Health Information Exchanges
Health information exchanges (HIEs) are entities that bring together health care stakeholders generally within a defined geographic area and govern the electronic sharing of health information among them for the purpose of improving health and care in that community. The fundamental concept behind creating HIEs is that the ability to exchange health information electronically is critical to the efforts to improve the delivery of care in the United States.
The governance, structure and geographic scope of HIEs vary across the country. Some may serve a small geographic region, while others serve an entire state or multi-state region. HIEs also differ in technical models, with some acting as conduits of health information and others serving as repositories of health data. There is also wide variance in the types of clinical data exchanged and services offered by HIEs.
Participation in an HIE offers many potential gains in care quality and efficiency. However, physicians must thoroughly research an HIE to identify any potential disadvantages of participation before signing a contract. Major topics of concern regarding HIE participation include costs/risks, use of HIE data for purposes unrelated to treatment, unique liability situations, HIPAA compliance with privacy and data security requirements, and negative impact on physicians’ work flow. Additionally, the recent dissolution of several HIEs has raised concerns regarding HIE viability and sustainability. Physicians could invest in workflow changes and technology upgrades to participate in an HIE, only to see their investment wasted if the HIE collapses. All of these issues underscore the need for physicians to have a thorough understanding of the implications of joining the HIE before making a final decision.
Services offered by HIEs
The services available will vary with each individual HIE, but some of the possible functionalities for HIE initiatives include connectivity to electronic health records (EHRs), health summaries for continuity of care, clinical decision support tools, and more.*
There are many potential benefits for physicians and group practices in joining an HIE, both in terms of receiving and sending information. The inbound and outbound data provided by an HIE can benefit a physician/group’s operations in many ways, which may include improved quality and safety of patient care, availability of information where and when it is needed (at the point of care), reduced health care costs by minimizing service duplication, and more.*
The costs of participating in an HIE are dependent upon the specific initiative, and it is key for physicians to carefully investigate the direct and indirect costs of participating in a particular HIE. The fees associated with accessing HIE data are the obvious direct costs of participation, and the fees may be charged per transaction, monthly, annually, or a combination of transaction and subscription fees, depending on the specific HIE. The fees for HIE participation may change over time, particularly if the HIE is initially dependent upon federal funds. For this reason, physicians should be sure to inquire about how and when they will be notified of future price changes.
Additional costs for HIE participation may include the expense of upgrading the physician office’s IT systems to meet the system requirements of the HIE. Finally, the indirect costs of lost revenue and productivity due to changes in work flow processes during the implementation phase should be factored in when determining the overall cost of participating in an HIE.
Potential liability concerns
It is key for physicians to understand the potential liabilities involved in HIE participation and how those liabilities are shared among the participants. Primary liability concerns related to HIEs include: liability for data storage and management, liability for data accuracy and completeness, liability for decisions made with inaccurate data, duty to review, reproducibility of data available in the HIE at a particular moment in time, and availability of audit/access logs. While physicians should consider these issues before joining an HIE, it is important to note that HIE liability is a still-evolving field that generally lacks legal precedent.**
* HIEs vary widely in terms of capabilities and services, and may not offer all of the services and benefits listed above, making it critical for physicians to investigate an HIE’s services before agreeing to join. As with any legal document, physicians should consult with their legal counsel before signing an HIE contract. Additionally, the contract should be reviewed to ensure that the conditions are as favorable to the physician as possible. Visit the HIMSS website or e-Health Initiatives website for more information.
** Physicians participating in HIEs may face complex questions and many uncertainties related to liability. As the liability landscape related to HIEs continues to evolve, it is in physicians’ best interest to thoroughly research a potential HIE partner and clarify any special liability protection issues related to HIE participation prior to signing a contract. Physicians are encouraged to review and discuss their malpractice coverage in relationship to HIE participation with their insurance agent. Additionally, as with any legal document, physicians should consult with their legal counsel before signing an HIE contract.
Access to data
Access to the data within HIEs is a major issue for physicians and their patients. The exchange of clinical data among health care organizations offers the opportunity to improve the quality of care and care coordination, as well as the potential to reduce costs by minimizing duplication of services. However, there is concern that HIE data could be used for physician performance evaluation or profiling purposes.
Because data access and use can vary considerably between HIEs, it is critical for physicians to establish who has access to what data within the HIE (and how the information will be used) prior to signing an agreement to participate in an HIE.
Both federal and state laws and regulations apply to HIE activities, including governing the privacy and security of patient’s health care information. As noted above, federal legislation (i.e., the HITECH Act) has also provided significant funding for HIE creation, as well as established the criteria for meaningful use of health information technology. In addition to these federal regulations, some states have laws pertaining to HIEs, including laws to create and implement state-sponsored HIEs, establish a certification process for HIEs, and/or protect the privacy of information transmitted by or through an HIE.
Privacy and security concerns
Although HIEs are generally not covered entities under the Health Insurance Portability and Accountability Act (HIPAA), they are considered to be business associates of HIPAA covered entities. As such, an HIE must enter contracts or other agreements with participating covered entities—including physicians— that require the HIE, as a business associate, to safeguard and appropriately protect the privacy of protected health information. Thus, any system used by an HIE must comply with the privacy and security provisions of HIPAA. HIPAA may be superseded by more stringent state privacy laws and regulations. Physicians should ask about a potential HIE partner’s privacy and security safeguards and how data breaches will be managed before participating in an HIE. Visit the AMA’s HIPAA toolkit for additional information and resources.
