Health Information Exchanges: What Your Client Needs You To Know
By Karen Chrisman, GOEHI, Cabinet for Health and Family Services, Frankfort, KY
The HITECH Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA), signed into law by President Barack Obama on February 17, 2009, authorizes funding for the development of health information exchanges in the United States.1 The Office of the National Coordinator for Health Information Technology (ONC) is the principal federal office coordinating nationwide efforts to implement and advance health information technology and the electronic exchange of health information.2
The ONC administers HITECH funds and specifically the State Health Information Exchange (HIE) Cooperative Agreement Program funds. These funds are conceptualized as a means to “rapidly build capacity for exchanging health information across health care systems within the states and across state lines. The program is to concentrate on state-level exchange while moving toward nationwide interoperability.” Each state designates an entity to receive ONC funding to facilitate state HIE efforts, including meeting the meaningful use requirements that can be addressed by HIE connectivity.3
The State Health Information Exchange Cooperative Agreement Program required the establishment of two positions. 1) A State Government Health Information Technology Coordinator (State HIT Coordinator), an individual who is a state government official and who must coordinate state government participation in HIE, and 2) a State Designated Entity (SDE) that may be either a component of state government or a not-for-profit entity. This entity must be designated by a letter from the governor of the state it represents and must have the necessary authority to execute the ONC approved State Strategic and Operational Plan.4
On July 6, 2010 the ONC issued a Program Information Notice (PIN) to State Information Exchange Cooperative Agreement Program Award recipients. The PIN required the SDE receiving ONC funding to outline in its State Strategic and Operational Plan “a concrete and operationally feasible plan to address and enable these three HIE capabilities in the next year:
- Receipt of structured lab results
- Sharing patient care summaries across unaffiliated organizations.”5
These three goals are designed to guide the work of the Cooperative Agreement Award recipients, the State (HIT) Coordinators and the SDEs during their first year. Each state is to work toward the goal of eventually developing the functionality to connect to the national health information exchange, the National Health Information Network (NHIN).6
HEALTHCARE PROVIDERS AND THEIR LEGAL COUNSEL
This is an innovative initiative and uncharted territory. Healthcare providers are positioned to connect to existing and evolving exchanges. The recent federal funding may organize the market since the purpose of the SDE is to provide at least one option for HIE connectivity. However, many states already have existing exchanges, and providers will have a choice in HIE connection.7 Several issues for providers and their counsel to think about when considering HIE connectivity include:
- The governance structure of the HIE and required HIE contracting
- Policy framework of the HIE
- Consent policy of the HIE
- Meaningful Use and added value elements offered by the HIE
HIEs are structured as varying legal entities, including for-profits, non-profits and state agencies. Their governance structures also vary. A recently released white paper studying the governance structure of the 56 SDE8 strategic and operational plans9 categorized the governance structures of the exchanges along a continuum of centralized, decentralized, and hybrid models.10 The centralized models rely on an SDE that constructs a HIE for the entire state.11 In the decentralized model, the SDE is a facilitator and elevator, setting policy and providing structure for existing health information organizations and hospital exchanges to connect and form a statewide entity.12 A hybrid model may consist of any of the characteristics of these two models.13
A healthcare attorney should advise a client to inquire into the manner that stakeholder input contributes to the governing structure of an exchange and the process providers utilize to provide input into the governance of the HIE. In and of itself, the governance structure may not be a determining factor for the healthcare provider when selecting a HIE. But, robust stakeholder input into the governance of the exchange is a factor encouraged by the ONC framework for HIE. Stakeholder input is defined as meaningful input into the governance structure from doctors, nurses, healthcare administrators, state Medicare officials and public health. This input is part of the five required domains of key accomplishments for cooperative agreement recipients and an advantage for providers.14 Stakeholder input ensures that healthcare providers have collaborated in the process of the governance structure of the HIE.
