Health information exchanges (HIEs) continue to play an important role in healthcare, allowing the quick, easy exchange of patient information between physicians, providers, hospitals, pharmacies, payers, and other healthcare professionals while working to reduce the cost of healthcare.
Because these partnerships involve the transfer of protected health information (PHI), HIEs are under increasing pressure to ensure that their networks comply with HIPAA and are protected against breaches. Those are not the only concerns for HIEs, however. Interviews on HealthITSecurity.com have highlighted other considerations that every HIE should keep in mind when creating and updating policy.
Training and certification
Some states, including Massachusetts, Rhode Island, New Hampshire, and Minnesota, have their own privacy and security rules that affect the exchange of health information. Minnesota, for example, requires all exchange participants to be certified by the state, according to Community Health Information Collaborative (CHIC) President and CEO Cheryl Stephens. Being familiar with each state’s privacy laws and requirements is essential, especially when the exchange crosses state lines, because state rules that are more stringent than HIPAA are not preempted by it and still apply.
Stephens, in an interview with HealthITSecurity.com, also noted the importance of training staff to educate patients about the HIE. Minnesota’s system is opt-out, so patients who do not wish to participate must notify healthcare workers. Says Stephens, “In the training that we give to the ward clerks or emergency room admissions staff, when somebody says they don’t want to share they do indicate then that if you come in for an emergency there will be no information available on you, period. When they hear that’s what it means, they tend to say, ‘Well, no, that’s not what I want to happen.’”
Policy clarity
As Stephens’ account of staff training shows, patients sometimes misunderstand exactly what an HIE does with their information and why their participation matters. HIEs should be transparent, giving patients a clear picture of how the system works and how their information is used. The ONC has offered several tips on what good HIE policy looks like, including:
• simple explanations of the privacy and security policies (who has access to which PHI, what safeguards are in place, etc.)
• assurance of correct patient matching
• the ability for patients to request corrections to their information
• creation of a “Notice of Data Practices” explaining which personally identifiable information (PII) and de-identified data would or could be electronically exchanged
• patient consent for the transfer of PHI
• the ability for patients to limit what information is exchanged
Patient Participation
The personal health record (PHR), which gives patients control over who can access and receive their information, is often presented as a patient-controlled alternative to HIEs. It also removes the need for separate consent forms, which take time to process and can delay the transmission of information. HIEs can take note of this model when creating policy on patient access. Engaging patients in their own healthcare is a positive step in itself, and it can also help to verify patient matching and to confirm that the right records are being sent to the right provider.
Patient privacy
In addition to educating patients on the work of HIEs, it is also important to assure them that their information is well protected. Data breaches are a common occurrence, and even with HIPAA compliance being a large part of healthcare, patient data continues to run the risk of falling into the wrong hands. Not every exchange participant is a HIPAA covered entity in its own right (HIOs themselves, for example, are covered as business associates under HITECH rather than as covered entities), so requiring business associate agreements (BAAs) from all HIE participants is a step in the right direction. These agreements lay out clear rules on how each kind of PHI must be handled and who has access to the most sensitive pieces. BAAs may require all parties to be HIPAA-compliant, or to cover all costs of a data breach, should one occur. Informing patients of the basic terms of these BAAs is one way to earn their trust in the system.
Information security
A critical aspect of an HIE is the security of the information being transferred. A seemingly obvious rule is to send information only between trusted entities, which means verifying the identity of the party at the other end rather than assuming it. The fact that a provider is able to send and receive EHR data does not mean that it is secure or trustworthy. Systems should also be secured, and data should be encrypted both in transit and at rest. Lynn O’Mara, a state health IT coordinator in Nevada, highlighted these and other points in a July 2013 interview. Changing state and federal regulations will force changes to security and privacy policies, but staying on top of those changes and keeping system security up to date limits the chances of unauthorized access to PHI.