Towards Interoperability of EHR Systems: The Case of Italy

Mario Ciampi

, Angelo Esposito

1,2

, Roberto Guarasci

3,4

and Giuseppe De Pietro

Institute of High Performance Computing and Networking, National Research Council of Italy, Naples, Italy

Department of Engineering, University of Naples Parthenope, Naples, Italy

Institute for Informatics and Telematics, National Research Council of Italy, Rende, CS, Italy

Department of Linguistics, University of Calabria, Rende, CS, Italy

Keywords: Electronic Health Record, Interoperability, Architectural Model.

Abstract: The great benefits that Electronic Health Records are able to provide in terms of improvement of the quality

of care and reduction of costs have led many international organizations to implement enabling systems.

However, the systems designed and realized are very often not able to interoperate each other, due to several

reasons, varying from the existence of different local needs to the use of diverse health informatics standards.

The lack of interoperability among these systems can result in decreased levels of quality of patient care and

waste of financial resources. In Italy, the autonomy about healthcare delivered by the Italian Constitution to

each region caused the spread of heterogeneous regional EHR systems, thus not able to interoperate each

other. This paper presents the result of an effort made within a convention between the National Research

Council of Italy and the Agency for Digital Italy, for the specification of the Italian architecture for the

interoperability of regional EHR systems. Such an architecture has been defined according to the requirements

provided by Italian Laws recently issued and approved by a National Technical Board.

1 INTRODUCTION

In the last decades, many countries in the world have

made significant efforts to develop Electronic Health

Record (EHR) systems (Aminpour et al., 2014). The

main reasons are: i) improving the quality of care

services, and simultaneously ii) reducing health care

costs (Black et al., 2011; Shekelle et al., 2006). ISO

defines EHR as a “repository of patient data in digital

form, stored and exchanged securely, and accessible

by multiple authorized users”. It contains

retrospective, concurrent and prospective information

and its primary purpose is to support continuing,

efficient and quality integrated health care (ISO/TR

20514, 2015).

Despite such efforts in the realization of EHRs,

the systems developed, both at regional and national

level, are very often not able to interoperate each

other (Ludwick and Doucette, 2009), due to a

plethora of reasons. First, each country or regional

domain is characterized by its own legal

requirements, especially about privacy protection.

Second, countries or regions have typically different

needs, depending on their dimension, number of

citizens, number of healthcare facilities, etc. Finally,

the development of the systems have been started in

different periods, adopting or applying diverse

standards in different ways (Dogac et al., 2007).

The lack of interoperability among these systems

can result in decreased levels of quality of patient care

and waste of financial resources. In fact, when a

patient benefits from a health service outside her/his

health care domain, the health professional that treats

the patient is not able to access the patient health

information, due to the impossibility of cooperation

between the EHR system used by the health

professional and the one related to the patient.

Therefore, the health professional typically requires

the patient to repeat a clinical exam already executed.

With respect to interoperability, several levels of

interoperability have been defined in literature (Kalra

et al., 2007): technical interoperability, for which the

systems share the communication protocols making

possible, e.g., the exchange of bytes between them;

syntactic interoperability, which aims at making the

systems capable of communicating and exchanging

data through the sharing of data formats; semantic

interoperability, whose purpose is to enable systems

to exchange data and interpret the information

exchanged in the same way; organizations & services

Ciampi, M., Esposito, A., Guarasci, R. and Pietro, G.

Towards Interoperability of EHR Systems: The Case of Italy.

In Proceedings of the International Conference on Information and Communication Technologies for Ageing Well and e-Health (ICT4AWE 2016), pages 133-138

ISBN: 978-989-758-180-9

133

interoperability, where business processes are shared

between the systems.

The importance of making EHR systems able to

interoperate each other has motivated by the increase

of the phenomenon of the patient mobility for reasons

of care. For example, we can consider Italy where

570k hospitalizations are made by patients in a region

different from that they reside (Istat, 2015).

In Italy, the autonomy about healthcare delivered

by the Italian Constitution to each region caused the

spread of heterogeneous regional EHR systems. After

some national initiatives aimed at proposing a first

architectural model at national level, the emanation of

Italian norms has allowed defining both i) the national

architectural model of reference, and ii) the functional

and privacy requirements to be respected by all the

Italian regions. In this scenario, this paper presents

the Italian architecture designed for the

interoperability of EHR systems by a National

Technical Board, coordinated by the Agency for

Digital Italy (AgID) and the Ministry of Health, with

the technical support of the National Research

Council of Italy (CNR) and the participation of the

Ministry of Economy and Finance and Italian regions.

