practice guidelines for managing health information
HIE Management and
Introducing the AHIMA Compendium
http://compendium.ahima.org Throughout this brief, sentences marked with the † symbol indicate AHIMA best practices in health information management. These practices are collected in the new AHIMA Compendium, offering health information management professionals “just in time” guidance as they research and address practice challenges.
THE PRIMARY FUNCTION of a health information exchange (HIE) is to permit access to clinical information on demand at the point of care. HIEs enable health information to be ex- changed electronically between disparate healthcare informa- tion systems while ensuring information integrity. HIEs may also provide a structure for purposes like public health report- ing, clinical quality measurements, biomedical surveillance, and consumer health informatics research.
1 A successful HIE depends on trust between the patient, the healthcare provider, and the HIE. In order to build trust, HIEs must develop and implement policies and procedures guiding their operations, including how they will maintain and secure
protected health information (PHI).
;is practice brief identi;es the policies, procedures, and best
practices essential for successful HIE management and operations. It serves as a resource and reference guide for HIM professionals and subject matter experts involved with HIEs. (
Appendix A in the online version of this practice brief provides a
glossary of terms commonly used in HIEs.)
Federal Rules and Regulations That Affect HIE
Many federal laws and regulations govern the exchange of PHI.
;e Privacy Act of 1974, HIPAA, and the HITECH Act all include
provisions to safeguard the con;dentiality and integrity of PHI.
HIEs must review every federal law and regulation that a;ects
their operations to ensure compliance.
;e HITECH Act expands the current federal protections for
the privacy and security of PHI under HIPAA.
2 It requires business associates comply with HIPAA, an obligation that originally was restricted to covered entities. It also extends business
associate status to HIEs and authorizes state attorneys general
to enforce HIPAA by initiating lawsuits on behalf of victims of
Other federal laws and regulations that a;ect the exchange of
health information include the Medicare Conditions of Participation, the federal regulations regarding Con;dentiality of Alcohol and Drug Abuse Patient Records, the Family Educational
Rights and Privacy Act, the Gramm-Leach-Bliley Act, and the
Food, Drug, and Cosmetic Act.
;ere should be few con;icts among these laws; however,
when state laws do con;ict with federal laws, pre-emption applies. HIEs must consult with legal counsel to ensure appropriate compliance is met.
Resolving State Laws That Affect HIE
Many states have enacted their own, more stringent laws to govern and manage the privacy and security of PHI. As with the federal rules and regulations, HIEs must review state laws to ensure
compliance across networks and states (when applicable) for
compliant HIE operations.
HIEs must take into account state laws pre-empting federal
laws when two similar state and federal laws coincide. ;ey
should consult legal counsel for guidance on these matters. Resolving these di;erences will ensure information and data sharing, especially in times of public health emergencies.
;e federal government is also working with state governments to help enable e;cient HIE management and operations.
For example, the O;ce of the National Coordinator for Health
IT (ONC) has launched the State Health Information Exchange
Cooperative Agreement Program to work with states to advance
interoperability and health information exchange through a variety of activities, including:
; Collaborating with states and state-designated entities to
promote, monitor, and share e;cient, scalable, and sustainable mechanisms for HIE within and across states
; Helping coordinate and share information regarding federal health IT investments and programs across agencies
(e.g., Centers for Disease Control and Prevention, Centers
for Medicare and Medicaid Services, Agency for Healthcare Research and Quality, and non-HHS federal agencies)
; Conducting a national program evaluation and o;ering
technical assistance for state-level evaluations
; Adopting standards and certi;cation criteria to enable interoperability and HIE
; Providing technical assistance to states and state-designated entities
; Coordinating information sharing across states
; Advancing standards-based HIEs through Nationwide
Health Information Network standards, services, and
HIE Guidance for Patient Rights
;e HIPAA privacy rule a;ords patients speci;c individual rights
to the uses and disclosures of their PHI. HIEs must clearly communicate these rights and their signi;cance to patients participating in the HIE. Successful communication of patient rights is