What to Look for When Considering a Health Information Exchange

Executive Summary 

A health information exchange (HIE) allows healthcare professionals to securely access and share a patient’s medical information electronically. Thus, HIEs can improve the quality of healthcare delivery by coordinating care among unaffiliated providers. Despite many benefits, there are risks with incorporating a HIE that providers must be aware of to mitigate their liability. 

Recommended Actions 

• Evaluate your existing cybersecurity system before entering into an HIE to assess any weaknesses or patches in your IT system. 
• Ensure that your healthcare organization has a procedure for discussing the potential for an HIE with patients. 
• Consider posting notice of the potential for an HIE in highly visible areas of your practice, such as a waiting room. 
• Monitor your state and local regulations regarding exchanging patient information since these rules can be even stricter than HIPAA.  

Healthcare data continues to grow in both size and value. Healthcare data is so valuable that companies such as Google are investing in agreements with companies like Ascension for access to health information. The future of healthcare data is moving toward more alliances such as Google’s, but also toward more provider agreements to exchange health information. 

Health information exchanges (HIE) can benefit all parties, providing for increased efficiency in patient care and reduced healthcare costs. An electronic HIE allows providers to efficiently access and share a patient’s medical records quickly from appointment to appointment, better coordinating care between providers through connected electronic health records (EHRs). This can benefit providers by avoiding medication errors and improving diagnosis with better access to their patient’s medical history. 

However, while an HIE can be a useful tool that allows healthcare professionals to securely access and share patients’ medical history, they also come with risks. If your organization is considering entering into an HIE, there are certain things you should consider.  

What is the cost?

Some HIE options have certain transaction or subscription fees that can come in the form of monthly costs. Additionally, your healthcare organization may need to perform technology upgrades to enter an HIE or more routine maintenance of your existing system. Some electronic health record systems can already enter an HIE, but the sustainability of the HIE should be considered.  

Will your current cybersecurity need an upgrade?

You could be liable for a breach of any private patient information your organization might store, and you need the necessary security to protect it, which might mean an upgrade from your current security. An example of cybersecurity breach liability is the potential unlawful disclosure of patient information received through the exchange. Your healthcare organization needs the right technology and cybersecurity to support patient privacy in the HIE. You should also be familiar with the cybersecurity risks of the HIE and be comfortable with the security process, as an HIE is considered a business associate under HIPAA. 

How will the data be used?

It is important to clarify who can access patient data within the HIE and how it will be used. You should set a procedure for using the HIE data that still protects patient privacy. This can include an authentication and password system for those allowed to access the information. Routine audits can also ensure the appropriate use of the data and patient PHI.  

What will your patients think?

Consider what concerns your patients might have or how they might perceive the HIE. Be open about the use of the HIE and perhaps include some information in your lobby so they can learn about it. Your healthcare organization must receive patients' signed consent to access their health information through an HIE. This could be included in your organization’s existing HIPAA consent form or on a new form, as long as it is clear to the patient that the consent is for their participation in HIE. All patients must give consent before sharing or accessing their information through HIE and must be given a choice to participate. You should review your consent form with your organization’s counsel to ensure that all the necessary elements for a patient to make an informed decision are included. 

Lessons Learned 

• Ensure that your practice has a HIPAA-compliant HIE that all HIE partners have signed.   
• Vet the company you’re considering before entering into a HIE by consulting with at least two other providers who use that same vendor. 
• Ensure that the company your healthcare practice creates a HIE with understands HIPAA’s privacy and security rules prior to entering the HIE. 

Potential Damages 

Healthcare organizations that exchange patient’s protected health information without the proper safeguards and procedures in place run the risk of HIPAA violations and the associated fines and financial penalties. Although HIPAA violations specifically related to HIEs are relatively infrequent, the damages resulting from such a violation can quickly add up.