This paper is organized as follows. Section 2

provides a background on the main standards and

projects on e-health data interoperability. Section 3

describes the main features of the national

interoperability architecture, highlighting the cross-

border business processes. Section 4 presents the

technical details about the architecture. Finally,

Section 5 concludes the paper with some final

remarks and indications for future works.

2 BACKGROUND

2.1 Health Informatics Standards

HL7 is a non-profit organization involved in the

development of international health informatics

interoperability standards. Version 2 of the standard

is currently implemented in numerous health

organizations, whereas Version 3 is based on an

object-oriented model named Reference Information

Model (RIM). From the RIM, it was derived the

Clinical Document Architecture (CDA) standard,

which specifies the structure and semantics of clinical

documents. Currently, HL7 is involved in the

definition of a new health interoperability standard,

named FHIR, which combines the best features of the

previous versions (HL7 [online], 2016).

IHE is an international initiative founded by

RSNA and HIMSS with the goal of supporting the

integration of health information systems through

existing standards. IHE constantly defines integration

profiles, which aim to solve problems related to

specific use cases. In this context, the profile more

relevant in the IT Infrastructure domain is XDS,

which has the scope of facilitating the sharing of

patient electronic health records across health

enterprises (IHE [online], 2016).

2.2 International and National Projects

Canada Health Infoway is an independent, federally-

funded, not-for-profit organization with the

responsibility of accelerating the adoption of digital

health solutions across Canada. Along with the

Canadian provinces and territories, Infoway provided

a national framework called EHR Blueprint, with the

aim of guiding the development of the systems in

each different province. The key elements of the

framework, built following a Service-Oriented

Architecture (SOA) based on the HL7 Version 3

standard, are: gateways, data repositories, registry

services, infostructure, access mechanisms (Canada

Health Infoway [online], 2016).

U.S. Healtheway (now Sequoia) is a non-profit,

public-private partnership that operationally supports

the eHealth Exchange project. With production

starting in 2007, eHealth Exchange has become a

rapidly growing community of public and private

organizations, with the aim of facilitating the

exchange of health information in a trusted, secure,

and scalable manner. The exchange is realized

through Web Services conforming to specifications

based on IHE integration profiles. Finally, in order to

support the health information exchange at local and

national level, an open-source software named

CONNECT has been developed (The Sequoia Project

eHealth Exchange [online], 2016).

In Europe, each country has developed or is

developing its national EHR system. The aim of the

epSOS project, which involved 25 different European

countries, was to realize a large-scale pilot testing the

cross-border sharing of two kinds of health

documents: patient summary and electronic

prescription. To achieve such an objective, a service

infrastructure was designed, built, and evaluated. The

national EHR systems communicate each other by

means of gateways, named National Contact Points

(NCPs), by exchanging: i) messages based on IHE

specifications, and ii) clinical documents in the HL7

CDA format (epSOS Project [online], 2016).

In Italy, a first prototypal architectural model for

the realization of an interoperability secure EHR

infrastructure, named InFSE (Ciampi et al., 2012),

ICT4AWE 2016 - 2nd International Conference on Information and Communication Technologies for Ageing Well and e-Health

134

was defined and developed within three conjunct

projects between the Department of Technological

Innovation of the Presidency of the Council of

Ministers and CNR. The infrastructure, in absence of

a norm, was designed with the aim of enabling

interoperability among regional EHR systems. The

components of the infrastructure were implemented

and used in experimentations that have had the scope

of enable the interchange of clinical documents by

means of the interoperability of some regional EHR

systems. The software components of the InFSE

infrastructure were also used within the national IPSE

project linked to epSOS, in which 10 Italian regions

were involved. The aim of the project was to make

regional EHR systems able to interoperate each other

for the interchange of patient summaries.

3 NATIONAL EHR

ARCHITECTURE

In Italy, the Laws 179/2012 and 98/2013, and the

subsequent decree DPCM 178/2015 (Decree 178,

2015), have provided the Italian legal system of a

definition of EHR, meant as the set of digital health

and social-health data and documents generated from

present and past clinical events, about the patient.

According to the norms, EHR can be used for three

finalities: a) prevention, diagnosis, treatment and

rehabilitation; b) study and scientific research in the

medical, biomedical and epidemiological field; c)

health planning, verification of the quality of care and

evaluation of health care.

