The Office of the National Coordinator for Health IT has made available the draft of the 2024-2030 Federal Health IT Strategic Plan for public scrutiny and commentary.

WHY IT MATTERS
The plan, which extends through the rest of this decade, is organized around four key goals to improve the experiences and outcomes for health IT users – and the policy and technology aspects needed to support health IT and electronic health information users.  

The comment period is open for 60 days, with May 28 as the deadline for review and comments on the draft plan.

This draft plan puts an emphasis on the importance of an equitable integration of healthcare IT across public health sectors and highlights the significance of emerging technologies including artificial intelligence.

At its core, the draft plan delineates a series of goals, objectives, and strategies intended to guide federal endeavors in the realm of healthcare IT, with emphases on scientific innovation and revitalizing the nation's public health infrastructure.

Central to its vision is the recognition of the pivotal role played by policy and technological advancements in ensuring the secure handling of diverse data requirements across all strata of health IT stakeholders.

Emphasis is placed on providing improved patient access to EHI across communities and improve education on patient-facing health IT capabilities, particularly through mobile devices, along with outreach efforts on the use of AI in healthcare. 

The report notes policies and tools should support the rapid and scalable reporting and utilization of public health data, and efforts should focus on developing, aligning, testing and implementing data standards to bolster interoperability across public health systems.

Other focuses are on the advancements in forecasting and predictive analytics to enable more efficient decision-making in response to outbreaks and emerging threats and on the enhancement of data linkages to provide health IT users with evidence-based information.

Additionally, the report said efforts should be made to bolster the data science capacity and capabilities of the public health workforce to ensure access to and effective utilization of EHI.

Once finalized, the 2024-2030 strategic blueprint will serve as a guide for federal agencies and empower them to streamline resource allocation, synchronize interagency efforts, convey priorities to private-sector partners and establish yardsticks for evaluating progress over time.

The evolution of IT and the ongoing wave of digitalization in healthcare – from internet-enabled medical devices to electronic health records – have fundamentally changed delivery and management of care.

The establishment of standardized protocols, exemplified by initiatives such as the United States Core Data for Interoperability (USCDI) and Health Level Seven International (HL7) Fast Healthcare Interoperability Resources (FHIR), has been a critical component of this digital evolution.

The ONC is also seeking input on its draft United States Core Data for Interoperability, Version 5, along with examples of code sets utilized by health IT developers and implementers, with comments accepted until April 15.

These standardized frameworks have revolutionized the accessibility, interoperability and utility of health information, cultivating a landscape where data exchange is not only feasible, but also efficient.

A recent survey found that more than 88% of hospitals now engage in electronic transmission and retrieval of patient health records.

Meanwhile, more than 60% of healthcare institutions have successfully integrated this information into their EHRs, thus streamlining clinical workflows and enhancing patient care.

ON THE RECORD
“The role of health IT and readily available access to health data have become increasingly essential to the administration of public health activities,” Jim Jirjis, director of CDC's data policy and standards division, said in a statement.

“CDC appreciates how the draft 2024-2030 Federal Health IT Strategic Plan addresses the need to continue to advance the nation’s public health data infrastructure, while making sure that it is benefiting the communities that need it most.”

Nathan Eddy is a healthcare and technology freelancer based in Berlin.
Email the writer: nathaneddy@gmail.com
Twitter: @dropdeaded209

Leidos' Partnership for Defense Health announced the deployment of MHS-Genesis, the U.S. Defense Department's Federal Electronic Health Record system, at the Captain James A. Lovell Federal Health Care Center (Lovell FHCC) in Chicago.

The deployment was the first time DoD and Department of Veterans Affairs, the Federal Electronic Health Record Modernization office and the Leidos team have collaborated on a joint government EHR implementation, the company says.

The FHCC integrated joint sharing site serves both DoD and VA patient populations. This deployment added 1,200 DoD and 2,000 VA clinicians, providers and other end-users.

MHS GENESIS is now operational at over 3,890 locations worldwide with over 197,200 end-users serving more than 9.5 million beneficiaries.

For the VA, the deployment represents a key step forward in their EHR implementation efforts.

Leidos is the lead systems integrator and prime contractor for the MHS Genesis deployment, with the Leidos Partnership for Defense Health (LPDH) consisting of industry leaders including Oracle Health, Accenture, Henry Schein One and dozens of supporting businesses.

Leidos provides leadership and daily oversight to all programmatic functions as well the overall architecture and deployment strategy.

This includes virtual/in-person training during system deployments as well as providing critical cybersecurity expertise to ensure the MHS GENESIS system meets the requirements necessary to protect DOD information.

