Ensuring Privacy and Confidentiality
The increasing use of electronic health records enables providers to send a patient’s personal health information wherever it’s needed, both easily and quickly. With the capabilities of health information exchange, all aspects of patient information can be widely disseminated, if necessary.
That’s both the blessing and the curse of digital information and the various modes available to share it. From a patient privacy and confidentiality standpoint, this mobility of information creates new risks and concerns in safeguarding personal health information.
Weighing Connectivity Vs. Privacy Concerns
Provider organizations and their HIT executives face several levels of concern. First and foremost, they are responsible for protecting information within their organization and complying with all federal privacy requirements, particularly the Health Insurance Portability and Accountability Act (HIPAA) as well as state laws.
The success of health information exchange is dependent on many factors, including the trust that patients and providers have in the accuracy of health information made accessible through HIE, and the confidence that the health information organization is facilitating appropriately authorized and authenticated access to the health information in accordance with the patient's consent.
The passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act provisions, within ARRA, represented a significant change in the applicability of HIPAA to HIE. Under the HITECH Act, HIOs will be directly obligated to comply with the HIPAA regulations as HIPAA "business associates" of healthcare providers. Up until HITECH, HIOs were subject to privacy and security rules only indirectly through their contracts with providers. As business associates, HIOs will need to have extensive policies and procedures in place to comply with the HIPAA Privacy and Security regulations, and will need contracts in place with their subcontractors that receive health information. HIOs are required to demonstrate the same rigor required of healthcare provider organizations. They will need to have policies that control how the HIOs use and disclose health information and how they will protect patient rights.
HIOs will be required to notify their participating healthcare providers of data breaches. Also, HIOs will be required to comply with state privacy regulations, particularly in those states where laws are more stringent on patient privacy.
As new federal HIPAA rules raise requirements for HIOs, healthcare organizations that are participating in HIE can expect them to be well versed in their privacy and confidentiality obligations. However, because of the potential damage that could result from being even tangentially related to a release of patients’ personal health information, healthcare organizations must be extremely careful in entering into partnerships with HIOs, ensuring that they have clear privacy and security policies for accountability, transparency, consent, access, and use and disclosure of personal health information.
The Importance of Protecting Patient Privacy in Health Information Exchange
To ensure trust in the HIO, among both providers and patients, the HIO must demonstrate it will take the protection of patient privacy seriously. The protection of privacy, as part of the mission of the HIO, makes it clear to all stakeholders that the clinical or administrative value of HIE and the protection of health information are irrevocably linked by all participants. A clear statement of privacy and security principles and information about privacy and security policies, communicated in terms that patients understand and available in multiple mediums to facilitate patient access, will underscore the importance of patient privacy and the patient-centeredness of HIE.
There are two models for gaining consent from patients to have their data shared via an HIE:
"Opt-in consent" usually requires affirmative authorization from the patient, often through signing a standardized consent form, before a patient's health information may be exchanged through the network.
"Opt-out consent" may include, but does not require, that an organization gives notice, via a mailing, brochures or posted notice, at which point the patient can object to having his or her health information exchanged through the network.
Hybrid models of consent are available as well, such as allowing patients to opt out of health information flowing to the HIO, but requiring opt-in consent to take health information out of the HIO.
The decision about which consent model to adopt is complicated and involves several factors, including:
The education and outreach to patients about their options for consent, to facilitate informed decision making
HIOs’ Approaches for Communicating with Patients
Many HIOs are seeking to achieve best practices in communicating their privacy and security policies to patients and to other entities in the care delivery network, both to gain a competitive advantage in the market and to offer the highest potential assurance to those involved with HIE.
The Health Information Security and Privacy Collaboration (HISPC/2007-2009) brought stakeholders from several states together to address and make recommendations on the privacy and security challenges in HIE, with the goal of identifying replicable steps that can build patient understanding and trust in HIE. Many communities have taken the recommendations and customized them to address the particular needs of their states to inform patients about HIE privacy, security and confidentiality policies, how complaints will be handled, how individuals will be informed of a violation and existing remedies available to them.
A review of several HIE-specific materials identified key themes:
Make the principles available in plain language
Make the policies available in multiple mediums – print brochures, websites with information including self-directed tutorials
Develop FAQs and a glossary of terms
Utilize media to amplify the message to the larger public – posters, print ads, PSAs, videos
Consider the literacy levels and languages spoken by the patients receiving the information
Develop a process to measure and improve on the effectiveness of patient education about privacy and security policies
Healthcare organizations looking to contract with an HIO should determine the HIO's degree of commitment to following good security and privacy practices and its effectiveness in communicating that information to patients.