Tone Southerland, Integrating the Healthcare Enterprise
Author(s): Scott Douglas Jacobsen
Publication (Outlet/Website): The Good Men Project
Publication Date (yyyy/mm/dd): 2024/12/17
Tone Southerland is a healthcare IT expert and the current PCC Domain Representative to the IHE International Board. With a career spanning over two decades, Tone has been deeply involved in shaping healthcare interoperability, particularly through his work with IHE (Integrating the Healthcare Enterprise). His expertise lies in navigating the complexities of healthcare data integration, policy, and security. Tone is passionate about ensuring that patients and providers have seamless access to accurate and timely health information. He has been a key figure in developing frameworks like TEFCA, and is committed to transforming healthcare quality through technology.
Southerland discusses the complexities of healthcare interoperability compared to other industries like finance. Southerland explains the challenges, including the human aspect of healthcare, complex workflows, and the role of government policies. He highlights the importance of healthcare data accessibility, security, and privacy, and then touches on HIPAA’s role in safeguarding patient data, Medicare fraud, and the efforts to protect against misuse. Southerland emphasizes the potential of interoperability in improving patient care and enabling whole-person care by integrating diverse data points. He also discusses the significance of the Connectathon and the potential of healthcare IT advancements.
Scott Douglas Jacobsen: How are you today?
Tone Southerland: I’m doing great. I’m excited to chat about IHE (Integrating the Healthcare Enterprise).
Jacobsen: Excellent. So, the first question is: Why is the healthcare industry slower in adopting advanced technologies compared to sectors like finance?
Southerland: Yes, that’s a great question, and it’s one that’s been asked a lot. Healthcare is different from other industries, and there’s much more complexity involved. Three key factors make it challenging.
First, there’s the human aspect of healthcare, which is difficult to codify into data that can be easily transferred and consumed electronically between systems. For example, when I visit my doctor, we have a relationship andhey know things about me that are difficult to express in coded medical terminology. This aspect of care is represented as “narrative text” in clinical notes. While there are ways to exchange that narrative, the human element will always remain essential in healthcare.
Second, the workflows in healthcare are more complex than in industries like banking or insurance. In those industries, the workflows are relatively finite. The tasks are straightforward, whether transferring money, buying stock, or granting account access. In healthcare, patients move between vastly different care settings. For instance, if you go for a radiology appointment, the workflow is controlled: you have an initial consultation, undergo scans, wait, and the radiologist reads your scans. But afterward, you’re referred back to your primary care doctor or to a specialist, and they continue interpreting the results, explaining them, and possibly sending you elsewhere for further care. Your healthcare journey might also transition to home care, adding even more complexity. That’s what IHE focuses on—standardizing workflows across these diverse care settings.
Third, policy plays a big role in how quickly healthcare interoperability progresses. Government policies and incentives encourage electronic health record (EHR) vendors and healthcare providers to exchange data and participate in electronic data collection. In some cases, there are penalties for not moving quickly enough. While these policies are complex, much progress is being made.
Jacobsen: Why is interoperability such a pressing issue in today’s healthcare landscape?
Southerland: I’ve been working in this field for about 18 to 20 years, and I was excited when I started—I’m still excited about it now.
I saw much opportunity then. I see many opportunities now. But I also see that through my lens as a technologist, not a clinician; clinicians I engage with still need help with some of the same issues when accessing data. They may have access to data, but how well can they use that data?
This year, a study published in the National Library of Medicine examined this issue. They surveyed about 2,000 physicians. Of those, 70% indicated they have access to healthcare data. Still, only about 23% said they have easy access, and only 8% said they have very easy access to the right data. So, they may have access to data, but do they have access to the right data in a way that they can use it effectively to improve health outcomes for their patients?
That’s a big challenge, and why healthcare interoperability is so important. IHE—Integrating the Healthcare Enterprise—is working to solve this problem. Our goal is to get the right data to the right doctor for the right patient at the right time, with the relevant level of detail, so that they can provide better care. Additionally, part of any data exchange is security and privacy.
Jacobsen: How do security and privacy concerns factor into this?
Southerland: It’s huge. Suppose you’ve followed any cybersecurity news over the past 10 to 20 years. In that case, you’ve noticed that security threats have only worsened. On the bright side, defenses have also improved, so it’s always a constant battle—what technology can we implement to protect data from hackers, and how do we stay ahead of new hacking methods?
