Effective Health Information Exchange

The First Step Toward Connected Health

Table of contents
Executive summary
1. Transforming the US health system: From fragmentation to a connected health ecosystem
   Today's health system and the promise of tomorrow
   Key characteristics of connected health
   The connected health journey
2. The first step: Health information exchange
3. Information governance: Enabling effective health information exchange
   The Accenture Information Governance Framework for Health
4. Developing effective information governance: Next steps

Executive summary

Over the next decade, the US health system must change dramatically to address many challenges: steadily rising costs, an aging population, the increasing incidence of chronic disease and people's growing expectations for care that is more accessible, affordable, high quality and personalized. Although the health system has been slow to adapt, this situation is set to change. Health care reform and unprecedented investment in health IT, particularly connected health solutions such as electronic medical records (EMRs) and health information exchanges (HIEs), are fundamentally reshaping the health care system.

The current system is characterized by passive consumers, highly fragmented, episodic fee-for-service care delivered in costly settings, and physician remuneration based on quantity of care provided. Connected health solutions will support the transformation to a highly coordinated, connected health system characterized by a focus on long-term wellness, prevention and chronic care management, informed and engaged consumers and a payment system that rewards quality and incents providers to improve health outcomes.

In this report, Accenture outlines the various stages of this transformation journey from the current health system to the new connected health ecosystem. An essential first step is the secure, efficient electronic capture and exchange of high-quality patient health information through electronic health records and health information exchanges that connect the various stakeholders. Health IT solutions will improve the quality and efficiency of care only if physicians and hospitals implement and operate them effectively, better enabling free and easy exchange of information among organizations. Consequently, the federal government's meaningful use criteria, which encourage widespread adoption of EMR solutions that better enable secure, effective health information exchange, will be crucial.

Over time, the application of analytics and predictive modeling tools to health information will help to better inform health care decisions and processes, enhance the patient experience and deliver better outcomes while reducing costs across the entire system. Research from the eHealth Initiative shows that progress on implementing HIE initiatives is accelerating rapidly.[1] However, a number of persistent challenges could slow or even halt this progress. While the nature of the challenges identified in the eHealth Initiative survey is wide ranging, from developing sustainable HIE business models and defining the value for users to protecting patient privacy and ensuring compliance with federal and state regulations, many of them typically trace back to information governance issues. These include:

Security: preventing and managing data breaches.
Interoperability: enabling systems to share information efficiently, effectively and securely.
Consent: developing and implementing effective consent models.
Access control: preventing unauthorized access to and inappropriate use of data.
Data quality: ensuring data communicated between systems is accurate, meaningful and internally consistent.
Compliance: ensuring compliance with privacy, data security and audit regulations.

Failure to address these challenges will likely result in negative consequences for the efficiency and effectiveness of HIE. For instance, it could increase data breaches and reputational risk; limit adoption and undermine long-term sustainability; increase the cost of HIE implementation; limit the clinical and administrative value of health information exchange; and reduce system flexibility and performance.

Key to helping address the challenges is effective information governance, which Accenture defines as the processes, functions, standards and technologies that enable high-quality information to be created, stored, communicated, valued and used effectively and securely in support of an organization's strategic goals. With legal, administrative, clinical and IT dimensions, these challenges cut across virtually every part of a health care organization. Thus, developing effective solutions requires collaboration across organizational silos, functions and information systems. In the past, however, organizations have tended to adopt a siloed and tactical approach to information governance, addressing challenges as they arise. This fragmented, reactive approach significantly increases the cost of information governance and reduces the effectiveness and flexibility of information governance provisions.

Accenture believes that a strategic, coordinated and disciplined approach is critical to help address information governance challenges. Effective information governance requires a consolidated, enterprise-wide information governance architecture: a layer of processes, functions, policies and solutions that ensure the effective and secure creation, storage, communication, valuation and use of information. Effective information governance architectures integrate disparate information, security, access control and content management architectures and include legal, clinical, administrative and IT work streams.

In this report, we present the Accenture Information Governance Framework for Health as a possible tool for helping organizations design more effective, consolidated information governance architectures to ensure effective implementation and ongoing operation of HIE initiatives. Developed by Accenture and drawing on what we have learned through health IT implementations around the world, the framework provides a holistic model of information governance. The framework breaks the complexity of information governance into five interrelated components, each of which has its own set of processes, functions, standards and technologies, within one integrated model. The five components are:

Data privacy: ensuring patients' medical data can be accessed only with their consent.
Data confidentiality: preventing unauthorized access to and improper use of information.
Data security: proactively managing security risks, effectively identifying and prioritizing threats, and rapidly addressing vulnerabilities.
Data quality: ensuring information is meaningful, accurate and internally consistent so it can be used for its intended purpose.
Data integrity: maintaining the validity, accuracy and reliability of data after it has been stored, transferred, retrieved or processed.

We believe that all HIE stakeholders, whether policymakers or those responsible for ground-level implementation, should consider these five components from the outset of their planning. Based on Accenture research and experience from e-health implementations around the world, we have identified four initial steps toward more effective information governance:

1. Conduct a comprehensive risk assessment and gap analysis of current information governance provisions.
2. Identify, analyze, evaluate and prioritize information governance challenges.
3. Design solutions and develop strategies to address these challenges.
4. Develop a detailed implementation plan.

Accenture believes that to achieve high performance in the connected health ecosystem, health care organizations should make information governance a strategic priority. By creating a consolidated, enterprise-wide information governance architecture, organizations will be better able to improve data quality and data security. This, in turn, will help them to implement health information exchange solutions that address patients' concerns over data privacy, ensure compliance with regulatory and legislative requirements, maximize the clinical and administrative benefits of health information exchange and increase physician adoption.

[1] eHealth Initiative, "The State of Health Information Exchange in 2010: Connecting the Nation to Achieve Meaningful Use" and "Migrating Toward Meaningful Use: The State of Health Information Exchange."

1. Transforming the US health system: From fragmentation to a connected health ecosystem

Today's health system and the promise of tomorrow


The US health system is at a critical juncture. Faced with a number of steadily intensifying challenges (skyrocketing costs, an aging population, the increasing prevalence of chronic disease and growing expectations from patients for care that is more accessible, affordable, high quality and personalized), a complete transformation of the traditional health care delivery model is needed to create a sustainable health system for the 21st century and beyond.

To date, the health system has been slow to adapt. The provision of care remains fragmented, with little coordination among myriad stakeholders, including providers (doctors, hospitals, clinical laboratories and pharmacies), payers, government, employers and consumers. The system maintains its focus on episodic care delivered in costly traditional settings (hospitals and physicians' offices) after people become sick rather than on preventive care and wellness. Consumers remain passive; lacking the knowledge and the inclination to manage their own care, they rely heavily on decisions made for them by their physicians. Further, the payment system compensates doctors not for the quality, but rather the quantity of care they provide, offering little incentive for innovation or improved health outcomes.

This situation is set to change over the next 10 years as the various stakeholders embrace new connected health solutions that will transform the health system, improving the patient experience and delivering better health outcomes while reducing costs across the entire system. Connected health describes a new delivery model in which:

Services offered by different stakeholders are provided in a coordinated and seamless way across all access points.
Patient needs and sustainable health care organization business models come together to create appropriate pathways through care.
The focus is on prevention, health and wellness rather than episodic care.
Patients are no longer passive recipients of care but are informed and empowered to monitor their own health and make appropriate choices over the course of their lives.
Care is available in diverse settings (including people's own homes) to increase the efficiency and effectiveness of interventions.
Providers' remuneration is based on performance in improving health outcomes and there are clear rewards for innovation.

The electronic capture of patient health information and the subsequent exchange of that information across the health system is an essential first step in the transformation to the connected health system. The superior use of health data will help create a more efficient, high-quality, value-driven, evidence-based future for US health care.

Figure 1. Transitioning the health system

The current health system:
Fragmented
Care that is centered around the needs of the health system
Focused on episodic care
Traditional health care settings (hospitals, physician offices)
Passive consumers
Most providers paid on fee-for-service basis
Lack of incentives for innovation

The connected health system:
Coordinated through complex and flexible interdependent networks
Care that is centered around the needs of the patient
Focused on wellness, prevention and chronic care management
Diverse health care settings
Health consumerism
Providers' reimbursement linked to performance
Innovations improve service and reduce cost

What are the key drivers in the move toward connected health?

Recent government reform initiatives, such as the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Patient Protection and Affordable Care Act (PPACA), represent key milestones in setting the foundation for connected health. HITECH advocates the use of technology by incentivizing meaningful use of EMRs by physicians and hospitals, as well as the development of HIEs. PPACA includes provisions to move the system toward new payment models that reward value (cost and quality targets) rather than volume (fee for service) and encourages new models of care and accountability (such as Patient Centered Medical Homes and accountable care organizations).

Financial drivers including health care inflation, resulting from the high cost of new drugs and treatments; wasteful spending (for example, redundant, inappropriate or unnecessary tests and procedures); inefficient health care administration; the rising incidence of costly conditions (such as heart disease and obesity); and the growing health care needs of an aging population.

Rapid advances in health information technology (HIT), including electronic medical records, clinical decision support systems, computerized physician order entry (CPOE) and common standards and certification processes, are seen as key enablers for improving the overall quality, safety and efficiency of the health delivery system.

A new generation of informed, empowered consumers are changing patient expectations. The increase in patient information and choice, demands for more convenient and personalized care, and acceptance of the need to take more personal responsibility for managing their own health are creating a strong impetus for change. (See sidebar on page 10: Connected health and people's perspectives on the US health system.)

A heightened focus on quality of health care and patient safety, which stems from growing concerns over clinical errors, adverse drug events and the continuing impact of inconsistent care standards resulting from uneven application of care protocols and evidence-based medicine.

Changing physician attitudes toward technology are driving the adoption of new e-health solutions. For example, a recent Accenture survey of more than 1,000 physicians in small practices across the US [2] found that almost 60 percent of all current nonusers intend to purchase an EMR system within the next two years. The figure rises to 80 percent for physicians under 55 years of age.

The nation also faces a shortage of qualified medical professionals due to the recent decline in the number of US medical school graduates choosing primary care. At current graduation and training rates, the nation could face a shortage of as many as 150,000 doctors in the next 15 years, according to the Association of American Medical Colleges.

[2] Accenture surveyed more than 1,000 physicians across the US in December 2009. The quantitative survey included randomly sampled physicians from offices of fewer than 10 practitioners.

Key characteristics of connected health


Connected health is a new approach to the delivery of health care services that leverages sophisticated health information technology (HIT), analytics and predictive modeling, new forms of integrated care delivery models, and a patient-centric approach to care delivery to improve the efficiency, quality and accessibility of health care services. The vision for connected health is one in which all parts of the health care system are seamlessly integrated through interoperable processes and technology, and where critical health information is available when and where it is needed.

Four key characteristics of the new connected health ecosystem differentiate it from the traditional health care delivery model.

Ubiquitous health information technology (HIT) that enables key constituents to capture and share high-quality information securely and effectively

HIT is a key enabler of connected health. It provides the tools to electronically capture, organize, share and analyze health information that can be used to improve health and wellness and to treat, cure and prevent illness. Effective, efficient and secure exchange of high-quality health information across the health system is a prerequisite for patient-centric, integrated, evidence-based care. Connected health solutions support health data liquidity by capturing and sharing patient-identifiable clinical and administrative information and enabling authorized parties to exchange and/or access it.

Achieving and maximizing the value of data liquidity requires the widespread adoption and utilization of a number of HIT solutions:

Interoperable EMRs and EHRs, HIE solutions and Health Information Networks (HINs) that enable a range of health care organizations to capture and share information securely, efficiently and effectively.
Telemedicine, in-home monitoring and mobile health solutions that support the remote delivery of care, including monitoring and consultation.
Health 2.0 sites, personal health records (PHRs) and wellness tools that encourage and empower patients to manage their health and health care more effectively.
Analytics tools that help maximize the clinical, epidemiological and administrative value of data flowing through the connected health ecosystem.
Clinical decision support systems (CDSSs) and CPOE systems that support collaborative patient-centric care delivery models.

Smart health care that uses analytics and predictive modeling to improve clinical decision making, target resources more efficiently, develop more effective care delivery models and improve disease management

Connected health solutions maximize the value of data liquidity by translating data into actionable insight that physicians, administrators, organizations and government can use to improve the quality of care, increase the efficiency of administrative and clinical processes, and target resources more effectively to improve clinical and public health outcomes. There are three main applications for analytics:

Health providers can leverage analytics at the point of care to help determine the most clinically effective treatments for individual patients through the use of CDSSs. Treatment and diagnosis are based on proven clinical protocols that help physicians reduce the variability of care, ensure use of best practices and manage costs of care.
Analytics plays a critical role in improving care processes and deploying resources more effectively to drive down costs. By analyzing clinical and administrative data (from medical records, claims processing, appointment scheduling, lab results and so on), organizations can obtain detailed insights into workflow and resource allocation across different parts of the patient care process. These insights can be used to optimize resource use and increase the efficiency of clinical processes.
Analytics can be used to improve public health outcomes by evaluating population data sets to help identify patients most at risk from chronic diseases or other high-cost health conditions. Using predictive analytic techniques, patient conditions can be managed and monitored proactively to ensure preemptive interventions that avoid hospitalizations and related costs. Those patients identified as being most at risk receive additional care and can be educated to manage their own treatment or change their behavior in ways that may improve their condition.

New integrated care delivery models that target improved health outcomes, prevention and wellness rather than reactive treatment

Integrated care delivery models provide a means of organizing, financing and delivering a wide range of health services to meet an individual's health needs in a coordinated, accountable care management setting. The new models avoid duplication and eliminate redundant processes by enabling a range of health professionals to coordinate care across the health system.

One example is the Patient Centered Medical Home (PCMH). Through the PCMH model, a patient's care is coordinated across the health system and across all stages of the patient's life. Patients share responsibility for their health with primary care providers, who ensure the right care is delivered at the right time and in the most appropriate setting. The nonprofit National Committee for Quality Assurance (NCQA) offers physician practices the chance to attain formal recognition as a PCMH. NCQA created nine certification standards that encompass 30 elements and 189 data points, including care management, patient self-management support, electronic prescribing, performance reporting and improvement, and advanced electronic communications. Practices can receive one of three levels of recognition as a PCMH, depending on mastery of the standards.

The success of integrated care delivery models depends on providers being rewarded appropriately for the time and effort spent in managing the coordination and the ongoing relationship with the patient. A results-based, rather than transaction-based, payment system links remuneration to outcomes, thereby encouraging care coordination, efficiency, quality improvement and a larger role for the patient in the health process.

Patient-centric health care that is flexible and responsive to the individual needs of patients and enables patients to manage their health more effectively

Connected health enables a more personalized approach to health care that puts the individual's needs at the center of the care process. By building a comprehensive picture of each patient (personal and family medical history, surgeries, hospitalizations, lab test results, vaccinations, medications, allergies and adverse drug reactions, as well as lifestyle observations) and using evidence-based diagnostics, providers can ensure that individual patients receive the right care at the right time.

The increasing liquidity of information is also transforming the individual's role in managing his or her own health more effectively. For example, patients are able to record and maintain their own health care information through patient health records, which they can share with health providers as appropriate. Through patient portals, patients can request appointments, review test results, access their medical records and send messages to their physicians. Patients are also empowered to manage their conditions through the use of online health risk assessment tools and remote patient monitoring devices that bring health care into the home setting. These technologies enable early detection of problems that might otherwise require treatment in more expensive care settings, such as hospitals.

Increasingly, consumers are also demanding information on the cost and quality of health care services provided by hospitals and other health care facilities. With that information, they are able to make informed choices about treatment options and appropriate care providers. Consumer-friendly websites are emerging to give consumers a range of health care information, including physician finders, payment estimators, cost comparisons and quality indicators for health providers, such as length of stay, mortality rates, readmission rates, complication or infection rates and so on. Finally, new Web 2.0 tools, such as social networking sites, blogs and online community forums, provide the means for consumers to gain more information about their condition, choice of treatment options and so on.

Connected health and people's perspectives on the US health system

In December 2009, the Accenture Institute for Health & Public Service Value conducted a survey of 1,019 US citizens to explore their perceptions of health and health care.[3] The survey was part of a global study involving people in 16 geographies. The findings show strong support among US respondents for connected health, which will provide a real impetus for change.

The survey revealed that US citizens are very concerned about costs and efficiency in the health care system. More than half of those surveyed (54 percent) believe that one of the three biggest challenges facing the health care system is that medical costs are too expensive, and almost four in 10 (38 percent) cite too much inefficiency or bureaucracy in the system.

People recognize that steps should be taken to cut the cost of health care. Many are willing to accept alternative models of care. For instance, more than four in 10 people surveyed support the idea of seeing health professionals other than doctors for routine care. Around 30 percent support more online and telephone consultations with doctors, rather than having to see them face to face.

People also believe that preventive care and personal responsibility for health is important to relieve pressure on the health system. Fifty-nine percent of people believe that to improve health care in the United States, it is essential or very important for government to put more emphasis on preventive care. Meanwhile, 63 percent believe it is essential or very important for government to encourage and educate people to take more personal responsibility for improving their own health and that of their families.

People want to play a greater role in managing their own health but feel they need easier access to health-related information to do so. Eighty-six percent of people agree their health depends largely on how well they take care of themselves. However, while two-thirds of people believe it is essential or very important for government to ensure that they are provided with reliable and trustworthy information and advice about health and health services, only one in five think government is doing this well.

People rely heavily on health professionals as key sources of information. Two-thirds of respondents rely on doctors and other health care professionals for information and advice on managing their health, putting an enormous strain on primary care physicians' time.

People want more control over their treatment options and easily accessible information on providers' performance so they are better able to make appropriate choices. Only half of respondents say they feel well informed about the performance of health providers. More than eight in 10 people would like to know more about how different health service providers are performing so they can make decisions about where to go for treatment. Further, 63 percent want to be able to make the decision themselves on where to go for treatment. Only 18 percent say they have no need for information as they leave it solely to their doctors to make decisions.

People strongly support the adoption of electronic medical records. Almost 70 percent of survey respondents think it is very or fairly important for health providers to adopt EMRs.

[3] The fieldwork was conducted between December 10 and December 21, 2009, a period of great debate and media attention on US health care legislation. Interviews were conducted online, with quota controls placed on sample. Data were weighted to be representative of the general population of US residents aged 18 and over.

The connected health journey


Widespread adoption and utilization of connected health solutions over the next five to 10 years will drive development of a national connected health architecture (see Figure 2). While there will be a number of critical junctures in the construction of this architecture, Accenture believes the most important will be:
Stage 1: Realizing ubiquitous health information exchange
Stage 2: Constructing a national health network of networks
Stage 3: Enabling evidence-based health care
Stage 4: Implementing connected health strategies

The Connected Health Architecture

The Connected Health Architecture illustrates how different connected health solutions and strategies will enable the delivery of more integrated health care services and will support the transition to a connected health system. Each layer of the Connected Health Architecture has a number of components that represent the most important solutions, functions and processes in enabling connected health.

1. Connected health infrastructure: A distributed, nonhierarchical, nonproprietary national network, constituted by local, state and regional health information networks, that enables organizations to share clinical and administrative information.

Network development and management: a centralized function responsible for developing and managing an Internet-based network constituted by local, state and regional health networks.
Syntactic interoperability: centralized services, common policies and enforceable standards that ensure syntactic interoperability between distributed subsystems.
Security: security standards, certification criteria, common data handling policies and standardized IT security audit and system hardening processes that proactively manage network security risks and rapidly address vulnerabilities.

2. Effective health information exchange: Solutions such as interoperable EMRs, EHRs, PHRs and HIEs that enable health data liquidity across distributed subsystems by supporting the secure, efficient exchange of high-quality health information.

Development and governance: organizations that design, implement and manage health information exchange solutions and develop and/or implement standards, policies, processes, services and certification criteria across health information exchange networks to ensure data security and quality.
Security, privacy and confidentiality: access control and data security solutions, consent models and data handling policies that minimize data breach risk and prevent unauthorized access to or use of information.
Semantic and process interoperability: standards, processes, policies and solutions that enable semantic and process interoperability across subsystems and organizations within HIE networks.

3. Analytics: Solutions, processes and functions that analyze and visualize high-quality aggregated information to improve decision making in the health care system.

Clinical: solutions such as CDSSs that leverage patient-identifiable information in longitudinal medical records to enable evidence-based medicine. Also, solutions that enable de-identified clinical information to be used in clinical trials.
Payer: solutions that leverage clinical and administrative data to enable payers to develop more effective care management, member incentive and wellness strategies; improve the efficiency of claims processing and auditing; and manage provider performance more effectively.
Public health: solutions that use aggregated clinical and administrative data to support disease management, biosurveillance and care quality monitoring.

4. Connected health transformation: Evidence-based collaborative care delivery models and integrated health care strategies that target improved health and clinical outcomes, greater patient empowerment and more effective preventive lifestyle interventions.

New models of collaborative, patient-centric care: organizations, solutions and processes that support seamless patient transitions across care settings and enable more personalized, flexible care responsive to patient need.
Care management transformation: integrated care management strategies in which payers, providers and regulators collaborate to reduce the duration, frequency and cost of interventions.
Patient empowerment: tools (such as Health 2.0 websites and mobile health solutions), policies and approaches that educate and engage patients as well as empower them to manage their health and health care more effectively.
Comparative effectiveness: research programs, solutions and governance arrangements that support evidence-based decision making across the health system.

Figure 2. The Connected Health Architecture

Connected health transformation
New approaches to care delivery that target more efficient, effective and accessible health care for all.
- Component 1: New models of collaborative care
- Component 2: Care management transformation
- Component 3: Patient empowerment
- Component 4: Comparative effectiveness

Provides actionable insight and intelligence

Analytics
Technologies and organizations that maximize the value of shared information.
- Component 1: Clinical (provider and research)
- Component 2: Payer
- Component 3: Public health and quality reporting

Provides comprehensive, high-quality administrative, clinical and wellness data for patients and populations

Effective health information exchange
Organizations and systems that enable the secure, efficient and effective exchange of high-quality information.
- Component 1: Development and governance
- Component 2: Security, privacy and confidentiality
- Component 3: Semantic and process interoperability

Enables information sharing between standalone enterprise or regional health information systems

Connected health infrastructure
A distributed, nonhierarchical, nonproprietary network of networks.
- Component 1: Network development and management
- Component 2: Syntactic interoperability
- Component 3: Security


Stage 1: Realizing ubiquitous health information exchange


This stage includes the near-universal adoption of interoperable EMRs and local, state and/or regional health information networks that enable the semantic exchange of high-quality patient-identifiable clinical and administrative data in longitudinal medical records. These networks enable patient data to follow patients across the continuum of care; support the use of clinical, public health and business analytics; and improve the efficiency of administrative and clinical processes.
The first step in the connected health journey involves collecting the right data in a secure, efficient way that guarantees patient privacy and sharing that information across the health system.

Achieving data liquidity within local, state and regional health information networks is an important goal for the Office of the National Coordinator for Health Information Technology (ONC) and health care organizations. While several of the Centers for Medicare & Medicaid Services (CMS) stage 1 meaningful use objectives imply the use of HIE, the stage 2 and 3 objectives will put considerably greater emphasis on the role of HIE. Moreover, to increase health information exchange in the long term, the federal government is investing heavily in state HIE, Regional Extension Centers and Beacon Communities through the HITECH Act. Through the CMS meaningful use criteria, HITECH funding and the ONC, the federal government is seeking to improve data liquidity by supporting and incentivizing health care organizations to focus on the secure, efficient exchange of high-quality health information.

As a result, progress on health information exchange has accelerated rapidly. According to the eHealth Initiative, 73 HIE initiatives reported being operational (defined as transmitting data that is being used by health care stakeholders) in 2010, an increase of nearly 30 percent over 2009. [4] This trend is set to continue as compliance with meaningful use criteria drives EMR adoption among physicians over the next two years. A recent Accenture survey of physicians in the United States suggests that 60 percent of current nonusers will implement an EMR in the next two years. Rising EMR adoption rates will increase demand for health information exchange as physicians seek to maximize the return on their EMR investments.

Even so, some critical issues must be addressed before ubiquitous health information exchange can be realized:

- Sustainability. To ensure long-term viability, HIEs must develop sustainable business models that enable them to operate without government funding.
- Semantic interoperability. To maximize clinical and administrative value, an HIE should enable a level of semantic information sharing between distributed subsystems.
- Data quality and integrity. To minimize the impact of poor data quality on patient safety, physician adoption, care quality and process efficiency, an HIE should implement solutions, standards and policies that effectively prevent, identify and remedy data quality and integrity issues.
- Data privacy, confidentiality and security. To ensure compliance and minimize security risks, HIE and network constituents should develop robust data privacy and security solutions, frameworks, policies and processes.
- Provider adoption and utilization. To ensure ubiquitous health information exchange, providers must adopt interoperable EMRs and/or EHRs. Just as important, an HIE should engage them early on to ensure compliance with relevant standards, processes and policies for the exchange of health information.

[4] eHealth Initiative, "The State of Health Information Exchange in 2010: Connecting the Nation to Achieve Meaningful Use. A Report Based on the Results of the eHealth Initiative's 2010 Seventh Annual Survey of Health Information Exchange."


Stage 2: Constructing a national health network of networks


This stage includes the construction of an Internet-based national health network of networks that connects public and private health information networks at the local, state and regional levels. The goal: to enable health information networks to share patient-identifiable and de-identified health information to support the delivery of care, improve process efficiency and facilitate evidence-based decision making.
The ONC, through the embryonic National Health Information Network (NHIN), is likely to play an integral role in the development of a distributed, nonhierarchical, nonproprietary national network of networks. It is imperative that constituent networks (provider and payer HIE, EHR and PHR) have system architectures that are or can be aligned to the core services and standards of the NHIN. This alignment will reduce the time and resources required to construct a broad national health network that will enable health care organizations across the country to share information.

Stage 3: Enabling evidence-based health care


This stage includes the widespread adoption of analytics and predictive modeling solutions that analyze and visualize health information to produce actionable insight and intelligence. The goal: to enable providers, payers, regulators and public health organizations to strengthen their decision-making capabilities.
The majority of health care organizations are currently focused on health information exchange and ensuring compliance with meaningful use criteria to avoid financial penalties. While some high-performance organizations use analytics, most do not and are not explicitly considering how system design will impact future analytics programs. Analytics platforms should have access to semantically normalized, aggregated health information, which requires HIE networks to develop semantically interoperable enterprise architectures. Therefore, to maximize long-term value, an HIE should focus on developing semantically interoperable enterprise architectures to support future analytics solutions.

Stage 4: Implementing connected health strategies


This stage includes the implementation of collaborative care delivery models and integrated approaches to health care. The goal: seamless, personalized care across care settings; more effective preventive lifestyle interventions; collaborative care management to improve the efficiency and effectiveness of care; and patient engagement, education and empowerment to enable individuals to take greater responsibility for managing their own health and health care.
Health care reform is likely to drive the implementation of connected health strategies across the health system. Provider payment reform and pilots of new provider models, such as community-based collaborative care networks, Accountable Care Organizations (ACOs) and Patient Centered Medical Homes (PCMHs), are likely to increase the adoption of collaborative, patient-centric care delivery models. The evolution will vary based on local markets, but these new collaborative models are already in operation in a number of states. Health care reform will also encourage organizations to focus on prevention rather than treatment. Simultaneously, health care inflation and increasing demand will put unsustainable pressures on payers, health plans and providers, forcing them to develop innovative collaborative care management strategies to reduce the need for medical care and lower the cost of care delivery.


2. The first step: Health information exchange

The United States is at the beginning of the connected health journey. Connected health maturity varies across the health system: Some payers are nearing stage 4 in using analytics to develop next-generation care management models, while many parts of the country are still in the early stages of adopting EMR and implementing health information networks. In general, however, organizations are focused on health information exchange, that is, the construction of local, state and regional public and private health information networks that enable secure, efficient and effective health information exchange. Public and private HIEs are important leaders in this field and their long-term success will determine progress toward connected health.

The potential administrative and clinical benefits of health information exchange to a variety of stakeholders are well documented. To help ensure long-term sustainability, an HIE should enable stakeholders to maximize these benefits while reducing the cost of achieving them.

Health information exchange will better enable providers to:
- Improve care quality by reducing prescribing errors, strengthening clinical decisions and diagnosis, improving patient compliance and enabling a holistic view of patients' medical records.
- Improve the efficiency of clinical and administrative processes by limiting the number of interfaces with other providers and payers and reducing the time staff spend following up on test results, handling lab and radiology reports, making and responding to information requests, managing prescriptions and undertaking clerical tasks.
- Reduce costs by improving reimbursement management (leading to reduced denial rates and bad debt write-offs and improved eligibility verification and clean submission rates) and reducing unnecessary testing.

Health information exchange will help payers realize significant cost savings by improving the efficiency of administrative processes and reducing readmissions, testing and acute care episodes.

Health information exchange will better enable public health organizations to improve long-term health outcomes by strengthening care quality and clinical performance reporting, improving disease management strategies and biosurveillance, and enabling more effective targeted public health campaigns.

Clinical information systems: Improving clinical outcomes


While there are few studies into the impact of regional health information exchange on clinical outcomes, there is evidence to suggest that Clinical Information Systems (CISs) in hospitals improve clinical outcomes. A multiple-hospital study [5] published in 2009 found that advanced clinical information technologies, such as electronic medical records, CPOE systems and Clinical Decision Support Systems, improve inpatient outcomes in a number of ways:

- Improved order entry capabilities decreased the risk-adjusted odds of death for coronary artery bypass graft procedures by 55 percent.
- Improved physician decision support decreased the risk-adjusted odds of complications for all causes of hospitalization by 16 percent.
- For all medical conditions studied, an increase in the automation of notes and records was associated with a 15 percent decrease in the risk-adjusted odds of fatal hospitalizations.
- Improved order entry capabilities decreased the risk-adjusted odds of death for myocardial infarction by 9 percent.

Connecting CIS through HIE will increase the clinical value of CIS by enabling physicians to access patients' entire medical records and by supporting more robust evidence-based clinical decision making.

[5] "Clinical Information Technologies and Inpatient Outcomes: A Multiple Hospital Study," Archives of Internal Medicine, January 26, 2009, 169(2):108-14.

Progress on health information exchange is accelerating rapidly as a result of American Recovery and Reinvestment Act funding, and the importance and benefits of health information exchange are becoming widely recognized. However, organizations should be very cautious when establishing an HIE and implementing HIE solutions. In the past, complex technical, organizational, regulatory and cultural challenges have increased implementation risks, led to relatively high solution failure rates and limited the administrative and clinical value of HIE solutions once operational. The challenges range from developing sustainable HIE business models and defining the value for stakeholders to protecting patient privacy and supporting compliance with federal and state regulations.

Since 2004, the eHealth Initiative (eHI), based in Washington, D.C., has tracked the efforts, successes and failures of organizations across the country working on health information exchange. Sustainability has regularly been cited as the top challenge for HIE initiatives. However, in the most recent 2010 survey, [6] initiatives identified addressing government policy and mandates as an emerging challenge in light of the impending meaningful use regulations. According to the survey, the most significant challenges affecting HIE initiatives today are:

- Developing a sustainable business model.
- Addressing government policy and mandates.
- Defining the value that accrues to the users of the HIE.
- Addressing privacy and confidentiality issues (HIPAA and others).
- Addressing technical aspects including architecture, applications and connectivity.
- Addressing organization and governance issues.

To help ensure that these challenges do not slow or even halt the progress of HIE implementations, organizations should give sufficient attention to addressing the critical issue of information governance.

[6] eHealth Initiative, "The State of Health Information Exchange in 2010: Connecting the Nation to Achieve Meaningful Use. A Report Based on the Results of the eHealth Initiative's 2010 Seventh Annual Survey of Health Information Exchange."


An HIE should develop adequate information governance capabilities up front. Failure to do so will likely:

- Increase data breaches and reputational risk. To maintain public and stakeholder confidence, HIEs should prevent high-profile data breaches and ensure compliance with state, HIPAA, HITECH, consumer privacy and other data security and consent requirements.
- Limit adoption and undermine long-term sustainability. To attract constituent organizations and ensure their long-term commitment, HIEs should enable the exchange of high-quality data and support a level of interoperability among constituents that delivers real clinical, administrative and/or efficiency benefits to them.
- Increase the cost of health information exchange. To reduce the cost of health information exchange to constituents and develop a sustainable business model, HIEs should limit the cost of achieving interoperability, maintaining data quality and ensuring data security, privacy and confidentiality.
- Limit the clinical and administrative value of health information exchange. To ensure constituents are able to realize the clinical, administrative and efficiency benefits of health information exchange, constituents should be able to use data exchanged through an HIE for its intended purpose. That requires the HIE to ensure high data quality and enable an adequate level of interoperability between subsystems.
- Reduce system flexibility and performance. To ensure that HIE networks can be extended and altered over time, an HIE should implement a consolidated, stable enterprise architecture and provide centralized services and governance processes that ensure compliance with HIE standards.

In the next section, we describe how health organizations can take steps to overcome many of the critical challenges by developing robust information governance capabilities.

A recent Accenture survey found that 42 percent of Americans are concerned about providers sharing their health information with other providers, and 64 percent are concerned about their health information being shared with government agencies. Of those who are concerned about health information exchange, two-thirds are concerned because they cannot be sure that only authorized people will see their information. [7]

More than 100 health data breaches affecting more than 500 people were reported to the Department of Health and Human Services between September 2009 and July 2010. In a handful of cases, more than a million people were affected by the breach. [8]

It has been estimated that between 44,000 and 98,000 Americans die each year as a result of medical errors. Up to 18 percent of all patient safety errors and 70 percent of adverse drug events could be eliminated if physicians had timely access to accurate information. [9]

[7] http://www.accenture.com/Global/Research_and_Insights/Institute_For_Public_Service_Value/Research/2010-Citizen-Experience-Study/default.htm.
[8] http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html.
[9] "Health information exchange and patient safety," Journal of Biomedical Informatics archive, Volume 40, Issue 6 (December 2007), pages S40-S45, ISSN 1532-0464.

Critical information governance challenges


Security: Preventing and managing data breaches and unauthorized access to clinical data; ensuring compliance with relevant regulations and legislation (such as HIPAA privacy and security rules, HITECH Act breach notification rules and state privacy regulations); guaranteeing the availability of security services; and maintaining network integrity are imperative if HIEs are to overcome privacy concerns and ensure their long-term survival.

Interoperability: Achieving semantic interoperability without open or common standards across HIE networks in which subsystems use non-interoperable standards is a major challenge. However, to maximize clinical and administrative value, HIEs must enable a level of semantic interoperability where there is a use case to support it. To achieve partial interoperability, organizations will focus on developing state or HIE standards, standards-driven architectures, translation or terminology services and certification services.

Consent: Developing and implementing effective consent models to meet the expectations of patients, administrators and physicians is difficult. Patients, patient advocates and regulators reasonably expect consent models to focus on protecting data privacy and confidentiality by restricting the use and dissemination of information. Such restrictions can limit the clinical value of health information exchange; clinicians may be unable to access medical information relevant to diagnosis or treatment. Finding and articulating the consent basis for data sharing is critically important to HIE success.

Data integrity: Maintaining the meaning, structure and other characteristics of clinical and administrative data when it is stored, modified, processed and communicated between systems is a major challenge, particularly in highly distributed environments. Poor data integrity limits the clinical and administrative value of health information exchange.

Access control: Controlling access to clinical data and enabling patients to determine who can access data are important technical and compliance challenges that require robust access control solutions and permissioning regimes.

Data handling: Compliance with HIPAA, HITECH and other regulatory and legislative requirements involves the implementation of stringent data handling policies across HIE networks. Compliance may require organizations to invest in mandatory data handling training, establish enterprise-wide data risk and monitoring functions, and develop and enforce certified data handling policies.

Data quality: Ensuring that data exchanged through an HIE network is accurate, meaningful and internally consistent is extremely important. Poor-quality data affects patient safety, limits the clinical and administrative value of health information exchange and undermines analytics-driven improvements to processes and care quality. Ensuring data quality is a major challenge in complex multisystem environments, particularly when subsystems use non-interoperable standards and clinical terminologies.

Compliance: Compliance with privacy, confidentiality, data security, data loss, data protection, data handling and audit regulations is an important issue for all health care organizations. Organizations should manage information risks effectively in accordance with legal and regulatory obligations. Addressing compliance requires a coordinated approach across organizations. Enabling IT organizations to collaborate effectively with legal departments, clinicians and administrators to design and implement systems and processes that ensure compliance is a major challenge.


3. Information governance: Enabling effective health information exchange

Effective information governance (the processes, functions, standards and technologies that enable high-quality information to be created, stored, communicated, valued and used effectively and securely in support of an organization's strategic goals) is the key to addressing critical information governance challenges that prevent efficient, effective and secure health information exchange.

In the past, organizations have adopted a siloed and tactical approach to information governance, allowing organizational and information silos to address information governance challenges as they arise. For example, an organization might implement stringent data handling policies after a data breach, periodically launch data cleansing programs to address poor data quality, and invest in ad-hoc terminology and translation services to enable interoperability between systems. While it is important for organizations to address issues as they arise, this fragmented and reactive approach significantly increases the cost of information governance and reduces the effectiveness and flexibility of such provisions.

To help ensure effective information governance, an HIE should develop a consolidated, network-wide information governance architecture, that is, a layer of processes, functions, policies and solutions that ensure the effective, secure creation, storage, communication, valuation and use of information. Effective information governance architectures integrate disparate information, security, access control and content management architectures and include legal, clinical, administrative and IT work streams.

The Accenture Information Governance Framework for Health


The Accenture Information Governance Framework for Health provides a holistic model of information governance, helping organizations establishing health information exchanges and implementing HIE solutions to assess and overcome key challenges by designing more effective information governance architectures. Developed by Accenture and drawing on what we have learned through health IT implementations around the world, the framework disaggregates information governance into five highly interrelated disciplines:

- Data privacy
- Data confidentiality
- Data security
- Data quality
- Data integrity

Each discipline has multiple solution components, that is, the most important processes, functions and technologies within an information governance architecture that better enable organizations to develop effective information governance capabilities.

Using the Accenture Information Governance Framework for Health, we are working with organizations to develop specific tools tailored to their needs. These toolkits consist of direct controls, risk assessment frameworks and other components to make information governance a tangible part of an organization. These toolkits help organizations to focus on providing patient care while supporting compliance with patient, regulatory and legislative requirements.

Figure 3. The Accenture Information Governance Framework for Health

Information governance disciplines and their solution components:

- Data privacy: Patient consent models and mechanisms; Patient-provider relationship-based access controls; Patient access controls; Effective data security and data handling policies
- Data confidentiality: Role-based access control models; Patient and provider record sealing; Identification and authentication; Anonymization and pseudonymization
- Data security: Message integrity and communications security; Event audit and alerting; IT security audit; Network integrity
- Data quality: Error correction; Data validation; System and interface certification; Standards-driven architecture
- Data integrity: Code integrity; System hardening; Interoperability governance; Standards-driven architecture and standards management

Data privacy
For regulators, watchdogs, legislative bodies, patients, patient advocates and the public, data privacy (that is, ensuring patients' medical data can be accessed only with their consent) is the most important issue associated with health information exchange. Failure to convince these stakeholders that their data is private increases implementation, compliance and reputational risk. To ensure data privacy, effective information governance architectures should include four components:

1. Patient consent models and mechanisms: high-level frameworks that outline how and in what circumstances organizations will seek patient consent for their medical data to be stored, disseminated, accessed and used. Patient consent mechanisms are authorization or permissioning regimes that are part of access control models. These mechanisms should allow patients to specify which parts of their medical records they do not wish particular user groups to have full access to.
2. Patient-provider relationship-based access controls: solutions that restrict access to a specified patient's medical data based on an existing relationship between the patient and the clinician or care provider requesting access to that patient's data.
3. Patient access controls: solutions that provide patients with secure access to their medical data. Access control solutions have three key elements: registration, authentication and authorization.
4. Effective data security and data handling policies: policies that minimize information security risk and prevent unauthorized access to information by placing patient interest at the center of information governance policy and by encouraging desirable behaviors among users.

Recommendations
Implementing effective data privacy solutions is a major challenge. Designing solutions that meet the expectations of regulators, clinicians, administrators, managers, patients, the public, politicians and other stakeholders is the most common challenge. However, organizations tend to concentrate on the technical and clinical aspects of data privacy while neglecting the strategic, organizational and cultural dimensions. To address these issues, HIEs should:

Consult clinicians, patients and the public when designing consent models
Designing consent models should be a transparent, collaborative process involving a broad range of stakeholders. By adopting a collaborative approach, organizations design more effective consent models that are fit for purpose. Further, by engaging stakeholders early in the process, organizations reduce resistance from patients, clinicians and regulators. This reduces the risk of subsequent (and expensive) system changes to access controls and data privacy solutions.

Communicate the purpose of data privacy measures to clinicians and patients
Organizations should develop effective communication strategies to ensure that HIE network constituents, clinicians and patients understand why and how data privacy will be maintained. Communication strategies should demonstrate organizations' commitment to data privacy and the effectiveness of data privacy solutions while convincing clinicians and other stakeholders that data privacy controls will not reduce the clinical value of health information exchange.

Educate patients so they understand data privacy controls
For consent-based access controls to be effective, patients must be able to make informed judgments regarding data use. At a minimum, patients should understand how their medical data will be used, how widely it will be disseminated and what the benefits and potential drawbacks are. Patients should also understand the processes through which they can restrict and authorize access to data.

Data confidentiality
Ensuring the confidentiality of data by preventing unauthorized access to and improper use of information is an important part of information governance. The goal: to minimize information security risks (such as data loss and unauthorized or inappropriate use and dissemination of information), thereby mitigating compliance and reputational risks and protecting data privacy. Ensuring that data is confidential requires a range of security solutions that monitor, restrict and prevent unauthorized access to information. Moreover, solutions should be able to obscure patients' identity when data from their medical record is used for purposes other than delivery of care. To help ensure data confidentiality, effective HIE information governance architectures should include four components:

1. Role-based access control models: access levels, permissioning and authorization regimes, and access controls that are based on complex real-world job functions (roles) and patient-provider relationships.
2. Patient and provider record sealing: solutions that enable patients and providers to restrict or prevent access to information compartments in medical records.
3. Identification and authentication: solutions that enable the robust authentication of health care professionals to health care systems, as well as the linking of real-world identity to system identity, to ensure that only authorized users can access patient data.
4. Anonymization and pseudonymization: solutions that obscure patients' identities by modifying patient-identifiable clinical data while maintaining data quality. Thus, the data can be used for secondary purposes without compromising confidentiality.

Recommendations
There are a range of technical challenges associated with implementing effective data confidentiality solutions across complex architectures in distributed environments. However, vendors, systems integrators and health care organizations are developing effective solutions to address these issues. Increasingly, the most important challenges organizations face when implementing data confidentiality solutions are related to organizational and process issues. To help ensure data confidentiality, we believe HIEs should:

Implement processes that enable IT, legal, clinical and administrative functions from a range of stakeholders to work together effectively in developing data handling policies and role-based access control models
Effective data handling policies and access controls should conform and be adapted to meet regulatory and legal requirements and reduce information security risks while minimizing disruption to clinical and administrative processes. If data handling policies and access controls have a significant impact on clinical and administrative processes, users are unlikely to adopt desirable behaviors, care quality may suffer and processes are likely to become less efficient. Moreover, if IT and legal teams design and implement access controls in an organizational vacuum, those controls are likely to be less effective and cost more than those developed through a collaborative approach. To avoid these problems, HIEs should enable IT, legal, clinical and administrative functions from a range of stakeholder organizations to collaborate in designing access controls and data handling policies.

Develop processes and solutions to manage and report data breaches effectively
The financial, organizational, reputational and regulatory consequences of data loss and misuse (including litigation, fines imposed by regulators, a collapse in patient confidence, and data corruption) can be very serious for an HIE. To minimize the impact of data confidentiality failures and ensure compliance, organizations should implement effective processes to manage and report data breaches. HIEs should go beyond simply reporting data breaches; they should also develop an integrated mechanism to proactively manage such breaches. These solutions detect and analyze breaches as quickly as possible to mitigate their impact on patient confidentiality while identifying vulnerabilities that can be addressed immediately.


Data security
Data privacy, confidentiality, quality and integrity depend on the ability of solutions to maintain data security. Moreover, the security of clinical data is a growing compliance challenge for organizations. The HITECH Act has introduced more stringent guidelines, and the ONC is likely to implement more robust data security certification processes. Ensuring the security of data requires HIE and network constituents to develop security architectures that proactively manage security risks, effectively identify and prioritize threats, and promptly address vulnerabilities. To help ensure data security, HIE information governance architectures should have four components:

1. Message integrity and communications security: solutions that maintain the integrity of data transferred between systems in messages and prevent unauthorized access to and/or modification of messages.
2. Event audit and alerting: functionality that enables systems to monitor, log and report security-relevant events.
3. IT security audit: manual and automatic processes that test and evaluate the effectiveness of solutions' information security measures.
4. Network integrity: solutions that enable networks to maintain expected functionality, performance and service availability despite unexpected events, such as security threats and spikes in demand.

Recommendations
An HIE's security architecture plays a vital role in maintaining data privacy, confidentiality, quality and integrity by identifying and addressing security risks and vulnerabilities. However, data security is not just a technical issue; users' behavior, organizations' corporate strategy and changing market conditions are often major factors in creating or exacerbating information security risks. We believe that HIEs should, at minimum, take the following actions to help ensure data security:

Launch a proactive and comprehensive data security assessment
To ensure that data is secure, HIE and network constituents must have an accurate and comprehensive understanding of current and potential security risks and vulnerabilities. A data security assessment should deliver a detailed inventory of data assets and should document current data management practices, regulatory requirements and key vulnerabilities, along with the probability and possible impact of threats. The aim of a data security assessment is to develop a risk-based view of data assets, a strategic awareness of vulnerabilities and threats, a clear understanding of the severity of impacts and a foundation for investment in data security.

Ensure adequate audit capabilities
To reduce compliance and reputational risk, HIEs should automatically monitor and record all permission changes, data errors, access requests, data transfers, alterations to medical records and data breaches. With this monitoring and recording, HIEs can efficiently and effectively develop detailed audit trails as needed. Failure to implement adequate automated capabilities will increase the cost of complying with auditing requirements in future certification criteria. Inadequate auditing can also significantly impair an organization's ability to maintain data quality and integrity as access controls and security measures are less effective.

Develop a comprehensive change program to drive user compliance with data handling and IT security policies
To minimize security risks, users should follow data security and data handling policies. However, driving changes in clinicians' behavior and making training stick can be major challenges. Compounding the challenge: Normal change management strategies, even those based on best practices for organizations outside health care, are often ineffective. To address these issues, HIEs should encourage network constituents to develop long-term change programs that target changes in organizational culture and user attitudes toward security and confidentiality. Organizations should engage senior clinicians early on to act as change champions, encouraging the clinical workforce to follow data security policies.


Data quality
High-quality data is meaningful, accurate and internally consistent; it can be used for its intended purpose. Poor-quality clinical data affects patient safety, quality of care and user adoption. It also increases compliance and implementation risks. However, ensuring data quality is a major challenge, particularly in complex, multisystem environments in which subsystems do not share common technical, data, communication or terminology standards. The key to ensuring data quality in these environments is to develop solutions with intelligent data handling functionality and to implement standardized interfaces and data models that enable subsystems to share information more effectively. With that in mind, effective HIE information governance architectures should include four components:

1. Error correction: manual and automatic processes that detect and correct errors in information efficiently and effectively.
2. Data validation: validation rules that verify that data conforms to a set of specifications regarding format, quality, integrity, accuracy and structure.
3. System and interface certification: roles, processes and solutions that verify that systems and interfaces conform to specifications defined by regulators and Standards Development Organizations (SDOs).
4. Standards-driven architecture: system architectures that leverage open standards for the recording and coding of data, thereby promoting a high level of data quality through similar data processing across multiple component systems.

Recommendations
Data quality can be affected by a range of factors, including data entry standards and practices and information security. However, in most cases, the most important factor affecting data quality is the ability of subsystems to share meaningful and accurate information. Enabling semantic data sharing between subsystems that use different terminology and data standards is a major challenge. In the long term, HIEs will act as standards development and/or profile enforcement organizations within health information exchange networks. However, to achieve a level of interoperability and improve data quality in the short term, we recommend that HIEs:

Consider a service-oriented architecture
Achieving interoperability by enforcing common standards and implementing complex interfaces can be prohibitively disruptive and expensive in the short term. A more efficient approach: gradually implementing open standards over time as legacy systems are retired or integrated, infrastructure is updated and new applications are developed. However, to meet the short-term need for interoperability, HIEs should consider developing a service-oriented architecture (SOA). In the long term, full semantic interoperability will be achieved by implementing common HIE standards. In the short term, a level of interoperability can be achieved through an SOA.

Involve clinicians in designing and configuring applications' data handling functionality
Applications' data validation and error detection rules should reflect real-world logic in terms of understanding relationships between concepts such as treatments and diagnoses; identifying illogical and inaccurate information using fine-grained parameters; and detecting incomplete data or information that lacks meaning through rules based on clinical and business logic. To achieve this level of intelligent data handling, clinical subject matter experts should be involved in the design and configuration of applications. Even off-the-shelf products should be carefully configured to reflect local clinical practices and processes.


Data integrity
Data integrity refers to the validity, accuracy and reliability of data after it has been stored, transferred, retrieved or processed. Failure to ensure the integrity of clinical data has an adverse effect on data quality, system flexibility and performance. To maintain data integrity, the infrastructure underlying solutions must maintain data quality and characteristics (format, meaning, rules, relationships and latency, for example) during such operations as storage, retrieval, communication and transfer. Data integrity can be affected by a range of factors. Among them: unauthorized modification of data, poor-quality source code and noninteroperable subsystems. To address these issues, effective HIE information governance architectures should include four components:

1. Code integrity: processes that test source code to eliminate bugs that may result in data loss or data corruption during data storage or transfer.
2. System hardening: periodic or ongoing processes that reduce security risks by evaluating the effectiveness of security architectures, identifying security risks and undertaking security improvements.
3. Interoperability governance: a function that works across organizational and information silos to develop and enforce common standards, protocols and processes to enable syntactic, semantic and/or process interoperability.
4. Standards-driven architecture and standards management: a standards-driven system architecture that conforms to open or common messaging, infrastructure, communication, application, data and clinical terminology standards. Standards management includes the roles, processes and solutions that develop, manage and enforce common technical, communication, messaging and data standards that enable subsystems to share information more effectively.

Recommendations
Maintaining and improving data integrity without affecting system flexibility, reliability and performance are complex challenges. However, given the potential impact of low data integrity on care quality, compliance, adoption and efficiency, these are challenges every HIE should strive to meet. To improve data integrity, organizations can use a number of strategies, solutions and standards as part of a comprehensive data management strategy. From Accenture's research and experience, we recommend the following actions:

Aim to achieve a level of interoperability that will deliver tangible clinical and administrative benefits by developing specific use cases
Too often, health care organizations invest in interoperability without a set of specific use cases that demonstrate how interoperability will add value by improving clinical decision making, care quality and process efficiency. In such cases, HIEs may target an inadequate or unnecessary level of interoperability that either limits the clinical and administrative value of interoperability or needlessly increases the cost of achieving it. Often, the most efficient solution is for HIEs to target different levels of interoperability across systems, clinical workflows and functions depending on specific use cases. This approach enables HIEs to concentrate resources on achieving high levels of interoperability where it will deliver the most significant clinical or administrative benefits.

Implement effective data integrity checkpoints and edit checks
To maintain data integrity and quality, HIEs should develop a library of standard data elements and use data integrity checkpoints and edit checks to ensure data conforms to data standards. Checkpoints verify that data's characteristics meet data integrity specifications after it has been created, stored, processed or used. Edit checks enforce data rules and standards and are an important part of data cleansing; they detect and correct, delete or highlight errors, inconsistencies and missing data.

Target process interoperability through comprehensive clinical transformation and process optimization strategies
Organizations often fail to maximize the clinical and administrative value of syntactic or semantic interoperability because clinical and administrative processes and workflows aren't interoperable. In other words, data created, used or modified by discrete processes cannot be used effectively by other processes. Achieving process interoperability requires clinicians and administrators to use applications in the same way for the same purpose, to refer to concepts using the same terms, to use terms consistently and to adopt common data entry practices and rules regarding content, format and frequency of updates. Such interoperability also involves process reengineering to create efficient touchpoints and synergies between processes that enable the flow of meaningful, accurate and up-to-date information. To that end, HIEs should support constituents in the development of clinical transformation and process optimization strategies, supported by adequate clinical change management programs, to maximize user adoption, encourage desirable user behavior and reengineer clinical processes.
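As an added illustration (not part of the Accenture report), the data integrity checkpoints and edit checks recommended above could be implemented along these lines in Python. The data element library, field names, rules and sample record are all constructed for the example.

```python
"""Edit checks and integrity checkpoints over a library of standard data elements."""
import hashlib
import hmac
import json
import re
from datetime import date

# Constructed library of standard data elements (hypothetical names and rules).
DATA_ELEMENTS = {
    "patient_id": {"required": True, "pattern": r"P\d{6}"},
    "birth_date": {"required": True, "pattern": r"\d{4}-\d{2}-\d{2}", "kind": "date"},
    "sex": {"required": True, "allowed": {"F", "M", "U"}, "upper": True},
    "systolic_bp": {"required": False, "range": (40, 300)},
}


def _is_past_calendar_date(text):
    """True when text is a real calendar date that is not in the future."""
    try:
        return date.fromisoformat(text) <= date.today()
    except ValueError:
        return False


def edit_check(record):
    """Apply edit checks; return (cleaned_record, findings).

    Each finding is (field, action, detail), where action is one of
    'corrected', 'deleted' or 'highlighted'. Highlighted values stay in the
    record so that a person can review them.
    """
    cleaned, findings = {}, []
    for field, value in record.items():
        rule = DATA_ELEMENTS.get(field)
        if rule is None:
            # Delete: the field is not in the library of standard elements.
            findings.append((field, "deleted", "not a standard data element"))
            continue
        if isinstance(value, str):
            # Correct: safe normalizations only (whitespace, letter case).
            fixed = value.strip()
            if rule.get("upper"):
                fixed = fixed.upper()
            if fixed != value:
                findings.append((field, "corrected", f"{value!r} -> {fixed!r}"))
            value = fixed
        cleaned[field] = value

    for field, rule in DATA_ELEMENTS.items():
        value = cleaned.get(field)
        if value in (None, ""):
            if rule["required"]:
                findings.append((field, "highlighted", "required value missing"))
            continue
        if "pattern" in rule and not re.fullmatch(rule["pattern"], str(value)):
            findings.append((field, "highlighted", "format does not match standard"))
        elif rule.get("kind") == "date" and not _is_past_calendar_date(value):
            findings.append((field, "highlighted", "not a valid past calendar date"))
        if "allowed" in rule and value not in rule["allowed"]:
            findings.append((field, "highlighted", "value outside code set"))
        if "range" in rule:
            low, high = rule["range"]
            if not isinstance(value, (int, float)) or not low <= value <= high:
                findings.append((field, "highlighted", f"outside {low}-{high}"))
    return cleaned, findings


def checkpoint(record):
    """Digest of the record in canonical form, taken at an integrity checkpoint."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_checkpoint(record, expected_digest):
    """Re-check a record after storage, transfer or processing.

    A bare hash detects corruption; it does not stop someone who can also
    rewrite the stored digest, which would need a keyed MAC or a signature.
    """
    return hmac.compare_digest(checkpoint(record), expected_digest)


# Constructed sample record with one problem of each kind.
SAMPLE = {
    "patient_id": " P004217 ",
    "birth_date": "1975-02-30",
    "sex": "f",
    "systolic_bp": 1200,
    "fax_cover_note": "call back",
}

if __name__ == "__main__":
    cleaned, findings = edit_check(SAMPLE)
    for finding in findings:
        print(finding)
    digest = checkpoint(cleaned)
    stored = json.loads(json.dumps(cleaned))  # stands in for store and retrieve
    print("checkpoint holds:", verify_checkpoint(stored, digest))
```
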


Information governance in practice


The ONC Privacy & Security Tiger Team


In June 2010, the Office of the National Coordinator for Health Information Technology (ONC) launched a workgroup under the auspices of the HIT Policy Committee to move forward on a range of privacy and security issues. The Privacy & Security Tiger Team works to address privacy and security issues raised by ONC-funded programs related to health information exchange. So far, the Tiger Team has focused on developing recommendations relevant to the exchange of patient-identifiable health information to meet stage 1 meaningful use criteria. In speaking with Accenture, Deven McGraw, chair of the Privacy & Security Tiger Team and Director of the Health Privacy Project at the Center for Democracy & Technology, highlighted a number of good practices that organizations involved in health information exchange should consider:

1. Establishing the foundation for trust: Ensuring patient trust in the exchange of health information is critical. The relationship between the patient and his or her health care provider is the foundation for trust in health information exchange. The direct exchange of health information between a provider and another health care organization for treatment preserves this foundation for trust. However, where an intermediary plays a substantial role in health information exchange and takes over control of disclosure of records from a health care provider, explicit patient consent should be required for the exchange of his or her health information.
2. Focusing on informed patient consent: In use cases where explicit patient consent is required for health information exchange, patients should be able to make well-informed judgments on granting or withholding consent. Ensuring patients are able to provide informed, meaningful consent for health information exchange when required is as important as designing and deploying effective patient consent models.
3. Educating patients: Informed patient consent requires comprehensive, long-term patient engagement and education programs to ensure patients have a secure understanding of privacy controls and the implications of granting or withholding consent. Educating patients effectively requires providers and other organizations to enter into a meaningful dialogue with patients that goes beyond superficial, short-term information campaigns.
4. Preventing data leakage: Ideally, patients should be able to exercise consent at a granular level by restricting access to different categories or compartments of information that may be related to a particular treatment, provider, episode of care, diagnosis or medical specialism. Such granular consent is already required by law in some instances, for example, federal law that allows individuals to restrict disclosures to health plans of episodes of care paid for out of pocket. Enabling patients to exercise consent at a granular level requires data that is highly structured so it can be effectively segmented. However, providers and patients should understand the limitations of granular consent or data segmentation technology, particularly the problem of implied data, which occurs when restricted information on a treatment or diagnosis can be inferred from other information in a medical record.
5. Adopting a comprehensive approach: Privacy and security require organizations handling patient-identifiable information to follow a broad range of fair information practices including enabling patients to access and correct errors in their information; ensuring openness and transparency about policies, processes and technologies that directly affect patients; only collecting, exchanging and storing identifiable information for the specified purpose(s); and ensuring adequate privacy and security safeguards are in place. Although organizations tend to privilege patient consent above other fair information practices, in fact, all fair information practices are equally important because they are highly interdependent. Unless all fair information practices are followed, patient privacy and security will suffer.


Data Use and Reciprocal Support Agreement (DURSA): Good practice in developing a legal framework for health information exchange
The Nationwide Health Information Network (NHIN) Cooperative DURSA Workgroup was launched in 2008 as part of the NHIN Trial Implementations with the aim of developing a comprehensive agreement that would provide the legal framework for the exchange of health data through the NHIN. The first executable version of the DURSA was published in November 2009 and, to date, it has been signed by 10 participants, including five federal agencies. The DURSA is an agreement that codifies a common set of trust expectations into an enforceable legal framework and establishes the obligations to which all NHIN participants agree. Many of these obligations relate directly to information governance. While the DURSA is a legal framework for data exchange among the participants, it can be used as a starting point for the development of legal frameworks to govern health information exchange at the regional and state levels.

Steven Gravely, Chair of the DURSA Workgroup, believes that one of the key components of the success of the DURSA is that it was developed through a collaborative process that involved a wide range of legal and business representatives from a number of state, federal and private organizations. This collaborative approach ensures that the agreement reflects a broad consensus across a range of stakeholders that may have very different agendas and priorities. This will strengthen information governance capabilities across participants, as all participants will follow common information governance standards. It will also minimize, if not eliminate, the need for point-to-point agreements.

The DURSA includes a common set of terms and conditions that establish participants' obligations and the trust fabric to support the privacy, confidentiality and security of the health data that is exchanged. These terms and conditions cover a broad range of areas from participants' privacy and security obligations to breach notification processes to conformance with a defined set of technical specifications and operating policies and procedures. By developing a broad set of terms and conditions, Gravely believes the DURSA Workgroup has been able to build a robust consensus across a range of diverse stakeholders that can act as a foundation for other types of exchange agreements in the future.


MedVirginia: Developing an effective trust framework


MedVirginia is one of the country's most advanced and integrated health information exchange communities, providing access to over 900,000 patient records for 1,200 users in the Richmond, Va., metro area. MedVirginia Solution, MedVirginia's HIE, enables secure access to a range of clinical and administrative data types via a secure Web portal. MedVirginia was the first HIE to be live on the Nationwide Health Information Network (NHIN), using the NHIN as a secure and interoperable transport environment for the exchange of patient information with the Social Security Administration. This project was the very first production exchange of health information across the NHIN.

Developing robust and effective information governance capabilities is a key cornerstone of MedVirginia's success. Michael Matthews, MedVirginia's CEO, believes "a framework of trust is critical for health information exchange." MedVirginia has developed a robust trust framework based on agreements with data suppliers, data recipients and users that ensure common data privacy and security standards are followed across the HIE network. These agreements ensure compliance with HIPAA and relevant state privacy laws; ensure access to health information is based on an established treatment relationship between provider and patient; and restrict and audit access to sensitive information such as HIV test results and psychotherapy notes. These agreements are supported by sophisticated auditing, security and access control capabilities that encourage compliance by monitoring and restricting data access.

Data supplier, data recipient and user agreements have been in place for a number of years. MedVirginia developed these agreements and then refined them based on feedback from providers' legal and management functions, enabling constituents of the HIE network to influence the requirements and conditions that govern health information exchange. Through this collaborative process, MedVirginia has created a robust policy framework that data suppliers, recipients and users are willing to subscribe to and that ensures the privacy and security of personal health information.


Health information exchange in Rhode Island: Developing an effective information governance framework
Currentcare is Rhode Island's HIE that, once operational in early 2011, will enable providers and physicians to access integrated patient-identifiable information from participating organizations through a secure Web portal. Once fully implemented, currentcare will enable authorized access to a range of information categories including laboratory results, radiology reports and discharge summaries. Today, around 80,000 patients are enrolled in currentcare. Currentcare has been developed by the Rhode Island Quality Institute (RIQI), a nonprofit community-based group and the state's Regional Health Information Organization (RHIO), working in close partnership with the Rhode Island Department of Health. RIQI has recently been awarded Beacon, Regional Extension Center and HIE funding from the ONC.

To help build patient trust and confidence in health information exchange in Rhode Island, the Department of Health and RIQI have worked extensively with a diverse range of stakeholders in creating a robust and stringent data privacy, confidentiality and security framework to govern information exchange. Dr. David Gifford, Director of Health for Rhode Island and the state's Health IT Coordinator, believes that getting the information governance framework right up front is crucial in addressing the public's real concerns over the security and privacy of their health information when it is stored and exchanged electronically.

Rhode Island has adopted a stringent opt-in consent model that requires explicit patient consent for health information to be stored by and exchanged through the HIE. Moreover, patients must designate which provider participant(s) are authorized to access their health information through the HIE. Dr. Gifford believes that while the costs associated with adopting a stringent consent model are high (including increasing the administrative burden on participants, driving up the cost of developing the HIE and increasing the time taken to achieve a critical mass of patient data in the HIE), patients' concerns over the privacy and security of their health information are such that an inadequate consent model could undermine public trust in the HIE and prevent further progress on health information exchange in Rhode Island.

Developing an effective information governance framework that all HIE participants are willing to subscribe to is a major challenge. Rhode Island has developed a robust consensus around information governance across the health information exchange ecosystem by adopting a transparent, collaborative and stakeholder-driven approach to the development of a common information governance framework supported by legislation in the form of the Rhode Island Health Information Exchange Act of 2008. This collaborative process was led by RIQI supported by the Department of Health, lasted 18 months and involved consumers, consumer advocate organizations, physicians and other providers, insurers, hospitals, universities, employers and state officials. The process involved a comprehensive broad-based community engagement program that provided 20 separate opportunities for committees and community members to provide feedback, including an online survey tool and a half-day workshop bringing people together to work through the issues. This transparent and collaborative approach was so successful in forging a robust consensus around information governance that the Rhode Island Health Information Exchange Act passed on the first attempt, despite the highly sensitive and potentially divisive nature of the legislation.


New England Healthcare Exchange Network (NEHEN): Achieving effective and secure health information exchange
NEHEN, a consortium of regional payers and providers, has designed and implemented a regional HIE that enables the secure and effective exchange of clinical and administrative data between members. Today, NEHEN's HIE connects nearly 50 organizations and handles over 8 million transactions a month, which includes all HIPAA Administrative Transactions and a range of clinical data transactions to help meet stage 1 meaningful use criteria. NEHEN continues to increase the number of administrative and clinical transaction types the HIE can support. As a result of the robust data privacy, security and quality framework NEHEN has developed, there has never been a major data privacy or security breach since the HIE became operational in 1998. NEHEN has also adopted a stringent opt-in patient consent model to comply with Massachusetts state law but has still achieved a 95 percent patient opt-in as a result of highly effective patient education and engagement. Dr. John Halamka, Chairman of the NEHEN, attributes the success of NEHEN's HIE to a number of critical factors:

A democratic governance structure. NEHEN is built on the principle of "one member one vote." As a result, every organization, irrespective of size, has the same influence over the direction of the organization and the principles, regulations and obligations that govern health information exchange. This has built trust within the HIE community and enables organizations with divergent interests to work together effectively in designing and implementing a common information governance framework.

A centralized and effective management organization. Strong central governance has enabled NEHEN to develop a common set of data privacy, security and quality standards that all members must adhere to and that are enforced through robust technology and business process certification processes.

A distributed peer-to-peer architecture. NEHEN's HIE does not store any data and only acts as a routing and delivery service. This greatly reduces privacy and security risks and vulnerabilities.

A culture of cooperation. NEHEN has forged a culture of cooperation between members that enables disparate organizations to work together effectively either as members of the Board of Directors or various advisory groups. This culture of cooperation is based on an innovative, "common good" approach to health information exchange that seeks to avoid unproductive competition between members. As part of this "common good" approach to health information exchange, NEHEN has adopted a subscription-based charging model to encourage members to use the HIE for as many transactions as possible, and the HIE itself is based on nonproprietary technology and uses open, industry-standard protocols and formats to avoid vendor lock-in.


4. Developing effective information governance: Next steps


Information governance is a major challenge for an HIE. Failure to develop effective information governance capabilities limits the clinical and administrative value of health information exchange and will undermine the long-term sustainability of an HIE. Developing an effective HIE information governance architecture requires collaboration across organizational silos, functions and information systems. Based on Accenture research and experience gained from health IT implementations around the world, we believe there are four initial steps toward effective HIE information governance:

1) Conduct a comprehensive risk assessment and gap analysis of current information governance provisions
Most constituent organizations within an HIE network will have a range of existing information governance provisions across information and organizational silos. However, this potentially fragmented and disjointed approach to information governance can make it difficult for an HIE to develop a clear understanding of how effective and efficient the organizations' information governance provisions are and the information risks they face. An HIE should conduct a comprehensive risk assessment and gap analysis to enable a single, networkwide view of information governance performance and information risks. Using a structured approach to assessing information governance, such as the Accenture Information Governance Framework for Health, an HIE should create a consolidated inventory of information governance provisions, build a model to assess their performance and develop strategies to address weaknesses and improve information governance performance.

2) Identify, analyze, evaluate and prioritize information governance challenges
For an HIE, the second step toward improved information governance is developing detailed insight into the various information governance challenges it faces. This requires a comprehensive program involving IT, legal, clinical and administrative functions to:
Identify a broad range of current and future compliance, security, data quality and system integration challenges.
Analyze these challenges to develop a detailed understanding of their root causes.
Evaluate the impact these challenges are having or are likely to have on quality of care, efficiency, costs, strategic priorities, the workforce, and administrative and clinical processes.
Prioritize the challenges based on their likely impact and the ability of organizations to address them.

3) Design solutions and develop strategies to address these challenges
Once an HIE has a detailed understanding of the information governance challenges it faces, it should develop high-level strategies and design solutions to address these challenges. An HIE should conceive of these solutions and strategies as components of an integrated information governance architecture. The ultimate goal: creating an efficient, effective and sustainable information governance function as part of a comprehensive IT governance framework. In most cases, information governance challenges cut across information and organizational silos. Thus, solution design and strategy development should be collaborative processes that involve IT, legal, clinical, administrative and strategic functions from constituent organizations.

4) Develop a detailed implementation plan
Developing the right implementation plan up front is the key to minimizing implementation risk, ensuring long-term stakeholder engagement, reducing the cost of implementation and developing effective information governance. In clinical environments, solution implementation can be challenging, especially if programs disrupt processes integral to the delivery of care or impose new ways of working on clinicians. Implementation plans should include:
A high level of detail around targets, benchmarks, critical success factors, timetables, release schedules, reporting, coordinating activity and implementation management roles for specific programs and work streams.
A long-term clinical change management plan that includes communications strategies and programs that support clinical transformation, process reengineering, user acceptance and training to support specific work streams.
A comprehensive systems integration plan; from a technical perspective, it should define how information governance solutions will be integrated into organizations' systems architectures, how solutions will be procured efficiently and how integration programs will be managed.


About the Accenture Institute for Health & Public Service Value
The Accenture Institute for Health & Public Service Value is dedicated to promoting high performance in the health care sector and in public service delivery, policy-making and governance. Through research and development initiatives, the Institute aims to help health care and public service organizations deliver better social, economic and health outcomes for the people they serve. Its home page is www.accenture.com/healthpublicservicevalue.

About Accenture
Accenture is a global management consulting, technology services and outsourcing company, with more than 190,000 people serving clients in more than 120 countries. Combining unparalleled experience, comprehensive capabilities across all industries and business functions, and extensive research on the world's most successful companies, Accenture collaborates with clients to help them become high-performance businesses and governments. The company generated net revenues of US $21.58 billion for the fiscal year ended August 31, 2009. Its home page is www.accenture.com.

For more information, please contact:


Rick Ratliff
Global Managing Director
Connected Health IT Solutions
richard.ratliff@accenture.com
+1 703 947 2525

Dr. Kevin Carr
Clinical Director
Connected Health IT Solutions
kevin.carr@accenture.com
+1 917 452 5134

Copyright 2010 Accenture All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. This document makes reference to trademarks that may be owned by others. The use of such trademarks herein is not an assertion of ownership of such trademarks by Accenture and is not intended to represent or imply the existence of an association between Accenture and the lawful owners of such trademarks.

Project Team
Andrew Truscott, Health IT Solution Architect, Accenture Health Practice
Giles Randle, Researcher, Institute for Health & Public Service Value
Julie McQueen, Director of Research, Institute for Health & Public Service Value
Greg Parston, Director, Institute for Health & Public Service Value
