One of the major barriers to more rapid expansion of health information exchange has been concern about protection of patient privacy. Therefore, it is critical for the health IT community to develop foundational policies and procedures that provide reasonable assurance that patients' private information will be protected. On the one hand, there is currently no lack of regulatory privacy protections. Consider the HIPAA privacy rule and Meaningful Use stage 1 requirements, for example. However, some question whether current policies and technologies are mature enough to adequately protect personal health information. The frequent media coverage of large and small data breaches, including those that are the responsibility of health care entities, does little to engender public confidence. So what efforts are currently underway?
There are numerous governmental, public, and private groups working on this challenge. The Office of the President produced a draft federal plan that addressed cyber security issues in 2006. More recently, the Privacy and Security Tiger Team of the Health Information Technology Policy Committee (HITPC) and the Privacy and Security Standards Workgroup of the Health Information Technology Standards Committee (HITSC) have each been tackling various aspects of protecting information privacy. The archives of previous meetings, available at the ONC website, are a rich source of information concerning their work. A recurrent theme is the need for an underlying trust framework to enable wider adoption of electronic health information exchange, especially if transport will utilize the public Internet infrastructure. Let's learn more about the meaning of a trust framework.
There are numerous components to a trust framework. The purpose of the framework at its most basic level is to ensure that partners involved in health information exchange can trust each other. One of the first steps is developing the policies, governance, procedures, and technology needed to authenticate one party to the other in order to facilitate access control decisions. A good explanation of a trust framework is provided in a course produced last year by the National eHealth Collaborative. NHIN 104 explains how the federal government has chosen to develop a trust framework to support NHIN Exchange. This trust framework concept can be scaled to encompass general health information exchange across the US. The subject for my next post will be Trusted Identity.
Sunday, May 8, 2011
I have read the last entry too, and it's a great resource of information to learn about how information is protected and is kept secured. After reading this one I am curious to know more about certificate authority.