Understanding the HIE Landscape
The health information exchange (HIE) landscape has changed dramatically since HIE and the Nationwide Health Information Network (NwHIN) was first conceptualized in 2001. The National Committee on Vital and Health Statistics (NCVHS) published recommendations in 2001 on nationwide electronic health information exchange in the report titled “Information for Health, A Strategy for Building the National Health Information Infrastructure.” Formally codified by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, the Office of the National Coordinator for Health IT (ONC) has supported the development of standards, services, and policies for HIEs. The number of HIEs and HIE stakeholders exchanging information has grown exponentially as a result of ONC's efforts.
But both emerging and established HIEs continue to face challenges and barriers, such as:
In spite of the numerous challenges, the promise of improved patient care resulting from the availability of a longitudinal health record across the healthcare continuum provides the necessary incentive to continue working toward accurate, secure, and interoperable health information exchange.
The speed with which HIEs are developed and implemented across the US has impacted the health information management (HIM) profession. As key stakeholders in efforts such as privacy, security, and confidentiality, HIM professionals will be called upon to ensure the appropriate and accurate exchange of information. HIM professionals must be prepared to interact and provide guidance to HIEs in order to incorporate foundational information management and governance practices into this emerging arena.
This practice brief describes the current HIE landscape, provides best practices in information management, and identifies how HIM professionals can collaborate with and offer education to HIEs.
HIE Growing in Demand
The introduction of payment and delivery reforms, which range from the establishment of accountable care organizations (ACOs) to bundled payments and patient-centered medical homes, is creating a compelling business case for electronic exchange. In response to HIE-infused initiatives like the federal government’s “meaningful use” EHR Incentive Program, healthcare systems and small providers now desire to link to an HIE. Innovative approaches to electronic information exchange are emerging as a result, including private HIE networks advanced by hospital systems pursuing ACO status, exchange services offered by electronic health record (EHR) vendors, and regional- and state-level information exchange initiatives. According to a recent KLAS survey, the number of active private HIEs tripled from 52 in 2009 to 161 in 2010.1
Instead of waiting for state HIEs to mature, some larger health networks have begun contracting with IT vendors to develop their own proprietary health information exchanges focused on exchanging information between its own facilities and select outside partners. Concerns have been raised that, because of their narrow focus on providing services based on margin and competitive advantage, such private HIEs will drain customers and resources away from state and community HIEs.
State and community HIEs have seen a steady—although less dramatic—rate of growth. The eHealth Initiative (eHI) identified 255 HIE initiatives in 2011, up from 234 in 2010. Many HIE proponents are concerned that the rapid growth of private HIE activities will ultimately undercut the state and community HIE business model, decreasing the likelihood of their success and making the NwHIN dependent on nascent technologies for community-level functions, such as record locator services.
For the time being, ONC has adopted a wait-and-see attitude, contending that different models work best for different states. ONC has urged its grantees to try to leverage the private HIE development in their states, looking for ways to provide services not being offered by the private HIEs, such as linking private HIEs together, providing access to rural providers, or offering unique services as a platform through which innovative software developers could offer valuable new services to healthcare providers and other HIE participants. Other possible services include patient locator services, immunization registries, birth registries, and cancer registries. Proponents of state and community HIEs believe they are uniquely positioned to bring competitors together to achieve unmet service needs.
NwHIN Activities and Differences
The Direct Project is similar to secure e-mail or secure instant messaging. The NwHIN comprises multiple approaches one could use to electronically exchange health information among a variety of stakeholders. The variety of approaches to exchanging information may lower the cost of connections between providers. For example, Direct allows information to be pushed between providers and eliminates the cost of interfaces. The Direct Project specifies a simple, secure, scalable, standards-based way for participants to send authenticated and encrypted health information directly to known, trusted recipients over the Internet.
Consent and Directed Exchange
An ONC Privacy and Security Workgroup, known as the Tiger Team, recommended that fair information practices (FIPs) be followed.3,4 Because information sent from provider to provider is encrypted, directed exchange for treatment does not require patient consent beyond that which is already required in current law or has been customary practice. The Direct Project does not include complex patient scenarios, such as an unconscious patient brought to the emergency department. Rather, it is meant to be applied to the transport of health information from one provider to another, such as to facilitate the exchange of information for a patient seeking an opinion from a specialist.
For some providers, these communications are part of satisfying stage 1 meaningful use objectives. The Direct standards and services can be implemented by any two participants, organizations, or a community without a central governance structure. Each Direct user is provided with an e-mail address to push the relevant medical information to another user, using Internet standards.