Through MHS GENESIS, service members and their family members receive an integrated health record that follows them throughout their lives and helps support their health decisions and healthy lifestyles.

The platform is designed to help improve care outcomes by seamlessly exchanging health information across the federal government.

With MHS GENESIS, clinicians no longer toggle between two systems – patient records are available in a single, common federal EHR.

This means patients spend less time repeating health history to providers, undergoing duplicative tests, or managing printed health records.

In addition, providers have access to patient data such as service treatment records, service medals and honors, housing status and other information to ensure patients receive earned benefits when they transition to civilian life.

The platform also provides a more seamless care experience for patients, regardless of whether they receive care from the DoD, VA, Department of Homeland Security's U.S. Coast Guard or another health care system participating in the joint health information exchange.

"The integration helps patient providers make more informed decisions about patient care as they have access to more relevant data," Alyssa Pettus, Leidos director of external communications, told HealthcareITNews via email.

She noted additional federal agencies are expected to adopt it soon.

In 2015, Leidos was awarded the $4.3 billion contract to modernize the DoD’s legacy healthcare systems.

Beyond DoD garrison facilities and VA sites, the Leidos team has deployed Genesis to U.S. United States Military Entrance Processing Command, the U.S. Coast Guard, and the National Oceanic and Atmospheric Administration.

"Beyond achieving 100 percent DoD deployment, the FHCC deployment represents a key milestone for the VA’s overall EHR implementation efforts, as well as DoD-VA connectivity, driving forward their future deployment efforts," Pettus said.

Nathan Eddy is a healthcare and technology freelancer based in Berlin.
Email the writer: nathaneddy@gmail.com
Twitter: @dropdeaded209

The Trusted Exchange Framework and Common Agreement, created by the Office of the National Coordinator for Health IT under the 21st Century Cures Act, holds huge promise for interoperability and information exchange. 

It also has big implications for privacy and security.

"It's possible that a TEFCA security incident is also a HIPAA security incident, and it's possible that a HIPAA security incident may or may not be a TEFCA security incident," said Johnathan Coleman, principal at Security Risk Solutions and the chief information security officer at the Sequoia Project, TEFCA's recognized coordinating entity.

At HIMSS24, this past month, Coleman, alongside Zoe Barber, Sequoia's policy director, provided an overview of TEFCA's incident response and incident reporting flows, focusing on developing areas that could trip up non-HIPAA-covered entities.

New agility, new security requirements

Barber said requirements securing protected data exchange under TEFCA would not see significant updates in the upcoming second version of the common agreement. 

"Privacy and security obligations apply to all, and they are consistent across the framework," she said during a brief TEFCA overview before Coleman dove into TEFCA's cybersecurity incident reporting nuances.

While Sequoia, as RCE, is making it easier to exchange data by simplifying how participants connect to the network, under TEFCA, an individual participant can use an app of their choice to request access to their health information. 

Since the Office of the National Coordinator for Health IT drafted the TEFCA interoperability proposal, it's also gotten easier for principal delegates – a vendor, health information exchange or another business associate working for primary authorities that provide clinical services and maintain patient data – to exchange and simplify their connection to the network, Barber explained.

Creating more agility for participants means that exchange is not just QHIN-to-QHIN, but interoperability can happen directly between participants through APIs. 

"We previously had a pretty hard requirement that you could only participate with one [qualified health information network], but now we're breaking that open a little bit to allow for participation among multiple QHINs – as long as you're using a different system," she said.

Encryption for HIEs, BAs and others

Changes to support wider use of Health Level Seven's Fast Healthcare Interoperability Resources-based transactions have driven terminology updates in TEFCA standards of practice, Barber noted. 

The draft TEFCA updates were released for public comment in January and the comment period closed in February. Micky Tripathi, ONC national coordinator, told HealthcareITNews in January that the arrival for TEFCA 2.0 would come early in ONC's interoperability 2024 roadmap.

To enable FHIR exchange, the RCE requires identity proofing on two levels, Coleman noted.

"They have to use an app that has a contract and a working relationship with the credential service provider so that the appropriate level of security can be applied to those transactions as they then query for their health information through the TEFCA network and it gets responded to," he said. 

Further, for individual access service providers that may not be a HIPAA-covered entity, such as a business associate, "we wanted to make sure that the individually identifiable information that an individual access service provider organization stores, maintains and uses in that role is encrypted both at rest and transit."

Incident reporting protocols

Coleman said that for incident reporting, it's going to be critical for these entities to know if they have to follow the TEFCA security incident reporting protocol as well as HIPAA incident reporting protocols that they have in place, "or if they just follow, for example, the HIPAA incident reporting protocols."

