Healthcare Information Exchange (HIE)

How to 'Unblock' Secure Info Exchange

Senate Panel Hears Ideas for Improving Health Data Sharing
How to 'Unblock' Secure Info Exchange
David Kibbe, M.D., testifying before Senate panel.

The federal government, healthcare providers and electronic health records software vendors all could take several steps to help ensure the secure exchange of patient information to improve treatment is not blocked. That was the message offered at a July 23 Senate hearing called to examine obstacles to health information exchange.

See Also: The Application Security Team's Framework For Upgrading Legacy Applications

For example, those testifying suggested that the federal government could better align Medicare payment models to incentivize healthcare providers to securely exchange health data. They said healthcare providers could stop using HIPAA as an excuse for not sharing data. And they suggested EHR vendors could embrace technology standards and business practices that support easier, secure data exchange.

"Interoperability - this communication between systems that is so critical to the success of electronic health records - has been difficult to achieve. Information blocking is one obstacle to interoperability," Lamar Alexander, chair of the Senate Committee on Health, Education, Labor and Pensions, said at the hearing.

Even though the federal government has spent $30 billion on HITECH Act financial incentives to promote widespread adoption of EHRS, system interoperability issues are still impeding data exchange, he said.

In April, the Office of the National Coordinator for Health IT issued a "Report to Congress on Health Information Blocking." (See Overcoming Health Info Exchange Blocking.)

HIE Hurdles

An unwillingness to securely share patient information "originates in the current business models of some healthcare provider organizations, and the healthcare industry in general, wherein fee-for-service payment creates disincentives for sharing of health information and rewards information hoarding, or at least the delay of timely information exchanges," testified David Kibbe, M.D., senior adviser to the American Academy of Family Physicians. He's also president and CEO of DirectTrust - a nonprofit alliance that created and maintains the security and trust framework for using the Direct Project for secure e-mail in the healthcare sector.

Testimony by Kibbe and other witnesses also suggested that some EHR vendors inhibit - sometimes intentionally - the exchange of patient data in a number of ways. Some products lack interoperability functionality. Some fail to take advantage of standards for facilitating secure exchange. And some EHR vendors charge healthcare providers hefty extra fees for interfaces that can facilitate secure data exchange and insert "gag orders" in contracts that prohibit healthcare organizations from publicly disclosing technical issues with EHR products.

"There's a lot of intimidation about reporting vendors" whose EHR systems lack interoperability, testified David Kendrick, M.D., chair of the department of medical informatics at the University of Oklahoma. He's also CEO of MyHealth Access Network, a health information exchange organization based in Tulsa, Okla.

"Should we outlaw gag orders?" asked committee member, Sen. Bill Cassidy, M.D, R-La. "Yes," several witnesses answered in unison.

Secure Exchange

The exchange of patient information by using secure, encrypted email that takes advantage of the "Direct" standard has grown rapidly since becoming a required feature in 2014 of EHR technology certified by the Office of the National Coordinator for Health IT under the HITECH Act program, Kibbe testified. Healthcare providers, however, are still facing obstacles in using Direct to share patient information, he said.

"Information blocking by healthcare provider organizations and their EHRs, whether intentional or not, is still a problem for some providers wishing to use Direct exchange, as well as for these providers' clinical partners who want to be able to exchange Direct messages and attachments with them," he testified.

For example, some EHR software lacks in-boxes to receive Direct messages, he said. Other EHRs restrict the various kinds of attachments - such as Word documents - that can be securely sent via Direct, he added.

In addition to vendor issues impeding secure health information exchange, some healthcare providers also contribute to the problem by using HIPAA compliance as an inappropriate excuse for not sharing or disclosing patient data to authorized individuals, some of the witnesses testified.

The Department of Health and Human Services needs "to help improve stakeholder understanding of the HIPAA provisions related to information sharing," Michael Mirro, M.D., past chair of the Medical Informatics Committee of the American College of Cardiology, testified.

Federal Action Needed

The federal government could also help fuel better interoperability of health IT and collaboration among healthcare providers by aligning financial incentives, witnesses told the Senate panel.

For instance, HHS needs to better align "value-based payment models" for Medicare that reward healthcare providers based on patient quality care measures with the requirements for the HITECH meaningful use EHR incentive program, including those aimed at secure patient exchange, Kendrick of MyHealth Access Network, testified. "Value-based payment models need to incentivize providers to make patient information available," he said.

In addition, ONC needs to develop a national governance strategy for health information exchange, he testified.

Under HITECH, "ONC was called upon to establish the governance for the nationwide health information network," Kendrick said. "Now, more than six years later, that governance still does not exist, due in part to interpretations of limitations on ONC's authority. Thus, there is a vacuum in governance for this critical component of America's infrastructure."

Patients are also concerned about secure health information sharing, testified Mirro, who is chief academic and research officer of Parkview Mirro Center for Research and Innovation. "A lot of my work is focused on delivering content to patients in a secure fashion," he says. "Encryption and secure file transfer protocol seems to adequately protect patient information in the transmission to personal health records. Today we have adequate privacy and security, but we could do better."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.