In U.S. health care institutions, the current model for gathering health information tends to result in a provider-focused view of the patient's history. Health care IT initiatives seek to change that model by building a national health IT infrastructure that will result in a more comprehensive, patient-focused view of this information.
Health information exchange is also crucial to meeting meaningful use requirements, which mandate that electronic health record (EHR) systems be able to exchange health information electronically among a variety of health organizations. According to the requirements for meaningful use, patient data must be submitted to public health agencies and be capable of being exchanged with other care providers and patient-authorized entities.
- What is health information exchange?
- Why do we need health information exchange?
- How does health information exchange work?
- Who sets the standards for national health information exchange?
- How is patient data secured when exchanged through HIE?
The term health information exchange, or HIE, refers to the process of sharing health-related information among organizations according to nationally recognized standards. HIE is one of the key building blocks needed to create an electronic health information technology infrastructure. The term is often used interchangeably to refer to both a process and an entity, with many organizations referring to themselves as health information exchanges.
The federal government has awarded grants to all 50 states -- along with Washington, D.C. and five federally administered territories -- to build state HIEs. The government has also been leading the development of CONNECT, open source software that enables health information exchange.
Despite these efforts by the federal government, there is currently no single model of health information exchange, leading some experts to suggest that we are still many years away from achieving a nationwide HIE. In this video, one industry expert explains some of the forces in play that will help drive the creation of a national network of health information exchange:
HIE is considered to be one of the key components of the national health IT infrastructure being established by the HITECH Act. Policymakers and health care providers believe this health IT infrastructure will produce a number of benefits, many of which are directly related to HIE.
The eHealth Initiative, a nonprofit organization devoted to improving health care through IT, conducts an annual survey to assess the state of health information exchange. The most recent survey highlights some of the benefits being reported by active HIE initiatives, including the following:
- Improved coordination of patient care, because HIE provides better access to test results and can reduce medication errors.
- Cost savings, because health care providers spend fewer dollars on repeat tests.
- Public health research, because anonymous patient data can be transmitted to public health agencies to help monitor and improve the health of the community.
- Increased patient engagement, because patients can access their own health data, input their personal health and wellness information, and maintain health records for dependent family members.
Independent of the health information exchanges created by the HITECH Act, many hospitals have already begun creating their own regional HIEs in an attempt to become more efficient.
To exchange patient health information electronically and meet federal requirements, health care providers must be using an electronic health record (EHR) system that supports the Continuity of Care Document (CCD) or the Continuity of Care Record (CCR) document format. Nationally-recognized HIE standards are also needed, to ensure that health information is formatted correctly and secured, and that the systems containing the data can actually communicate with one another.
With these two components in place, organizations theoretically can participate in health information exchange. This is easier said than done, however, as the infrastructure needed to support interoperable EHR systems is expensive, and the funds provided by government HIT grants are limited. Differences in privacy laws across states can also complicate state HIE initiatives.
The U.S. Department of Health & Human Services (HHS) is ultimately responsible for setting the standards for national health information exchange. Within the HHS, the Office of the National Coordinator for Health Information Technology (ONC) is the principal agency responsible for recommending HIE standards.
In July, 2010 the ONC issued a Standards and Certification Criteria Final Rule, which provides the initial set of standards, specifications and certification criteria for EHR technology. The standards set by HHS will ensure that health information exchange via EHR systems is secure, confidential and functional. The ONC also oversees several initiatives working to establish HIE standards:
- The Nationwide Health Information Network, a set of standards, protocols, specifications and services that will allow health IT vendors and developers to plug into nationwide HIE.
- The Direct Project, an exchange model that lets solo and small-practice physicians implement simple health data exchanges.
- The State Health Information Exchange Program, a Federal-State collaboration aimed at the long-term goal of nationwide HIE and interoperability.
The Agency for Healthcare Research & Quality (AHRQ) is also trying to help drive HIE adoption by sharing best practices among the states that are developing their exchanges.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates the privacy of health information. Patient information being exchanged through HIE must be secured according to the Security Standards for the Protection of Electronic Protected Health Information, also known as the HIPAA Security Rule. This rule was added to HIPAA to establish a set of national security standards for patient data being held or exchanged in electronic format.
The HIPAA Security Rule recommends three safeguards to ensure the security of electronic health information:
- Administrative safeguards require that health organizations identify potential security risks, establish a designated security official, implement policies and procedures regarding access to patient data, train all workforce members on security policies, and periodically evaluate compliance with established security policies and procedures.
- Physical safeguards should be established to ensure that access to facilities and computer equipment is authorized. Policies and procedures should be in place to specify the proper use and disposal of electronic media containing patient health information.
- Technical safeguards must be built into EHR systems. These include industry-standard login practices to authenticate users, audit logs, role-based access control to allow for different levels of access to patient information, and integrity controls to ensure that patient data is not altered in an unauthorized manner.
Meanwhile, the Certification Commission for Healthcare Information Technology's security requirements for EHR system certification call for access control, audit records, authentication, data protection and technical security.
Let us know what you think about this briefing; email Anne Steciw, Associate Editor.
This was first published in May 2011