Healthcare Information Security

How Behavioral Health Complicates Health Data Exchange

Health information exchanges have more than HIPAA to contend with when adding behavioral health as a component of health data exchange.

By Kyle Murphy, PhD

HIPAA is a ubiquitous term in United States healthcare, but it is not the be-all and end-all regulating health data exchange when behavioral health data is added to the mix.

The Health Insurance Portability and Accountability Act (HIPAA) has played an instrumental role in promoting the development of health information exchanges, such as in Colorado and at the Colorado Regional Health Information Organization (CORHIO).

"The reason health information exchanges were able to proliferate in some ways was because of the regulations around HIPAA that got very clear about the fact that health data can be seen by others as long as it's for treatment, payment, and operations," CORHIO's Behavioral Health Information Exchange Coordinator Toria Thompson recently told "What gives you the authority as a health information exchange to be able to show someone's health data to someone else is HIPAA."

But the type of information sharing enabled by HIPAA is limited to the kind of data being exchanged. The same cannot be said of behavioral health data exchange.  

"When you're dealing with someone who is receiving services to treat a substance use disorder, you can't do that. In fact, the patient is in the center and has to be the traffic cop about who gets to see that more restricted protected information," said Thompson.

Another lesser-known but equally important federal rule (CFR 42 Part 2) specifically regulates patient health data used in the treatment of substance use disorders. According to Thompson, this rule is proving to be a challenge for health information exchanges wanting to enable behavioral data exchange.

"If you're an HIE and you've built yourself around HIPAA sharing, it's not a small thing to now add the functionality of having a patient stand in the middle and deciding who gets to see what data. It's not what was built in to many HIEs," she added.

Depending on HIE infrastructure, managing patient data and consent can be as simple as turning on another feature or as complex as deploying a new technology.

"They are all doing it in different ways and that's true even here in Colorado," Thompson explained. "None of us wants to rip out the $25-, $50-, or $100-million we've invested in the current technology in order to put this new thing in. It has to be something that you can put around the outside."

Behavioral health data exchange at CORHIO

With funding from the Office of the National Coordinator for Health Information Technology, CORHIO is setting out to launch a pilot later this year to demonstrate the feasibility of its proposed approach to enabling behavioral health data exchange — one that will build off of its existing HIE infrastructure rather than take a rip-and-replace approach.

The challenge of supporting behavioral health data exchange comes down to technology and the ability to segment data.  Whereas some HIE technologies can restrict viewer access to specific types of data, others cannot. For the former, the solution to patient consent and provider access to behavioral health data is as simple as checking the right box. For the latter, the solution requires a certain level of creativity and a heavier technical lift.

"Many HIEs, just like many EHR products, were not built to be able to treat data differently," said Thompson.

The inability of CORHIO's HIE platform to do so is the genesis behind its novel approach to supporting behavioral health information exchange.

"We're basically building a second data store — a second HIE if you will — and using The Sequoia Project eHealth Exchange HIE-to-HIE query protocols. So we are essentially tricking our HIE to treat the behavioral data as part of a separate HIE," Thompson stated. "That's the first piece you have to figure out how to do if your vendor doesn't enable the kind of segmentation — you have to make it up and that's how we chose to do that."

In addition to the behavioral health data segmentation, CORHIO had to decide on a method for handling patient consent.

"We're going to give patients logins to a portal," said Thompson. "They're going to log in to CORHIO and see their behavioral health data and choose to give or revoke access. That's the level of control our patients are going to have and we feel like that's where the control needs to be — that patients at any time can either grant or revoke consent as they want to."

From the provider's perspective, the HIE user experience remains the same with one exception. All HIPAA-enabled data is there for them to see, but additional behavioral data is available only via a search of external documents, which they must have access to in order to retrieve.

"That's how we were able to bolt on that capability. And it's not cheap. It's a whole other process and practice — it's the heavy lift — but it doesn't require us to rip and replace our core HIE functionality which was key," Thompson maintained.

Two important questions will be answered by the time the pilot is completed.

"Can we even do it — architecturally, physically, and the like — and does putting patients in control of consent have enough of an upside that it's worth the extra effort to do it?" asked Thompson.

And the answers to these questions should have bearing on behavioral health data exchange beyond CORHIO.
