Managing opt-in and opt-out policies between different states can become problematic for healthcare organizations trying to exchange data as well as health information exchange (HIE) organization itself.
This has been one of Healtheway’s, a non-profit, public-private collaborative that operationally supports the eHealth Exchange main initiatives. Previously referred to as the Nationwide Health Information Network Exchange, Healtheway does a lot of work with interoperability standards, while not losing sight of privacy and security needs. Starting out as an Office of the National Coordinator for Health Information Technology (ONC) nationwide health information network program in 2007, now there are thousands of public and private organizations now participate in the eHealth Exchange. Mariann Yeager, Executive Director of Healtheway, Inc., explained to HealthITSecurity.com how Healtheway approaches the variety of opt-in and opt-out policies in different states.
Yeager said that it became pretty clear in the early days when eHealth exchange started as an ONC initiative that it would be challenging for the organization to come up with a single policy that could harmonize privacy and security requirements. While the national policy issue was is currently being addressed at ONC, Yeager said Healtheway prefers to keep things simple.
The approach that’s being employed [at Healtheway] is very simple and we’re finding that it works because there are basically two principles: (1) You have to comply with whatever applicable laws pertain to you. If you’re doing business in a particular state that requires consent, then of course you’re going to have to meet your consent requirements before you can disclose data. And (2) there’s the principle of local autonomy, recognizing that there are different policies at a local level. And there’s a respect that the decision to release this information should be local based on the laws they’re subject to.
Having these standards in place helps Healtheway ensure organizations to have confidence that they can exchange data as is permitted by their individual state’s law without having to abide by other states’ laws.
And the same holds true for having to share data between private and government entities, Yeager added. “There are going to be differences, but we weren’t in a position to be in a regulatory authority,” she explained. “So it made sense to work within the legal and regulatory frameworks rather than create something new.”