This is an ongoing challenge. When discussing security and privacy, it’s important to distinguish between them. Privacy is about consent—do I consent for someone to access my data, and to what degree? Consent can be granular. For example, I might only want to share information about my allergies but not my mental health data. I may choose to share it with one doctor but not another. I might allow my mother access, but not my spouse.
Consent can become complicated. IHE provides mechanisms to manage consent through various consent-based profiles, but that’s only one piece of the puzzle.
The security piece is about protecting the data itself. This includes encryption algorithms that safeguard data stored on servers. That technology has been around for a while and continues to evolve. What has become more prevalent in the last 10 to 15 years is the HITRUST framework, which requires healthcare organizations storing protected health information (PHI) to implement policies, procedures, and processes to protect that data. But there’s a human element as well.
It’s not just about having the right encryption; it’s about training your staff. Are they following least privilege principles? Are they adhering to OWASP’s top 10 security guidelines? There are many moving parts, but frameworks like HITRUST and SOC2 help ensure that organizations working with sensitive data protect it adequately.
Jacobsen: What are the risks of a data breach? When those instances happen, how do doctors, patients, and companies react to them? How do they manage damage control? Could you provide a real-world example of why this is important rather than just listing ways to protect oneself?
Southerland: Yes. HIPAA oversees all of this.
HIPAA, which became law in 1996, introduced regulations that set limits on how patient data should be protected. Provider organizations are required to report breaches, especially when a minimum threshold of patients’ data is involved. This is a deterrent because organizations don’t want to be on the front page of the news for a data breach. These breaches are published on the CMS (Centers for Medicare & Medicaid Services) site. Then, news agencies pick them up and share them further.
This incentivizes organizations to be on top of their security measures. As interoperability has advanced, there’s been a focus on limiting the shared data. For example, does all the data need to be stored or shared? Or do I only need to share the relevant information for the care I’m receiving? Going back to consent, patients may want to say, “I don’t want to share my mental health data because that’s sensitive. I only want to share the rest of my clinical record to receive help with my cancer, diabetes, or other conditions.”
Jacobsen: Should we be concerned about having all of our healthcare information in the cloud?
Southerland: That’s a nuanced question. Yes, we should always be concerned about our banking information, healthcare data, etc. It’s the reality of the world we live in. It’s stored on a server whenever we put something on social media.
Privacy today is very different from 80 or 100 years ago. Back then, having someone photograph you could be considered a privacy violation. Today, the game has changed.
We should have faith in the servers storing our data in the cloud. The four major cloud providers—Google, Microsoft, Oracle, and AWS—all have HITRUST certification as part of their solutions. So, when healthcare organizations leverage these cloud platforms, they incorporate these rigorous security programs into their overall security policies.
There’s even an argument that data is safer in the cloud. Cloud providers have dedicated teams to monitor and protect the data from hackers. Running your own servers—renting space at a local facility and managing the servers—takes extraordinary work, specialized skills, and knowledge. Knowing that I can rely on a provider like Microsoft Azure or AWS, knowing they operate under HITRUST guidelines, gives me more peace of mind as an IT professional working on healthcare solutions involving protected health information.
Jacobsen: How does IHE’s work impact healthcare providers and patient care?
Southerland: There are a lot of different use cases here. We’ve discussed providers having the right information at the right time. Doctors often discuss relevant information—they don’t need too much information. Too much information is almost worse than not having any at all. Often, clinicians will push it aside and start over because it’s information overload.
They need to get an understanding of where their patient is. Not only do they need to understand the clinical aspects of the patient, but this is also where we’re starting to see interoperability in IHE help. We need to start looking at other buckets of data, such as social determinants of health. For example, what social factors are happening in the patient’s life? Do they have financial or other daily stresses?
We know that stress, in general, can negatively affect health. Are they in an abusive situation? That’s going to impact their overall health. Do they lack access to exercise facilities or healthy food in their neighborhood, especially in impoverished areas? These factors play a strong role in a person’s overall health. IHE and other standards organizations focus on social determinants of health and other types of healthcare data that contribute to whole-person care.
Jacobsen: What is North America Connectathon Week, and why is it significant for healthcare IT?
Southerland: This coming year it’s happening in Toronto in February. It’s a week-long event where healthcare IT vendors come together. These vendors provide solutions for doctors, provider organizations, and hospitals. During the week, they test interoperability between their systems based on IHE profiles. I’ve been attending these events for 15+ years.
