BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
Health information exchange (HIE) is the electronic transmission of healthcare-related data among medical facilities, health information organizations -- companies that oversee and govern the exchange of this data -- and government agencies according to national standards.
The purpose of HIE is to promote the appropriate and secure access and retrieval of a patient's health information to improve the cost, quality, safety and speed of patient care. While HIE typically refers to the act of exchanging information between two or more healthcare organizations or providers, it may also refer to an organization that is responsible for facilitating the exchange.
In 2004, the ONC (Office of the National Coordinator for Health Information Technology) created the Nationwide Health Information Network (NHIN) to establish standards, services and policies for HIE. Federal agencies, HIEs and healthcare providers agreed to adopt NHIN standards for secure HIE at a local and national level. NHIN became known as the eHealth Exchange in 2012.
According to the eHealth Exchange, participants agree to send health information to other participating organizations, match patients to their data without the use of a national patient identifier, and find and request copies of healthcare information from other participating organizations when permitted by law and policy.
Why health information exchanges are important
HIE helps enable care coordination, which the Agency for Healthcare Research and Quality defines as "the deliberate organization of patient care activities between two or more participants involved in a patient's care to facilitate the appropriate delivery of healthcare services." This enhanced communication offers healthcare providers a more complete view of a patient's health and reduces the risk of errors, duplicate treatments or tests, and readmissions, while improving patient safety and outcomes.
HIE can be used to improve population health, as well. Healthix, a New York-based HIE, helped the New York State Department of Health's AIDS Institute monitor and manage the HIV-positive population in that state. Long-term care is critical for this population, so Healthix identified HIV-positive individuals and the care they were receiving. The Department of Health used that data to focus on public health surveillance initiatives that would provide links to care and necessary therapies for the HIV-positive population.
There are several benefits of HIE for patients. For example, HIE enables patient engagement, offering patients an electronic copy of their medical information that they can share with their healthcare providers. Research has also found that HIE use can improve patient-provider communication and patient satisfaction.
How data is stored and shared
There are three HIE architecture types: federated or decentralized, centralized, and hybrid.
In a federated model, health records are stored in independent databases or repositories. Each healthcare organization or provider maintains ownership of and control over the health records; access to the health record is granted to users only when needed.
In a centralized model, health records are collected from participants in the HIE and stored in a single repository or database.
A hybrid model combines centralized and decentralized aspects.
There are two methods of data exchange in HIE: push and pull.
When a message or document, such as a lab result, is sent from one participant to another, this is called a push exchange. When a provider searches for or queries a patient's health information, this is called a pull exchange.
The types of data that can be exchanged include clinical, claims, public health, quality and reporting data.
Compliance with HIPAA and other acts
All HIEs must, at a minimum, comply with HIPAA. According to the U.S. Department of Health and Human Services (HHS), the HIPAA Privacy Rule establishes a federal baseline that is applied consistently to covered entities across all 50 states, but it does not pre-empt individual state laws that place greater privacy rights and protections on the information in an exchange.
The Health Information Technology for Economic and Clinical Health (HITECH) Act expands the federal protections for personal health information (PHI) privacy and security under HIPAA and extends business associate status to HIEs. HITECH also requires electronic health records to be "connected in a manner that provides for the electronic exchange of health information to improve the quality of healthcare."
Intermountain Healthcare CIO Marc Probst discusses the importance of standards
States may have either an opt-in or opt-out consent policy for participation in an HIE, although there are some states that have no policy.
In states with an opt-out policy, patients may be automatically enrolled in the HIE, but can choose to opt out of having their information stored or disclosed by the HIE.
Opt-in states require patient consent before patient health information can be stored or disclosed by the HIE. There may also be additional requirements, such as an opt-in for sensitive PHI or an opt-in to allow a new healthcare provider to access PHI.
According to the American Health Information Management Association, other laws that affect HIE include:
- Privacy Act of 1974
- Family Educational Rights and Privacy Act
- Gramm-Leach-Bliley Act
- Food, Drug and Cosmetic Act
The exchange of patient data brings with it the risk of breaches, either through unintended access or hacker theft.
In July 2016, the Codman Square Health Center in Dorchester, Mass., notified patients that a person accessed an HIE -- the New England Healthcare Exchange Network -- without authorization.
The individual, an employee of an outside vendor, used a Codman employee's credentials to obtain access to the HIE and patient information, such as names, addresses and dates of birth. In addition to Codman's 140 patients, the individual also accessed the records of 4,000 other patients in the HIE.
Challenges with HIE
In a 2014 report to Congress, the U.S. Government Accountability Office (GAO) found four specific challenges related to HIE.
- Insufficient standards. Standards for electronically exchanging information within EHRs exist, but providers reported that the standards were insufficient in some areas. GAO concluded that information that is exchanged electronically between providers must adhere to consistent standards in order to be interpreted and used in the EHR.
- Variations in privacy rules. Providers reported that exchanging health information with providers in other states can be difficult because of a limited understanding of variations in state privacy rules.
- Difficulty of accurately matching patients to their health records. Providers reported that they were unable to accurately and efficiently match patients to their records when exchanging health information electronically.
- Cost of exchanging health information. Providers reported challenges covering the costs associated with HIE, including the cost to participate in state or local health information organizations, as well as per-transaction fees charged by some HIE vendors.