The regulatory framework has permitted to a

National Technical Board to define a set of reference

guidelines for the implementation of the EHR

systems (Chiaravalloti et al., 2015). Then, a set of

technical specifications, which establish the main

requirements to be met by the regions, have been

defined to guarantee interoperability at different

levels: technical interoperability is assured by

sharing communication protocols among services

interfaces; syntactic interoperability is reached by the

use of common data formats; semantic

interoperability is guaranteed by adopting both same

data formats and coding systems; organizations &

services interoperability is enabled by the sharing of

common cross-border processes.

3.1 Key Principles of EHRs

Each regional EHR system is been developing in

accordance with the requirements specified by the

norm, guidelines and specifications. The main

architectural constraints imposed are the following:

 Patient Consent: every patient can take

advantage of the functionalities offered by the

EHR system of the health care provider region

of the patient. To this aim, she/he has to express

two types of consent: i) a consent enabling the

population of the EHR with her/his clinical

documents by the health facilities; ii) a consent

enabling the consultation of the EHR by health

professionals. Specifically, the patient is

allowed choosing the professional roles

permitted to access her/his EHR by defining

specific privacy policies.

 Index Metadata Model: the health care

provider region of the patient has the

responsibility of mantaining index metadata

related to all the documents related to its

patients, even if such documents are produced

and maintained by health facilities sited outside

the region.

 Proxy-based Interoperability Model: the

system of the health care provider region has to

operate as a mediator with the other regional

systems in all the cross-border processes in

which its patients are involved.

 First Implementation of EHRs: even if EHRs

can contain a multitude of tipologies of

information, the first mandatory kinds of

clinical documents to be accessible via EHR

are patient summary and laboratory report.

Then, in this first phase, only details about the

finality of care of the patient are defined.

3.2 Cross-border Processes

In order to enable communication among regional

EHR systems, cross-border services have to be

implemented according to a SOA paradigm.

Such services have to satisfy a set of national

business processes, according to them each region

may assume a different role: the health care provider

region assumes a role named RDA; the region that

stores a document of a patient, whose RDA is

represented by another region, takes the role of RCD;

the region that provides a health service to a patient

whose RDA is another region is named RDE; finally,

the region that does not act anymore as the health care

provider region assumes the role of RPDA.

The cross-border processes, shown in Figure 1,

are based on the assumption that a health professional

intends to consult the EHR of a patient whose health

care provider region is different from the one in which

the health professional operates.

Towards Interoperability of EHR Systems: The Case of Italy

135

Figure 1: Roles in the cross-border processes.

All the business processes (described below),

before their execution, require to identify

preliminarly the patient and the health professional:

 Searching for Documents: RDE requires RDA

to consult the EHR of the patient. RDA returns the

list of documents for which the user has access

rights.

 Retrieving a Document: RDE, after obtaining

the list of documents, requires RDA retrieving a

document. RDA returns the document if the user

has access rights. Eventually, RDA forwards the

request to RCD if the document is available

outside.

 Creating or Updating a Document: RDE

transmits to RDA the list of metadata of a

document created/updated for a patient of this one

(the document is stored in RDE, which therefore

serves as RCD). RDA stores the metadata in its

system.

 Invalidating a Document: RCD requires RDA to

perform a logical deletion of metadata related to a

document, due to the invalidation of this one.

 Transferring of Index: a new RDA requires

RPDA to transfer the index of the EHR (list of all

metadata and privacy policies) associated with the

patient. RPDA returns the index, which is

registered in the new RDA, and then disable it.

In order to achieve semantic interoperability,

several standards in different domains exists, e.g.

CIDOC-CRM (CIDOC-CRM [online], 2016) in the

cultural domain. Due to its specificity, to assure

semantic interoperability for the e-health domain,

suitable standards have been individuated: HL7 CDA

Rel. 2 specifies the structure and semantics of clinical

documents, whereas clinical content is represented by

using a set of coding systems, like ICD9-CM,

LOINC, ATC, and AIC.

3.3 Architecture Components

All the regional EHR systems are based on the

registry/repository paradigm. The clinical documents

produced by the health facilities are stored in

repositories and indexed in a regional registry by

means of appropriate metadata.

The mandatory metadata are: document type,

document state, document identifier, creation date,

author identifier, patient identifier, repository

reference.

Figure 2: Architecture of a regional EHR system.

