Healthcare Information Security

Cybersecurity News

How staff training can enable HIE despite tough privacy laws

By Kyle Murphy, PhD

- Depending on the state, getting patients to allow their health information to be part of health information exchange can be a straightforward or circuitous process. Minnesota serves as an example of a state whose strict health data privacy and security rules make the exchange of health information between healthcare organizations a complex task.

Alongside financial barriers in the way of getting hospitals to participate in HIE, the Community Health Information Collaborative (CHIC), a state certified health information organization (HIO), must abide by Minnesota laws that “make it almost impossible to exchange but not quite,” says President and CEO Cheryl Stephens.

In particular, three features of state legislation figure most prominently in enabling HIE in the Gopher State. The first has to deal with the certification of organizations planning to facilitate exchange.

“One, if you’re going to be health information exchange service provider, you have to be certified by the state, which is quite a lengthy process,” explains Stephens. “Our application to them when we submitted it originally was 250 pages long based upon everything they wanted to see and everything we needed to pull together for them.”

More germane to the discussion of health data privacy and security are the other two features: patient consent and the use of a record locator service. As an opt-in state, healthcare organizations and providers in Minnesota have the responsibility to prove that patients have consented to their health data being exchanged.

“Whenever you are exchanging clinical information you must have written patient consent (or attest that you have written patient consent or it’s a medical emergency,” Stephens reveals. “We have to then go and audit those or have the hospital submit to us an audit showing that when someone said it was a medical emergency that they can actually prove it was.”

Coupled with matters of patient consent is ensuring that a patient’s wishes are well documented and respect in the use of a record locator service as regulated by Minnesota’s Health Records Act:

We can upload all of the patient demographics into a database and have that populated, but the minute you want to exchange clinical information  you have to have given all of those patients in that record locator service the ability to opt out. We have to have a consent management database as well where all of the opt-outs are stored, so if anyone does a query on a patient, it has to ping against that consent management module before the query will be sent out.

Although state rules and regulations make the task of facilitating the exchange of health information difficult, an overwhelmingly majority of Minnesotans are opted in although Stephens and CHIC are still in the process of extending the organization’s services throughout the state.

“Most of the folks are not opting out,” she continues. “We have to keep track of the percentage of opt-outs against patient names in the system, and we’re running at about .07 %. But we haven’t gotten to all parts of the state and there are pockets where people tend to be more concerned about privacy. When those come on board, we may see that percentage go up.”

According to Stephens, this low percentage of opt-outs is the direct result of training dedicated to educating patients about health data privacy and the value of HIE:

In the training that we give to the ward clerks or emergency room admissions staff, when somebody says they don’t want to share they do indicate then that if you come in for an emergency there will be no information available on you, period. When they hear that’s what it means, they tend to say, “Well, no, that’s not what I want to happen.”

Despite strict state laws, the solution to the challenge of HIE in Minnesota and similar states is simple: Training can mitigate obstacles in the way of exchange. “A lot of it depends on the training and how that first-line staff handles the situation. Our current experience is they’re doing a great job because we’re only running at .07%,” says Stephens.


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks

Continue to site...