Health Information Exchange or HIE is a system that allows immediate electronic access to a person's health information records by a health provider (Fricton and Davies, 2008). The overall objective is to improve the safety and quality of health, especially for emergency care. This is the response to the problem of poor communication and exchange of medical information from one provider to another, a problem that has resulted in many medical errors and undesirable drug effects (Fricton and Davies).
The use of the personal health record or PHR has been brought up as an innovative solution to this problem concerning diverse electronic medical record systems or EMR (Fricton and Davies, 2008). It becomes the only source for authentication and remote access of health information data from these systems. A voluntary survey revealed an almost popular interest among patients and health providers in its regular use in accessing these data. The information includes medication and medical history reconciliation and patient education (Fricton & Davies).
Modifications were proposed for the HIPAA Privacy & Security Rules to implement and enforce the pertinent provisions of the HITECH Act of 2009 on protection (Jones et al., 2011). These would do so by extending the Office for Civil Rights' enforcement to business associates and other agencies; upholding individual rights to seek and obtain medical information in electronic form; and limiting the use and sale of information. This coordinated effort with the Office of the National Coordinator for Health Information Technology will assure or improve the privacy and security of the exchange (Jones et al.).
Health Information Exchange or HIE is a network community of healthcare entities that use interoperable electronic health record systems to swap health information (Carter, 2006). These entities include regional health information organizations, HIE as the nationwide health information network, and community health information organizations. An HIE can be a federated model with shared repositories or peer-to-peer network, non-federated peer-to-peer network, and centralized database or data warehouse. The 2005 report on Connecting for Health listed the 9 guiding principles for ensuring the confidentiality of patient data in this system. These principles are openness and transparency, purpose specification and minimization, collection limitation, use limitation, individual participation and control, data integrity and quality, security safeguards and controls, accountability and oversight, and remedies. These are necessary in assuring the success of HIE. Certain issues have, however, been raised concerning several of them (Carter).
Many State and federal laws require a thorough analysis of the requirements for the release of information (Carter, 2008). When settled, an agreement must be made on HIE participation. At this point, problems may be encountered because of variations in State law or because federal laws still exist that affect the exchange of health information. Examples are Medicare Conditions of Participation, Confidentiality of Alcohol and Drug Abuse Patient Records Regulation, Family Educational Rights and Privacy Act, and the Food, Drug, and Cosmetic Act. Any conflicting law should be interpreted in order to assure compliance. Still another legal issue concerns HIE participation agreements. These agreements must address HIPAA business associate provisions, protecting proprietary information, intellectual property rights, software licensing, insurance, indemnification, audit rights, and dispute resolution (Carter).
HIPAA security and security rules protect health information for patient access; maintain patient privacy, security, and data integrity; and release information according to State and federal laws (Carter, 2008). Health information professionals confront certain operational issues concerning these requirements. These are the minimum necessary regulation under HIPAA privacy rule, access to health information, identity management, opt in or opt out, quality of information, security and communication standards, operational impact of variations in State law, notice of privacy practices, and patient education (Carter).
The full-blown adoption of automated information was a strong likelihood even in the past, but was among the slowest areas in the industry to develop it (Kuperman, 2011). Huge costs are a major consideration. Another delay was the lack of appropriate privacy and structure design. But the benefits are large, although there are many problems in connection with automating healthcare (Kuperman).
These include ease of data access, substantially large storage capability, statistically enhanced modeling, and a large capacity of information for setting patterns and drawing conclusions (Kuperman, 2011). The benefits from the exchange's design include the ability for information to go with the patient from system node to node. The technology used in the exchange is meant to access records across counties and hospitals as a primary function. HIE promises potential benefits for the individual patient and the healthcare system. These include improved clinical care and reduced cost (Kuperman).
While providing these benefits, HIE also poses some issues and opportunities (Kuperman, 2011). If patients or others lack trust in the electronic exchange because of real or perceived risks to their identifiable health information, its accuracy or completeness, they may refuse to reveal this information. This could have fatal consequences (Kuperman).
Privacy and Security
These principles are premier in HIE as it improves quality, reduces errors, increases the level of administrative efficiency, and widens access to health care services (Fricton, 2008). Confidential healthcare records are now being conveyed electronically and thus require strict standards to protect patient privacy. The HIPAA Act of 1996 guaranteed the privacy of a patient's health information through the Patient Security Rule and the Patient Safety Rule, enforced by the Office for Civil Rights. HIPAA's Security Rule became the basis for the electronic transfer of the information. The Patient Safety Rule, on the other hand, protects identifiable information when used to improve patient safety. Advances in the electronic transfer of patient information led to the use of EMRs, which eliminated the use of paper patient charts. HIPAA creates the framework for this information transfer and technology for the transfer to the requesting patient. This is done at the HIPAA website where common questions by a healthcare professional are asked. A Health Information Organization or HIO electronically processes the medical records. An HIO is the legal identity that oversees and manages the exchange among health organizations and guides the request through questions about health information technology (Fricton).
Privacy and Security Gaps at HIE
The Healthcare Information and Management Systems Society and the American Health Information Management Association collaborated in identifying issues surrounding privacy and security in HIE activities (AHIMA, 2011). The objective was to highlight these gaps within the HIE environment, which must be considered in organizing an HIO or implementing an HIE. These are regulatory issues, administrative issues, technological and physical security, access management, public health or population health, and consumer privacy (AHIMA).
Regulatory issues include policies covering personal health information or PHI; the need for consistent data-sharing agreements and standards; interstate exchange of health information; and compliance with meaningful use (AHIMA, 2011). Administrative issues include implementation of a strong governance framework; clearly defining and implementing policies for changing demographic and clinical data; defined roles and responsibilities over data stewardship; providers-data stewardship; HIE/HIO data stewardship; requirement for unique user identification; restricting access to data by role and other user attributes; unique patient identifier; identity management; authentication; and industry adoption. Technical and physical security issues include risk assessment of HIOs and HIE participants' accountability and lack of technical or physical standards for HIPAA covered entities. Access management issues include authorization; federated access management; access to personal health information or disease management by health plans; HIPAA security standard for employee health plans; third-party use of PHI for wellness programs; access to PHI for research purposes; third-party access; and health plan user access. Public or population health issues include multi-stakeholder considerations for authorization and health oversight agencies not required to comply with HIPAA security standards. Consumer privacy issues include consent; restricting access to "sensitive" portions of the record; HIT privacy and security tiger team recommendations; meaningful consent; the mechanics of consent; opt-in; opt-out; resources and timing; and technical constraint (AHIMA).
Challenges and Strategies
An observation voiced loudly more than a decade ago was that the main obstacle is the lack of a sustainable business model (Vest and Gamm, 2010). RHIOs may need $12 million for development and $2-3 million for annual operating costs. Hospitals, moreover, are organizations that are hard-pressed to show a return on investment. Other obstacles are the collaborative nature of HIE; distrust and control over information; the persistent need for RHIOs to ensure patient privacy despite the allowed sharing of information between organizations; and fears of liability from unlawful disclosure. Lessons learned so far are that technological progress is not a ready-made solution to problems in healthcare information sharing; grant funding was not a viable alternative to self-sustaining revenues; and long-term financial uncertainties present enough risk to defeat the most technologically advanced offensive (Vest & Gamm).
The following have been suggested for continued HIE development, which complements the mixed economy of the U.S. health service…