3 Things You Need to Share Medical Records Between Providers


Providers are often tasked with making medical decisions without complete information. A recent study found that only 32% of providers share medical records outside of their organization.

 

The challenge is compounded by the fact that medical information is also scattered across many different providers. Each provider has a piece of the puzzle, but no one has the complete picture. Without a complete picture, there's a real risk of the patient being given care that is either ineffective or harmful. Medical data needs to be shared more easily between providers.

 

But medical data is highly sensitive, and should only be shared with people, institutions, and software tools that you trust.

 

So, what are the best ways to establish that trust so that you can share medical records between providers?

 

Our founder and CEO, Linda Van Horn, covered this very issue in a recent webinar titled "Secure Sharing and Sending of Medical Data - What Providers Need to Know in 2020". This article summarizes the highlights of the webinar; you can get the detailed step-by-step instructions on the trusted sharing of medical data by requesting the webinar on demand here.

 

What are the 3 Foundations of Digital Trust Needed to Share Medical Records Between Providers?

 

Let’s review them:

 

1. HIPAA Compliance

HIPAA is the Health Insurance Portability and Accountability Act of 1996. For the uninitiated, HIPAA is a series of regulatory standards that outline the lawful use and disclosure of medical information. It’s become a buzzword that many people throw around, but don’t actually understand.

 

HIPAA has four rules:

 
- The HIPAA Security Rule
- The HIPAA Privacy Rule
- The HIPAA Breach Notification Rule
- The HIPAA Enforcement Rule

 

Only specific entities are allowed to access medical information. The patient has an individual right of access to their own medical data, and HIPAA defines who else may access it, including the conditions under which someone who is neither the patient nor acting on the patient's behalf may access the patient's medical record.

 

These conditions fall under three exceptions that we refer to as the payment, treatment, and operations entities (PTO).

 

1. A payment entity is someone like an insurance company, which needs access to medical records in order to pay a claim or grant prior authorization. A payer is considered a "Covered Entity".

2. A treatment entity is the treating physician, who needs the data in order to provide care. A treating physician is also a "Covered Entity".

3. An operations entity is a business associate, or a business associate sub-contractor, of one of the Covered Entities. For example, iShare Medical is a business associate of Covered Entities such as payers and treating providers, and a business associate sub-contractor to EHRs and analytics companies that act on behalf of the Covered Entity to share medical data throughout the healthcare system. As a business associate or business associate sub-contractor, iShare Medical is required to comply with HIPAA's strict rules on privacy, security, and breach notification.

 

But working with a payment or treatment entity doesn’t necessarily unlock carte blanche access to a patient’s medical data. Operational access carries specific conditions.

 

2. Known Digital Identity

 

The second foundation needed is known digital identity. We need to know who we are communicating with in order to establish trust. This is especially true in the digital world.

 

How do you know that person is really who they say they are? For example, a person could create an account stating they are the Easter Bunny, but are they really the Easter Bunny?

 

Creating a false identity can't happen on iShare Medical, because iShare Medical performs ID proofing so that the identity is always known. Once a person has been ID proofed, iShare Medical binds their identity to two pairs of cryptographic keys: one key pair is used for encryption and the other for digital signature.

 

This creates the Known Digital Identity.

 

We need to have high levels of security and trust in place in order to share (send and receive) medical information. Both sides of the conversation need to be absolutely certain of the digital identity of whoever they’re talking to.

 

The way this verification is normally accomplished is through a public key infrastructure.

 

What is a PKI?

 

A public key infrastructure (PKI) is a set of roles, procedures, and software tools needed to manage digital certificates and encryption. It facilitates the secure transfer of sensitive information and is used in nearly every online application, such as banking or even email. 

 

Each sender and receiver has two pairs of cryptographic keys. One is used for the encryption and the other is used for signature.

 

In outline, the sender creates the message and encrypts it with the receiver's public encryption key. The sender then signs the result with their own private signature key and sends the message.

 

Let's use the analogy of a house key to explain further.

 

Think of the private key as the key to your front door. A lot of people might have the address of your house, but they don't have a key to your front door.

 

The public key is the address of your house, and the private key is the key to the front door. When the receiver gets the message, they first use the sender's public signature key to verify the signature (a signature is verified, not decrypted), and then use their own private encryption key to decrypt the message so that it can be read.

 

In other words, a message carrying digital health information is bound to the keys of both the sender and the receiver: only the intended receiver can decrypt it, and the receiver can check that it really came from the claimed sender.
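The exchange described above, as an added example that is not part of the original article and not iShare Medical's software: each party holds the two key pairs the article names, the sender encrypts to the receiver's public encryption key and signs with its own private signature key, and the receiver verifies the signature with the sender's public signature key before decrypting with its own private encryption key. Because RSA can only encrypt a few hundred bytes, the record itself is encrypted under a one-time AES-256-GCM key and only that key is RSA-wrapped (hybrid encryption); the Identity and Envelope types, the field layout and the sample record are constructed for this example using only the Go standard library. Production Direct secure messaging carries the same idea in S/MIME with X.509 certificates rather than raw keys.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Identity is a hypothetical ID-proofed party holding the article's two key pairs
// (types and names are this example's, not iShare Medical's).
type Identity struct {
	Enc *rsa.PrivateKey // encryption pair: the public half is handed out like a street address
	Sig *rsa.PrivateKey // signature pair: the private half stays with the owner, like the door key
}

func NewIdentity() (*Identity, error) {
	enc, err1 := rsa.GenerateKey(rand.Reader, 2048)
	sig, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("key generation failed: %v %v", err1, err2)
	}
	return &Identity{Enc: enc, Sig: sig}, nil
}

// Envelope is what travels over the wire. RSA cannot encrypt a whole record, so the
// record goes under a one-time AES-256-GCM key and only that key is RSA-wrapped.
type Envelope struct {
	WrappedKey []byte // AES key, RSA-OAEP encrypted to the receiver's public encryption key
	Nonce      []byte // GCM nonce
	Ciphertext []byte // record under AES-256-GCM
	Signature  []byte // RSA-PSS by the sender's private signature key over the three fields above
}

// digest binds every transmitted field (length-prefixed, so the concatenation is
// unambiguous); altering any one of them invalidates the signature.
func (e *Envelope) digest() []byte {
	h := sha256.New()
	for _, f := range [][]byte{e.WrappedKey, e.Nonce, e.Ciphertext} {
		fmt.Fprintf(h, "%d:", len(f))
		h.Write(f)
	}
	return h.Sum(nil)
}

func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal follows the article's order: encrypt to the receiver's public encryption
// key, then sign with the sender's private signature key.
func Seal(sender *Identity, receiverEncPub *rsa.PublicKey, record []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // one-time AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, record, nil)}
	if env.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverEncPub, key, nil); err != nil {
		return nil, err
	}
	if env.Signature, err = rsa.SignPSS(rand.Reader, sender.Sig, crypto.SHA256, env.digest(), nil); err != nil {
		return nil, err
	}
	return env, nil
}

// Open reverses it. The signature is verified (not "decrypted") with the sender's
// public signature key before anything is trusted; only then is the AES key
// unwrapped with the receiver's own private encryption key.
func Open(receiver *Identity, senderSigPub *rsa.PublicKey, env *Envelope) ([]byte, error) {
	if err := rsa.VerifyPSS(senderSigPub, crypto.SHA256, env.digest(), env.Signature, nil); err != nil {
		return nil, fmt.Errorf("reject: signature does not verify for the claimed sender: %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiver.Enc, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("reject: not encrypted to this receiver: %w", err)
	}
	gcm, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	clinic, _ := NewIdentity()
	lab, _ := NewIdentity()
	env, _ := Seal(clinic, &lab.Enc.PublicKey, []byte("constructed sample record, not real patient data"))
	got, err := Open(lab, &clinic.Sig.PublicKey, env)
	fmt.Printf("lab read %q (err=%v)\n", got, err)
}
```

Two points the code makes that the prose leaves implicit: verification happens before any decryption, so a tampered field or a message signed by someone other than the claimed sender is rejected without ever touching the patient data; and the check is only as good as the binding between the sender's public signature key and an ID-proofed person, which is exactly what the certificate in a PKI supplies. An impostor who hands you their own public key would verify their own messages perfectly well.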

 

3. Interoperability Compliance

Lastly, in order to securely share and send medical data between providers, patients and payers, you must have interoperability compliance.

 

Interoperability compliance refers to a system or device’s ability to securely work or communicate with other systems or devices.

 

To explore what this means, let’s look at the analogy of air travel.

 

When you go to the airport and you're traveling on the plane, the first thing you do is show your trust credential. That trust credential is a driver's license or a passport. That’s your authentication. That proves who you are, but it does not get you on the plane.

 

In order to get on the plane, you have to have a ticket to where you're going: an origin and a destination. On the network, that is your Direct address. That's your authorization.

 

In addition, interoperability also involves policy rules about what you can and cannot do over the network. For example, the iShare Medical network is used to communicate medical information and cannot be used to advertise products or services.

 

Tip of the Iceberg: Watch the Webinar to Learn More

The three foundations covered here aren’t the only considerations that providers should know about sharing medical data between providers, patients, and payers.

 

In the webinar, we also cover the different protocols and networks that are available for healthcare Direct secure messaging and how they're being used.

 

Watch the entire webinar, "Secure Sharing and Sending of Medical Data - What Providers Need to Know in 2020", to get the full picture of what you need to know in 2020 and beyond when it comes to the sharing and sending of medical data.

 

Request a Demo of iShare Medical Messaging

 
