Knowing that one's exchange partners share a desire to remain trusted entities provides some degree of assurance that these partners will have an incentive to behave appropriately.
To continue participating, they will have to continue operating in a way that supports the trust fabric.
Activity must have acknowledged and appreciated value for participants to have incentive to engage and comply with expectations (because exchange is voluntary).
2. Validation of information exchange partners
Parties will not exchange information with just anyone. Each party has to be confident they are exchanging information with whom they intend to exchange information and that their counter-party is trustworthy.
Each exchange partner will therefore have to validate (and maintain an audit log of) the identity of those with whom it exchanges information
Validation can occur in a number of ways (e.g., using identity proofing and digital credentials to validate authorized members of a network)
Each exchange partner must know that those with whom it is exchanging health information meet certain minimum technical requirements for secure routing. In all exchanges, partners will have to follow some technical standards to allow for the secure, electronic exchange of health information.
Non-compliance with the technical requirements will prevent an exchange from occurring making non-compliance readily apparent.
Agreed upon and mutually understood set of expectations, obligations, policies and rules around how partners will conduct their business generally and their exchange-related activities specifically.
Assumes participants will obey applicable law
Beyond that, assumes that they will act in a way that protects the privacy and security of the information exchanged.
Varies depending upon the type of exchange, the parties involved (including relationship of partners), the purposes for which data are exchanged (including secondary and future use) and other factors.
Confirming, detecting and enforcing compliance with code of conduct may be hard for exchange partners to enforce on their own. Various methods available (e.g. self-certification, self-attestation, third party intermediary, etc.)
- Provide solutions, services and/or or support to enable partners to meet minimal technical requirements.
Comply with requirements recognized by government
- Identify set of expectations that participating exchange partners will meet - Confirm that exchange partners agree on the expectations in the code of conduct. - Implement and maintain measures to assure TEO complies with code of conduct
- Manage and oversee exchange activities and compliance with the minimum technical requirements and code of conduct
Monitor and audit exchange activities
TEOs certify exchange partner compliance
- Potential gov’t oversight of the TEO?
Help to implement measures that promote answerability among exchange partners
If paid for services, potential for loss of business
Loss of quasi-govt’l status
Authority will vary depending upon role and agreement of participants
-Formal trust agreements between TEO and each exchange partners - Quasi-gov’tl status may reduce need for TEO-exchange partner agreements
IMPLICATIONS OF NHIN DIRECT FOR STATES AND EXISTING STATE HIE GRANTEES
Potential Role of States in Enabling Secure Routing Through NHIN Direct
Clarifying any state-level privacy and security requirements for secure routing of patient information for treatment purposes