HIEs create privacy issues for providers

Health information exchanges (HIEs), which support secure electronic sharing of patient health information among caregivers, patients, public health authorities, and health care and payment services providers across different setting and geographical areas, are among the most promising initiatives in health care, but there are privacy and security issues that should concern risk managers.

On a large scale, HIEs make it possible to create a nationwide health information infrastructure through which providers can access any patient data that they need, regardless of location. The Health Information Technology for Economic and Clinical Health (HITECH) Act provides up to $36 billion of financial incentives to providers for using electronic health records that have the capability to support HIE through "meaningful use." The HITECH Act also gives more than $300 million in funding to regional or local health IT efforts and instructs the Health and Human Services Secretary to invest in the infrastructure necessary to enable the electronic exchange and use of health information for each individual.

But the benefits of HIEs can only be as good as the patients' willingness to share their health information, and some are reluctant to participate, since this level of sharing can increase the risks of unauthorized access to information, says Jared Rhoads, senior research analyst with CSC, a technology consulting company based in Falls Church, VA. Without patient trust and consent to share data, the usefulness and sustainability of an HIE is severely undermined, making privacy and security critical to its success, Rhoads says.

"Ensuring privacy is a challenge when you're talking about something like an HIE, which is premised on the idea of giving someone a person's personal health information, but providers are addressing the challenge; and we're seeing that they're coming up with solutions that work [for] them," Rhoads says. "They are drawing on the experience they've had with HIPAA to develop ways to make that information useful and still make sure that it doesn't get misused or used in a way for which the patient did not give permission."

The key benefit of an HIE is the ability to send and request health information. An authorized physician can access a patient's medical history and obtain a list of current medications, known allergies, and other vital information, regardless of where it was originally recorded, Rhoads says. To make the systems secure and win the trust and consent of patients, Rhoads says health care organizations must take these steps:

• Determine which data to share and how to share them.

• Develop practices to manage authorized access.

• Adopt policies and practices to prevent unauthorized access.

• Gain informed consent from patients.

• Be prepared to address breaches.

HIPAA may be revised

Some caution is warranted when establishing or joining an HIE, but providers should be careful not to focus excessively on privacy concerns, says Greg DeBor, client partner for health delivery with CSC, who developed and oversaw the New England Healthcare Exchange Network (NEHEN), a consortium of regional payers and providers that includes 55 hospitals, eight health insurance plans, and tens of thousands of practitioners. NEHEN started in 1998, first with only administrative data and then clinical data also, and it is one of longest-running HIEs in the country.

DeBor notes that implementation of HIEs can be hampered by concerns over how to share data while still meeting the privacy and confidentiality requirements in the Health Information Portability and Accountability Act (HIPAA). Much of that concern is justified, he says, but it is clear that the government wants to encourage HIEs and won't let HIPAA stand in the way. With providers wondering how they can comply with HIPAA and still meet the goals of an HIE, DeBor says there likely will be changes to HIPAA to address those problems.

"The privacy section of HITECH says that the federal government will have to tighten up some things that were first specified in HIPAA to make these HIEs possible," he says. "First, there has to be a much more [prescriptive] definition of what constitutes operations, because HIPAA allows sharing of data if it's related to payment, treatment, and operations, but the operations part of that has been loosely interpreted by the industry. Also, the government needs to hire a chief privacy officer for the nation and to give the industry more guidance on privacy and security."

Risk managers involved in developing an HIE should consult with the business side of the health care operation to understand what kind of data requests are received from business partners, DeBor says. The meaningful use policy requires that the provider share significant amounts of data to earn incentives, but the types of data will vary from one provider to the next, he says.

Another issue involves consent from patients. If HIPAA is refined to indicate that HIE data is included in the "operations" definition, consent may not be as necessary, but as the law stands, it appears that each patient will need to consent to having data included in the exchange, DeBor says.

"Making patient data available to others opens up a lot of questions about how that data is used and who will be responsible if it is misused. If you exchange data and that data is misused by someone else down the line, are you liable?" DeBor says. "You had better be able to document your disclosures, at least, so that you can document who you shared data with and create an audit trail on that. That's one place to start when looking at liability issues, building that into the system and taking into consideration with the design of the exchange."

[CSC has made a white paper on HIE confidentiality and security available on its website at no charge. Go to www.csc.com/health_services/insights/30034-hitech_s_impact_on_health_information_exchanges_key_decision_points_for_privacy_and_security.]

Sources

For more information on HIEs, contact:

• Jared Rhoads, Senior Research Analyst, CSC, Falls Church, VA. Telephone: (781) 290-1740. E-mail: jrhoads@csc.com.

• Greg DeBor, Client Partner for Health Delivery, CSC, Falls Church, VA. Telephone: (781) 290-1308. E-mail:gdebor@csc.com.