Journal of AHIMA - May 2011

essential and demonstrates strong organizational commitment to build trust and gain consumer confidence.

ONC’s “Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information” outlines principles that, when taken together, constitute good data stewardship and form a foundation of public trust in the collection, access, use, and disclosure of personal information by HIEs. To complement the framework, the Office for Civil Rights (OCR) published a series of fact sheets that clarify how the HIPAA privacy rule applies to and can be used to help structure privacy policies behind electronic HIE.

ONC’s framework and OCR’s fact sheets call for the following principles in an HIE:

Individual Access: HIEs should provide consumers with a “simple and timely means to access and obtain their individually identifiable health information in a readable form and format,” according to ONC’s framework. 4 OCR’s guidance further states, “An individual’s right to access his or her PHI is a critical aspect of the Privacy Rule, the application of which naturally extends to an electronic environment. The Privacy Rule’s specific standards address individuals’ requests for access and timely action by the covered entity, including the provision of access, denial of access, and documentation.”

Correction: HIEs should provide patients “a timely means to dispute the accuracy or integrity of their individually identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied.” 6 OCR notes the privacy rule provides individuals with the “right to have their protected health information (PHI) amended in a manner that is fully consistent” with the framework. 7

Openness and Transparency: Policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information should be open and transparent, according to ONC and OCR. Entities that participate in HIEs should provide “clear notice of their policies and procedures regarding how an individual’s identifiable health information” is protected, used, and disclosed. 8

Individual Choice: HIEs should provide individuals with “a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their individually identifiable health information.” 9 (This is commonly referred to as the individual’s right to consent to identifiable health information exchange.) OCR further notes the framework “emphasizes the opportunity and ability of an individual to make choices with respect to the electronic exchange of their individually identifiable health information.” 10

Collection, Use, and Disclosure Limitation: “Individually identifiable health information should be collected, used, and/ or disclosed only to the extent necessary to accomplish a specified purpose.” 11 OCR notes that the framework “emphasized that appropriate limits should be set on the type and amount of information collected, used, and disclosed, and that authorized persons and entities should only collect, use, and disclose infor-

Practice Brief

HIE Operations across Different States

IN A MULTISTATE exchange, the technology available may not easily support variations in state laws and may require manual intervention. For example, an HIE operating in state A may need to respond differently to requests for information than an HIE operating in state B, depending on the laws of the two states. More specifically, HIV or mental health data may need to be suppressed to comply with the law of state A, but in the case of state B, full disclosure may be provided.

In states that require suppression of specific clinical information, HIEs must decide if or when to include a notice to clinicians that certain types of data have been redacted and that the information provided may be incomplete.†

mation necessary to accomplish a specified purpose.” 12

Safeguards: “Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards (HIPAA security rule) to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.” 13 OCR notes that the HIPAA privacy rule “supports the Safeguards Principle by requiring covered entities to implement appropriate safeguards to protect the privacy of protected health information (PHI).” 14

HIE Governance Policies and Procedures

Policies and procedures govern the operations of the HIE, and many factors must be taken into consideration during their development or revision. For example, the HIPAA privacy and security rules require PHI be accessible to patients; maintained in a manner that secures patient privacy, security, and data integrity; and released in accordance with state and federal laws. Appendix B, available in the online version of this practice brief, outlines the areas that must be taken into account when establishing policies and procedures for HIE operations.

The policies and procedures also set expectations for the workforce. Training and accountability for the workforce members must be clearly delineated. Access to all available resources (including policies and procedures) must be part of an ongoing education and compliance program, which must be enforced by management.

HIE Contracts

HIEs typically contract with vendors for the technology they use to exchange health information. According to Randall E. Sermons, an attorney with HIE experience, when contracting with technology vendors, HIEs must consider how the technology is delivered, the licensing required to use the technology, and the technology’s ability to protect data. Unique liability concerns within HIEs, such as liability for technology malfunctions and vicarious liability for acts of a data participant, must also be taken into consideration.