pick one site and say ‘we’re going to take your stuff and use it as a starting point,’ which is great. In talking about it with all these other HIEs, the industry is not settled. It will eventually settle out, and a standard model will come out. So it’s an area that’s really exciting to be in.
HCI: What other HIEs were in this group?
Root: Capital Area Regional Health Information Organization [Okemos, Mich.], Cleveland Clinic, CORHIO [Colorado Regional Health Information Organization based in Denver], the Delaware Health Information Network [Dover], Maine [Portland], Nebraska [Nebraska Health Information Initiative, Omaha], New Mexico [New Mexico Health Information Collaborative, Albuquerque] Quality Health Network [Grand Junction, Colo.], Wisconsin Health Information Network [Franklin]. I wanted to pull together the people that are actually running an HIE.
HCI: What big issues were brought up in this discussion?
Root: Consent is probably the biggest. Definitions [was another one]. Even the terms ‘opt in’ and ‘opt out,’ those are being used in certain state legislation to mean very specific things. So you have to be very careful defining a new language. For example ‘break the glass’— ‘break the glass’ means everything from emergency only access to getting any data from anyone. One of the things I hope will happen is that the language will settle out. Another thing that has emerged is that HIEs should not tell doctors how to practice medicine. There is a temptation to say, “OK, if we give you all this data, then you must do X,Y, and Z.” And this group was pretty clear that HIEs were not in the business of telling doctors how to practice medicine.
HCI: Do you have future plans to reconvene the work group?
Root: They’re very interested in getting together to talk about MPIs [master person index], and try to put together a first crack at what constitutes a good MPI. What’s your dupe rate; what’s your match; how fast can you get a backlog of matches. I think we might use our group in Utah to start that list, and then take it to the larger group of HIEs.
HCI: Other than accreditation, what other new developments are going on with the cHIE?
Root: We’re just slogging through bringing up the big hospitals and the rurals. The rurals are really interested in this because it’s an inexpensive solution to a long-term problem, and they don’t have to buy a system. I think it costs the rurals around a couple thousand dollars to participate in the cHIE. It’s just a tremendous amount of back-breaking work, calling on doctors, calling on EMRs. It’s not very sexy right now, bringing up one hospital at a time.
We got some advice early on from the Grand Junction HIE [Quality Health Network], our big sister in all of this, and they said you gotta get the hospitals first. ‘The docs will want to do this, but not until you get the hospitals.’ And that has proven to be very sound advice.