The RFI states that the NwHIN is: “the set of standards, services, and policies that enable secure health information exchange over the Internet.” Later, it indicates that ONC intends to use the regulatory process “to establish structures, processes and initial requirements that would be necessary for the governance mechanism to operate.” It further indicates that “ONC would retain certain responsibilities to ensure … proper implementation, but would also seek to delegate … certain other responsibilities”. Other discussion reflects on the need for “rulemaking every two years”, alternating “with regulations published for EHR Incentive Programs…”
It isn’t really clear what responsibilities ONC is planning to delegate, and it appears that it plans on holding onto as much of its regulatory authority as possible. It would appear that ONC plans to adopt a two-year cycle of regulation defining the standards, services and policies that would define the NwHIN for the next two years.
In the end, the NwHIN would appear to be whatever ONC says it is. How is this governance?
Let's look at a definition of governance first. If you are an HL7 co-chair (or if you happen to have a copy), dig out the copy of SOA Governance that you got at the last Working Group Meeting, and turn to page 122. You can see clearly near the bottom of the page that Governance is "not just a means by which the organization makes decisions, it is the means by which an organization makes decisions about decision-making." It is, as the authors write: "a meta-decision system".
So to answer my own question, it really isn't governance to set the rules (as the RFI tries to do), but rather to set the rules that set the rules.
The building blocks of a Governance system identify precepts that define the rules for decision making, people (and in the NwHIN case, organizations) that make the decisions, the processes for coordination, and the metrics ensuring compliance (same book, page 127).
The CTEs in the NwHIN RFI are based on certain precepts, but those precepts have not really been well identified. Clearly, trust, transparency and security are all important. So are cost reduction, consumer protection, and innovation and efficiency. But what are the precepts of NwHIN Governance? How do we weigh benefits and disadvantages for a particular exchange mechanism (e.g., what if exchange mechanism X increases security, but reduces efficiency)? The precepts would help us make these trade-offs. Shouldn't we start there?
What are the precepts governing the NwHIN? A synonym for precept is principle, and the United States Conformity Assessment Principles published by ANSI is a really good example of the kinds of principles we should be trying to espouse in the Nationwide Health Information Network. In fact, we could adopt many of these principles outright with respect to conformity assessment or, better yet, given that ANSI has done a fine job, perhaps even delegate the authority to establish principles for conformity assessment (the NwHIN RFI calls this validation).
I happen to love Principle 13(h): Bilateral or multilateral agreements (MLAs) among conformity assessment bodies or their accreditors should incorporate the use of the least burdensome, time consuming, and costly form of conformity assessment that is recognized and accepted as meeting the needs of all stakeholders.
One of the things I really like about ANSI's discussion of Conformity Assessment is that it recognizes that there are several different levels of "validation". Each of them provides a different level of assurance, with consequent costs. Let's look at a couple of examples:
- Self Attestation: This is the lowest cost mechanism, and is the same kind of assurance that you have when I tell you that my Atom Feed is compliant using this logo:
- Voluntary Testing: This is a higher cost mechanism, involving third parties, but does not provide a "certification" of compliance. It only demonstrates that something has passed a test. Click the button above to test this site's Atom feed. It's a third party test, and you have an even higher level of assurance especially since you can perform it yourself!
- Certification: I'm not going to bother to certify this site's Atom feed. The value in it for me is marginal, and to my readers as well. The infrastructure is made by a well-trusted company for whom it is beneficial to be "atom-compliant". But if I did, that would provide an even higher level of assurance. It would also cost me something that I don't have a budget for (my entire web-presence is based on free tools).
One of the biggest questions I have about the RFI is "who decides?" (Recall the earlier discussion about people in SOA Governance.) There's going to be a lot of jostling for increased importance of organizations in the decision-making process as a result of this RFI. One important precept should be that no significant decision is made without the involvement of all affected stakeholders, including governments, providers, vendors and patients (Nothing about me without me!). In fact, the first three principles in ANSI Essential Rules are Openness to all affected stakeholders, lack of dominance by any one stakeholder, and balanced participation by all stakeholders.
I think some of these principles could be very difficult for ONC to apply to themselves. Can you imagine ONC being put into a position where it is but one of many stakeholders in this national process? In order for ONC to give up some of its dominance, it has to trust in the process, and so must the other stakeholders. If ONC sets up too many rules at the outset, it could alienate other stakeholders in NwHIN Governance.
On the metrics side, I think one of the very important points made in SOA Governance is that metrics are used to verify compliance with precepts. In order for metrics to be effective, they must be objective. I applaud some of the recent efforts of the HIT Standards Committee NwHIN Power Team in attempting to come up with objective criteria (see Appendix A of their presentation last week). Karen Witting makes a point that some criteria are inherently subjective (e.g., ease of use) in this guest post over at John Moehrke's blog. She also makes the point that it is important that we have a model of governance that people can trust.
I have some thoughts on the Interoperability and Security side that I'll share later this week on what a trusted model of governance might look like.