Journal of AHIMA - May 2011

PRACTICE BRIEF

practice guidelines for managing health information

HIE Management and
Operational Considerations

Introducing the AHIMA Compendium http://compendium.ahima.org Throughout this brief, sentences marked with the † symbol indicate AHIMA best practices in health information management. These practices are collected in the new AHIMA Compendium, offering health information management professionals “just in time” guidance as they research and address practice challenges.

THE PRIMARY FUNCTION of a health information exchange (HIE) is to permit access to clinical information on demand at the point of care. HIEs enable health information to be ex- changed electronically between disparate healthcare informa- tion systems while ensuring information integrity. HIEs may also provide a structure for purposes like public health report- ing, clinical quality measurements, biomedical surveillance, and consumer health informatics research. 1 A successful HIE depends on trust between the patient, the healthcare provider, and the HIE. In order to build trust, HIEs must develop and implement policies and procedures guiding their operations, including how they will maintain and secure protected health information (PHI).

;is practice brief identi;es the policies, procedures, and best practices essential for successful HIE management and operations. It serves as a resource and reference guide for HIM professionals and subject matter experts involved with HIEs. ( Appendix A in the online version of this practice brief provides a glossary of terms commonly used in HIEs.)

Federal Rules and Regulations That Affect HIE

Many federal laws and regulations govern the exchange of PHI. ;e Privacy Act of 1974, HIPAA, and the HITECH Act all include provisions to safeguard the con;dentiality and integrity of PHI. HIEs must review every federal law and regulation that a;ects their operations to ensure compliance.

;e HITECH Act expands the current federal protections for the privacy and security of PHI under HIPAA. 2 It requires business associates comply with HIPAA, an obligation that originally was restricted to covered entities. It also extends business associate status to HIEs and authorizes state attorneys general to enforce HIPAA by initiating lawsuits on behalf of victims of security breaches.

Other federal laws and regulations that a;ect the exchange of health information include the Medicare Conditions of Participation, the federal regulations regarding Con;dentiality of Alcohol and Drug Abuse Patient Records, the Family Educational Rights and Privacy Act, the Gramm-Leach-Bliley Act, and the Food, Drug, and Cosmetic Act.

;ere should be few con;icts among these laws; however, when state laws do con;ict with federal laws, pre-emption applies. HIEs must consult with legal counsel to ensure appropriate compliance is met.

Resolving State Laws That Affect HIE

Many states have enacted their own, more stringent laws to govern and manage the privacy and security of PHI. As with the federal rules and regulations, HIEs must review state laws to ensure compliance across networks and states (when applicable) for compliant HIE operations.

HIEs must take into account state laws pre-empting federal laws when two similar state and federal laws coincide. ;ey should consult legal counsel for guidance on these matters. Resolving these di;erences will ensure information and data sharing, especially in times of public health emergencies.

;e federal government is also working with state governments to help enable e;cient HIE management and operations. For example, the O;ce of the National Coordinator for Health IT (ONC) has launched the State Health Information Exchange Cooperative Agreement Program to work with states to advance interoperability and health information exchange through a variety of activities, including:

; Collaborating with states and state-designated entities to promote, monitor, and share e;cient, scalable, and sustainable mechanisms for HIE within and across states

; Helping coordinate and share information regarding federal health IT investments and programs across agencies (e.g., Centers for Disease Control and Prevention, Centers for Medicare and Medicaid Services, Agency for Healthcare Research and Quality, and non-HHS federal agencies)

; Conducting a national program evaluation and o;ering technical assistance for state-level evaluations

; Adopting standards and certi;cation criteria to enable interoperability and HIE

; Providing technical assistance to states and state-designated entities

; Coordinating information sharing across states

; Advancing standards-based HIEs through Nationwide Health Information Network standards, services, and policies3

HIE Guidance for Patient Rights ;e HIPAA privacy rule a;ords patients speci;c individual rights to the uses and disclosures of their PHI. HIEs must clearly communicate these rights and their signi;cance to patients participating in the HIE. Successful communication of patient rights is