There are four exclusions modeled "in a similar fashion" to the HIPAA security rules – "Solutions that exist, not intended to replace them in any way," he said. 

"All QHINs have to abide by the HIPAA security rule, as do participants and sub-participants, even if they're not a HIPAA entity," he said, and there are additional requirements for QHIN cybersecurity coverage that must be certified by an independent third party.

HITRUST certification, for example, is "extremely comprehensive, time-consuming and very thorough," particularly in certification maintenance requirements.

"It is no small accomplishment," said Coleman.

QHINs "have to actively move forward on anything that is on their corrective action plan or plan of action and milestones, and they have to be addressing their identified weaknesses," he said.

They are also obligated to share that information with participants and sub-participants, "so that collectively, the tech ecosystem can start really raising the floor on security best practices and implementing those security best practices."

For a non-HIPAA-covered entity, "it's all individually identifiable information that they maintain, not just TEFCA information," said Coleman. 

"Because they don't have OCR looking over their shoulders…we want to make sure that they're doing the right thing and encrypting their healthcare information at risk and transit."

When a participant who is affected by a TEFCA security incident makes their required report of that incident to their QHIN, "the QHIN would have an obligation to report that to the RCE, and to other QHINs that are impacted by the breach or by the incident," Coleman explained.

Additionally, affected entities would have to report down, notifying their participants and sub-participants. These TEFCA flow-down requirements ensure that "we get good communication flowing – in a timely manner – so that those that need to know, get notified as soon as possible," he said.

TEFCA incident, HIPAA incident or both? 

While they are still considered works in progress, Coleman shared Sequoia Project resources for identifying security incident types for non-HIPAA-covered entities.

If an incident affected individually identifiable information and the information was not encrypted, "then it's automatically a TEFCA security incident," he said. 

"Not only is there a TEFCA security incident, but they're in violation of their terms of participation within TEFCA because they failed to encrypt in transit and at rest," he said. "That's a big no-no." 

Meanwhile, if individual identifier information was encrypted, it might still be a TEFCA security incident, he said. 

It's when an incident affects any healthcare data, and that data had been incorporated into a system like electronic health records, "according to the definitions, it's no longer TEFCA information," Coleman clarified. "Now it's HIPAA information, right?" 

He then discussed how an incident could be a TEFCA security incident – even when it does not involve TEFCA information. 

"If it adversely affects that organization's ability to participate in the TEFCA exchange, if they're no longer able to respond to queries – even though nothing was disclosed under the definition of TEFCA information – it's still affecting their ability to participate." 

There is a whole "purple decision tree" for that protocol, which walks users through if the incident meets one of the TEFCA exceptions, such as when a doctor sends information to the wrong doctor. 

"They're both authorized to receive healthcare information," Coleman said. When the receiving provider does nothing further with the patient's information and they clear it up, it's not a TEFCA incident.

"However, if it doesn't meet one of these exceptions and it also falls into the threshold of other security, other reportable incidents, then it is something that we would want to know about," he said. "So that becomes a TEFCA security incident, as well as a HIPAA security incident," where duplicative notification to affected individual patients would not be required. 

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.

Healthcare information technology is quite complex. The process for evaluating vendors is nuanced and hinges on simplicity, alignment and risk sharing, said Craig Richardville, chief digital and information officer at Intermountain Healthcare.

More than just contracting for a product, healthcare CIOs should be focused on choosing "partners" that help organizations find tools that simplify work and enhance the patient experience, companies that work together to achieve common goals, Richardville advised.

Healthcare IT News sat down with Richardville of the famous health system that always has been ahead of the pack in health IT to gain his expertise on vendor selection.

Q. You say the process for evaluating vendors hinges on simplicity, alignment and risk sharing. Please elaborate.

A. Healthcare technology is complex and often needs to accommodate many different departments and specialties. At the same time, we've all experienced technology advancing rapidly and to the point of being outdated faster than we anticipate.

When we look at technology or services vendors, we often find ourselves evaluating in two different categories – short-term and long-term service vendors, the latter being more like a partnership relationship.

Those tenets of simplicity, alignment and risk sharing become important when determining if a vendor will fulfill a short-term need or will be with us for a longer haul. When we talk about simplification, we're often looking for organizations that can help us take the complexity of our processes and use health technology to make it simple – for our patients, members and caregivers.

This could be about significantly improving a workflow, or it could be providing a seamless experience based on interoperability, for example, as we grow. In an organization as large and advanced as Intermountain Health, the ability to grow or shrink a solution is vital for long-term success.

In terms of alignment, we will often take the time to ensure the vendor's goals and values align with ours. Not only does this help improve workflow, it fosters a cooperative environment where we know the partner-like vendor is working toward the same paradigm we are.

