Q&A: Nichole Sweeney, General Counsel/Chief Privacy Officer for CRISP Shared Services

Nov. 27, 2023
Sweeney envisions state-level health data utilities playing a key role in allowing patients to specify how they want different types of health data shared

A former Mitre Corp. executive, Nichole Sweeney, J.D., is the first in-house general counsel for Maryland-based CRISP Shared Services, which provides health information exchange infrastructure in several states. In a recent interview with Healthcare Innovation, Sweeney, who also serves as chief privacy officer, said she is spending a lot of her time focused on data segmentation and helping patients understand the risks and benefits of interoperability and data sharing. 

HCI: Does CRISP Shared Services deal with an increased level of complexity because it's operating in a bunch of different jurisdictions and states with different regulations on data sharing? 

Sweeney: Yes. CRISP Shared Services is a technology and resources provider for six HIEs across the country. I’m also the general counsel and chief privacy officer for CRISP Maryland and CRISP DC. For instance, I know that Maryland is working on specific data segmentation laws around reproductive health data, and DC has some sensitive health data requirements around mental health law. We are relying on the attorneys in other states to tell us enough so that we can help create an infrastructure that responds to the state-level needs.

HCI: I wanted to ask you a little bit more about that legislative proposal in Maryland around reproductive data privacy. Does that lend itself to having a statewide infrastructure or health data utility that can implement that data-sharing consent rather than individual organizations trying to figure out how to do that individually?

Sweeney: There is really this need for a state-level entity that understands the specific laws and needs of that state and the political atmosphere, and also has those relationships with the interested parties and the patience to be able to show up in places and to say we hear your concerns. 

One of my roles is to take calls from patients with concerns, and one of the things that I deal with most often and is sort of the most devastating, in my opinion, is when someone calls me and says, ‘Look, I opted out of CRISP. I know that I don't want to be a part of this interoperability network. And then I went to my clinician, and they have all this information, what's going on?’ I have to explain to them that Care Everywhere exists. There are 11 HIEs in the state of Maryland. It’s completely maddening for patients to have to understand that they have to go to each one of those HIEs to opt out. It's just too much, I think, unless you have that one centralized entity in each state.

HCI: Is this proposal about reproductive health data in Maryland that people would have more fine-grained consent capabilities about what they want to share about reproductive health?

Sweeney: I think that's definitely the end state where we want to be — and not just with reproductive health, but any sort of sensitive health data. If you were to ask me what the future of healthcare and patient privacy and patient safety looks like, I think it is a local health data utility in each state that has a front door for patients with categories such as Part 2 data, non-Part 2 mental health data, reproductive data, and gender-affirming services data. A patient can walk in through that front door and say, share this with these folks, or share this with everyone in Maryland, but don't share it with anyone beyond Maryland.
 
I know that there is very real concern on the part of clinicians, especially for patient safety folks, that they might be missing part of the equation. And I actually think the answer is giving patients more control, not less control, because I think when we give them an either/or option and don't give them enough information, they get too scared, and they just decide to opt out entirely, or even worse, not give their clinicians the relevant information. Contrary to popular belief, I think that the more control that you give folks, the more likely they are to share and to share in a way that makes sense.

HCI: On TEFCA, CRISP Shared Services is partnering with the eHealth Exchange. Does that mean that eHealth Exchange is doing a lot of the heavy lifting as far as meeting ONC and Recognized Coordinating Entity (RCE) requirements? Is there less for you to have to worry about?

Sweeney: TEFCA is necessary because it pushes the last mile of folks who weren't on the national networks, the last 10 percent who aren’t exchanging through a health information exchange or the Carequality Framework or aren't on Care Everywhere. But for most of us, we're already exchanging data through one of those networks, so it's just a matter of saying yes, we are already exchanging data through eHealth Exchange, and now they are going to be our official QHIN. So they interact with the RCE. They are the ones that have to deal with the common agreement and various things like that. And then we become a participant in their organization.

I do care a lot about TEFCA’s implications for public health. And I'm on a couple of those work groups. Public health laws are different in every state.

HCI: But do requirements that the RCE sets for the QHINs filter down to you as a sub-participant? 

Sweeney: The common agreement that is entered into between the RCE and a QHIN has specific clauses that say, as a sub-participant, you have to agree to certain flow-down clauses. And version two of the common agreement is actually taking out most of the flow-downs and putting them into standard operating procedures (SOPs) — this is how you exchange for these purposes. Instead of saying the flow-downs have to apply to everybody all the time, which I think is challenging for some folks, it's saying let's take out the appropriate flow-downs and put them in an operating procedure and tailor them a little bit more.

