
How PHRs are streamlining secure exchange better than HIEs

By Kyle Murphy, PhD

The process of sharing protected health information (PHI) is fraught with challenges. Entities covered under HIPAA and its recent update in the omnibus rule have the legal responsibility to safeguard PHI by putting the right policies, procedures, and agreements in place in order to remain HIPAA compliant. Coupled with these responsibilities are requirements for patient consent that vary from state to state but ultimately come down to patients authorizing their information to move between healthcare organizations and providers.

According to one speaker at last week's Information Management Network (IMN) Hospital Cloud Forum, a novel approach to sharing PHI (in this case, images) could reduce the burden that these rules and regulations place on exchange.

That speaker was David S. Mendelson MD, FACR, of Mount Sinai Medical Center, who among other responsibilities co-chairs Integrating the Healthcare Enterprise (IHE) International. During his presentation, Mendelson explained how the Radiological Society of North America (RSNA) Image Share project for which he serves as principal investigator uses the concept of the personal health record (PHR) as a less cumbersome mechanism for exchanging health information.

“So why the PHR, the personal health record?” Mendelson asked the audience of the event. “Because we are interested in patient engagement. You as the consumer are interested in controlling the flow of your data and expediting that flow when necessary. It actually eliminates a whole set of consent issues out there. Once you put the data into the PHR, you as the patient have the ability to distribute and control the distribution. You don’t have to sign consent forms anymore, which just introduces a delay and a bureaucratic step into moving your image around.”

So how does it work? Mendelson provided a high-level view:

It diminishes the need for business associate agreements between disparate hospitals. A radiology department would have a business associate agreement with one central clearinghouse and then images are distributed from a clearinghouse to the PHRs. It just condenses a lot of the legal ramifications and relationships that needed to be put in place.

The setup requires an edge server that serves as "a buffer between PACS and the rest of the world outside your firewall." The server communicates with either the PACS (picture archiving and communication system) or the radiology information system (RIS), which in turn retrieves the image and transfers it to the clearinghouse. "What we do is package the images, we package the reports, and we encapsulate it and we actually encrypt it," added Mendelson. The package then goes to the clearinghouse in the cloud, and the patient opens an account with a PHR vendor, using a provisioned account, password, and 8-digit code to access their images.

The project took a year of development, most of that time spent on resolving policies. "This was the hardest part: It was all about policy, security, and confidentiality. The technical solutions weren't trivial, but I have a team of developers that built it in three months' time. The rest we spent discussing security and confidentiality issues," Mendelson shared.

As it stands now, the project is adding more users, including as many as five academic institutions that will use this banking model to streamline exchange. As Mendelson noted, the patient-centric PHR model isn't the only mechanism for exchange, but it's the most efficacious at the moment.

"Hopefully, in the next few years we're going to see a variety of solutions emerge that are easy and transparent to share information and get the data where it needs to be when patients need their care," Mendelson explained. "So as much as I would like to believe that the HIE solution can work and will work, I still think if you have a significant illness, you'd like to have it in your hands to just get it to the doctor you chose to see at any given moment in time."

Considering that the patient is the common denominator in healthcare and dictates where the point of care will be, shouldn’t the patient also serve as the point of exchange?