CONNECT is open source software that can be used for local or nationwide health information exchange. CONNECT uses NwHIN standards and governance to make sure that health information exchanges are compatible with other exchanges being set up throughout the country.5
CONNECT solution is moving to a public/private governance model. Healtheway will operationally support the eHealth Exchange by onboarding new participants, conformance and interoperability testing, and operating policies and procedures. By transitioning to Healtheway, a public-private partnership, the goal is to create a sustainable business model. Initially, CONNECT was built as a single solution to allow federal agencies to tie their health IT systems into the Nationwide Health Information Network.
A collaborative approach was adopted to drive down development costs for each agency and ensure a solution was available that met federal regulations and requirements for health IT interoperability. Because CONNECT is built as an open source software, it has been made available for use throughout the healthcare industry. This helps to fulfill an added objective for CONNECT, which is to serve as a platform for innovation. The solution can be downloaded for free, and the industry is encouraged to download it, improve upon it, build additional solutions with it, and resell the product into the public and private sectors.
HIE Governance Assures Continuity
Governance is the mechanism that assures necessary policies, standards, and services are in place so organizations can manage business operations, services, and relationships with its stakeholders. This ensures the organization is appropriately established, coordinated, and overseen, and that its policies are enforced.
The first step in developing an HIE is to establish a governing structure. If the HIE will include facilities competing in the same local or regional market, a structure for building consensus on sharing patient information is imperative.
HIEs may establish a separate organization (either profit or nonprofit) with a board of directors. Board membership often includes equal representation from all facilities. However, maintaining the perfect balance of representation may be difficult. A board that is too large to work efficiently and effectively can become paralyzing. In addition, HIE membership may grow with the network’s success, so establishing a limit to the size of the board can deter future issues.
Enacted in February 2009, HITECH requires the ONC to establish a governance mechanism for the Nationwide Health Information Network.7 It also authorizes the Federal Health IT Policy Committee to recommend the areas in which standards, implementation specifications, and certification criteria are needed for the electronic exchange and use of health information.
The NwHIN should be:
Creating a formal leadership structure within the HIE may facilitate further organizational activities such as establishing mission and goals, strategic planning, policies, procedures, and accountability. Important decisions to be made at the initial development of the HIE include opt-in/opt-out models, privacy and security practices, and vendor selection.
In May 2012 the ONC issued a request for information (RFI) public comment period seeking input on a broad range of governance mechanisms. In response to the public comments received, ONC decided against issuing a formal regulatory governance structure and instead proposed the following four-step non-regulatory approach.
Opt-in and Opt-out Models
The healthcare industry has long debated what consent is required, or best, to transmit health information through an HIE. Consent models for health information exchange are often referred to as either opt-in or opt-out. Patients given the opportunity to opt-in to HIE may sign a state-defined consent form or give consent via an online patient portal. In the opt-in model, the patient must proactively agree to participate in the health information exchange before information is shared.
Patients given the opportunity to opt-out of a health information exchange must actively choose not to participate in the health information exchange by signing an opt-out form or through patient mailings/brochures, posted notices, or an online patient portal. The patient’s health information is exchanged through a network unless the patient formally elects to opt-out. Opt-out models typically exclude specially protected health information such as psychiatric records or drug and alcohol treatment covered in 42 CFR 2.8
Possible consent models include:9
Opt-out models tend to have increased patient participation because opt-in models require more effort on the part of the patient to provide consent. Opt-in models often include specially protected health information since the patient specifically consents to the information exchange. Patients should be able to decide how their electronic health information is exchanged. This decision could be made through a “meaningful choice,” either an opt-in or opt-out model, or a more granular consent as long as they are informed of how and why their information will be exchanged in advance of making the decision to participate.
Release of Information Challenges
Many laws and regulations currently govern how, when, what, and to whom protected health information is released. The Health Insurance Portability and Accountability Act (HIPAA) privacy rule and HITECH Act contain specific requirements for the management of personally identifiable health information that balance confidentiality of the individual with the need for complete and timely exchange of health information. These regulations create a new paradigm where we must adapt the traditional release of information functions.
Complete and timely information is critical to providing the best care possible, and excluding certain information from an exchange in certain cases could negatively impact patient care. The challenge of the current complex medical and legal environment is that clear and concise guidelines for release of information are not always provided, and standards may be put into place before the functionality exists to execute them. For example, in a free text discharge summary, the use of metadata tags to identify protected information is difficult.
Consideration of other federal regulations, such as 42 CFR 2 for drug and alcohol patient records, further complicate the HIE environment. The consent requirement for these records is often perceived as a barrier, but it is important for HIM professionals to understand the details of the regulation and assist in the development of business processes and application requirements.
Varying state regulations require HIEs to assume the burden of understanding and navigating many different and potentially conflicting requirements—especially if the HIE provides services to multiple states. State laws can also vary in focus and strictness of patient privacy.
