A Utah HIE’s Path to Accreditation–and Beyond
As featured on Healthcare Informatics
By Mark Hagland
The Utah Health Information Network’s Jan Root has a lot to say in favor of accreditation processes for HIEs
Recently, HCI Editor-in-Chief Mark Hagland interviewed Lee Barrett, the executive director of the Electronic Healthcare Network Accreditation Commission (EHNAC), regarding that Farmington, Conn.-based organization’s having entered into an agreement with the federal government for development of for continued development and implementation of EHNAC’s accreditation program for health information exchange (HIE) organizations. EHNAC is now actively working with several health information exchanges (HIEs) to get those organizations accredited, as accreditation involves a rigorous process of assessment and site visitation in order for HIEs to ensure confidence in their core data-sharing processes.Among the organizations that EHNAC has worked with is the Utah Health Information Network (UHIN), a Salt Lake City-based HIE that has been in existence in some form for 20 years now, and that has achieved EHNAC accreditation. UHIN, which has 37 staff members, is also the statewide designated HIE for the state of Utah.Jan Root, Ph.D., is executive director of UHIN. She also believes so strongly in the mission of EHNAC that she is a member of EHNAC’s board of directors. Root spoke recently with HCI’s Hagland about UHIN’s ongoing journey as a data and information organization, and her perspectives on the path forward for UHIN and for HIEs more broadly. Below are excerpts from that interview.
You are a statewide HIE, clearly?
Yes, but we actually run several lines of business. We actually started as a CHIN [community health information network] back in 1993. We are a 501c3 not-for-profit organization, but my board is very business-oriented. And back in the 1990s, CHINs were basically trying to solve the same problems that HIEs are trying to solve today. Until 10 years ago, we focused on the part that had a strong business case, which was the clearinghouse side. So we run a not-for-profit clearinghouse; that was our first line of business. We started our HIE work about 10 years ago; we officially opened our doors as an HIE in 2009. So in that regard, we’re much younger, and more like the new group of HIEs.But we’re different in that we had an existing governance structure; an existing relationship with the state government; and an existing trusted relationship, as a neutral third party, with all of our members, which are payers, providers, hospitals, and state government. A lot of HIEs that are publicly funded are spending a lot of their time getting to governance; and we already had that. And between 2004 and 2008, we experimented with a number of forms of structure; but we decided on a query-based model, and launched that in 2009.
Tell me a bit more about your organization’s query-based model?
What we have is an HIE where what we call the data sources—the clinics and the hospitals—put data into a federated, central data repository. It is a centralized database, but the federated part means that everybody has their own bucket of data, so it’s not co-mingled, from an IT perspective. That was one of the board’s requirements. My board consists of competitors. We have the four major hospital systems—Intermountain, University of Utah, HCA, and Iasis—plus Regence, our local Blues plan; plus SelectHealth, the Intermountain payer arm; and DMBA, which is the Mormon Church’s insurance company (an ERISA company, for LDS [Latter-Day Saints] Church employees and missionaries); and the public employees’ health plan, PEHP (Public Employees’ Health Plan). And we have Medicaid; we have EMI Health, which is an educators’ health plan; and then we also have consumer representatives; we have three practicing physicians; we have the Utah Department of Health; we have the insurance commissioner; we have the Utah Department of Technology Services (Utah DTS); the Utah Hospital Association; the Utah Medical Association, and HealthInsight—that’s Utah’s QIO [quality improvement organization] and also the regional extension center.
So what does ‘query-based’ mean, in this case?
That means that the various data sources put data into our HIE, which is called the CHIE—which means Clinical Health Information Exchange. With regard to that terminology, I started sneaking the “C” out in front of the name, and for better or worse, it stuck. So the data sources put the data into the CHIE, and it’s secured and federated. We have a master person index. Meanwhile, the identity component goes to the master person index, and the person involved has their own record number. And the master person index has a record, where all the data is stored for each individual. So if you do a query, you make sure you’ve got the right John Smith—called co-identity adjudication; and if John has given permission, then you can look at all his data that’s in the CHIE, from the multiple sources.
How many persons’ data do you have?
We have identities on 3.3 million individuals; we have data on about 700,000 of those individuals.
