Healthcare Information Security

Cybersecurity News

Breaking Down HIPAA Rules: HIE Security

By Elizabeth Snell

- HIE security is an increasingly important issue, especially as the push for interoperability continues. We’ve previously discussed how the HIPAA Omnibus Rule made important impacts on several aspects of HIPAA rule, and how covered entities must work to keep patient data secure. This week, we’ll review the importance of HIE security, and how it coincides with certain aspects of HIPAA, as well as interoperability progress.

The Omnibus Rule was designed to accommodate for technological advancements, as well as to help balance rules and regulations pertaining to covered entities and the Health Information Technology for Economic and Clinical Health Act (HITECH). Secure HIEs are becoming an increasingly important issue, especially as numerous states are working to develop and implement options that meet all regulations but do not hinder clinician workflow.

“This final rule is needed to strengthen the privacy and security protections established under the Health Insurance Portability and Accountability of 1996 Act (HIPAA) for individual’s health information maintained in electronic health records and other formats,” the authors of the Final Rule wrote. “This final rule also makes changes to the HIPAA rules that are designed to increase flexibility for and decrease burden on the regulated entities, as well as to harmonize certain requirements with those under the Department’s Human Subjects Protections regulations.”

So how exactly does this affect HIEs? How is the federal government hoping to help covered entities ensure HIE security is a top priority? takes a closer look.

HIEs and business associates

READ MORE: AHIMA Notes Cybersecurity Prep, HIPAA Compliance as Focus Areas

A major aspect of the Omnibus Rule was the change stating that to determine whether an organization is a business associate or a conduit depends on the access they have to PHI provided to them by a covered entity.

“A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires routine access to such protected health information,” is a new class of business associate, according to the final rule.

Moreover, the nature of a business associate is determined by actions, not the contracts.

“Therefore, liability for impermissible uses and disclosures attaches immediately when a person creates, receives, maintains, or transmits protected health information on behalf of a covered entity or business associate and otherwise meets the definition of a business associate,” the rule states.

This is important because as HIEs and other health information organizations (HIO) are now considered business associates, they must also understand their role in notifying individuals affected by a health data breach.

READ MORE: Maintaining HIPAA Compliance in Social Media Interaction

The future of HIEs

The Office of the National Coordinator for Health Information Technology (ONC) hopes to improve interoperability across the nation and encourage HIE use over the next decade. In particular, patient matching is an important aspect of this improvement.

By incorporating a standardized patient data set, healthcare organizations can ensure that patient records are linked to each other in the HIE. Moreover, physicians can then access a full medical history before determining the most appropriate treatment for patients. The goal is that by adopting a uniform patient matching data set, medical errors will decrease and the overall quality of health information will be improved.

According to an ONC strategy paper from 2013, Stage 3 of the EHR Incentive Programs will also include requirements for advanced HIE.

“A significant number of commenters supported, and recommended extending, many current CMS efforts through the Center for Medicare and Medicaid Innovation (Innovation Center) to develop new processes and support ‘outside of the box’ policy approaches in areas where current regulations restrict access and funding,” the paper explained. “Many commenters recommended adding specific requirements for HIE in the new payment models.”

READ MORE: ONC: HIPAA Regulations Help, Not Hinder Interoperability

Moreover, the Health IT Policy Committee recommended in their comments that CMS require HIE in all advanced payment programs and Medicaid waivers.

Data security is also a top issue that federal organizations are keeping in mind for HIE growth. The ONC released the results of a survey on six states that was done to better understand the overall impact of the State Health Information Exchange (HIE) Cooperative Agreement Program (the State HIE Program). The State HIE Program was created in 2009 to encourage the secure exchange of health information.

Furthermore, changes to privacy legislation helped facilitate HIE progress in some instances, according to the report. For example, some stakeholders said that the opt-in consent model was an impediment to the program. In this type of HIE model, patients must give their consent so providers can exchange their health data.

In the study, stakeholders said it was too early to truly know the long-term impact of the State HIE program, but that the value would definitely increase over time because Accountable Care Organizations (ACOs), Patient Centered Medical Homes and new payment models would also increase in use.

“Critically, the program established the foundational elements necessary for exchange, including governance and technical structure, privacy and security policies, and stakeholder collaboration,” the report said.

Overall, more time is needed to fully see how interoperability and the use HIEs will impact the healthcare industry. However, it is clear that the government plans to continue encouraging the use of secure HIEs. The ongoing development and usage of data standards will definitely have an impact in the long term, along with the continued use of the EHR Incentive Program. It remains to be seen if all of the goals of the ONC’s 10-year program will be successful, but if covered entities keep data security a priority, the move toward secure HIEs should be able to stay in line with HIPAA regulations.


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks