A. Health Spending >> Health Cost Containment >> Improve Administration >> Health IT >> Governmental Health IT Initiatives >> Health Information Exchange (HIE) (last updated 8.27.16)
Lead Editor: Dana Beezley-Smith, Ph.D.
- 1 Overview
- 2 Nationwide Health Information Network (NwHIN) (now eHealth Exchange)
- 3 Statewide Health Information Exchange
- 4 Community Health Information Exchange
- 5 Health Information Exchange and Patient Privacy
- 5.1 Data Anonymization/De-identification
- 5.2 State HIE and Patient Privacy
- 5.3 Health Information Exchange and the Health Insurance Portability and Accountability Act (HIPAA)
- 5.4 Patient Consent to Share Information
- 6 Resources
The phrase “health information exchange” (or HIE) can have two meanings. As a verb, HIE refers to “the electronic movement of health-related information among organizations according to national standards.” As a noun, HIE describes “an organization that brings together various stakeholders within a defined geographical are and governs health information exchange among them for the purpose of improving health and care.” HIE is intended to be a national, regional, and even community-based effort. As conceived by the Office of the National Coordinator for Health Information Technology, the health information exchange process “allows doctors, nurses, pharmacists, other health care providers and patients to appropriately access and securely share a patient’s vital medical information electronically — improving the speed, quality, safety and cost of patient care.”
- There are currently three key forms of health information exchange processes (9.17.15):
- Directed Exchange – ability to send and receive secure information electronically between care providers to support coordinated care;
- Query-based Exchange – ability for providers to find and/or request information on a patient from other providers, often used for unplanned care;
- Consumer Mediated Exchange – ability for patients to aggregate and control the use of their health information among providers.
- HIEs “also provide the infrastructure for secondary use of clinical data for purposes such as public health, clinical, biomedical, and consumer health informatics research as well as institution and provider quality assessment and improvement.”
Types of Organizations That Drive HIE
- Providers – Dominant provider(s) in a given geographic or medical trading area determines the need for HIE.
- Employers – Large employer(s) with targeted business objectives (e.g., reducing costs, PHR offering to employees) coalesce around area providers.
- Payers – Dominant payer(s) may drive the process by sponsoring initial meetings, facilitating initial development activities, providing initial seed money or offering claims-based data or software.
- Private/Public Communities or Coalitions – Local/regional stakeholders coalesce around unique business and/or geographic interests.
- State-Sponsored/State-Directed Collaboration – States, acting as conveners, may organize state-wide HIE and/or encourage local/regional HIEs and may provide funding for these regional initiatives through grants for planning and implementation. (Healthcare Information and Management Systems Society, 2010)
Nationwide Health Information Network (NwHIN) (now eHealth Exchange)
The Nationwide Health Information Network (NwHIN) is sometimes described as a “network of networks” that allows participants (state level exchanges, federal entities, public health entities and health information organizations) to locate and exchange health information electronically. The initiative is sponsored by the Office of the National Coordinator (ONC) for Health Information Technology, which began developing the NwHIN in 2004.
- Department of Health and Human Services. (February 2009) “The Nationwide Health Information Network is a collection of standards, protocols, legal agreements, specifications, and services that enables the secure exchange of health information over the internet. The NHIN is a key component of the nationwide health information technology strategy and will provide a common platform for health information exchange across diverse entities, within communities and across the country, helping to achieve the goals of the HITECH Act. This critical part of the national health IT agenda will enable health information to follow the consumer, be available for clinical decision making, and support appropriate use of healthcare information beyond direct patient care so as to improve public health.”
- National Health Information Exchange: Why The Delay? “A public-private consortium is putting in place a system that should provide interoperability among disparate EHR systems and HIEs. If it’s successful, it will provide plug-and-play connectivity between EHRs and HIEs and between HIEs. This initiative would drastically cut the expense of interfaces and would let more than half of the U.S population and their healthcare providers access health data shared among multiple states and systems… Healtheway, the new private-sector entity that operates the eHealth Exchange (successor to the Nationwide Health Information Network), has partnered with a consortium of states, EHR vendors, and HIE vendors to implement standards that will make it easier to exchange health information. Despite this progress, there’s at least one issue no one wants to touch: the individual patient identifier code.” (InformationWeek Healthcare, 11.5.12)
Statewide Health Information Exchange
The State HIE Program launched in February 2010 and provided many grantees with funding and time to develop strategic and operational plans (SoPs) to enable statewide exchange prior to launching their implementation efforts. By early 2012, all grantees had ONC-approved SoPs and had launched implementation activities; thus reporting of implementation progress began in Q2 2012. See here for implementation charts compiled by the Office of the National Coordinator for Health Information Technology (ONC).