How long have you actually been exchanging clinical data?
For about two years now. But I will tell you that the fly in the ointment is that the board has made the CHIE “opt-in.” We have to collect about 3 million signatures now, and so we’re working on that.
Why did you decide to pursue accreditation through EHNAC?
As I mentioned, we started out as a clearinghouse. And the first executive director of our HIE was a gentleman who came from the aerospace industry, and really believed in the power of an outside entity to check on processes and policies, in order to engender trust. As I had mentioned, my board and members are composed of very intense competitors; so developing and maintaining trust in that somewhat inherently hostile environment, is very important. So we actually got our first accreditation in 2004, from EHNAC, for the clearinghouse part of what we do. EHNAC accredits every other year. And I myself am an EHNAC commissioner. Because EHNAC is all about an independent, rigorous, third-party set of eyeballs, on your privacy and security, your customer service, and the performance of your network. And back in the 1990s, when EHNAC first started, the accreditation was mostly around clearinghouse activity. So that’s where they started, and they’ve consistently moved into new areas, as appropriate. And I became a commissioner in 2009.So we were accredited every year from 2004. And as a commissioner, I began to push EHNAC to accredit HIEs, and I helped them design the HIE accreditation; it was a lot of work. And how you secure a clearinghouse is very similar to how you secure an HIE. But the processes weren’t identical; a lot of the EHNAC processes for clearinghouses have to do with criteria around the 4010 and 5010 forms, for example; but there’s a lot about connections and how you give people access, that are similar.So we took the clearinghouse accreditation and mapped it into HIE and added a bunch of stuff. So we’ve now been accredited twice on the HIE side, and continue to get accredited on the clearinghouse side every other year. And as you may know, the Office of Civil Rights, which has the responsibility for monitoring HIPAA, started auditing people last year. They audited 112 or 115 organizations; well, they picked our name out of a hat. And the week after we were reaccredited for HIE, the OCR showed up, but they were looking at us as a clearinghouse. Our EHNAC accreditation was for both HIE and for clearinghouse, and we had just finished both processes, and the OCR showed up.And the good thing is that most of the EHNAC accreditation is based on HIPAA. So as OCR started asking us the HIPAA-related questions, we’d show them what we had done. So it was a lot of work, but we were one of the very few entities among the group of 112 or 115 entities that had an audit of no findings. We came out with a completely clean bill of health. That was a ‘wow.’ And so the lesson here is, if you are a covered entity—and in truth, most of the larger clearinghouses are EHNAC-accredited now.
That seems like a built-in endorsement of the accreditation process.
Yes. If you look at the fines involved in the HIPAA [Health Insurance Portability and Accountability Act of 1996] process, the EHNAC accreditation fees are very reasonable. You start with a self-evaluation that’s about 600 pages. And the EHNAC person comes and does a site visit of your headquarters and of your data centers. And we have data centers all over the country; that’s the expensive part, actually, is all the plane tickets! But it’s very worth it. The point of audits is to make sure you’re doing things right. And I don’t believe in hiding audits; I embrace audit processes.
What would you say to HIE leaders who might think of accreditation as an “extra” or a “nice-to-have”?
Yes, or else, they might think of it as an awful thing to have to do! And when I talk to leaders who are just starting to get going, they’ll say, well, we don’t have the bandwidth to do this right now. But for UHIN, it made sense, because our members are competitors with one another, and so we had to establish that level of trust. So it’s a good thing to do. And yes, it is a lot of work, but yes, it’s worth it. And we were the first organization to get accredited. And I created the criteria, so I felt it was only fair that I be the one to test-drive it. And we modified the criteria after we were accredited. We were the guinea pig. But the criteria have continued to be updated and improved. And that’s one of the good things about EHNAC. The people on the commission are a restless, driven bunch of people! And they’re very committed to creating an accreditation process that will stand up to these kinds of tests, and that will remain germane and relevant in this rapidly changing world.And as informatics explodes, there will be good products, and not-so-good products. There will be the unfortunate, fly-by-night people; but also some really good organizations. And accreditation can really help people discriminate between the solid organizations and those not so solid. It’s a really hard thing to do, but so appropriate.