Shared goals and values also help when evaluating through risk sharing. Technology always comes with risk, whether it be system reliability, interoperability, or compliance and data security. Evaluating risk sharing entails a mutual understanding of those potential risks and balancing the responsibilities for each, where both parties share the burden and work together to mitigate risks effectively.

Q. You say vendors who strike successful relationships with provider organizations engage in collaborative relationships, aiming for long-term synergy and shared success. Please describe what this looks like.

A. The most successful relationships contain positive collaboration toward long-term improvement and shared success. This involves open communication, mutual respect and a commitment to achieving common goals.

Vendor partners actively engage with us to understand our unique challenges and needs, offering tailored solutions within their framework to fit those needs and offer continuous support for the challenges that may arise. They view our success as their own and are dedicated to fostering a sustainable and mutually beneficial relationship over time.

Q. You suggest healthcare organizations must find vendors that simplify work, enhance the patient experience and work together to achieve common goals. Please give an example of how you achieved this with one of your vendors.

A. While this is always the goal, sometimes it doesn't always work that way. Each situation is unique and sometimes we just need an immediate solution or need to solve a specific problem. When all those things do come together, the result is a solution where everyone wins.

In one instance, we partnered with a software vendor to enhance our patient scheduling system. Instead of merely providing a solution, the vendor took the time to understand our unique workflows and diverse patient populations.

Together, we identified pain points in the existing system and collaborated to design a customized solution that streamlined scheduling, improved patient access and enhanced the overall patient experience. The proof was in a 20% increase in conversions through our website navigation.

Through regular communication and feedback loops, we iteratively refined the solution to ensure it met our evolving needs. This collaborative approach not only simplified our work processes but also directly contributed to better patient outcomes and satisfaction.

Q. What advice can you offer your peers at other hospitals and health systems when it comes to evaluating and selecting vendors?

A. When conducting risk assessments for potential longer-term vendor relationships, it's essential to approach it comprehensively and collaboratively. I advise my peers to include the following in their evaluation process:

• Involve stakeholders from various departments, including IT, legal and compliance, to assess risks from different perspectives. It's crucial to thoroughly evaluate the vendor's security protocols, compliance with regulations, financial stability and past performance.
• Fostering open communication with the vendor and establishing clear expectations from the outset can help identify and mitigate potential risks effectively.
• Emphasize the importance of continuous monitoring and reassessment of risks throughout the relationship to ensure ongoing compliance and alignment with organizational goals.

Follow Bill's HIT coverage on LinkedIn: Bill Siwicki
Email him: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication.

Digitalisation in healthcare holds the promise of optimising processes and expanding access to care. In some European countries such as Slovenia, Croatia, Estonia, Poland and Hungary, patients can access national portals that contain their prescriptions, referrals, discharge letters, etc. In other countries such as Belgium and Spain, patients can access regional portals. In the Netherlands, Germany and Switzerland, individual healthcare providers offer their own patient portals. This means if a person visits multiple facilities, they must use different portals to access their health data. The European Health Data Space (EHDS) legislation aims to improve access to and control by individuals of their electronic health data, expand healthcare data accessibility across borders, and use healthcare data for patient acute care and research.

The range of changes tech could in theory bring to healthcare is extensive, including the following:

• Faster access to and improved coordination of care by having a more direct channel with clinicians through an online portal.
• Time saved by opting for telemedicine over an in-person visit.
• More precise diagnoses with the help of AI.
• Reduced burden on frontline staff due to tech-enabled capacity optimisations.

On the dark side, there are patient concerns: Will my data be exploited? Is it safe? Will I lose the connection with my doctor? After all, people, especially those in vulnerable health situations, crave human touch and a reassuring voice.

What do patients worry about?

The European Patients' Forum is an umbrella organisation of patient organisations across Europe, with its 79 members including disease-specific patient groups active on the EU and national levels in Europe.

Patients have a number of concerns about the digital transformation of healthcare, according to Gözde Susuzlu Briggs, programme manager at the European Patients' Forum: 

• Digitalisation could exacerbate existing health inequalities, especially where there is a significant digital divide.
• There is a risk of unauthorized access to or breaches of patients' personal health information (PHI).
• A lack of interoperability is hindering effective care.
• There are worries about the affordability and accessibility of digital health solutions.
• The shift to digital health requires an adjustment in how patients interact with healthcare systems.
• It is very difficult to stay on top of innovation in digital health.

"Patient communities know their disease areas quite well, but in terms of other advanced technologies or work that's around legislations and legal frameworks are topics that are quite new unless it's their profession," Briggs said.

