CRISP Shared Services (CSS) is a non-profit organization that provides technology infrastructure and services to support Health Information Exchanges (HIEs) across multiple states. Pulse 2.0 interviewed CRISP Shared Services General Counsel and Chief Privacy Officer Nichole Sweeney to gain a better understanding of the non-profit.
Nichole Sweeney’s Background
Could you tell me more about your background? Sweeney said:
“I took a circuitous route to healthcare, but I’m glad I’m here. I graduated from Georgetown University Law Center and began my career at a large law firm, focusing on regulatory energy. I quickly realized that large law firm life wasn’t for me, but I didn’t know what I wanted to do next.”
“A family member worked for The MITRE Corporation, a federally funded research and development corporation. The Affordable Care Act (ACA) was signed into law about six months before I left the law firm, and MITRE had begun to get involved in healthcare in a big way. I was lucky in that I was in the right place at the right time, helping agencies with the big task of implementing the ACA. In a decade, we grew from a department of four to 63 people. I became department head of the health policy department. I guided overall strategy, business development, and client engagement, managing 10 healthcare policy, interoperability, and operations projects worth more than $25 million.”
“A great deal of my work at MITRE focused on health interoperability, but I was feeling disconnected from what was actually happening on the ground. Helping agencies implement laws and regulations is very different from putting those regulations into play. Because I lived in Maryland, I knew about the Chesapeake Regional Information System for Our Patients (CRISP), Maryland’s HIE, and they happened to be hiring for an in-house counsel position. So I reached out. I became vice president, general counsel, and chief privacy officer three years ago.”
“My background in working with a federally funded organization blends perfectly with my work for regional HIEs. It helps me understand local and state solutions, how they work in the overall federal landscape, and what levers you can and can’t push in each. It also fuels my passion for helping patients ensure the information they want to keep private remains so without presenting barriers to national interoperability.”
“My work at CSS supports not only the CRISP HIE, but also HIEs in over 10 other jurisdictions. I provide legal and policy advice for health information exchanges and health data utilities across the country, including how to interface with patients and consumer advocates, partner with technologists to shape products and services while protecting patient privacy, and interfacing with state lawmakers on emerging privacy laws. I also work with public health authorities and advise federal lawmakers on emerging trends impacting interoperability and privacy.”
“Most recently, a great deal of my career and time is spent trying to navigate how to share data when some states have criminalized or otherwise stigmatized certain care. In Maryland, we have a new law and regulations that CRISP implemented this past year. It requires that certain information in patient records is pulled out of that record before the record is shared to help make sure it doesn’t end up in other states where this information could criminalize the person receiving or giving the care. It is tricky to balance competing privacy and data sharing laws to make these types of laws reality.”
“I’m humbled to be considered one of the nation’s leading experts in health data interoperability, reproductive health data exchange, and protecting the privacy of sensitive health data. More and more states and territories are interested in how we share most data across state lines without sharing data elements, and I’m honored to be a resource to them as they draft laws, regulations, and policies.”
Volunteering
You also volunteer your time with several groups working on interoperability. Tell us more about that. Sweeney shared:
“I’m a representative for the eHealth Exchange QHIN and also one of 15 representatives on the TEFCA Transitional Council—and one of the few with a policy and legal background. The Transitional Council was chartered to stand up what will become the governance council for TEFCA.”
“I’m also a member of the Carequality Steering Committee, a national interoperability network that predates TEFCA. I’m intrigued by the ways in which Carequality will evolve as TEFCA ramps up; it’s a great time to be engaged across multiple networks.”
“As part of my role at CSS, I’ve also been engaging with public health agencies across the country to figure out how we can get providers comfortable exchanging data with public health agencies through a national network. Right now, providers aren’t required to exchange data with public health entities via TEFCA or other national networks; it’s voluntary. I’ve been engaging with public health folks, the Centers for Disease Control and Prevention, ASTP / ONC and others to say, “OK, this needs to happen. How can we start to pilot initiatives like this?” Right now, CSS is involved with a pilot projects across the country to see how we can get both providers and public health officials comfortable with this type of data sharing in a way that’s scalable from a technology perspective.”
“The ability to apply my policy expertise and advocacy skills to bring a cross-section of industry, public health, and patients together to improve healthcare access and outcomes really excites me and keeps me going.”
Favorite Memory
What has been your favorite memory working for CSS so far? Sweeney reflected:
“I’m very proud of the relationship I’ve forged with what have traditionally been considered “difficult” interested parties, like privacy advocates that have wanted to shut down HIEs. My favorite memory is the first time one of these privacy advocates called my personal number and said, “Hey, I have an idea I want to talk to you about. How do we make this happen?” It still gives me good bumps thinking about how potential opponents are now collaboration partners. At the end of the day, we’re all patients, and we all will benefit from interoperability done the right way.”
Significant Milestones
What have been some of your non-profit’s most significant recent milestones? Sweeney cited:
“Our ability to share disparate data across a range of entities is a distinguishing factor, and that’s what makes us successful. In the past couple of years, we’ve grown from five HIEs to advancing data exchange in more than 10 states and jurisdictions. We’ve engineered governance and technical structures to support this rapid growth, and we’ve mapped policy and legal guidelines to data streams across HIEs.”