The interoperability of the regional EHR systems

is based on a nationwide federated model, based on a

System-of-Systems approach, where each regional

system is realized by taking into account local needs.

In order to make the regional systems able to

interoperate each other, each EHR system exposes a

set of cross-border services, which preliminarly

verify the possession of the rights by the user and

provide all the functionalities needed to manage,

search, and consult metadata and documents.

The architecture of the distributed system at

national level is shown in Figure 3.

Figure 3: Architecture of the national system.

The security model adopted is based on a Circle

of Trust among the regions. Each region is

responsible for the claims made in the process of

request of the cross-border services provided by the

other regions. In addition, all the communications

among the regional systems are exchanged through

the Public Connectivity System (SPC), the Italian

technological infrastructure for exchanging

information assets and data between Public

Administrations.

Specifically, every cross-border service is linked

ICT4AWE 2016 - 2nd International Conference on Information and Communication Technologies for Ageing Well and e-Health

136

to the SPC infrastructure by means of specific

software components called Domain Ports.

4 TECHNICAL DETAILS

4.1 Cross-border Services

The cross-border services to be implemented

according to the business processes described above

have to be able to exchange messages compliant to

IHE XDS.b transactions, opportunely localized at

Italian level. IHE XDS profile provides specifications

for managing the exchange of documents that care

delivery organizations have decided to share.

A brief description of the structure defined for the

communication with the services is provided below:

 Document Search: allows authorized users

retrieving the index metadata related to

documents satisfying specified search criteria

(patient id, date, document type and status). The

communication protocol of this service is

compliant to the IHE ITI-18 transaction (Registry

Stored Query).

 Document Retrieval: allows authorized users

retrieving a specified document from its id. The

communication protocol of this service is

compliant to the IHE ITI-43 transaction (Retrieve

Document Set).

 Metadata Communication: allows authorized

users sending index metadata to the health care

provider region of the patient to which a

created/updated document refers to. The

communication protocol of this service is

compliant to the IHE ITI-42 transaction (Register

Document Set-b).

 Metadata Cancellation: allows authorized users

requesting logic cancellations of index metadata

relating to a document invalidated. The

communication protocol of this service is

compliant to the IHE ITI-62 transaction (Delete

Document Set).

 Index Transfer: allows transferring the index of

the EHR related to a patient from a regional

system to another, after the change of the health

care provider region by the patient. The

communication protocol of this service is

compliant to the IHE ITI-18 transaction (Registry

Stored Query).

4.2 Security Aspects

The main security aspects treated concern user

identification and access control, in that issues like

integrity, confidentiality and auditing are assured by

the use of the SPC infrastructure as a secure channel

of communication among the Italian Public

Administrations.

To this aim, the claims to be transmitted by every

region in the SOAP messages exchanged among the

cross-border services are attested by digitally signed

SAML 2.0 assertions. A brief description of such

assertions is reported below:

 Identification Assertion: certifies the

identification data of a patient and her/his

health care provider region; the assertion is

issued by a national Identity Provider.

 Attribute Assertion: certifies the data relating

to the user making the request, the operating

environment and the type of activities to

perform; the assertion is issued by the region

that intends to use a cross-border service

offered by another region.

 Identity Assertion of the RDA: certifies the

identity of the health care provider region of the

patient (RDA). This assertion, issued by RDA,

is used in case of a request sent by RDE for

retrieving a document available in RCD,

through RDA, which acts as a proxy. RCD uses

this assertion to verify if the request is really

sent by RDA.

4.3 National Framework Services

In order to support the cooperation among the EHR

systems, a national technical framework providing a

set of central services has been realized by CNR in

collaboration with AgID.

The services offered by the framework have been

identified analyzing the needs indicated by the

regions in their project plans for the realization of the

EHRs. The purposes of these services vary from

managing service endpoints, to enabling the

homogeneous presentation of the clinical documents

represented according to the XML-based HL7 CDA

format by means of national style sheets, to handling

the terminologies.

Besides, in order to support the correct

development of the cross-border services by the

regions, a test environment realizing the business

processes described above has been implemented.

Such a test environment is able to simulate the

behavior of a typical regional EHR system and allows

regional domains verifying the correctness of the

request messages for the invocation of the cross-

border services.

Towards Interoperability of EHR Systems: The Case of Italy

137

5 CONCLUSIONS

In this paper, the architectural model of reference for

the realization of the EHR in Italy was presented. The

architectural model was formalized by a National

Technical Board in order to meet the organizational,

functional, privacy, and technical requirements

provided by Italian norms recently emanated.

According to such requirements, a patient can choose:

i) whether she/he intends to benefit from the EHR

provided by her/his health care provider region, and

ii) the privacy policies that regulate the access to

her/his EHR. In order to support patient mobility,

regional EHR systems have to interoperate each other

in order to execute five main cross-border processes:

searching for documents, retrieving a document,

creating or updating a document, invalidating a

document, transferring of index. These processes are

realized by a set of cross-border services that every

regional EHR system has to make available. The

services have to be able to analyze SAML assertions

transmitted by the requesting regions in order to

verify if the user possesses the rights established by

the patient in exam. Then, some central services have

been realized and shared for supporting the

interoperability among the regional EHR systems and

the implementation of the cross-border processes. As

future work, it is planned to specify further technical

details about some relevant aspects, like digital

signatures, style sheets, patient identification. Some

critical aspects concerning the adoption of cloud

computing technologies for EHR services need a deep

investigation, in order to both i) individuate

appropriate deployment and service models, and ii)

assure suitable privacy level agreements. Finally,

additional work will concern the extension of the

architecture for executing processes able to use the

EHR for finalities of research and government, after

that a new decree will define the main requirements.

ACKNOWLEDGEMENTS

The work presented in this paper has been partially

supported by two joint projects between the Agency

for Digital Italy and the National Research Council of

Italy: “Interventions to support the realization of the

Electronic Health Record”, prot. CNR 25751/2014,

and “Realization of services of the national

interoperability infrastructure for the Electronic

Health Record”, det. AgID 61/2015.

REFERENCES

Aminpour, F., Sadoughi, F., Ahamdi, M., 2014. Utilization

of open source electronic health record around the

world: A systematic review. International Journal of

Research in Medical Sciences, vol. 19, no. 1, pp. 57-64.

Black, A. D., Car, J., Pagliari C., et al., 2011. The impact of

eHealth on the quality and safety of health care: a

systematic overview. PLOS Medicine, vol. 8, no.

e1000387.

Canada Health Infoway, 2016. https://www.infoway-

inforoute.ca/en/.

Chiaravalloti, M.T., Ciampi, M., Pasceri, E., Sicuranza, M.,

De Pietro, G., Guarasci, R., 2015. A model for realizing

interoperable EHR systems in Italy. 15th International

HL7 Interoperability Conference.

CIDOC-CRM, 2016.

http://www.cidoc-crm.org/official_release_cidoc.html

Ciampi, M., De Pietro, G., Esposito, C., Sicuranza, M.,

Donzelli, P., 2012. On federating health information

systems. GUT 2012: International Conference in Green

and Ubiquitous Technology, pp. 139-143.

Decree 178, 2015. http://www.gazzettaufficiale.it/eli/

id/2015/ 11/11/15G00192/sg.

Dogac, A., Laleci, G., Aden, T., Eichelberg M., 2007.

Enhancing IHE XDS for federated clinical affinity

domain support. IEEE Transactions on Information

Technology in Biomedicine, vol. 11, no. 2, pp.213 -221.

epSOS Project, 2016. Available at: http://www.epsos.eu/.

HL7 Int., Health Level Seven International, 2016.

http://www.hl7.org/.

IHE, Integrating the Healthcare Enterprise, 2016.

http://www.ihe.net/.

ISO/TR 20514, 2005. Health informatics -- Electronic

health record -- Definition, scope and context.

Istat, 2015. Le dimensioni della salute in Italia (Italian).

http://www.istat.it/it/files/2015/09/Dimensioni-

salute.pdf.

Kalra D., Blobel B.G., 2007. Semantic interoperability of

EHR systems. Studies in Health Technology and

Informatics, vol. 127, pp. 231-245.

Ludwick, D.A., Doucette, J., 2009. Adopting electronic

medical records in primary care: lessons learned from

health information systems implementation experience

in seven countries. International Journal of Medical

Informatics, vol. 78, no. 1, pp. 22–31.

Shekelle, P.G., Morton, S.C., Keeler, E.B., 2006. Costs and

benefits of health information technology. Evidence

Report/Technology Assessment, no. 132, pp. 1-71.

The Sequoia Project eHealth Exchange, 2016. Available at:

http://sequoiaproject.org/ehealth-exchange/.

ICT4AWE 2016 - 2nd International Conference on Information and Communication Technologies for Ageing Well and e-Health

138