For quite some time, providers have struggled with how to manage and protect the PHI that flows across their internal network.
Now, the game is getting even tougher. Joining HIEs puts an even greater strain on the process; after all, keeping your internal data safe is one thing, but seeing that only authorized outside parties get the data makes the picture far more complex.
“We’re really struggling with this,” says attorney Bill Freedman, a partner with the Cincinnati office of Dinsmore & Shohl, LLC, who works closely with a number of health providers. “If you have, say, 32 entities in an HIE, does the patient have to authorize data use for each one?”
According to Freedman, the law still isn’t clear on some critical issues related to HIE data sharing:
* Under HIPAA, other facilities can access HIE-based patient data if it’s used for treatment, billing/payment or operations. Some legal minds have interpreted data sharing for archival purposes as “operations” but others disagree. And if the HIE data can’t be shared freely without explicit permission, you’ve got some serious logistical issues.
* If a state has tougher privacy protection laws than HIPAA in place — which happens regularly — the providers must abide by those, not the HIPAA rules, Freedman notes. Some hospitals are locking down data access until it’s clearer how state law and HIPAA ultimately interact, he says.
As if these issues weren’t difficult enough, providers must also make a point of tracking who accessed a patient’s file, and when they did so. This is a complicated and difficult security issue even within one facility; tracking access across facilities and data exchange points is yet another level of complexity.
Then add on the fact that providers (especially doctors, who have the most contact with the patient) must manage and keep track of what disclosure agreements patients have signed, and things get even trickier.
I’m confident that HIE members will eventually work all of this out, but we haven’t heard the last of these issues either. Seems to me they should keep security geeks in the money for many years to come!