Achieving Privacy & Security with Electronic Health Information Exchange

Originally published Friday, January 11, 2008

In 2004, President Bush issued a directive for interoperable electronic health records to be a nation-wide reality by 2014. Since then, health information exchange (HIE) has received significant national attention, and HIE initiatives are gaining momentum across the nation.

There are many potential benefits to making patient information more readily available to providers at the point of care through electronic HIE. First, the quality of care may be improved through greater access to relevant information. This can lead to improved patient experience with the provider and result in higher patient satisfaction overall. Costs may be reduced through both efficiency and productivity gains because finding, faxing, and managing paper records take more time and administrative support. Costs also may be reduced because redundant provider and diagnostic services can be avoided. Finally, providers participating in state-wide HIE or a "Regional Health Information Organization" or "RHIO" may find opportunities for new revenue streams through potential business opportunities that can be created through the network.

In New Jersey more and more providers are participating in cooperative HIE. Currently, there is increased movement and discussion to potentially create a state-wide HIE system through the establishment of a RHIO. Although the functions and purposes of RHIOs vary, if a New Jersey RHIO is established, this is one source that providers could look to for guidance on developing best practices regarding maintaining the privacy and security of health information in connection with electronic HIE.

HIPAA Privacy

The Health Information Portability and Accountability Act of 1996 and its related regulations set forth the minimum protections and standards for health information that is created, used and disclosed by covered entities, which include most health care providers. Under HIPAA, a provider cannot disclose health information about an individual unless the disclosure is permitted under one of the several exceptions and is not otherwise prohibited under state law. If a particular disclosure does not fit within one of the enumerated HIPAA exceptions, a written authorization must be obtained from the individual.

Treatment, Payment, Health Care Operations

The broadest exception under HIPAA allows providers to use and disclose health information to third parties for purposes of treatment, payment, or health care operations.

With regard to treatment, HIPAA does not require a provider to obtain written authorization from the individual before using and/or disclosing an individual's health information for treatment activities with respect to such individual (the Treatment Exception). HIPAA defines "treatment" activities to include the provision, coordination, or management of health care and related services by one or more health...
