In addition to playing a crucial role in transforming the healthcare industry by enabling the sharing of information between disparate clinical systems and stakeholders, health information exchanges (HIEs) offer patients a unique and convenient way to decide how their health data is exchanged. They offer significant benefits and can result in improved patient care and reduced healthcare costs across a large geographic area. Most importantly, they are able to provide complete and accurate patient data, resulting in a more coordinated care process.
While the number and breadth of HIEs are growing across the United States, the issue of privacy and security offered by them has become a hot topic. Just as an HIE enables an environment with new capabilities and opportunities, it also brings about new challenges. To address these challenges, HIEs must have safeguards and guidelines in place to ensure high levels of privacy and security across the board. Although such guidelines are not foolproof, they serve to heighten the level of patient trust, which in turn adds to the success of HIEs.
A survey run recently by the National eHealth Collaborative (NeHC) polled healthcare providers, government units, HIE operators and other officials and found that the issue they believed was most likely to potentially derail HIEs was privacy and security. The United States government is taking steps and performing research to combat this issue. For example, the Office of the National Coordinator for Health IT (ONC) is working with President Obama’s cybersecurity initiative to obtain input from security experts across the country, input which will then be used by the ONC to offer standards for HIEs to follow.
There are Federal regulations in place for the exchange of patient health data, and some states have their own laws targeted toward the privacy of such information. As for HIPAA, the law follows the Federal government in that it provides specific rules for the protection of patient data, although it does not override state-level laws which offer higher levels of privacy protection for patients. The privacy and security rules of HIPAA require that protected health data be accessible to patients and released according to both state and Federal laws, and that the privacy, security and integrity of patient data be maintained.
Even with these laws and regulations in place, HIEs should follow a set of guidelines to ensure the privacy and security of their data is handled appropriately and with the right amount of protection. By tackling this issue in the planning stages of the HIE, the correct policies will be in place to offer the most secure solution to protect patient data. Although these guidelines aren’t state- or national-level law, they should work with the specific rules and regulations of the area(s) in which they serve.
First, an HIE should draft an agreement outlining the specific rules and requirements for the parties involved. This agreement should include the terms of inclusion in the HIE along with the rights and responsibilities of all involved. All stakeholders have a right to have a say on the structure of the HIE, especially patients. Without the involvement of patients and their trust, the success of an HIE is severely threatened.
Along the same lines, patients need to be educated on the advantages of HIEs and what safeguards are in place to secure their data so that it doesn’t fall into the wrong hands. They need to know what data is included in the HIE, what purpose it serves and who has access to it. Those who are authorized to view patient data must have in place specific accounting for disclosures, risk management and control, limited use statements and an appropriate opt-out procedure. Patient data should be protected by safeguards for unlikely but possible risks including unauthorized access, unnecessary disclosure, loss, significant changes and more.
Patient data for an HIE should be obtained with the consent of the patient and used only for the purposes for which it was received. To provide another layer of security, the HIE should draft a list of who can access the data. Also, the HIE needs to make sure that the people on that list are equipped with appropriate authorization. Unnecessary and/or unlawful use of such patient data can only hurt public opinion on HIEs, placing an unfortunate obstacle to an otherwise comprehensive and innovative system and solution.
Again, while not all security and privacy measures in an HIE are foolproof, having the appropriate guidelines in place to address this issue is integral to the success of an HIE. With the growth of HIEs, the potential benefits they offer can only help improve the delivery of healthcare in this country.