“The future of health interoperability is not just to send all the data to a specific type of entity. It’s to send this data to a variety of types of entities in different ways based on what that entity needs and can see. We’ve looked at every data stream at a granular level to determine the HIPAA-permitted purposes for data sharing and the instances where we need affirmative consent from patients before the data can be shared. At CRISP and for the state of Maryland in particular, I’ve provided the policy and legal expertise to create consent paradigms based on data types.”
“One of the major public health breakthroughs we celebrated this past year was our selection by the Maryland Dept. of Health to support the state’s public health technology and data modernization needs as it became the first in the nation to implement the Trusted Exchange Framework and Common Agreement (TEFCA). CSS, in partnership with eHealth Exchange, helped engineer a custom portal that successfully demonstrated TEFCA utilization for the first public health use case. This work has been foundational to achieving critical national public health priorities established by federal agencies, including the CDC and Office of the National Coordinator for Health Information Technology.”
“In addition, CSS tech supported other public health authorities as the CDC’s early demonstrators of TEFCA, including the Alaska Dept. of Health and Fairfax County Dept. of Health. We’re still learning, and, as I noted above, the data is not as readily available through TEFCA as public health officials want it to be, but we are making progress in a hugely meaningful way.”
Success Stories
Would you like to share any specific success stories? Sweeney highlighted:
“I’m really proud of our work in filtering and parsing data in the CRISP HIE to allow more restrictive data sharing for abortion data in Maryland. The model and infrastructure we’ve built in Maryland is becoming a national model—and other states are paying attention.”
“I helped provide educational technical assistance for legislators in Maryland, giving them firm examples of how this type of data parsing could work. It’s heartening to see that the legislation passed in such a way that allows data parsing to be implemented at a scalable level, striking a delicate balance that protects patients’ right to privacy without shutting down national interoperability.”
“I’m also proud to be part of a company that digs in. We’re a nonprofit organization of 200 people, and when this legislation passed, we immediately said, “We can do this; it’s tough, but we can figure it out.” There were larger health IT companies with billions in revenue and thousands of employees in the room who were saying the opposite. I think if we had said we couldn’t do it, either, the legislation may not have made it through or would have made it through in a way that was difficult to implement in a scalable way.”
Notable Metrics
Can you discuss any notable metrics? Sweeney pointed out:
“Last July, CSS was selected by the CDC as one of three awardees under the newly launched $255 million National Implementation Center Program to provide infrastructure and implementation services to public health agencies across the country. The goal is to help public health accelerate modern data exchange and make public health data interoperable. CSS is providing end-to-end technical support, including ensuring that health departments adopt and successfully use TEFCA and other data exchange standards such as electronic case reporting.”
“As of October 2024, CRISP serviced 4,899 organizations and 63,303 users, who performed, on average, 1.4 million queries per month.”
Differentiation From Other Nonprofits
What differentiates your nonprofit from others? Sweeney affirmed:
“We are use case-driven, and we are policy-driven. What we build is built upon fixing what keeps people up at night and how we can fix it. If it requires technology, then we’ll build technology. But if it requires an Excel spreadsheet that I drop off to someone once a week in a secure file transfer, then that’s what I’m going to do. We’re not going to build something or overcomplicate something for the sake of making a cool thing.”
“We build most of our technology in house. The thing I’m most proud of is that we don’t build something and then bring in our attorneys and say, “Did we do it right?” My team partners with the technologists from stage one, when we start to understand a problem and how to address it. I’m in every requirements review board meeting. I’m in every change control board meeting. I am in most requirement gathering meetings saying, “If you want to build this, this is what we have to do from a policy perspective.” So it’s really that partnership of technology and policy that makes transformational change happen.”
Challenges Faced
What are some of the challenges you’ve faced at CSS? Sweeney acknowledged:
“Access to resources, without a doubt. We’re a nonprofit, and we often are the little folks in the room, driving from behind. Sometimes that’s great, because we get to work on interesting projects as a team, often stretching our skillsets as we go. But often, we have to build a coalition of folks to get things done.”
Goals
What are some of your goals? Sweeney concluded:
“As an organization, we want CSS to remain the go-to technology partner for HIEs across the country, offering advice to other agencies and organizations that want to build a robust, secure, patient-centered HIE that respects the data sharing frameworks in their jurisdictions and leaves patients in charge of their health data.”
“One national goal that CSS can help facilitate is to establish a governance engine: a not-for-profit or public/private entity in each state that allows for the governance of data at the state level as data enters the state and leaves the state. We can help policymakers understand that for health data interoperability to work and for patients to trust it, there need to be tight privacy controls that reflect the policies in each state.”
“It can still look like the Wild West out there, but the right policies — thoughtfully created and stringently enforced — can build trust. The right interoperability policies don’t just do something because it’s possible, we do it because it’s right for patients and people.”