It’s a robust testing environment. There are testing monitors who validate system transactions, and there’s also great interaction between vendors. It’s the best quality assurance (QA) software testing lab globally for interoperability. Solving problems through emails or scheduling conference calls can take weeks or months. At Connectathon, everyone is in the same room. You have focused time to solve the same problems in minutes to hours.
There’s such a strong sense of collaboration at Connectathon Week. You have companies that are normally competitors working together. That’s the goal—we’re looking past market competition because if we can’t make our systems interoperable, we all fail. There isn’t one big health record system that will take over the country or the world. We all have to interoperate, and that collaboration is key to success.
Southerland: There’s also much other content there that talks about healthcare events and initiatives, like TEFCA (Trusted Exchange Framework and Common Agreement), a national health information network initiative in the U.S. Connectathon Week is also international. For example, we have members and participants from Europe – France, Germany, Japan, and others – sharing their initiatives so we can learn from other parts of the world.
I’m in the U.S., so that’s where my primary focus is, but I want to know what’s happening globally because we are all trying to solve many of the same problems.
Jacobsen: What is the Connectathon seal? How does this have significance for military vendors?
Southerland: The Connectathon seal has been in the works for quite some time. It’s a recent certification that we’ve just introduced. If you look back at the history of IHE Connectathons, which started in the early 2000s, they began as part of a grassroots testing initiative to bring systems together, as we discussed earlier. Over the years, the events have become more robust and have moved toward a more formal conformity assessment approach.
In IHE we actually developed a conformity assessment scheme about 10 years ago. I’ve always seen this program as a sort of stepping stone to the new Connectathon Seal. It incorporated ISO certification processes, and the Seal builds on that. The idea was to give more substance to interoperability testing
The Connectathon seal takes this to the next level. It gives vendors something to put on their product that says, “I went through a rigorous interoperability testing process. I did all the required things. I passed the tests, and my system is ready to go.” This allows vendors to make a statement “about their product. When a provider organization, such as a hospital, is purchasing an EHR, lab system, or other healthcare technology, they can have confidence that this system has base-level interoperability capabilities.
Jacobsen: Can you elaborate on how IHE interacts with healthcare providers, patients, and business organizations to overcome barriers in data sharing while ensuring security and privacy, as discussed earlier? You mentioned that it’s not just data in the cloud that’s stolen but data in general, especially in today’s information era.
Southerland: There are many ways we could approach this topic. One of the biggest challenges is consumer access to data and data access for treatment. HIPAA regulations define different “purposes of use.” For example, HIPAA provides treatment-based access to data, as well as access for research and other healthcare industry reasons.
Consumer access, on the other hand, is regulated by the Federal Trade Commission (FTC). The FTC governs consumer apps, while HIPAA governs healthcare apps. There are different actors in this space, and they face barriers. The barriers faced by a healthcare provider differ from those faced by an individual patient or a large organization.
A lot of work has been done to bridge the gap and protect patient data. As a patient consumer, this ensures that I can’t just do wildcard searches and get a content match by guessing someone’s name or address. Much discussion and work has been done within the U.S. national exchange frameworks, like CommonWell Health Alliance and TEFCA to address this.
Scaling back to the broader part of your question, IHE does well in partnering with local and national governments. We have something called national extensions built into our Profile templates. These Profiles are implementation guides for healthcare standards. To clarify, IHE doesn’t create healthcare standards; We provide implementation guidance on how to use existing standards to solve interoperability problems.
We approach this from an international perspective, but the national extension sections within the Profiles allow for further customization based on a particular region’s needs. For example, due to different governmental policies, France might use different healthcare code sets than the U.S. – IHE allows for that flexibility through national extensions. We’ve also created regional deployment domains that oversee deployments in various countries.
Here in the U.S., we have a group called the Sequoia Project, established as the RCE—recognized coordinating entity—for TEFCA. I’m sorry; I know a lot of acronyms.
Jacobsen: That’s right. IT folks love acronyms.
Southerland: I spent a lot of time programming and grew up in that world. Now I’ve moved out of it, but I still need acronyms. The Sequoia Project is responsible for delivering the TEFCA program in the U.S., and they partner with IHE USA and IHE International to help with that. TEFCA (Trusted Exchange Framework and Common Agreement) is the Federated National Exchange Program, and it’s all built on IHE profiles.
