The continued push for nationwide interoperability has helped fuel the growth of secure healthcare data sharing. Covered entities and business associates are exploring how to enhance patient care by engaging in health information exchange (HIE), but are also concerned with how they keep that data secure.
Sharing patient information can help providers reduce readmissions, avoid medication errors, and even decrease duplicate testing.
However, healthcare organizations need to consider HIPAA regulations and state privacy rules when it comes to patient information. While HIPAA violation concerns are often cited as a reason for not sharing data, federal agencies are working to ensure that entities know this is not the case.
“HIPAA supports the electronic exchange of information, including contagious disease tracking, provider participation in cancer registries, and monitoring the health of children who have experienced lead poisoning,” said then-ONC Chief Privacy Officer Lucia Savage and CDC Director of the Public Health Law Program, Office for State, Tribal, Local and Territorial Support Matthew Penn, when introducing a fact sheet on the topic.
When providers understand both the potential benefits and barriers of healthcare data sharing, they can take advantage of the process while still maintaining the security of protected health information (PHI).
What are the benefits of healthcare data sharing?
Organizations should understand the potential benefits of secure healthcare data sharing and how they could participate in such a program, or even connect to an HIE.
Genetic studies, cancer/chronic disease registries, substance abuse, population health management, larger-scale analytics, epidemiology/disease tracking, and even interoperability for routine patient care in the emergency department are all potential uses for data sharing.
In addition to its clinical and patient-facing use cases, data exchange is essential for ensuring that best practices can be shared between healthcare organizations, or even between entities in other industries, such as financial institutions or government agencies.
For example, data on insider threat incidents and cyber threat incidents – such as those stemming from a cyber attack – can be shared between healthcare organizations.
“Information sharing is useful for all types of incidents and threats,” HIMSS Director of Privacy and Security Lee Kim, JD, CISSP, CIPP/US, FHIMSS, wrote in a 2017 blog post. “Whether there is a threat of something actually occurring or an incident has actually occurred, both threats and incidents have indicators to help determine what has occurred (in the case of an incident) or what may occur (in the case of a threat).”
Kim added that fostering healthcare information sharing can aid incident communication and potentially prevent future cybersecurity incidents from happening. Entities should know what happened, how it was discovered, what was the loss, harm, or damage, and also be shown proof that the incident happened.
“Information sharing matters because we all need to be aware of what is going on and understand the consequences of what may occur,” she said. “We all can be the eyes and ears of an organization. In addition, we can be gatekeepers, in the sense of assisting our organizations in responding to incidents as soon as they occur.”
What does HIPAA say about healthcare data sharing?
Data security concerns are often one reason that providers are hesitant to share data, but HIPAA was designed to aid data exchange instead of hindering it, according to industry stakeholders.
Former ONC Chief Privacy Officer Lucia Savage wrote a series of blog posts with ONC privacy analyst Aja Brooks, JD, discussing HIPAA Permitted Uses and Disclosures.
“The HIPAA Privacy Rule specifically permits a use or disclosure of PHI for the covered entity that collected or created it for its own treatment, payment, and health care operations activities,” Savage and Brooks wrote.
“Similarly, HIPAA also permits the covered entity that collected or created the PHI to disclose it to another covered entity for treatment, payment, and in some cases, the health care operations of the recipient covered entity.”
The pair stressed that HIPAA allows PHI to be accessed, used, or disclosed interoperably, and that research has even shown that patients assume their PHI is automatically shared between their treating physicians.
However, certain healthcare stakeholders claim that data sharing barriers place a regulatory burden on organizations and also may make entities reconsider data sharing.
The American Hospital Association (AHA) wrote a letter to the House Ways and Means Health Subcommittee in August 2017, claiming that reducing data sharing barriers in current HIPAA regulations will aid healthcare.
HIPAA limits patient data sharing for “health care operations,” AHA noted, which can include quality assessment and improvement activities, such as outcomes evaluation.
“The challenge that strict regulatory prohibition poses in the integrated care setting is that patients frequently do not have a relationship with all of the providers among whom information should be coordinated,” AHA wrote. “A clinically integrated setting and each of its participating providers must focus on and be accountable for all patients.”