- In February and March 2010, ONC granted 56 awards totaling $548 million to 56 states, eligible territories and and qualified State Designated Entities (SDE) to “develop and advance resources to facilitate the exchange of health information among health care providers and hospitals within their jurisdictions to ultimately encourage and support information exchange across states.” A list of awardees is found here.
- On January 27, 2011, an additional $16 million was made available to states through ONC’s HIE Challenge Grants program. This program tasked grantees to develop solutions to “create and implement up-to-date privacy and security requirements for HIE; coordinate with Medicaid and state public health programs to establish an integrated approach; monitor and track meaningful use HIE capabilities in their state; set strategy to meet gaps in HIE capabilities; and ensure consistency with national standards.”
State Health Information Exchange Cooperative Agreement Program
- Objective: In March 2010, ONC awarded cooperative agreements to a total of 56 states, eligible territories, and qualified State Designated Entities (SDEs) to support the establishment or expansion of HIE efforts [ONC 2014a]. Grantees were given several options for governing HIE activities to carry out their core duties: administrative coordination, managing progress toward technical program goals, and convening all relevant stakeholders to support the program.
- Outcome: There is general public consensus that the State HIE program encountered a number of both anticipated and unforeseen challenges which hampered its efforts in ensuring access to electronic information exchange for all eligible health professionals. While successes were realized in several states, wide variation in the governance, funding and technical implementation of HIEs produced mixed results in the program as a whole… In addition to legislation to support HIE, many states established an “opt-out” consent model (which automatically includes patient data in the health information exchange unless s/he explicitly opts out of participation) to increase patient participation in the exchange. Evaluating HITECH: Successes, Barriers, and Future Opportunities. Robert Wood Johnson Foundation (2015).
Community Health Information Exchange
According to health information exchange specialist Mark Anderson, the approach “that makes the most sense – and provides the greatest opportunity for scalability – is the community-based HIE, designed to facilitate interoperability among disparate EHR and other clinical information systems. Community-based HIEs provide the infrastructure and platform to share data not only across, but also beyond, a single enterprise.”
The Commonwealth Foundation (7.1.14) gives background on the effort, writing that communities are reacting to the “growing recognition that social factors—such as individual behavior, socioeconomic status, and the physical environment—have a greater impact on health outcomes than medical care.” Community-level efforts have begun to emerge to address “services that impact health, including social supports, housing, economic opportunities, education, public health, and community resources.” Cross-agency data-sharing enables “providers and community organizations to input and access patient- and population-level information.” The Affordable Care Act’s emphasis on improved health outcomes is seen as favorable to integration of health services and social services programs within communities.
Population Management (PM), also called Population Health Management (PHM), or Practice-Based Health Management (PCHM) is seen as an effective strategy for reducing costs while improving outcomes in communities. See Population Management.
Health Information Exchange and Patient Privacy
State HIE and Patient Privacy
- Federal Privacy and Security Requirements and Guidance for State HIE. In March 2012, ONC released its Program Information Notice for states and State Designated Entities (SDEs) on “approaches to ensuring private and secure health information exchange of individually identifiable health information (IIHI). It addresses concerns from State leaders and other stakeholders that health information exchange efforts have been hampered and slowed by the lack of consistent approaches to core privacy and security issues and responds to requests for clear national guidance.” These approaches can be compared to the more privacy-protective December 2008 Nationwide Privacy and Security Framework For Electronic Exchange of Individually Identifiable Health Information.
- Collection, Use and Disclosure Limitation. “In principle, a health care provider should only access the minimum amount of information needed for treatment of the patient. This guidance does not apply to de-identified data and would not otherwise apply to public health authorities that are legally authorized to receive the requested information.”
- Individual Choice: “Where HIE entities serve solely as information conduits for directed exchange of IIHI and do not access IIHI or use IIHI beyond what is required to encrypt and route it, patient choice is not required beyond existing law. Such sharing of IIHI from one health care provider directly to another is currently within patient expectations.
- “Where HIE entities store, assemble or aggregate IIHI beyond what is required for an initial directed transaction, HIE entities should ensure individuals have meaningful choice regarding whether their IIHI may be exchanged through the HIE entity. This type of exchange will likely occur in a query/response model or where information is aggregated for analytics or reporting purposes.
- A patient’s meaningful choice means that choice is: Made with advance knowledge/time; Not used for discriminatory purposes or as condition for receiving medical treatment; Made with full transparency and education; Commensurate with circumstances for why IIHI is exchanged; Consistent with patient expectations; and Revocable at any time.”
- Openness and Transparency: “Individuals should be able to determine what information exists about them, how it is collected, used or disclosed and whether they can exercise choice over any of these elements. Where HIE entities store, assemble or aggregate IIHI, individuals should have the ability to request and review documentation to determine who has accessed their information or to whom it has been disclosed. All policies and procedures consistent with the recipient’s Privacy and Security Framework should be communicated to individuals in a manner that is appropriate and understandable.”
- Protecting Patient Privacy: Strategies for Regulating Electronic Health Records Exchange. “Electronic sharing of health records promises significant benefits. Ensuring that patients are able to control who has access to what parts of their medical histories is vital to this endeavor. Providers and public health advocates consider indispensable unfettered access to individual medical records that technology now makes possible. However, well-established law and policy have recognized that patients have the right to control access to their private medical information… Allowing patients to retain a measure of control over their medical records will increase confidence in the system’s ability to safeguard confidentiality. This, in turn, will likely result in increased patient and provider willingness to participate in electronic health information exchange. It is the position of the NYCLU that the state should revisit policy choices that affect the ability of patients to control the dissemination of their personal medical information. Accordingly, we offer 10 specific recommendations designed to accommodate patient concerns, and in turn, create a more reliable information-sharing system.” (New York Civil Liberties Union, March, 2012)
- HIE Implementation Creates Patient Privacy Issues. “You have greater privacy rights regarding the size of a shirt you purchased online than you do about information in your mental health records under the Consumer Privacy Bill of Rights, issued by the White House in February 2012… The Health Information Privacy Bill of Rights, developed with the American Psychoanalytic Association, comes at a critical time when, with the nationwide implementation of Electronic Health Records (EHRs) and Health Information Exchanges (HIEs), the issue of patient privacy is more important than ever. With the advent of electronic records, Mr. Pyles and others point out that it’s possible to improperly disclose identifiable electronic health information of millions of patients almost instantly… Mr. Pyles notes that the Consumer Privacy Bill of Rights excludes patients to the extent their health information is covered by HIPAA, while offering greater privacy rights with respect to health information not covered by HIPAA. He cites the year-long study by ANSI and others that uncovered the ‘inadequacies’ of HIPAA, including the fact that the HIPAA Privacy Rule was not even intended by the Department of Health and Human Services to serve as a ‘best practices’ standard for privacy protection. This means that HIPAA-protected PHI does not benefit from the Consumer Privacy Bill of Rights and is subject to the same privacy pitfalls as before.” (HIE Answers, 7.30.12)
Health Information Exchange and the Health Insurance Portability and Accountability Act (HIPAA)
Also see Governmental Health IT Initiatives, Health Insurance Portability and Accountability Act (HIPAA).
- Personal Health Records and the HIPAA Privacy Rule. “The Privacy Rule’s use and disclosure provisions were designed with the typical business or clinical health care record in mind, whether paper or electronic, and the uses and disclosures covered entities would need to make of this information for their core health care functions. Thus, the Privacy Rule generally allows covered entities to use and disclose an individual’s PHI (Protected Health Information) for treatment, payment of health care, and health care operations (certain functions that support treatment and payment). See 45 C.F.R. § 164.506. Also, in recognition that there are certain legitimate and important additional uses of an individual’s health information, the Privacy Rule allows a covered entity to disclose, subject to conditions, an individual’s PHI for certain other purposes, such as” Research, Emergency Preparedness, and Public Health. See 45 C.F.R. §§ 164.510, 164.512, 164.514(e).” (HHS Office for Civil Rights, 2008)
- Keeping Strong HIE Security Through Interoperability Push. “As reported by HealthITSecurity.com, the HIPAA Privacy Rule has a series of guidelines to ensure PHI security in HIE. Most notably, this includes minimum necessary standards, which means that there are standards for how much PHI can be disclosed via HIE… ‘In some cases, the Privacy Rule does not require that the minimum necessary standard be applied, such as, for example, to disclosures to or requests by a healthcare provider for treatment purposes.” (HealthIT Security, 9.17.15)
- Eleven Different Myths About HIPAA, Patients and Medical Records Privacy. “The Health Insurance Portability Accountability Act (HIPAA) was passed by the US Congress in 1996. It was originally intended to protect a patient’s access to insurance, ensuring that even if someone lost his job, he would be able to get insurance without regard to a pre-existing condition. Later, security policies were added to cover the electronic sharing of medical records. Today HIPAA is comprised of an unwieldy set of policies and laws that are confusing and too easily misunderstood by patients and health professionals alike.” (Patients.About.com, 1.31.16)
Shortly after the state health information exchange effort began, stakeholders debated how patients could be involved in decisions about which entities could access their private health information. Some have advocated that patients “opt in,” while others see informed consent as impractical and argue that patients have only the option to “opt out” of health data sharing (also called “implicit consent”).