The important aspects of the HIE contracting documents are the obligations of the HIE for operation of the exchange. How is the governance structure of the HIE described in the document, what are the fees charged and what is the availability of the exchange? The contracting documents should also detail the exchange security responsibilities and the software the exchange is providing. Further, there should be a business associates agreement for the HIE, according to 45 CFR § 160.103.15
Healthcare attorneys will want to review the contracting documents for their healthcare clients for sections that define the uses the other participants and the exchange can make of the data provided by the client. These provisions are normally of paramount importance to the data provider. Without this use specifically delineated in the agreement, the healthcare provider, as the provider of the data, does not have control over the uses of the data. The healthcare attorney should look for these provisions and specifically question the leadership of the HIE concerning the current and planned uses of the data furnished to the HIE. HIE has many purposes and healthcare providers must ensure that the exchange they partner with meets their individual needs. The data uses should be clearly defined in the agreement. For example, the Participation Agreement for the Governor’s Office of Electronic Health Information, the SDE for the state of Kentucky,16 relies on the HIPAA definitions of treatment, payment and healthcare operations to define the uses that participants can make of the data in the exchange.17 The agreement further provides that the exchange can only use the data for the operation of the master patient index and record locator service, both mechanisms that facilitate the location of patient records. Any other use of the data provided by the healthcare provider must be specifically approved by the provider of the data.
Operating exchanges with contracting documents in the public domain are relatively rare. The Washington and Kentucky HIE contracting documents are available examples of documents in use by operating exchanges. Both of these agreements are standardized agreements and all participants sign the same agreement. The web site of the lead organization of the SDE of Washington State, One HealthPort, advises that One HealthPort will start contracting in May of 2011.18 At seven pages, the Participation Terms and Conditions are relatively brief, when compared to the Participation Agreement of GOEHI, the SDE of the state of Kentucky and the state agency operating the Kentucky Health Information Exchange (KHIE). The GOEHI agreement, including the business associate agreement, is twenty-eight pages. However, the Kentucky HIE is fully operational, having been in pilot since April of 2010 and in full state roll-out since January 2011.19
NHIN, the national health information exchange, will serve as the national platform for connectivity for all of the developed state HIEs.20 The DURSA is the model agreement being developed for use by participants in NHIN.21 The Frequently Asked Questions that preface the DURSA describe the agreement as follows:
The Data Use and Reciprocal Support Agreement (DURSA) is a comprehensive, multi-party trust agreement that will be signed by all NHIN Health Information Exchanges (NHIEs), both public and private, wishing to participate in the National Health Information Network. The DURSA provides the legal framework governing participation in the NHIN by requiring the signatories to abide by a common set of terms and conditions. These common terms and conditions support the secure, interoperable exchange of health data between and among numerous NHIEs across the country.22
The DURSA is also a valuable agreement for review since many HIE agreements are modeled upon it or on the terms contained in the DURSA.
POLICY FRAMEWORK OF THE HIE
Health information exchange includes the development of policies and procedures for the operation of the HIE. Governance models will determine the necessity for, and the type of, policies needed to operate the HIE. The HITECH Act requires that a HIE organization that requires access on a routine basis to protected health information on behalf of a covered entity enter into a written contract.23 While not final, the proposed federal regulatory rule defines a business associate to include a “Health Information Organization, E-prescribing gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.”24
Healthcare counsel should inquire as to policies concerning breach notification by the HIE in case of a security event.25 The HIE should have an audit capacity both to advise the covered entity of uses of the data by the covered entity’s users and to allow the covered entity to respond to requests for disclosures under 45 CFR § 164.528.
CONSENT POLICY OF THE HIE
HIEs differ in the patient authorization they require for sharing the patient’s protected health information. According to the guidance provided by the Centers for Medicare & Medicaid Services (CMS), providers are advised that HIPAA does not require patients to sign consent forms before doctors, hospitals, or ambulances can share personal health information about patients for treatment purposes.
Additionally, no prior consent is required for the permissive disclosure and sharing of personal health information for a number of defined purposes. These include circumstances when personal health information is used for treatment, payment and healthcare operations.26 Grounded in this legal foundation, many HIEs are sharing patient health information without any additional consent. The consent options for electronic exchange include the following:
- No consent: Health information of patients is automatically included—patients cannot opt-out. This model is typically used in states that require no additional provisions for electronic health information beyond the floor or baseline set by the federal HIPAA regulations;27
- Opt-out: Default is for health information of patients to be included automatically, but the patient can opt-out completely;28
- Opt-out with exceptions: Default is for health information of patients to be included, but the patient can opt-out completely or allow only select data to be included or select data to be provided to select providers;
- Opt-in: Default is that no patient health information is included; patients must actively express consent to be included, but if they do so then their information must be all in or all out;29 and
- Opt-in with restrictions: Default is that no patient health information is made available, but the patient may allow a subset of select data to be included for specific purposes or for specific providers.30
The consent model of the HIE a healthcare provider selects is an important consideration because consent is often managed at the provider level. The provider will be responsible for explaining the electronic exchange of medical records to the patient and taking any desired action on behalf of the patient to modify the patient’s consent.
In February of 2010, the United States Government Accountability Office released a case study of electronic personal health information exchange that included in-depth case studies of four HIEs. In each HIE studied, all providers were managing the authorization of consent for the patient’s health record for electronic exchange.31 This is an important trend for the provider and provider’s counsel to be aware of, and counsel should advise the provider concerning the implications. Depending on the HIE, the healthcare provider and counsel may take no action, the HIE may recommend a change to the provider’s HIPAA Notice of Privacy Practices or the provider may elect to take independent action, such as changing the Notice of Privacy Practices to advise the patient that the patient’s records are being made available to the exchange.32
MEANINGFUL USE AND ADDED VALUE ELEMENTS OF THE HIE
The vision of the HITECH Act is to make significant and measurable improvements in the nation’s healthcare system. Key goals of the incentive program for electronic medical records are to improve the quality, safety and efficiency of the U.S. healthcare system and to remove the disparities that exist in the U.S. healthcare system. The incentive program requires a provider to not only adopt the electronic medical record, but also to be able to capture certain measures, and use the medical record to report required fields of data.33 Several of the meaningful use measures can be achieved with the assistance of HIE.
Of the fifteen professional core measures required for Stage One Meaningful Use, the capability to electronically exchange key clinical information among providers of care and patient authorized entities can be accomplished by the use of HIEs.
From the menu set of objectives for eligible providers and hospitals, health information exchange can assist with the following:
- Medication reconciliation, defined as the process of identifying the most accurate list of all medications that the patient is taking, including name, dosage, frequency, and route, by comparing the medical record to an external list of medications obtained from a patient, hospital, or other provider.
- The capability to submit electronic data to immunization registries, and actual submission where required and accepted.
- The capability to provide electronic submission of reportable lab results to public health agencies, and actual submission where it can be received.
- The capability to provide electronic syndromic surveillance data to public health agencies, and actual transmission according to applicable law and practice.34
These functions are required for Stage One Meaningful Use35 and should be offered by the exchange. The interface between the providers’ electronic medical record and the exchange will be a cost allocated to the provider. For this cost the provider will be well-advised to know when the exchange will be able to meet the Stage One Meaningful Use measures. However, one additional question the provider should ask of the HIE leadership is whether the exchange will provide additional added-value elements through the same interface now or in the future.
It is expected that the federal Stage Two and Stage Three Meaningful Use requirements will evolve to include more robust measurements across the patient-care spectrum, including care coordination, patient safety, preventive health, at-risk populations and the general patient-caregiver relationship.36 This will require continued enhancements to the data collection infrastructure and collection tools. The provider should inquire as to the future plans of the HIE to address these needs and requirements.
THE FINAL GOAL
Across the United States, 56 SDEs are working on health information connectivity. The goals set for this project are admirable and meaningful. Healthcare attorneys well-informed about HIE will be an additional asset in this evolving landscape that can lead to better healthcare for all Americans.
1. See HITECH Act, Section 3011 et seq., codified at 42 U.S.C. 300jj-31 et seq.; Title IV, Division B, codified at 42 U.S.C. 1395 w-4.
3. Web link
Requirements and Recommendations for the State Health Information Exchange Cooperative Agreement Program. ONC-HIE-PIN-001. July 6, 2010. Link
6. State Health Information Exchange Cooperative Agreement Program Frequently Asked Question (link). NHIN is the national health information exchange that will serve as the national platform for connectivity for all the developed state HIEs.
