

Health Information Exchange (HIE): What to Look for When Considering an HIE

Healthcare data continues to see growth in both its size and value. Healthcare data is so valuable that companies like Google are investing in agreements with companies like Ascension for access to health information. The future of healthcare data is moving toward more alliances such as Google’s, but also toward more provider agreements to exchange health information.

Health Information Exchange (HIE) can be beneficial to all parties, providing for increased efficiency in patient care and reduced healthcare costs. An electronic HIE allows providers to access and share a patient’s medical records quickly from appointment to appointment, better coordinating care between providers through connected electronic health records (EHRs). This can benefit providers by avoiding medication errors and improving diagnosis with better access to their patients’ medical history. While an HIE can be a useful tool that allows health care professionals to securely access and share patients’ medical history, there are also risks. If your organization is considering entering into an HIE, there are certain things you should consider.

  • What is the cost? Some HIE options have certain transaction or subscription fees that can come in the form of monthly costs. Additionally, your organization may need to perform technology upgrades to enter an HIE, or more routine maintenance of your existing system. Some electronic health record systems can already enter an HIE, but the sustainability of the HIE should be considered.
  • What is your current cybersecurity? You could be liable for a breach of any private patient information your organization might store, and you need the necessary security to protect it, which might mean an upgrade from your current security. An example of this liability is the potential unlawful disclosure of patient information received through the exchange. Your organization needs the right technology and security to support patient privacy in the HIE. You should also be familiar with the cybersecurity of the HIE and be comfortable with the security process, as an HIE is considered a business associate under HIPAA.
  • How will the data be used? It is important to clarify who can access patient data within the HIE and how it will be used. You should set a procedure for using the HIE data that still protects patient privacy. This can include an authentication and password system for those allowed to access the information. Routine audits can also ensure the appropriate use of the data and patients’ PHI.
  • What will your patients think? Consider what concerns your patients might have or how they might perceive the HIE. Be open about the use of the HIE and perhaps include some information in your lobby so they can learn about the HIE. Your organization must receive patients' signed consent to access their health information through an HIE. This could be included in your organization’s existing HIPAA consent form or on a new form, as long as it is clear to the patient that the consent is for their participation in the HIE. All patients must give consent before their information is shared or accessed through the HIE and must be allowed to choose if they wish to participate. You should review your consent form with your organization’s counsel to ensure all the necessary elements for a patient to make an informed decision are included.



The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.