Other elements are incorporated, but the foundation is IHE profiles. Within TEFCA, there’s something called Qualified Health Information Networks (QHINs), which basically operate as health information exchange (HIE) networks participating within TEFCA. So far, seven organizations have been designated to serve in this role. These networks undergo rigorous testing and certification processes to ensure they’re able to safely and effectively exchange data with other QHINs. They have participants that share data through their QHIN, and the QHINs acts as a gateway to exchange data across the broader ecosystem.
The system-to-system and gateway-to-gateway connections are all built on IHE profiles. So, to answer your question about how IHE helps with this, we partner with regional and local deployments to promote and advance the use of our profiles.
Jacobsen: Now, this isn’t necessarily positively framed; it is neutrally framed with the appropriate acronyms, initialisms, organization names, and real-world examples. What about the entities that are predatory when it comes to user data, organizational data, or patient data? What are the most significant and dangerous predatory actors in this space?
Southerland: That’s a good question. I’m considering how to phrase it carefully.
There are organizations out there looking to misuse healthcare data for all kinds of fraud. This is common knowledge. For instance, Medicare fraud is a big issue. In some cases, claims are filed, and payouts are made for deceased patients. Fraud like this happens.
Trust frameworks are among the mechanisms that IHE and others have built to protect against such fraud. Carequality is a great example. When you sign up to participate in Carequality, you become a network steward with legal obligations to protect the data. Given the context of this interview and its focus on IHE, that’s probably as far as I want to go, but it’s an important question.
Jacobsen: Any thoughts or feelings based on today’s conversation?
Southerland: Today I think we should have discussed the significance of healthcare interoperability. We touched on it briefly, but I’d like to expand on that.
Jacobsen: What is the potential now, and why must we focus on it?
Southerland: First, it’s important to understand that it has much potential. I would have said the same thing if you had asked me 15 years ago. But what does that mean? It means there are still many challenges to overcome in healthcare IT and interoperability. We’ve already overcome a lot, but there’s more to go.
I break it down into three stages. The first stage is building systems that can collect data. The second stage is integrating those systems—data from disparate systems and systems from different vendors and companies. In the third stage, we analyze the data, apply big data concepts, and use it on a population health scale. This is where we get into clinical research, curing diseases, and identifying trends over large populations. We can use that information to set the next generation of best practices in healthcare.
In the next 10 years, I believe we’ll see a major focus on the whole person. We talk about social determinants of health, and that’s one piece of it, but more is needed as a patient; more is needed to know what medication fits what clinical problem. I need to factor in all the other elements of my life. What’s my diet like? What’s my environment? My doctor might ask me questions during my visit, but the system must be more comprehensive and cohesive to collect and use all the facts relevant to my care. You go from one specialist to another—an orthopedist and a chiropractor—and get different answers. It leaves the patient confused about what’s best for them.
Interoperability with all that data together in a way that makes sense to the patient. It will enable patients to have better conversations with their doctors, and it will enable doctors to make better assessments because they’ll have access to the relevant data. And that’s what we’re trying to achieve in healthcare interoperability: it’s having the right data at the right time for the right patient, ultimately to improve health outcomes.
Jacobsen: Thank you very much for your time today. I appreciate it.
Southerland: Thank you.
Last updated May 3, 2025. These terms govern all In Sight Publishing content—past, present, and future—and supersede any prior notices. In Sight Publishing by Scott Douglas Jacobsen is licensed under a Creative Commons BY‑NC‑ND 4.0; © In Sight Publishing by Scott Douglas Jacobsen 2012–Present. All trademarks, performances, databases & branding are owned by their rights holders; no use without permission. Unauthorized copying, modification, framing or public communication is prohibited. External links are not endorsed. Cookies & tracking require consent, and data processing complies with PIPEDA & GDPR; no data from children < 13 (COPPA). Content meets WCAG 2.1 AA under the Accessible Canada Act & is preserved in open archival formats with backups. Excerpts & links require full credit & hyperlink; limited quoting under fair-dealing & fair-use. All content is informational; no liability for errors or omissions: Feedback welcome, and verified errors corrected promptly. For permissions or DMCA notices, email: scott.jacobsen2025@gmail.com. Site use is governed by BC laws; content is “as‑is,” liability limited, users indemnify us; moral, performers’ & database sui generis rights reserved.
In-Sight Publishing 