Opt-in can help protect hospital from HIE risks

When participating in a health information exchange (HIE), the primary exposure for a hospital is the potential breach of a patient’s protected information, which would violate HIPAA (the Health Insurance Portability and Accountability Act), says James M. Kunick, JD, chair of the Intellectual Property & Technology group at the Chicago-based law firm Much Shelist.

“The hospital has the responsibility to protect the information, and if they provide it to the HIE without the patient understanding that the information might go there, when there is a breach in confidentiality, the hospital is likely to end up one of the defendants in a lawsuit,” Kunick says. “Even though they really did nothing wrong, they still have to defend themselves for providing information to an exchange that did not adequately protect the data.”

In such a case, the hospital would have to prove that it did due diligence before entering into a relationship with the HIE, Kunick says. The best way for a hospital to protect itself is to establish an opt-in program for HIE participation, even if the state does not require it, he suggests.

“You already will give them the HIPAA consent form in which they acknowledge that you have their personal health information, but you can add an opt-in for them to agree that you may provide that information to a health information exchange,” he says. “You don’t require it, but you inform them up front and you tell them what the risks are, and you ask them to opt in. Some will say no, and with the others, you have that to rely on if anything happens later.”