AHIMA, 2010: “Within an opt-in model, patients or consumers actively choose to allow their health information to be exchanged with the HIE. The HIE, and therefore the organizations and providers, can presume that every patient made an informed decision to participate. The burden of agreement is placed with the organization or provider, who will ask patients to sign an agreement at the time of treatment. In this model the HIE assumes that patients will be adequately educated at the organizational level and understand what the exchange of their information means. Organizations must also manage those patients who choose not to share information. Patients who do not want information shared will require organizations and providers to implement policies and procedures that ensure the exchange does not occur. If relatively few patients choose to participate in the HIE, it is unlikely that its data will become a useful resource. It will not realize the full potential of a longitudinal patient care record designed to improve the quality of healthcare.”
AHIMA, 2010: “In opt-out models, patients must choose to restrict their information if they do not want it shared within the HIE. As a result, the HIE likely offers a greater number of records than it would if it recruited patients individually through an opt-in model. The HIE still assumes that patients are adequately educated at the point of care and that those who opt out have been adequately educated on the consequences of not sharing information.”
AHIMA, 2010: “A key challenge for both models is communicating the current process for exchanging information. Currently the HIPAA privacy rule allows healthcare facilities to share patient information for treatment purposes with other organizations or providers without a patient’s authorization; however, individual state laws may prohibit this exchange.
“Consumers may not understand that the HIE provides the same exchange of patient information in a potentially easier format because it combines information from multiple organizations and providers at one time. Thus, patients who elect to exclude their information from the HIE do not prevent their information from being shared; it is just shared in a slower media such as faxes from each individual organization or provider.”
- Policy Group Wrestles with Opt-in Versus Opt-out. “At its monthly meeting held Wednesday, the HIT Policy Committee wrestled with patients’ rights to opt in or opt out of health information exchange…The debate comes down to whether or not patients’ electronic health records, even de-identifed, should automatically be included in HIEs, with the patients opting out if they do not want to participate. The other school of thinking says all patients’ records should not be sent anywhere, unless patients choose to opt in. ‘This is a challenging and contentious topic,’ Tang said. ‘Patients should not be surprised by where their records go.’ Committee member Judy Faulkner from Epic Systems said it comes down to a moral and ethical decision. She recommended that policy on the issue be based on evidence, not on the ‘vocal minority’ of privacy activists. Gayle Harrell, former Florida state legislator was adamant. ‘Giving people an ‘opt-out only’ is not a choice.’ It is a constitutional and legal right to have your health information private, Harrell said. Once it is breached, it can’t be retreived and the damage can’t be repaired. ‘There should be a full public debate on this,’ she said, ‘beginning in state legislatures.’ Neil Calman, the Institute for Family Health, was of the opposite opinion. ‘Opting in is not a reality,’ he said. There are hundreds of thousands of patients on some medical practices’ rosters, Calman said. How will they get time to sit down and help each patient make an informed decision? Doctors can’t take on that burden. Calman said the ultimate decision could be made by a patient choosing to not see a doctor who uses electronic health records. Use of EHRs implies data exchange, he said.” (HealthCare It News, 7.22.10)
- Protecting Patient Privacy: Strategies for Regulating Electronic Health Records Exchange. “Once a patient’s medical information is included in the network, the state should offer three clear options regarding provider access to such information: Opt in: Patients consent to make information in their medical records available to specific, designated providers through electronic information networks. Opt out: Patients prohibit under all circumstances access to their medical information through electronic information networks. Opt out with exception: Patients consent to make information in their medical records available through electronic information networks only in the case of a medical emergency. In addition to offering these patient consent options, patients must be notified in advance of a provider’s joining an electronic records exchange. This notice must clearly explain the manner in which electronic medical records will be accessible, as well as the steps a patient can take to exclude or limit the release of their medical information through an HIE. This same notice requirement should apply when the network of providers with access expands, as for example, when a hospital that has previously obtained consent from a patient adds new affiliates. Under current consent policies, these affiliated providers may gain access to the patient’s records. It should not be left to the patient to continually check a website to find out whether new providers have joined an exchange network.” (New York Civil Liberties Union, March, 2012)
- Joining an HIE or RHIO? Navigate the Opt-In/Opt-Out Decision Carefully. “Whether you’re joining a statewide HIE network or a regional health information organization (RHIO), you’ll be communicating the transition to your patients, who must be notified of the change in accordance with state laws. Some states, such as Tennessee and New York, have legally mandated the framework for HIE patient consent methodology. If yours hasn’t, you’ll need to choose your approach and should be prepared for the consequences of what you select…If you’re going with an ‘opt-in’ method, each of your patients must express their authorization to take part in the HIE program or RHIO in order to become enrolled. Usually, a consent form is presented to patients, which they sign and return to participate in the network. Consumer rights activists and patients with strong concerns about health information privacy – such as those with illnesses they consider stigmatizing – advocate for the opt-in approach. With the ‘opt-out’ method, patients are notified that their provider is joining an HIE network and informed that unless they formally and explicitly request to be excluded, they’re automatically enrolled in it. Following notification, their health information becomes exchangeable through the program… There are other consent models, including ‘opt-in with exceptions’-type blended methods and the ‘notice only’ no-consent approach – still legal in some states – which does not present patients with the option of declining participation.” (Power Your Practice, July 2013)
- By the end of 2013, most states had chosen the opt-out (or implied consent) approach to the sharing of personal health data.
