HIEs can threaten privacy and security
Executive Summary
Participating in a health information exchange (HIE) brings the potential for violations of HIPAA. Risk managers should assess security issues when considering HIE participation.
HIE participation exposes patient information to a number of providers who must be trusted to protect it.
Some providers might not have HIPAA compliance programs as robust as your own.
Patients should be fully educated about the HIE to avoid resistance and complaints.
Health information exchanges (HIEs) are one of the latest efforts to improve patient safety and quality, enabling providers to share patients’ medical information electronically to coordinate care.
The exchanges promise to offer many benefits both to providers and to patients, but they also can lead to violations of the Health Insurance Portability and Accountability Act (HIPAA) and other security issues.
There are many varieties of HIEs, but most use either a "centralized" model or a "federated" model, explains Holly Carnell, JD, an associate with the law firm of McGuireWoods in Chicago. In the centralized model, the HIE acts as a central data repository for participating providers. In the federated model, the data remains in the computer systems of the individual providers, and the HIE facilitates requests and transmissions of information.
The security and privacy concerns stem from the fact that in an HIE a hospital’s patient information will be accessible to a much larger group of entities than before joining the HIE, Carnell explains. With more access comes more risk.
"This means that the risk manager has to educate the organization’s internal stakeholders about the change in risk profile," she says. "In general there is not a lot of flexibility in changing the risk allocation in the HIE agreement. So you have to explain that along with all the benefits, here’s how HIE participation changes the risk we’re operating with."
In addition to having your own patients’ data more accessible, the hospital is taking on responsibility for protecting the data obtained from other HIE participants, Carnell says. If your hospital were responsible for a data breach, you could be liable for not just the normal costs of a breach but possibly any costs incurred by the hospital where the data originated.
The HIPAA compliance concerns are the same with information in an HIE as they are within your own organization, Carnell explains. Data must be protected the same way, and the release of data is governed by the same criteria. The volume of data and its commingling with other organizations’ data are what up the ante.
Educate patients about HIEs
Carnell also cautions that a hospital must be careful about communicating the HIE participation to patients. Patients are more sensitive to privacy issues than in the past, and some might not respond well to the idea of sharing their information with other providers. Patients who don’t trust the security of the HIE can complain to the Office of Civil Rights, which will only cause headaches for hospital administrators.
Risk managers should ensure that notification of HIE participation is fully explained to patients through direct conversations, posters, and other public notices, says John C. Saran, JD, also an associate with McGuireWoods in Chicago.
"This is not something you want to be just another paper hidden in the packet of admission forms," he says. "Patients need to understand the benefits of HIE participation, how it could help them, and the safeguards in place to protect their privacy."
The type of HIE participants also affects the risk exposure, Saran notes. Your hospital might be a large organization or part of a health system that has a rock-solid HIPAA compliance program, but other HIE participants might be smaller hospitals or physician practices that do not have the same resources or dedication to compliance.
"They have the same access rights as a major health system, but they can be weak links in the chain," Saran says.
Assessing the trustworthiness of other participants should be one step in deciding to join an HIE, Carnell says. The risk might be managed by getting involved with the HIE administration, such as sitting on a compliance committee, but in some cases that will not be enough to alleviate worries about taking on the risks from other participants.
"This can be where the risk manager has to tell people there is a hard decision to be made," Carnell says. "Leadership should know that there are these weak links in the chain and decide whether the benefits of participation outweigh the risks."
- Holly Carnell, JD, Associate, McGuireWoods, Chicago. Telephone: (312) 849-3687. Email: [email protected].
- John C. Saran, JD, Associate, McGuireWoods, Chicago. Telephone: (312) 849-8166. Email: jsaran@mcguirewoods.com.