HCI: Weren’t there also questions about FHIR data and whether that was going to be in the first version or maybe the second version?

Sweeney: I think the requirements for sending data at first are going to involve CCDs, like stable documentation, and that's a little bit of the issue with data segmentation. Most providers and other entities don't have the capabilities, let alone the time, to take out sensitive information related to Maryland, and then send it on to the national network. Because we are sending stable documents right now instead of specific data elements, if they want to take things out, it involves either blocking the entire document or having a person redact things.

HCI: So how are they going to resolve that?

Sweeney: They’re either not going to send it at all — and they're going to say that that is a privacy issue, which they can do under information blocking, or they're going to send it and just say, we did our best. I don't want to imply that folks are ignoring local laws. But those are really the two options that they have — block everything or share everything — unless they have somebody like a CRISP that can be their node, so to speak. I think the common agreement is talking about nodes that could have the capability to parse data based on certain codes and then reconstitute the CCDs or the ADTs, but it seems unrealistic to ask every organization to do that rather than just having a central point handle it. 

HCI: HHS just came out with these disincentives around information blocking. What’s your impression of that? And is there anything that's still unclear or open to interpretation about the information blocking regulations?

Sweeney: I think it's gonna be interesting to see how they're enforced. At least once a week I have a conversation with somebody where I explain that you can't take somebody to court for information blocking. Just like HIPAA, it has to be enforced by a government entity. I think it's going to be really interesting to see what CMS, ONC and the OIG decide to actually go after. I think it is appropriate for ONC, CMS and HHS not to enforce everything because when I bring up information blocking to many providers — hopefully in a very non-threatening but just educational way — they say, ‘What are you talking about? When does this go into effect?’

There are going to be interesting questions around what is considered a reasonable fee. Also, the burden of proof is on the information blocker to show that they have an exception. Anyone who is considered an actor and even people that are actor-adjacent should really be thinking through the exceptions and thinking through documenting each one of those, saying we had to do it because of XYZ and here's where the exception comes in.

HCI: What about sharing data with patients’ third-party apps? HIEs have not traditionally been a source of sharing data directly with patients. But is that likely to start happening more? Or are the health systems themselves going to have to get more nimble at responding to those types of requests?

Sweeney: Absolutely. Part of information blocking is if you're an actor and a patient asks for their data, unless an exception applies, you’ve got to give it to them. HIEs are considered actors. We have not typically been, as you say, a part of the ecosystem of patient access, right? We typically say — and I continue to believe this is true — your clinician is the best source of that information. However, if you go into your Apple Health right now, and you're giving your credentials to log into Care Everywhere, it’s not pulling from across all of the networks in a way to say my information is here, here and here. You have to know where your information is. So I think that's where HIEs can play an enormous and important role. If we're queried through TEFCA or through the Carequality Framework, we could say, you got hits here, here and here. Let us aggregate that for you, or let us at least point the way so that you can get that information. I think that's where HIEs are very vital.

HCI: Is there anything that the federal regulators could do to make life easier for CRISP Shared Services? 

Sweeney: I think with issues like granular consent and reproductive health data, I have felt an overwhelming sense that people think this is too complicated, right? Or if it's not perfect, we can't do it. And my message has been try anything! People aren't looking for the perfect solution. I mean, I would like the perfect solution, but it is not helping patients and it is not engendering confidence in EHR systems, HIEs or the federal government that the overwhelming consensus seems to be that this is too hard. Just try something. And at least, be willing to come out and say we're not going to get it right the first time. This is complicated, but we know this is a priority. This is important to us. And so these are the things that we're doing.

HCI: And within the federal government, where does the leadership on that come from? Is it from ONC? Or is it somewhere else in HHS?

Sweeney: I think ONC is always in a tough spot, because they technically don't really regulate anything. Well, they regulate EHR systems, which are then regulated by CMS. So it's a very complicated web of regulation. I do think ONC — and I've said this to them directly — could take a more active role in saying, we know this is an issue, and these are the four things we're doing about it, or offering an innovation grant or something. I think that the ONC could have some influence with the EHR developers to say ‘Hey, look we understand all of your excuses. We understand how interoperability works. We know how complicated this is. And you putting up all these smoke screens isn't cutting it anymore. You have to give us at least one solution. You’re smart people. Figure out one thing.’ So I think it can come from there. And then it's a matter of CMS saying to providers — just like how everything else works — unless you have something that has the capability to do X, Y and Z, you don't get these incentives. I think that's how it would have to work. 
