Healthcare Information Security

Cybersecurity News

Health Data Privacy Top HIE Concern According to GAO Report

By Sara Heath

As the push for interoperability continues, health information exchange (HIE) stakeholders face hurdles with regard to health data privacy. The U.S. Government Accountability Office (GAO) consulted 18 EHR interoperability stakeholders regarding their largest hurdles in the interoperability push, with a resounding number of stakeholders citing health data privacy as a primary challenge.

health data privacy HIE security top concern for EHR interoperability

Stakeholders state that health data security poses many challenges to EHR interoperability because security policies differ from state to state. Specifically, the report says many states have different policies regarding explicit patient consent for HIE, and many providers are concerned that other providers have not obtained adequate consent before exchanging information. The variation between opt-in and opt-out state policies is a significant contributor to this problem.

As reported by, opt-in programs are when patients volunteer their information to be available via HIE. Opt-in programs assume that the patient does not wish his or her information to be shared unless explicit consent is given.

In contrast, opt-out programs assume the patient does consent to his or her information being shared unless explicitly stated otherwise. The disparity between the two policies creates an issue for interoperability because many practitioners may be apprehensive about whether patient consent was indeed provided.

The issue of health data security may be further exacerbated by differing policies regarding certain types of health information such as behavioral health information or HIV status, GAO reports. Due to the sensitivity of this information, many states require an added level of patient consent when sharing this information. Many current EHRs do not provide a note of assurance that consent had indeed been obtained, thus making it easy for prohibited health information to be gathered and integrated with other information. Many providers worry that this puts them at risk for breaching privacy rules.

The GAO report also provides details on how certain EHR interoperability stakeholders are approaching this problem. Eleven out of the 18 stakeholders consulted for the report state that they are addressing this issue, with six of those 11 stating that they are addressing the problem of assuring patient consent. This would allow EHRs to keep track of which information patients have consented to having shared, as well as keep track of other patient preferences.

One of the emerging strategies for keeping track of patient consent includes one that puts the control in the patient’s hands. This would enable patients to electronically document whether or not they had consented to certain pieces of their health information to be shared.

Other initiatives include developing EHR systems that allow providers to control which patient information is shared and which isn’t. This would prevent entire patient files from being shared when they have not consented to, while still sharing information that is consented to.

Despite these EHR initiatives, many of the stakeholders expressed that it will take other outside actions to secure patient information across interoperable systems. For example, six stakeholders stated that it will take government oversight and guidance to create standards regarding HIE security. Others explain that increased provider education on HIE security is critical in enhancing EHR interoperability.

The large issue with health data security on interoperable systems is a testament to the importance of patient privacy. Regardless of current initiatives being made by interoperability stakeholders, it is important that all providers remain up-to-date on HIPAA guidelines and best practices for HIE security.


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks