The prospect of truly interoperable patient health data leapt forward in February when the Department of Health and Human Services announced six entities in line to be qualified to serve as data exchange hubs.

If each interoperability step is a building block to the patient data equivalent of an interstate, this announcement forms a key connector for the nationwide data highway. But the interstate is nowhere near complete, so celebrations are premature. It’s a critical and encouraging step, to be sure, but connecting provider systems is a complicated business.

The healthcare industry remains a prime target for cybersecurity attacks, with 700 incidents in 2022 compromising 51.4 million patient records. Connecting networks across the country will exacerbate the vulnerabilities — unless sufficient care is taken at every step to ensure data protection and privacy.
    
Interoperability carries with it the possibility of transforming patient care and improving outcomes by expanding data access. Imagine accurate and up-to-date data flowing among caregivers as a patient moves from care setting to care setting, provider to provider, with providers and staff spending less time locating, aggregating, and digesting data and more time on direct patient care. Free-flowing data eliminates much of the paperwork patients must fill out over and over again.

Yes, the promise of interoperability is real and exciting, and the healthcare industry is closer than ever to achieving this elusive aim. The next steps will be equally as critical in making interoperability a reality that serves both providers and patients.

Interoperability Will Improve Patient Care Outcomes
Imagine the all too frequent example: an individual is transported to the local emergency department after an automobile accident and needs immediate surgery. They are unresponsive, and their driver’s license indicates the individual is not local. Personnel can’t find in case of emergency (ICE) information on their phone, and there was no one else in the vehicle who could provide any medical details.

The patient needs immediate surgery, but any procedure could be deadly absent information about medical conditions such as whether the patient is taking blood thinners or has comorbidities that could impact the surgery and outcome. But the patient cannot wait, so the surgery proceeds.

Now imagine the same scenario with national interoperability of patient records. With a driver’s license, personnel quickly locate the patient’s record, see the patient isn’t taking a blood thinner and doesn’t have comorbidities that could affect the needed surgery, which proceeds in full knowledge of the person’s health status.

A patient doesn’t need to suffer a life-threatening accident to fall victim to bad or incomplete information. In 2017, the Joint Commission issued a Sentinel Event Alert on the potential for patient harm arising from insufficient patient handoffs. Caregivers along the continuum must understand a patient’s condition, treatment, medications, comorbidities, and more to start the next step on a patient’s care journey. Federal mandates for admission, discharge, and transfer (ADT) notifications are helping in this area. There’s no doubt interoperability can make those handoffs more meaningful and improve overall patient outcomes.

Meaningful Data Exchange Closer than Ever
The Trusted Exchange Framework and Common Agreement (TEFCA) was born out of the 21st Century Cures Act, passed on a bipartisan basis in the closing days of the Obama administration. The legislation did several things, including defining and making information blocking illegal and allowing patients to access their health data through application programming interfaces (APIs) and an “app of their choosing.” It also set up the initial framework for TEFCA, although the first draft of guidelines wasn’t released until 2018.

Even before the Cures Act, the industry was moving toward interoperability on its own. Providers in geographic areas were coming together to form local, regional, or state health information exchanges (HIEs), and health systems were promoting interoperability among member facilities. The CommonWell Health Alliance got its start in 2013, with the intention to build a shared infrastructure for members, followed a few months later by Carequality and its common standards used by vendor-based networks. In 2015, CommonWell and Carequality created a bridge allowing exchange between the two.

The culminating action for TEFCA is the application acceptance of the first qualified health information networks (QHINs) in February: CommonWell, eHealth Exchange, Epic TEFCA Interoperability Services, Health Gorilla, Kno2, and KONZA National Network. Together the prospective QHINs cover all 50 states, conducting billions of transactions for most hospitals and tens of thousands of providers. The final approval and ramp-up process is expected to take a year.

National Coordinator for Health IT Micky Tripathi also recognized the next big challenge, saying that “strong privacy and security protections are required of QHINs.” He noted that greater interoperability “will help improve the quality, safety, affordability, efficiency, and equitability of health care across the country.”

Data Duplication, Integration Issues Still to be Solved
Getting QHINs up and running will not completely solve the interoperability challenge, for several reasons. Data duplication is the first issue that needs to be tackled. Think about the new patient paperwork completed on a first visit and then annually, multiplied by the number of physicians, specialists, and facilities that a patient visits. Who remembers what year that surgery took place or what Grandpa died from and when? When presented with duplicative information that may be contradictory, what takes precedence?

