Ken Willett

Healthcare IT, integration, and making patient care better

Managing A State HIE Is Going To Get Tougher

The ONC has recently published guidelines for patient security, privacy and access related to HIEs funded by the ARRA program. Given that sustainable funding for HIEs is already a serious issue, anything that increases HIE complexity is going to make that situation worse. The new ONC guidelines do exactly that, because they add a strong requirement for individual patient access and control to the HIE.

HIPAA already requires that patients have the ability to request EHR data from their providers, to determine who has accessed their data, and to correct any errors. The ONC guidelines now apply those same requirements to any HIE funded through the State Health Information Exchange Cooperative Agreement Program.

One of the major consequences of this rule is that the HIE will require a patient portal. Given the level of access that patients are entitled to, it’s unrealistic to expect that the state or State Designated Entity (SDE) can respond to patient access requirements any other way. Along with the portal comes a requirement for a reliable way to identify patients who are attempting to access the information in the HIE. The policy also requires that patients can designate others to access this data on their behalf.

The policy requires that individuals have meaningful choices as to whether to share their data with the HIE, and to be able to restrict access by provider. There is a strong recommendation (though not a requirement) that this control can be exercised at a finer granularity than “all or nothing”. This will place a burden on providers to either receive opt-in permission, or give the patient an opt-out opportunity, before sharing that patient’s data with the HIE. A blanket notification that data will be shared with the HIE unless the patient objects isn’t sufficient according to these guidelines.

An interesting requirement is that, in order to access data about a patient stored in the HIE, a provider must have or be in the process of establishing a treatment relationship with the patient. Presumably this is to prevent providers from using the HIE to search for new customers. But it will require very strict controls on who is allowed to access data, and leaves open the question of how the HIE would verify that a provider has a right to access the data for a particular patient.

It is important to note that these regulations only affect HIEs funded through the federal program, and specifically exclude HIEs that only support directed exchange between known parties. So one side-effect of these regulations may be to weaken state-level HIEs that “store, assemble and aggregate” data and drive providers to private HIEs, commercial clinical hubs (such as the Surescripts ePrescribing hub or the Ignis lab and radiology hub) or directed exchange networks, which aren’t governed by these policies.