Improving digital literacy and involving patients in the development of solutions are crucial for building public trust and ensuring a positive user experience.

Education, explanation, collaboration

On the EU level, several organisations work with and for patients on inclusion in data management and improving digital literacy. Non-profit organisation EUPATI (European Patients Academy on Therapeutic Innovation) provides education and training to increase the capacity and capability of patients and patient representatives in medicines R&D. In 2023, EUPATI designed a Digital Health module that provides an overview on digital health and its regulatory framework.

"Based on the feedback so far, real-world evidence and real-world data seem to be specific areas where patients struggle to fully understand their role and relevant opportunities for involvement," said Maria Dutarte, executive director at EUPATI.

More workshops and … national marketing?

"I haven't yet met a patient who wants all their healthcare from a computer, including myself," said Kristof Vanfraechem, founder and CEO of Data for Patients– a European organisation focused on bringing data/digital experts who are also patients/caregivers into strategic change initiatives. "We see digital as an opportunity to enhance human healthcare – tools to bring the humans – frontline workers and patients – closer together more efficiently and effectively to get or, even better, keep patients as healthy as possible at all times," he said. Vanfraechem emphasized that digital transformation is a complex change at the society level. Data for Patients invests in supporting patient organisations in an approach close to them.

Education and awareness may seem to be a straightforward solution to increasing knowledge, managing expectations about digitalisation in the patient population, improving utilization of solutions and decreasing unnecessary tech-related fears, but someone needs to do the groundwork. Since not all patients are deeply involved with patient organisations, this leaves many responsibilities to decision-makers implementing and introducing new digital solutions. Laws and regulations are only a starting point for successful digital transformations.

Gözde Susuzlu Briggs is the programme advisor for the "Empowering Patients" track at the 2024 HIMSS European Health Conference & Exhibition, which is scheduled for 29-31 May 2024 in Rome. Kristof Vanfraechem is moderating the session "Leveling Up! Harnessing Health Literacy to Achieve Equity." Learn more and register.

The Office of the National Coordinator for Health IT and the Sequoia Project on Monday announced the launch of Common Agreement Version 2.0, an update to the document most recently released this past November.

ONC also published new Participant and Subparticipant Terms of Participation, which set forth the requirements that participants must agree to and comply with to exchange data under the Trusted Exchange Framework and Common Agreement.

WHY IT MATTERS
ONC and Sequoia say the seven designated Qualified Health Information Networks under TEFCA can now adopt and begin implementing the new version, CA v2.0, which has been updated to require support for API exchange using HL7's FHIR spec.

That will allow TEFCA participants and subparticipants to more easily exchange health information among themselves and will help individuals to more easily access their own data using devices and apps of their choice.

TEFCA's common agreement sets up the technical infrastructure model and governing approach for different health information networks and their users to securely share clinical information with each other – all under commonly agreed-to rules-of-the-road.

The new enhancements and updates "mark a huge step forward for TEFCA as it meets the promise of seamless nationwide exchange at scale," according to ONC lists some concepts that have evolved from Common Agreement v1.1 to v2.0.

Meanwhile, new Participant and Subparticipant Terms of Participation for TEFCA will improve the framework by providing a standalone document that participants can incorporate into existing data use agreements – helping reduce legal costs and other burdens for organizations looking to connect

THE LARGER TREND
This past December, ONC and Sequoia Project, TEFCA's recognized coordinating entity, announced that it was live and ready to exchange data via five QHINs: eHealth Exchange, Epic Nexus, Health Gorilla, KONZA and MedAllies.

"The initial exchange of clinical data began within 24 hours of the nation's first Qualified Health Information Networks achieving designation in December 2023," said Mariann Yeager, The Sequoia Project CEO and RCE lead.

Two months ago, two more QHINs, CommonWell and Kno2, were also onboarded.

The Sequoia Project had been seeking stakeholder feedback this year on updates to the Common Agreement and new terms of participation, also publishing a series of drafts to support wider use of FHIR and improving operating procedures for electronic case reporting and improving the framework more generally.

ON THE RECORD
"Today's release includes framework enhancements, including greater use of FHIR, better support for use cases beyond treatment, and simplified onboarding for participants like clinicians, digital health apps, public health agencies and other end users of health data," said Yeager.

"We have long intended for TEFCA to have the capacity to enable FHIR API exchange," said National Coordinator for Health IT Micky Tripathi. "This is in direct response to the health IT industry's move toward standardized APIs with modern privacy and security safeguards, and allows TEFCA to keep pace with the advanced, secure data services approaches used by the tech industry."

Mike Miliard is executive editor of Healthcare IT News
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.