As They Grow, HIEs Face New Privacy Protection Issues

For quite some time, providers have struggled with how to manage and protect the PHI that flows across their internal networks.

Now, the game is getting even tougher. Joining HIEs puts an even greater strain on the process; after all, keeping your internal data safe is one thing, but seeing that only authorized outside parties get the data makes the picture far more complex.

“We’re really struggling with this,” says attorney Bill Freedman, a partner in the Cincinnati office of Dinsmore & Shohl, LLC, who works closely with a number of health providers. “If you have, say, 32 entities in an HIE, does the patient have to authorize data use for each one?”

According to Freedman, the law still isn’t clear on some critical issues related to HIE data sharing:

* Under HIPAA, other facilities can access HIE-based patient data if it’s used for treatment, billing/payment or operations. Some legal minds have interpreted data sharing for archival purposes as “operations,” but others disagree. And if the HIE data can’t be shared freely without explicit permission, you’ve got some serious logistical issues.

* If a state has tougher privacy protection laws than HIPAA in place — which happens regularly — providers must abide by those, not the HIPAA rules, Freedman notes. Some hospitals are locking down data access until it’s clearer how state law and HIPAA ultimately interact.

As if these issues weren’t difficult enough, providers must also make a point of tracking who accessed a patient’s file, and when they did so. This is a complicated and difficult security issue even within one facility; tracking access across facilities and data exchange points is yet another level of complexity.

Then add on the fact that providers (especially doctors, who have the most contact with the patient) must manage and keep track of what disclosure agreements patients have signed, and things get even trickier.

I’m confident that HIE members will eventually work all of this out, but we haven’t heard the last of these issues either. Seems to me they should keep security geeks in the money for many years to come!

About the author

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

  • “If you have, say, 32 entities in an HIE, does the patient have to authorize data use for each one?” – My answer would be yes, which is quite trivial if you use XACML Policies to control HIE ROIs.

    According to ONC’s NHIN standards, every HIE request must state (in its header) the purpose of the request (Treatment, Payment, Operations, Benefits, Eligibility). This purpose can be matched against the patient’s privacy policy.

    In our HIE, that’s exactly the way we work. Anne, if you want to follow up more on this with me, please feel free to contact me.
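The purpose-of-use check the commenter describes, written out as an added example (not the commenter's, any HIE's, or a real XACML implementation): a request carrying a purpose header is matched against a per-patient policy, and each decision is written to an audit record, which is the cross-entity access tracking the post says providers must manage. The policy fields, the opt-out flag and the per-entity block list are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Purpose-of-use values the comment says every exchange request must carry in its header.
PURPOSES = {"Treatment", "Payment", "Operations", "Benefits", "Eligibility"}


@dataclass
class PatientPolicy:
    """Constructed, simplified patient privacy policy (assumed shape, not an XACML document)."""
    opted_out: bool = False   # opt-out model: the patient is included unless they say otherwise
    allowed_purposes: set = field(default_factory=lambda: {"Treatment", "Payment", "Operations"})
    blocked_entities: set = field(default_factory=set)  # participating entities the patient excluded


@dataclass
class Request:
    patient_id: str
    requester: str   # participating HIE entity making the request
    purpose: str     # purpose-of-use taken from the request header


AUDIT_LOG = []  # one record per decision: who asked, about whom, why, and the outcome


def decide(req: Request, policy: PatientPolicy) -> str:
    """Return 'Permit' or 'Deny' for one HIE request and append an audit record."""
    if req.purpose not in PURPOSES:
        decision = "Deny"  # unknown or missing purpose: fail closed
    elif policy.opted_out:
        decision = "Deny"  # patient opted out of the exchange entirely
    elif req.requester in policy.blocked_entities:
        decision = "Deny"  # patient excluded this specific entity
    elif req.purpose not in policy.allowed_purposes:
        decision = "Deny"  # e.g. archival use a patient never authorised
    else:
        decision = "Permit"
    AUDIT_LOG.append({"patient": req.patient_id, "requester": req.requester,
                      "purpose": req.purpose, "decision": decision})
    return decision


def demo() -> list:
    """Evaluate a few constructed requests against constructed policies."""
    default = PatientPolicy()
    opted_out = PatientPolicy(opted_out=True)
    selective = PatientPolicy(blocked_entities={"Clinic B"})
    return [decide(Request("p1", "General Hospital", "Treatment"), default),
            decide(Request("p1", "Archive Co", "Eligibility"), default),
            decide(Request("p2", "General Hospital", "Treatment"), opted_out),
            decide(Request("p3", "Clinic B", "Treatment"), selective),
            decide(Request("p3", "Clinic A", "Treatment"), selective)]
```

Because every branch lands in AUDIT_LOG, denied requests are as visible to the auditor as permitted ones, which is what lets an exchange answer "who tried to read this record, and when" across member organisations.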

  • The State of Kansas has taken an interesting approach. They’ve been watching this situation for years. They first started by rewriting a number of their laws to correspond to various Federal laws to help eliminate confusion and create consistency. Some State laws were simply retired in favor of their Federal counterparts.

    Now, as far as a patient having to authorize multiple sites to access their PHI from an HIE, Kansas has decided to centralize this function. Their process removes the burden from hospitals and physicians. Simply put, any organization that participates in the State HIE will have to include a little blurb in their Notice of Privacy which essentially says that Kansas is an “Opt Out” state. This means unless you indicate otherwise you will be included in the HIE. Additionally, if a patient wishes to Opt Out they must contact a State office (or website). The provider will not be responsible for managing this issue. The program also indicates that if a patient’s PHI is improperly disclosed through the HIE it will be the State’s responsibility, not the provider’s.

    I’m sure I’m doing a horrible job of summarizing the program. However, I thought it might be interesting. 🙂
