Building Trust in HIEs: Key Steps

Thought Leaders Pinpoint Vital Privacy, Security Strategies
Will the American public accept the notion of transferring their electronic health records among various sites via health information exchanges, eventually enabling clinicians at any U.S. location to access the records? The answer to that question is: It depends.

Some thought leaders say building public trust in health information exchanges as well as EHRs depends on many factors, including:

  • Tough federal enforcement of privacy and security regulations;
  • Adequate security precautions for HIEs;
  • Consistent state laws on patient privacy;
  • Well thought-out approaches to obtaining patient consent for information exchange;
  • Accountability to patients about who has accessed their records.

"The public really needs to know that laws and regulations do exist and are taken seriously and are going to be enforced," says Alan Dowling, CEO of the American Health Information Management Association. "The privacy of information is sacrosanct, and government must support that."

Dowling called on federal authorities to follow through with tough sanctions for violations of patient privacy, as called for in proposed HIPAA modifications under the HITECH Act.

Also essential, he says, is ensuring all regional and statewide HIEs implement adequate security measures. Plus, hospitals, clinics and other healthcare organizations must implement thorough privacy and security policies, train staff on compliance and enforce sanctions against staff members who violate the policies.

Without those steps, "We may, in fact, find we're in a situation where trust is not there and we have very significant adoption problems" for both HIEs and EHRs, Dowling says.

Uniform State Privacy Laws

But without uniform state privacy laws, the effort to build and eventually link statewide HIEs could fail, warns Richard Gibson, M.D., a former hospital CIO who's involved in the formation of a statewide HIE in Oregon.

Gibson recently testified before Congress, calling for the federal government to draft model patient privacy legislation that states can fine-tune to meet their needs. Because it's impractical to force every state to adopt identical laws, Gibson calls for model legislation "that states could accept or adjust as necessary to meet their own needs."

This is particularly important for HIEs, he notes, because healthcare organizations in many communities, including Portland, Ore., treat patients from bordering states. Exchanging patient records across state lines, he notes, could prove difficult if the states have widely varying privacy laws.

Uniform state laws would make it easier for EHR vendors and HIE organizers to build in the necessary technical capabilities to meet all state as well as federal requirements, Gibson argues. And they would help pave the way for the national exchange of data among various HIEs, he adds.

Control of EHR Access

Another critical step to winning consumer support for HIEs, Gibson argues, is enabling patients to control who gets to see their records, including specifying what parts of the record can be accessed.

He points out that in emergencies, clinicians need to have instant access to patient records, no matter where they reside. But he contends that allowing patients to otherwise designate who can see their records by accessing them via an HIE "will go a long way toward giving patients comfort and confidence that their record is being used properly."

Mark Savage, senior attorney for Consumers Union, points out that his organization is advising organizers of a statewide HIE in California to adopt the "fair information practices" as well as the "meaningful consent" model recommended by the Privacy and Security Tiger Team advising federal regulators about proposed guidelines. That model calls for, among other things:

  • Giving patients enough time to make a decision about consent.
  • Providing a clear explanation of the consent choices and all their consequences.
  • Refraining from making the granting of consent for data exchange a condition of receiving necessary medical services.
  • Enabling patients to revoke consent at any time.

A state advisory board that's recommending guidelines for the Cali-Connect HIE will meet Dec. 9 to consider the issue of obtaining patient consent. It voted earlier to require patients to opt in for exchange of their information via the HIE. But Savage says that an opt-out strategy, which automatically authorizes the exchange of a patient's information unless they opt out, might be appropriate if the HIE also follows all of the tiger team's recommendations.

In Oregon, HIE organizers are tackling privacy and security policy decisions in anticipation of completing all guidelines in 2012, Gibson says.

EHR Audit Logs

Another important way to build public trust in HIEs is to ensure that consumers can obtain a list of everyone who has viewed their EHR, Gibson contends.

All organizations using EHRs, as well as all HIE organizers, should offer easily accessible audit logs, he says. "That will go a long way toward giving patients the comfort and confidence that their records are being used appropriately. And it's not difficult to do technically."

To be certified as qualifying for the HITECH Act's EHR incentive program, EHR software must include this audit capability. Federal regulators also are drafting a rule on how to account for disclosure of EHRs to those outside of the organization that created the record. And they're in the early stages of crafting rules for HIEs.


About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