HIM professionals can assist HIEs in overall management of the release of information (ROI) process in order to ensure confidentiality, security, and compliance in releasing protected health information. It is crucial for policies and procedures to include guidance on those practices that support oversight of disclosures of information.
Meaningful Choice and HIE
The program information notice (PIN), introduced on March 22, 2012 by ONC, outlines privacy and security framework requirements and guidance for establishing robust privacy and security policies and practices for exchanging health information.10 This provides the common set of privacy and security rules of the road and assures provider and public trust in enabling progress in health information exchange to support patient care.
The individual choice section within the PIN outlines that an individual should be able to designate a family member, caregiver, domestic partner, or legal guardian to make decisions on their behalf. If the HIE stores, assembles, or aggregates information beyond a directed exchange (i.e., provider-to-provider via encrypted e-mail), it should ensure individuals have “meaningful choice” regarding the exchange of information through the HIE. Patient choice is not required if the HIE uses directed exchange and does not access or use the information.
Meaningful choice signifies:
Healthcare providers will be challenged to provide patients in advance with meaningful choice, and they have several options as to the method of provision, such as paper brochures or flyers, consents, and online patient portals. Ensuring patients are provided meaningful choice will require education and awareness.
Conduct Careful HIE Vendor Selection
A thorough vendor selection process should include a detailed request for proposal (RFP) that outlines the HIE’s key requirements—including the technical requirements of the system and privacy and security requirements.
The technical requirements may include such things as compatibility with Direct, CONNECT, record locator services, and master patient indexes. The technical requirements should be based upon the strategic and operational plan developed by the state HIE designated entity and approved by ONC.
As a starting point for vetting privacy and security requirements, the RFP should require the vendor to address functionality based upon the fair information practices:
For example, under the section “Individual Choice,” there are opt-in/opt-out models. The vendor should address if and how their system can facilitate each option. Additionally, they should identify how granular the system can get with their consent module. Can they limit specific information, such as an HIV test, or is the module limited to an “all-in” or “all-out” functionality? If it is the latter, the vendor should identify when and if they plan to add this functionality.
To ensure that the system has the necessary components to handle ROIs in accordance with HIPAA, HIM professionals must be involved in the development of the RFP and the vendor selection. Since each HIE is unique, no two HIEs will act or exchange information in the same manner and each may have different system requirements.
HIM’s HIE Responsibilities Defined
The HIM profession is changing each day. HIM roles and responsibilities are moving forward as advancements are made in healthcare delivery systems. Solid information management practices at the HIE level are vital to an HIE’s success. HIM professionals can facilitate the design and maintenance of privacy and security practices, record retention activities, release of information activities, and other fundamental core competencies of the profession in both new and established HIEs.
HIM professionals are assuming leadership roles within HIE organizations providing testimony, volunteering on HIE committees, and securing key leadership roles at the workgroup, staff, and board level within an HIE. HIM professionals, healthcare organizations, and physicians must work with component state associations to support the establishment of the HIE, develop HIE policies and procedures, and incorporate fundamental information management principles into HIE functions.
Patient Identification Management
Accurate patient identification and successful linking of electronic records is highly dependent on the accuracy of key demographic data. There are three different events that must occur in order to maintain patient identity data integrity:
Errors during any of these three events create opportunities for inaccurate patient identity. As the organization becomes larger, the volume of these events grows and there is a proportionately increased opportunity for patient identity errors. These errors become compounded when an organization becomes part of a larger network or incorporates other entities’ information into its own.
The underlying causes of identity errors are numerous. Some causes include people and process issues such as registration and scheduling staff selecting the wrong patient (causing an overlaid record) or the registrars entering the data to be searched incorrectly (causing either an overlay or a duplicate). Other identity errors are caused by technology challenges such as loose algorithmic record matching that causes incorrect electronic linking or auto-merging of records, or ineffective record search algorithms that prevent a registrar from finding the patient’s previous record.
Another common cause is data stored in the enterprise master patient index that is not current for the patient (i.e., last name change) and the searched data is different from the data stored in the system—resulting in a duplicate record. Related to this data integrity challenge, records in the historical database often have inadequate identifying information about the patient, causing the registrar to have to create yet another record for the patient—and therefore a duplicate. Many other data integrity scenarios exist, and combinations of all of these scenarios create even more complexity. As databases get larger, the complexity of the data integrity grows exponentially.
The HIM challenge is managing multitudes of detailed data on thousands of records and millions of transactions each and every year. A strong data quality and control program must be maintained or the data will get out of control quickly in a health information exchange environment.