Who Owns Patient Data?
- The Consent Conundrum. “Decades after a woman’s cervical cancer cells were taken without her permission, we’re still trying to determine what rights researchers have to your body…[E]ven today, Henrietta Lacks would not have had to be informed about the research done on her cells: Tissue research is among the fields with the fewest regulations about consent, and the sample was initially taken for diagnostic purposes. Disregard for something so basic as consent is still disturbingly common.” (Slate, 2.2.10)
- Obama Says People Who Give Genetic Samples for Research Should Own Their Own Data. “On Thursday the White House held a summit to discuss progress on its Precision Medicine Initiative, first announced last year… Sharon F. Terry, CEO of the Genetic Alliance, told the New York Times, ‘I had not heard this before from the president or anyone high-up at the White House… The Precision Medicine Initiative has been trying to shift the conversation toward the idea that participants should be partners, but this is a really, really hard issue.’… [M]ost research institutions do consider genetic findings to be their intellectual property, even though experiments are usually based on data from real people. And cases like that of Henrietta Lacks—whose cervical cancer cells were collected in 1951 and have lived on as research cell lines ever since—show how complicated and enduring these ownership disputes can be.” (Slate, 2.26.16)
- Patient Records: The Struggle for Ownership. “There is no consensus on who owns medical records. The Health Insurance Portability and Accountability Act (HIPAA) does not specify ownership, and state laws are inconsistent. Only New Hampshire has a law stating that patients own their medical records. In 20 other states, providers own them. The rest of the states have no legislation addressing the matter, according to an analysis of state laws by Health Information & The Law, a project of the George Washington University’s Hirsh Health Law and Policy Program and the Robert Wood Johnson Foundation. Legal opinions on the matter differ as well. Daniel Shay, JD, an attorney with Alice Gosfield & Associates in Philadelphia, says, ‘The general understanding of the legal community is that patients own their records, or it’s their interests that are ultimately paramount.’ Michael Bossenbroek, JD, a partner in Wachler & Associates, of Royal Oak, Michigan, says Michigan doesn’t have a clear rule regarding record ownership. ‘The default setting is that the records belong to the provider who has the control over it,’ he says.” (Medical Economics, 12.10.15)
- NYCLU Warns of Serious Privacy Concerns in Proposed Electronic Health Records Regulation. “The Statewide Health Information Network for New York allows health care providers to share medical information with each other. The proposed regulation, submitted for public comment in November, would provide rules for how health records within the network could be shared and with whom. As proposed, the regulation would not give patients adequate control over their medical information, while ignoring state laws which provide added protections, including protections regarding the medical records of minors. They would also give the government broad access to health records beyond what current law requires and they would allow health care providers emergency access to health records despite there being no state law authorizing such access… The Health Department should require consent to upload data or, at the very least, guarantee patients a choice to opt out of upload.” (New York Civil Liberties Union, 12.22.15)
- AHIMA. “Understanding the HIE Landscape.” Journal of AHIMA 81, no.9 (September 2010): 60-65.
- Health Information Exchange: Persistent Challenges and New Strategies. Details the history of attempts at HIE since the 1990’s and provides recommendations for regional and community-based HIE. (JAMA, May/June, 2010)
- Managing Information Privacy & Security in Healthcare: RHIOs and HIPAA. HIMSS RHIO Guidebook Task Force, 2007.