Policy and Procedure Considerations for Health Information Exchange Organizations

Policies and procedures govern the operations of health information exchange (HIE), and many factors must be taken into consideration during their development or revision. They set expectations for the workforce, delineate staff training and accountability, and must be part of an ongoing education and compliance program, enforced by leadership.

A health information organization (HIO) is defined by the National Alliance for Health Information Technology as “an organization that supports, oversees, or governs the exchange of health-related information among organizations according to nationally recognized standards.” Ensuring compliance can be a daunting task, especially when reconciling HIO participation agreement requirements and federal and state laws with the organization’s existing policies and procedures.

In today’s landscape, healthcare providers may participate in the exchange of protected health information (PHI) either internally within an organization or externally with various HIOs or other key stakeholders.

Existing resources, such as those available through the HealthIT.gov website, the Agency for Healthcare Research and Quality (AHRQ), and the Electronic Healthcare Network Accreditation Commission (EHNAC) accreditation guidelines, give healthcare organizations and individual healthcare providers guidance on first considerations when forming or joining a health information exchange.1 The Connecting for Health Common Framework provides a policy matrix that includes strategies for developing HIE policies and procedures, along with lessons learned.2,3

HIE accreditation through EHNAC verifies that the organization has the appropriate administrative, technical, and physical policies and procedures in place.4 These exist to ensure the integrity and confidentiality of PHI and to protect against anticipated threats or hazards to the security or integrity of that information.

Health information management (HIM) professionals possess the expertise and experience in developing policies, procedures, standards, and guidelines that add value to effective planning and implementation of HIOs, while ensuring compliance with the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules. A collaborative relationship between HIM professionals and clinical and administrative stakeholders will help the HIO achieve successful implementation and sustainability.

The following list takes the existing federal resources into account and outlines additional considerations for HIM professionals to assist healthcare organizations and other key stakeholders—such as individual providers—in identifying issues and developing pertinent HIE policies and procedures.

This sample checklist may be used as a starting point when developing policies and procedures for health information organizations (HIOs). This resource is not a replacement for seeking legal counsel and does not include all possible considerations.

1. Review Existing Policies and Procedures

1.1 Identify overlaps and gaps. Gather all stakeholders involved in the process to meet and discuss the design.

1.2 Create an oversight committee structure that is supported and held accountable by the C-suite (senior leadership, executive sponsors, and board of directors).

1.3 Catalog all current policies and procedures and participation agreements that are related to HIE and prepare for review by committee.

1.4 Center initial review on any overlap of policy or contractual language that may create operational inconsistencies or potential compliance issues.

1.5 Review internal organizational policies not related to the HIO that may conflict with HIO policies.

1.6 Conduct a comprehensive review of all workflows that may potentially interfere with current or proposed policies and procedures.

1.7 Include associated internal actions within the policy documents for enhanced data integrity and coordination of versioning.

1.8 Include management of patients’ opt-in or opt-out decisions.

1.9 Include general rules of the road for participating in the HIO.

2. Revise Participation Agreements to reflect AHIMA’s Information Governance Principles for Healthcare™

2.1 Adopt AHIMA’s Information Governance Principles for Healthcare (IGPHC)™, adapted from ARMA International’s Generally Accepted Recordkeeping Principles and available at www.ahima.org/~/media/AHIMA/Files/HIM-Trends/IG_Principles.ashx, and use standardized, non-prescriptive information governance approaches in current and future agreements.

2.2 Conduct an inventory of all participation agreements within the healthcare organization (HCO).

2.3 Familiarize yourself with the participation agreement requirements.

3. Establish HIPAA Structure for Provider Relations

3.1 Form an Organized Health Care Arrangement (OHCA), which is an arrangement or relationship, recognized in the HIPAA privacy rules, that allows two or more covered entities (CEs) who participate in joint activities to share PHI about their patients in order to manage and benefit from their joint operations.5

3.2 Establish joint Notice of Privacy Practices. Covered entities that participate in an OHCA may choose to produce a single joint notice if certain requirements are met. For example, the joint notice must describe the covered entities and the service delivery sites to which it applies.6

3.3 Complete a Business Associate Agreement (BAA) with each provider. For more information, refer to the Guidelines for a Compliant Business Associate Agreement in AHIMA’s HIM Body of Knowledge.

4. Review Compliance Processes

4.1 Review handling of privacy and security incidents.

4.2 Review breach investigation and responses.

4.3 Review identification of privacy official or person responsible for oversight.

4.4 Review identification of security official or person responsible for oversight.

4.5 Review business associate agreement process.

4.6 Review management of identified patient data integrity issues.

4.7 The review should include the Office of the National Coordinator for Health IT’s “meaningful use” requirements for protecting patient health information. Providers must conduct a risk analysis each year to assess the vulnerabilities of their patients’ information, and this includes an annual report.

5. Manage Patient Consent

5.1 Check state law requirements, which may specify one consent model option over another and how they relate to authorization.

5.2 Check that the consent model being built is consistent with the core domains found in the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information.7

5.3 Consumer education is a critical piece regardless of which consent model is adopted. Patients must understand their rights and responsibilities and clearly understand the potential ramifications of including or excluding all or portions of their health information.