“Congress should require that the HIPAA medical privacy regulation enforced by the Office for Civil Rights permit a patient’s medical information to be used by and disclosed to all participant providers in an integrated care setting without requiring that individual patients have a direct relationship with all of the organizations and providers that technically ‘use’ and have access to the data,” the letter continued.
HIPAA also permits the covered entity that collected or created the PHI to disclose it to another covered entity for treatment, payment, and in some cases, the health care operations of the recipient covered entity.
AHA also called out the current restrictions on accessing individuals’ substance use disorder treatment records, as limiting access to this data could potentially endanger patients’ lives.
Further aligning substance use disorder treatment information sharing options with HIPAA regulations will benefit patients. HIPAA allows for the use and disclosure of patient information for treatment, payment, and healthcare operations, the group stated.
HIPAA regulations do allow for information to be exchanged in certain circumstances, including patients being able to access their own data. Covered entities must keep current on federal regulations, and how they are expected to securely share information when it comes to providing proper care.
The 21st Century Cures Act and its effect on data sharing
The 21st Century Cures Act will potentially have a significant impact on how providers share data, as it called for enhanced requirements for health IT interoperability and more precise language around information blocking.
The law includes the threat of financial penalties for providers and vendors who fail to meet interoperability thresholds, sparking concern from many stakeholders.
Penalizing providers and EHR developers will not encourage further information sharing, the EHR Association (EHRA) argued in a 2017 blog post.
Current regulatory requirements such as HIPAA “provide ample policy and enforcement tools related to potential instances of information blocking,” EHRA said in response to a Health Affairs blog post written by Lucia Savage.
“Certainly, not all (or even most) HIPAA misinterpretations by providers can or should be considered information-blocking based on government descriptions,” EHRA wrote.
“The task we should all focus on is education on what HIPAA permits and requires, not punishing providers who make mistakes or simply live in the real world of complex interoperability and HIPAA implementation decisions.”
It is important to understand what true information blocking entails, EHRA said. For example, it is unlikely that an EHR vendor would not “allow” health data sharing with a certain registry because an organization were not a customer.
“Ideally the registry with whom a hospital or other provider wants to share information uses standards-based tools and identifies data requirements that make it straightforward for the provider to submit data,” the blog post stated.
“Of course, if the registry employs a non-standard information exchange approach or requires data elements not captured in the provider’s clinical workflow, which is not uncommon, there reasonably may be fees for creation of any needed interface or other customization necessary to collect the additional data, in addition to any normal fees for integration with the registry, depending on the particular EHR’s architecture and business model.”
The task we should all focus on is education on what HIPAA permits and requires, not punishing providers who make mistakes or simply live in the real world of complex interoperability and HIPAA implementation decisions.
Industry stakeholders have also called for improvements in secure exchange, stating there is a need for standardization and non-discrimination in data sharing.
In response to the 21st Century Cures Act Trusted Exchange Framework and Common Agreement from ONC, the AHA said that a common approach is essential.
ONC must “develop a framework and common agreement solely on the connections across information exchange networks and the rules of the road for those entities,” the organization urged.
“We also recommend that the federal government separately continue to pursue alignment and simplification of the existing privacy and security requirements that apply to health care providers, including those that apply uniquely to federal health care providers,” wrote AHA. “As noted in a recent ONC-funded report by the National Governors Association, these overlapping and sometimes conflicting requirements continue to be an impediment to information exchange.”
In its own response to ONC, HIMSS called for an established common method for authenticating trusted health information network participants. Additionally, organizational and operational policies should enable the exchange of health information among networks, HIMSS wrote.
“The common set of rules for trusted exchange should take into account HIPAA obligations, applicable state law (e.g., protections of certain categories of super protected health information), intellectual property rights (as applicable), and other applicable federal law,” HIMSS said in its letter. “It may be helpful, too, for a crosswalk to be developed to ensure trusted, secure exchange of health information between networks across multiple jurisdictions.”
As ONC continues to fulfill its requirements under the Cures Act, healthcare organizations should consider joining existing information sharing groups, such as the National Health Information Sharing and Analysis Center (NH-ISAC).
ISACs and Information Sharing and Analysis Organizations (ISAOs) can be greatly beneficial in helping covered entities work together to improve patient care and keep daily operations running smoothly.
Secure data sharing requires providers to plan and ensure existing security requirements – such as HIPAA technical safeguards – are in place. Patient care will benefit when data can easily, and securely, move from one provider to another.