The provider experience also cannot be overlooked. The goal is to bring data together and present it in a way that’s useful for providers. However, providers are notorious for dis-adopting technology that doesn’t conform to their workflows. How many times has the death knell tolled for the fax machine amid technology advances designed to transmit data more reliably and securely?

Although the industry is moving toward value-based care, we aren’t there yet. In a fee-for-service environment, exchanging data with other providers is often seen as “leakage,” as patients move among providers and care settings.

At this time, interoperability is essentially voluntary. The federal government used financial incentives to achieve the widespread adoption of EHRs and e-prescribing. Until financial incentives are provided for interoperability, adoption may lag.

Cyber Threats Undermine Trust and Inhibit Exchange
One of the most pressing issues slowing widespread interoperability is the security of networks that will exchange data. A research brief from the ONC shows many organizations already have multiple connections to other data networks, with 6% reporting four or more connections. That doesn’t include the connections among provider systems, which can number in the hundreds for a single hospital.

Every data connection opens up another possible penetration point for hackers and bad actors. Health data is highly prized, and the average cost of remediation among healthcare organizations passed $10 million in 2022 — twice the cost of financial services, the second-most breached industry. Because of significant payouts, cyber insurance companies are tightening coverage requirements, and we believe insurers soon will routinely require third-party risk management to attest to the security of a hospital’s network infrastructure, including devices and business associates.

It's not a question of if an organization gets breached: It’s a question of when and how significant the impact will be on patient care. Organizations must have appropriate and rigorous policies and procedures in place. Ideally, they would be certified by a third party based on cybersecurity standards adopted by the National Institute of Standards and Technology.

Among trusted communication methods, sending and receiving data using Direct Secure Messaging (often called Direct) over the DirectTrust network operated by accredited organizations had the most universal usage, with adoption by 90% of hospitals. Direct is a proven technology that serves more than 282,000 organizations. In Q4 2022, 213 million messages flowed through the DirectTrust network. It is the inherent security of the protocol itself and the certification of network operators that has enabled such broad adoption.

The final unanswered question is how consumers will access their own data while maintaining privacy and security. App developers are governed by the Federal Trade Commission, not HIPAA, so it’s critical the right guardrails be developed so patients can confidently access their data. DirectTrust is working with The CARIN Alliance, a consumer-directed data exchange collaborative, on a new accreditation program to help bring that confidence to consumers.

Conclusion
The naming of the first QHINs represents a giant step forward for the interoperability and access of patient data. But the data exchange highway isn’t yet complete. The healthcare industry needs continued diligence to solve the remaining issues, including how to maintain the privacy and security of data as it flows through an increasing number of IT networks.

Third-party certification can provide the right security guardrails by setting high, yet achievable standards around IT networks and their ability to access and exchange data.

About the Authors

Scott Stuewe
President and CEO
DirectTrust

Scott Stuewe is a 25+ year veteran of the healthcare information technology industry. As President and CEO of DirectTrust, Scott drives visibility and utilization of the Direct Standard™ to contribute to nationwide interoperability. Under his tenure, the organization achieved the landmark milestones of one, two, and three billion Direct Secure Messages sent and received over the DirectTrust Network. Previously, Stuewe was Director of Strategy and Interoperability at DataFile Technologies, a health information management company, and served more than 24 years at Cerner, including as Cerner Network’s Director of National Interoperability Strategy, where he drove participation in the CommonWell Health Alliance and the bridge with Carequality.

Lee Barrett
Commission Executive Director
DirectTrust

Lee Barrett is the Commission Executive Director for DirectTrust. He previously served as CEO and Executive Director of the Electronic Healthcare Network Accreditation Commission (EHNAC), which merged into DirectTrust in January of 2023. He was appointed by the Office of the National Coordinator for Health Information Technology (ONC) as FAST co-lead of the Testing and Certification Tiger Team and as a member of the Executive Committee. Barrett currently serves as a member of the HHS 405(d) Cybersecurity Information Sharing Act (CISA), the FAST/HL7 Accelerator, the Healthcare Sector Cybersecurity Council (HSCC), and the EHI Leadership Council, and is also a board member for The Sequoia Project and co-chair of the Sequoia Interoperability Matters Leadership Council.