Healthcare organizations have been working hard to implement proper HIE security practices this year, and must continue the process into 2015.
Health information exchanges (HIE) continue to play an increasingly important role in healthcare. With more interoperability, health organizations can quickly and easily exchange patient information between physicians, providers, hospitals, pharmacies, payers, and other healthcare professionals. All of this can typically be done at a reduced cost as well.
But what are some of the best HIE security practices? Did more hospitals and providers actually start to connect to one another during 2014? HealthITSecurity.com decided to take a look back and see how HIE programs were implemented over the last year, and how organizations ensure patients’ protected health information (PHI) remains secure.
New HIE and interoperability programs
Florida’s Memorial Healthcare System recently implemented a secure interoperability program with Henderson Behavioral Health. An HIE was already in place at Memorial, but the hospital wanted to be able to send confidential emergency room referrals to Henderson. The move was done to more effectively treat patients, save money, and ensure care continuity.
According to Memorial’s Clinical Informatics Supervisor Elizabeth Cole, some patients might also not want behavioral health information transferred in a standard HIE. The new program was an opportunity to create a direct connection between the two agencies’ EHRs, which would provide patients with a more secure exchange, she said.
Individual HIE programs were not the only success stories for the year. The Interoperability Workgroup (IWG) formed a strategic relationship with Healthcare Information and Management Systems Society (HIMSS) and Integrating the Healthcare Enterprise (IHE) USA to improve the connectivity building process between EHR and HIE systems.
The partnership will be part of IWG’s current program that tests and certifies EHRs and HIE vendors to enable reliable transfer of data within and across organizational and state boundaries.
Also this year, the Texas Health Services Authority (THSA) and the Electronic Healthcare Network Accreditation Commission (EHNAC) announced a public review period for the TX-HIE accreditation program. The program will aim at augmenting health information exchange (HIE) privacy, security, and interoperability.
Moreover, the TX-HIE accreditation program will certify qualified Texas HIE participants to prove that they are properly securing and managing protected health information (PHI).
HIE security best practices
At the beginning of the year, the North Carolina HIE (NC HIE) surveyed 435 North Carolina clinicians and practice managers to learn more about their EHR needs and meaningful use focuses. According to the NC HIE survey, 18 percent considered privacy and security significant roadblocks toward HIE implementation.
However, the NC HIE explained that proper user access and authorization is key to its success. For example, it ensures user authentication by enforcing multiple parameters to generate unique usernames and strong, secure passwords. NC HIE added that more complex usernames and stronger passwords will verify that a person seeking access is who they claim to be.
The creation of a large HIE earlier this year prompted numerous security concerns. Blue Shield of California and Anthem Blue Cross joined forces to create Cal INDEX, a new network to store the records of 9 million customers. For example, the new HIE sparked the debate over whether an “opt out” HIE or an “opt in” option was better.
For “opt out,” patients must manually remove their records if they choose not to participate in their state’s HIE. Critics’ main point is that many patients may not be giving the HIE informed consent because they have no idea their records are even in the HIE. However, it is critical for healthcare organizations to ensure that any HIE participants remain aware and informed on all aspects of the exchange.
Other healthcare experts are adamant that simplicity is key for strong HIE security and an overall successful program. Dr. Charles Gutteridge, chief clinical information officer and consultant hematologist for Barts Health NHS Trust in East London, explained in an interview that the size of the facility does not matter – what’s necessary is to create a concise plan and understand why it’s a good thing to do.
Gutteridge also harkened back to communication with patients. Exchanging data across HIE platforms consistently depends greatly on each of the parties involved signing and agreeing to data sharing agreements, he said.
Looking forward to 2015
Cost and technical challenges were cited as central barriers to interoperability for HIEs this year. However, regulatory policies have seemingly encouraged increased use of core HIE services, such as Direct, care summary exchange and transitions of care.
Moreover, insufficient standards, concerns about how privacy rules vary between states, and difficulties in matching patients to their records were also cited as top issues that practices must overcome. HIPAA covered entities must also adhere to both federal privacy rules and potentially stricter state privacy rules.
By taking the time to implement clear, concise and compliant policies, organizations can create HIE programs that are secure and cost-effective. It can be difficult to find the right balance, but healthcare facilities must make an effort to keep pace before they fall too far behind the latest HIE security trends.