The summaries of available approved State Strategic and Operational Plans show the following have multiple exchanges operating in their state: Indiana, five; Michigan, three; North Carolina, seven; Tennessee, three; and Texas, seven. http://statehieresources.org/state-plans/
A listing of the 56 State Cooperative Agreement Awardees is available at this link
States (including territories) or their non-profit SDEs were eligible to apply, as designated by the state. No more than one award was available per state. States could choose to enter into multi-state arrangements.
“Governance Models for Health Information Exchange”, Jennifer Covich, Diane R. Jones, JD, Genevieve Morris and Matthew Bates, MPH, eHealth Initiative, January 2011
Examples of centralized governance models for SDEs are Kentucky, Idaho, Nebraska, New Mexico, South Carolina and Utah.
Examples of decentralized governance models for SDEs are Indiana and Texas.
Examples of hybrid governance models for SDEs are Illinois, Michigan, North Carolina, Oregon, Tennessee and Washington.
American Recovery and Reinvestment Act of 2009, Title XIII-Health Information Technology, Subtitle B-Incentives for the Use of Health Information Technology, Section 3010, State Grants to Promote Health Information Technology, State Health Information Exchange Cooperative Agreement Program, Funding Opportunity Announcement, Office of the National Coordinator for Health Information Technology, Department of Health and Human Services, 2009. The five program domains are governance; finance; technical infrastructure; business and technical operations; and legal/policy. The announcement further elaborates that a governance structure should achieve broad-based stakeholder collaboration with transparency, buy-in and trust, page 12.
http://www.grants.gov/search/basic.do CFDA # 93.719 EP-HIT-10-002
15. See the definition of business associate that includes (3)(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information of a covered entity and that requires access on a routine basis to such protected health information. 75 Fed. Reg. 40912 (2010)
45 CFR § 164.501
The DURSA is available on the website of the Office of the National Coordinator for Health Information Technology at this link.
HITECH Act, Section 13408
45 CFR § 160.103 (3)(i), 75 Fed. Reg. 40912 (2010)
45 CFR § 164.410
See Department of Health and Human Services, Medical Privacy of Protected Health Information, Information for Medicare Fee for Service Professionals (June 2009) available at this link and 45 CFR § 164.514
27. Examples of no consent HIEs are Indiana IHIE and Delaware DHIN, Consumer Consent Options for Electronic Health Information Exchange: Policy Considerations and Analysis, Melissa M. Goldstein, JD and Alison L. Rein, MS. White Paper prepared for the Office of the National Coordinator for Health Information Technology, March 23, 2010, p. 13. Virginia and Tennessee information taken from the State Strategic and Operational Plans of each state.
Examples of opt-out consent HIEs are CRISP of Maryland and Carespark of Tennessee, Goldstein supra, at 15. Kentucky, Nebraska, New Mexico and South Carolina information taken from the State Strategic and Operational Plans of each state.
29. Examples of opt-in consent HIEs are Massachusetts, Rhode Island and Vermont; information taken from the State Strategic and Operational Plans of each state.
Goldstein, supra, note 24 at p 5-7
31. Electronic Personal Health Information Exchange, Health Care Entities’ Reported Disclosure Practices and Effects on Quality of Care, United States Government Accountability Office, Report to Congressional Committees, February 2010, Appendix II Case Studies
32. The University of Nebraska Medical Center is including a notice of HIE in their Notice of Privacy Practices, see http://www.unmc.edu/npp.htm
33. Web link
35. 75 Fed. Reg. 44569 – 44571 (2010)
36. In the CMS press release announcing Definition of Meaningful Use of Certified Electronic Health Records Technology CMS stated, “the Final Stage 2 would expand upon the Stage 1 criteria in the areas of disease management, clinical decision support, medication management support for patient access to their health information, transitions in care, quality measurement and research, and bi-directional communication with public health agencies. These changes will be reflected by a larger number of core objective requirements for Stage 2. CMS may also consider applying the criteria more broadly to the outpatient hospital settings (and not just the emergency department). Information exchange is a critical part of care coordination and we expect that the infrastructure will support greater requirements for using health information exchanges for Stage 2.” See this link for more information.
The ABA Health eSource is distributed automatically to members of the ABA Health Law Section.