On February 17, 2010, the Government Accountability Office (GAO) released its Report to Congressional Committees on Electronic Personal Health Information Exchange (GAO-10-361), a study initiated to promote the use of information technology for the electronic exchange of health information among providers and other health care entities involved in the delivery of health care services. The many benefits of appropriate and well-designed electronic exchange of health information motivated Congress to pass the Health Information Technology for Economic and Clinical Health (HITECH) Act as part of the American Recovery and Reinvestment Act of 2009 to incentivize the adoption of technology to promote such electronic information exchange. While the GAO study does not provide particularly unexpected results, the report confirms the common adoption by health information exchanges (HIEs) of seven elements of the Fair Information Practices underlying the regulations and policies of the Health Insurance Portability and Profitability Act of 1996 (HIPAA) and validates the purpose of HIE and electronic information exchange.
The Study Design
The study focused on case studies of four HIEs of approximately 60 HIEs reported to be operational. Within these case studies, the GAO also studied a selection of the providers identified as active participants in the HIEs. Additionally, the GAO interviewed two integrated health care delivery systems, two professional associations and a state electronic health collaborative. The study took place between May 2009 and February 2010.
Standards and Rules Applicable to Exchange of Health Information
It is currently unclear exactly which set of federal regulations establish privacy and security requirements of HIEs, but in general, HIEs have adopted the core elements upon which HIPAA’s privacy and security regulations were based. In the coming weeks, the issuance of the anxiously awaited HITECH regulations may clarify the extent to which HIPAA’s Privacy and Security Rules may apply to information exchange by HIEs.
After establishing the privacy principles adopted by HIEs, the report examined and noted the following benefits of a successful information exchange:
- Increased patient safety
- Improved quality of health care
- Enhanced efficiency of administrative functions
- Reduced costs
- Decreases in the duplication of diagnostic procedures
- Prevention of medical errors
None of these stated benefits surprises health care entities working in health information technology, and all of them have consistently been offered as justifications for incentivizing providers and health care entities to convert to electronic health information records.
Many of the hospitals in western North Carolina have joined an exchange linking the data from their facilities to other area facilities to coordinate patient care and improve outcomes. To date, participants in the exchange have had positive interactions with each other and have found the electronic exchange of information has confirmed many of the findings of this report. The success of this program in western North Carolina should provide further incentive to hospitals in other areas of the state to investigate whether joining a health information exchange is an appropriate step toward more streamlined and coordinated patient care for the patients living in their service areas.
Keep in mind, as North Carolina providers continue to grapple with how to design an effective, yet protected, statewide health information superhighway, this GAO report, other studies, and experts in the field gain significance. Joining a HIE raises many legal issues—particularly liability, privacy and security issues—such that involving a qualified consultant or attorney to prepare or review the necessary agreements, as well as associated policies and procedures, is essential to maximizing the benefits of health information exchange while minimizing the potential risks.
Commonly Implemented Fair Information Practices of HIEs
- Informing individuals about the use of their information and how it is to be protected
- Obtaining individual consent
- Facilitating individual access to and correction of records
- Limiting use and disclosure to a specific purpose
- Providing security safeguards
- Ensuring that data is accurate, timely and complete
- Establishing accountability for how personal information is protected
This article was originally written by Kim Licata, who is no longer associated with Poyner Spruill.