The State of HIE in 2011
A 2011 report from the eHealth Initiative found that 2011 brought significant change in the health information exchange environment.11
Privacy, Security, and Audits
According to research from RTI International, the biggest challenges to establishing an HIE are varying interpretations and applications of HIPAA privacy and security rules, inconsistencies between state and federal privacy laws, and lack of trust.
The lack of a clear and consistent HIE approach to privacy and security may hinder US ability to realize the benefits of electronic HIE. In an effort to bridge the gap on privacy and security within HIEs, ONC published “The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information” in 2008. The framework was based on a review of numerous domestic and international privacy and security documents and practices.
The report outlines eight principles that public- and private-sector entities should use when engaging in electronic HIE. The framework also includes compliance and enforcement approaches.
The principles are designed to complement current state, federal, and local laws and regulations. They provide detail on such issues as:
ONC initiated the Strategic Health IT Advanced Research Projects (SHARP) in late 2009 as an American Recovery and Reinvestment Act initiative.12 This initiative provides funding for research that focuses on addressing problems that have impeded providers’ ability to adopt and meaningfully use health IT. The program itself is led by collaborative efforts at the University of Illinois at Urbana-Champaign, the University of Texas at Houston, Harvard University, the Mayo Clinic of Medicine, and Massachusetts General Hospital. Research is currently being conducted in several areas, including security of health information technology.
The University of Illinois at Urbana-Champaign is helping to develop technologies and policy recommendations that reduce privacy and security risks and increase public trust. This research encompasses three projects: EHRs within a single healthcare delivery organization, telemedicine, and HIE. The HIE project is concerned with security and privacy of health records as they are exchanged between care delivery organizations or individuals. The Secure Health Information Exchange project addresses the inadequacy of current exchange service models. The Experienced-based Access Management project limits insider threats through a continuously evolving model for access control rules. And the Personal Health Records project address third-party personal health record (PHR) privacy standards with PHR stakeholders.
HIM professionals have a responsibility to maintain a keen awareness of the developing HIE environment so they can develop, implement, and update systemwide policies and procedures that address the privacy and security of all individually identifiable health information—regardless of the medium used to capture, store, and transmit it.
ARRA Spurs HIE Development
ARRA-authorized incentive programs under the Centers for Medicare and Medicaid Services began to pay bonuses to “meaningful users” of certified EHRs beginning in fiscal year (FY) 2011, but will phase in penalties for those failing to meet “meaningful use” beginning in FY 2015. To be eligible for the incentives and avoid future payment penalties, hospitals and physicians must use EHRs that have been certified through a federal certification process established by ONC to meet specific meaningful use quality measurement requirements.
The Centers for Medicare and Medicaid Services’ stage 2 meaningful use final rule and ONC’s standards and certification final rule were published in the Federal Register on September 6, 2012.13,14 Taken together, these regulations raise the bar on EHR adoption requirements that hospitals and physicians must meet under ARRA to continue to qualify for additional Medicare and Medicaid incentive payments, as well as to avoid significant payment penalties starting in 2015.
The EHR Incentive Program has dramatically increased the number of HIEs throughout the US. In stage 1 of the program, providers must show that their EHR systems could exchange health information. The final rule for stage 2 involves higher expectations for HIEs, such as tougher requirements for e-prescribing, structured laboratory results, and expectations that providers will electronically transmit patient care summaries to support care transitions. The increasingly robust expectations for health information exchange expected in stage 3 will support the overall goal of having information follow the patient.
The lack of standards has created challenges for connecting HIEs. In addition to state and federal rules and regulations imposed on HIE systems, industry and vendor standards may vary, making it nearly impossible for HIEs to connect within the same local area—much less across states. The currently optional standards for HIEs greatly reduces the ability to share patient information when needed.
Stage 2 sends us down a path of having more consistent standards and operational processes to support this work. Additional information on the Medicare and Medicaid EHR Incentive Programs can be found at www.cms.gov/EHRIncentivePrograms.
The following three appendices are available in the online version of this practice brief only.
ONC. “State Health Information Exchange Cooperative Agreement Program.” August 11, 2012. http://healthit.hhs.gov/portal/server.pt?open=512&objID=1488&parentname=CommunityPage&parentid=58&mode=2&in_hi_userid=11113&cached=true.
RTI International. “States and Territories Begin to Reduce Challenges to Electronic Health Information Exchange.” August 1, 2007. www.rti.org/news.cfmnav-7&objectid=D7331450-F4ID-435A-84CA2FAA80518822.
Kathy M. Callan, RHIA
Ben Burton, JD, MBA, RHIA, CHP
The information contained in this practice brief reflects the consensus opinion of the professionals who developed it. It has not been validated through scientific research.