Handling sensitive patient data
Sensitive patient information can be exchanged via HIEs. However, special patient consent may be required to share certain types of sensitive health records (related to HIV/AIDS status, sexually transmitted diseases, mental health, etc.) within the HIE, and it must comport with HIPAA requirements. The more stringent of federal or state laws regarding disclosure of these specially protected types of data will govern the exchange of the information via the HIE. Physicians should inquire if the HIE requires special patient consents for disclosure of sensitive information. Additionally, physicians should be aware that sensitive health information may not be included in the patient’s records from the HIE if the patient has not provided the necessary consent. In such cases, HIE data do not represent the patient’s complete health record.
In most cases, points of service (e.g., physician offices) are required to inform patients of the provider’s participation in an HIE. Physicians should check their HIE contract to see what patient authorizations they are required to obtain related to HIE participation and the retention/update requirements related to this authorization. Patient notification regarding HIE participation frequently occurs through the provider’s HIPAA-mandated Notice of Privacy Practices, which provides patients with information about how the provider will use and disclose the patient’s health information, as well as the provider’s obligations to protect this information. The content of the patient notification regarding the HIE will depend on the HIE’s patient participation policy. In opt-in HIE models, patients must give consent to have their data included in the HIE; in opt-out systems, patients’ data are automatically included in the HIE, but patients may choose to withdraw from HIE participation. Special consent may be required to share sensitive patient information (related to HIV/AIDS status, sexually transmitted diseases, mental health, etc.) within the HIE. To date, opt-out HIE systems have generally been more successful in gaining patient participation than opt-in models.
In addition to the mandatory notification regarding HIE participation, physicians may also wish to discuss the benefits of HIE participation with their patients. Some HIE initiatives offer services directly to patients, such as allowing patients to review their health data, add information to their health status, or communicate electronically with providers. HIEs may also provide educational information on health and health care to patients. Physicians may wish to share these potential benefits with patients to encourage patient consent to HIE participation and support patients’ efforts to be active partners in their care. Visit the eHealth Initiative website for additional information.
Along with the more general reasons supporting HIE development, federal funding has driven the recent activity in this area—including improving the quality, safety, and cost efficiency of care—federal funding has driven the recent activity in this area. The Health Information Technology for Economic and Clinical Health (HITECH) Act is a subset of the 2009 American Recovery and Reinvestment Act (ARRA) that, along with offering Medicare and Medicaid incentive payments to health care providers who adopt EHRs, provided $2 billion to help advance the creation and expansion of HIE infrastructure and services across the United States. These federal funding opportunities for HIEs have significantly increased HIE creation and development over the past few years, however, as noted above this funding source has dried up and some HIEs have not been able to remain solvent.
The Medicare and Medicaid EHR Incentive Program, most commonly referred to as Meaningful Use, currently spans two stages with each stage intended to focus two separate areas. Stage 1 was developed to incentivize eligible hospitals and professionals to purchase and meaningfully use certified EHR technology. Starting in 2011, this Stage 1 helped drive the uptake of digital medical records across the nation. Following a three year cycle, Stage 2 requires participating hospitals and physicians to exchange health information between each other, sites of service, and with their patients. Although Stage 2 measures are considerably more complex and participating remains low, the use of an HIE can help meet some of the measures. HIMSS has compiled a complete matrix of where an HIE can help hospitals and physicians meet some of the Meaningful Use Stage 2 measures. View a summary table of where Stage 2 and HIE intersect.
Certain EHR vendors allow physicians to exchange data with other physician practices that use the same vendor’s product. As such, some EHR vendors may offer some of the same functions and features as an HIE. However, this model is only useful if the hospitals and physician practices that share patients use the same EHR product.
The Direct Project, which launched in March 2010 as a part of the Nationwide Health Information Network, also offers opportunities for simple information sharing between physicians and other health care providers. The Direct Project “specifies a simple, secure, scalable, standards-based way for participants to send authenticated, encrypted health information directly to known, trusted recipients over the Internet.” Users of Direct Project-enabled technology (e.g., EHRs) can send and receive secure information, such as summaries of patient records, if both parties have systems that support the Direct Project. Unlike a fully functional HIE, physicians cannot query for certain information loaded into a network. However, the Direct Project does allow for the secure exchange of data between two points (e.g., physician to physician or physician to hospital). The Direct Project sends electronic messages much like email, except that these messages are encrypted to meet HIPAA standards. The Direct Project’s capabilities are obviously not as sophisticated as a fully operational HIE, but this initiative does offer some opportunities for basic electronic health information exchange between providers.
Featured resources: The AMA and HIMSS produced a series of podcasts on health information exchanges (HIEs). Listen to the audio or read full transcripts on the HIMSS website:
- "Episode #5 - Physician engagement with HIE" discusses the benefits for physician practices to using HIEs, recommendations for overcoming common challenges and requirements for participation.
- "Episode #7 - Information exchange and stage 2 meaningful use (Part I)" addresses requirements for HIE participation, meaningful use requirements, public health departments and clinical decision support.
- "Episode #8 - Information exchange and stage 2 meaningful use (Part II)" addresses medication reconciliation, registries, health information service providers (HISPs) and the business case for hospitals and commercial labs to engage with HIE.