HIE contracts should describe the process for fixing problems,
not just a remedy.
specifications needed for a successful health information exchange, Orth says. But conflicting state laws and other contractual issues have caused many HIEs to not implement a DURSA-based contract.
Some HIEs are organized solely by vendors, who create EHRs
that can exchange information with other products by that vendor. These exchange systems also have avoided DURSAs. Vendor Epic’s HIE function, for example, contains some “rules of
the road” for HIE, but it doesn’t specifically follow a DURSA-type trust agreement.
Even if a facility's local HIE hasn't implemented a DURSA, the
facility should ensure that the trust agreement in place meets at
least all of the above-listed criteria. These trust contracts are not
just for a healthcare facility's legal peace of mind; they are essential in assuring patients that their health information will be
safe and secure during HIE transport.
State Law versus HIPAA
Another legal HIE issue arises when state law is stricter than
HIPAA on exchanging and releasing medical records. This especially comes into play with state laws centered
on specially protected records such as substance abuse
and HIV/AIDS data.
Typically the trained HIM professional is responsible for dissecting a record request by a neighboring state and reconciling
the two state laws. But when requests come from unfamiliar
states, HIM professionals need to carefully consider the two
states’ laws and decide what is legal to send through the HIE.
EHR systems complicate matters because most currently cannot
truly segregate all parts of a person's record that fall into a certain protective category. An HIM professional can pull complete
protected records, but hints of things like mental health
and disease are usually viewable in other sections of the record, like
medication history. HIV treatment records could be blocked,
but an HIV drug cocktail on the medication list might get sent
unnoticed.
“When I transmit the medication history for a patient, I probably
have not weeded out those medications that are only related
to the individual’s treatment for their mental health illness,”
Egan says. “That is the sort of crossover that folks really have to
sit down and figure out how they are going to do that.”
There are two current solutions to this legal risk. An organization
can over-block records, excluding everything with a diagnosis
code related to the specially protected information. Or
an organization can stretch their patient consent document to
cover multiple years and include consent for exchanging specially
protected information in an HIE.
“That is harder on the lawyer side because you are really
stretching the knowing consent into ‘I agree that you can release
this for anything that might come up in the next couple of
years,’” Egan says. “That is a little bit of a harder case.”
Intellectual Property Rights
Sometimes more than just a patient's record gets exchanged
during health information exchange: intellectual property can go with it.
Business processes, database details, facility-developed patient
data, and software details can all be revealed when an organization exchanges data through an HIE.
Facility management and staff lawyers need to be aware that
there are times that legal rights to this intellectual property can
be negated through health information exchange.
For example, a hospital purchases software that conducts data
mining and finds indicators for a patient’s risk of certain diseases or a need for preventive treatment. The software determines
a person needs to have diabetes sugar testing every four months
because of certain warning signs, even though the patient does
not yet have a diagnosis of diabetes. This information is then entered into the patient’s record, which could then be distributed
to competing hospitals in the local HIE.
“The hospital paid good money to create that sort of special
knowledge that they are using for treatment purposes,” Egan