5.4 Understand different types of authorization forms, including state level development and management of standardized consent forms.

6. Manage Access to PHI

6.1 Review the process for requesting, reviewing, granting, and revoking proxy access to health information (for example, by an adult child, parent, guardian, or significant other).

6.2 Review privacy/security officer reporting and access requirements.

6.3 Review “break the glass” procedures.

6.4 Review identifying and approving access policies and procedures.

6.5 Monitor access activity.

6.6 Monitor inactivity.

6.7 Monitor and review inappropriate access activity.

6.8 Monitor and review account deactivation activity.

7. Other Considerations

7.1 Provide a standardized consent form to all data sharing partners for consistency.

7.2 Ensure that the consumer consent form is written with varied literacy levels in mind.

Above all, a collaborative relationship between HIM professionals and clinical and administrative stakeholders is paramount. Equally important is knowing where to start. Developing HIE policies and procedures begins with a solid review of what you have to work with, identification of where changes or clarifications need to be made, and then making the necessary changes. Success is sure to follow when HIM representatives are integrated into the planning and implementation process.


1 Agency for Healthcare Research and Quality. “Health Information Exchange Policy Issues.” US Department of Health and Human Services website. http://healthit.ahrq.gov/key-topics/health-information-exchange-policy-issues.

2 Markle. “Connecting for Health Common Framework for Health Information Exchange.” August 25, 2008. www.markle.org/publications/274-connecting-health-common-framework-health-information-exchange.

3 Agency for Healthcare Research and Quality. “Health Information Exchange Policy Issues.”

4 Electronic Healthcare Network Accreditation Commission. “Health Information Exchanges.” 2014. www.ehnac.org/health-information-exchange/.

5 American Medical Association. “Organized Health Care Arrangement.” www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-privacy-standards/organized-health-care-arrangement.page.

6 Office for Civil Rights. “Notice of Privacy Practices for Protected Health Information.” US Department of Health and Human Services website. www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/notice.html.

7 Office of the National Coordinator for Health Information Technology. “Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information.” December 15, 2008. www.healthit.gov/sites/default/files/nationwide-ps-framework-5.pdf.


AHIMA. 2014 Information Governance in Healthcare Benchmarking White Paper. 2014. www.ahima.org/topics/infogovernance/igbasics?tabid=resources.

AHIMA. “Guidelines for a Compliant Business Associate Agreement.” Journal of AHIMA 84, no. 11 (November–December 2013): expanded web version.

AHIMA. “HIE Management and Operational Considerations.” Journal of AHIMA 82, no. 5 (May 2011): 56-61.

AHIMA. “Managing the Integrity of Patient Identity in Health Information Exchange (Updated).” Journal of AHIMA 85, no. 5 (May 2014): 60-65.

AHIMA. Pocket Glossary of Health Information Management and Technology, Fourth Edition. Chicago, IL: AHIMA Press, 2014.

AHIMA e-HIM Workgroup on HIM in Health Information Exchange. “HIM Principles in Health Information Exchange.” Journal of AHIMA 78, no. 8 (September 2007): online version.

Brodnik, Melanie S. et al. Fundamentals of Law for Health Informatics and Information Management, Second Edition. Chicago, IL: AHIMA Press, 2012.

Substance Abuse and Mental Health Services Administration. “Applying the Substance Abuse Confidentiality Regulations.” April 28, 2015. www.samhsa.gov/about-us/who-we-are/laws/confidentiality-regulations-faqs.

Prepared By

Rita Bowen, MA, RHIA, CHPS, SSGB
Alisa Chestler, JD
Donna F. Coomes, MBA, RHIA, CHPS, CPHQ, CCS
Julie A. Dooling, RHIA, CHDA
Brenda Fuller, MSL, RHIA, CHC
Christina Grijalva, RHIA
Annessa Kirby
Tanya Kuehnast, MA, RHIA, CHPS
Elizabeth Stewart, RHIA, CCS, CRCA


Becky Buegel, RHIA, CHP, CDIP, CHC
Kenneth D. Clyburn, RHIA, CHPS
Marlisa Coloso, RHIA, CCS
Angie Comfort, RHIA, CDIP, CCS
Katherine Downing, MA, RHIA, CHPS, PMP
Elisa Gorton, MAHSM, RHIA, CHPS
Dorothy M. Hendrix, PhD, RHIT
Lesley Kadlec, MA, RHIA
Jeanne Mansell, RHIT
Kelly McLendon, RHIA, CHPS
Bibiana VonMalder, RHIT
Diana Warner, MS, RHIA, CHPS, FAHIMA
Henri Wynne, MA, RHIT

Article citation:
Bowen, Rita K.; Chestler, Alisa; Coomes, Donna; Dooling, Julie A; Fuller, Brenda; Grijalva, Christine; Kirby, Annessa; Kuehnast, Tanya; Stewart, Elizabeth. "Policy and Procedure Considerations for Health Information Exchange Organizations" Journal of AHIMA 86, no.8 (August 2015): 36-39.