Health Information Exchange is the electronic transmission exchange from one health care professional to another. Health Information Exchange allows health care professionals and patients to appropriately access and securely share patient’s medical information electronically. Our industry is been working hard in the process and development of this new process, for the benefit of the patient and healthcare professionals. Some individuals with access to HIE are physicians, nurses, pharmacists, medical assistants, medical biller and coders and so forth. It is important to have an understanding about different health care professionals having access to the patient medical record. HIE benefits include:
Provides improvement for quality and safety of patient care by reducing prescription and medical errors. The education and orientation to patients’ involvement in their own health care. Increases efficiency by eliminating unnecessary paperwork.
Provides caregivers with clinical decision support tools for more effective care and treatment. Eliminates redundant or unnecessary testing.
Improves public health reporting and monitoring.
Creates a potential loop for feedback between health-related research and actual practice. Facilitates efficient deployment of emerging technology and health care services. Provides the backbone of technical infrastructure for leverage by national and State-level initiatives. Provides a basic level of interoperability among electronic health records (EHRs) maintained by individual physicians and organizations. Reduces health related costs
(The benefits & risks of health information exchange & health information technology. (n.d.). The first step in EHR implementation is to conduct an assessment of your current practice and its goals, needs, and financial and technical readiness. Your practice can design an implementation plan that meets the specific needs of your practice. Eligible health care professionals and eligible hospitals must use certified EHR technology in order to achieve meaningful use and qualify for incentive payments. It is important in an EHR when working in the implementation process to involve, training, mock “go-live,” and pilot testing for system improvement. (HIE benefits) The final phase of EHR implementation includes successfully attesting to demonstrating meaningful use of EHRs, and reassessing what you have learned from training and everyday use of the system implementation to continue improving workflows that achieve the individual practice’s goals.
The process and steps to follow on an HER system, most health care providers are covered entities, and thus, need HIPAA responsibilities for individually identifiable health information. Your leadership especially emphasizing the importance of protecting patient health information is vital to your privacy and security activities. HIPAA requires covered providers to designate an individual for both a privacy and a security officer on their staff and delegate the responsibility of security system in a practice. Documentation shows why and where you have security measures in place, how you created them, and what you do to monitor them. Create a paper or electronic folder for your practice medical records. The Center of Medicare Services advises all providers that attest for the EHR incentive programs to retain all relevant records that support attestation.
These records will be essential if you ever are audited for compliance with HIPAA or an EHR incentive program. (Anthony, R. (2013, September 19). Cms and ehealth.) Risk Analysis Plan compares your current security measures to what is legally and pragmatically required to safeguard patient health information. The risk analysis identifies high priority threats and vulnerabilities on EHR. You or a security risk professional can conduct your practice’s risk analysis, but you either way you will want to know what to expect.
Often, basic security measures can be highly effective and affordable. Using your risk analysis results, discuss and develop an action plan to mitigate the identified risks. The plan should have five components: administrative, physical, and technical safeguards; policies and procedures; and organizational standards. (Health information exchange: Is your privacy protected?. (2012, July) Every practice should develop a Risk Management Plan. It is the practice responsibility to develop written and up-to-date policies and procedures about how your practice protects e-PHI. All these records should be retained on all outdated policies and procedures for future audits on your practice. For the security of patient health information (PHI), your workforce must know how to implement your policies, procedures, and security audits. HIPAA requires you as a covered provider to train your workforce on policies and procedures.
Also, your staff must receive formal training on breach notification. (Health information exchange: Is your privacy protected? (2012, July) Your patients may be concerned about confidentiality and security of health information on an EHR. Emphasize the benefits of EHRs to them as patients, perhaps using patient education materials available in the Privacy & Security Resources section. Do not register and attest for an EHR Incentive program until you have conducted your security risk analysis (or reassessment) and corrected any deficiencies identified during the risk analysis. Document these changes/corrections. Providers participating in the EHR Incentive Program can be audited. When you attest to meaningful use, it is a legal statement that you have met specific standards, including that you protect ePHI. Work with your EHR vendor(s) to let them know that protecting patient health information and meeting your HIPAA privacy and security responsibilities regarding electronic health information in your EHR is one of your major goals. Involve your practice staff and any other partners that you have to help streamline this process. HIPAA privacy regulations
Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Privacy Rule standards address the use and disclosure of individuals’ health information—called “protected health information” by organizations subject to the Privacy Rule — called “covered entities,” as well as standards for individuals’ privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties. HITECH
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules. Standards & Interoperability
The work promoting the adoption and uptake of health information technology is the key to ensuring the goals of the HITECH Act. But work being done to ensure that the technical standards and specifications are in place to support this technology is also critical to the development and success of a fully functional nationwide health IT ecosystem. Some of the Risks of HIE include:
Although health information benefits from all the security measures developed in other economic areas such as defense and finance, it has the same risks these other areas have experienced. Identity theft can occur with both paper files and electronic files, but a breach of electronic files may affect more records than a breach of paper files. Errors
Just like a paper health record, if the health care provider does not enter the correct information, that information remains in the health record until it is corrected. Electronic information can provide checks and balances that paper health records cannot. Hackers
Electronic health care information benefits from the security measure developed by other industries. Health care is the last frontier of information technology, so anti-hacking security measures from other economic areas are already used. However, hackers will continue to try to break security codes just like they do in other electronic systems. Encryption
Covered entities must encrypt protected health information when it “is a reasonable and appropriate safeguard.” When the HIPAA Security Rule was implemented in 2002, encryption was high in cost and challenging to use. The result is that many covered entities still do not encrypt their data. With the enormous amount of personal medical information that will be moving around electronically as HIE gets underway and spreads, the U.S. Department of Health and Human Services (HHS) needs to make encryption a requirement and set standards for its use in all practices. Personal mobile devices
Smartphones, tablets and USB drives are ubiquitous. Health care providers often use their own unsecured devices to record and transmit unencrypted work-related health information. The speed with which such devices have been adopted is well ahead of policies that govern their use. According to a number of recent studies, the vulnerability of mobile devices is already playing a significant role in medical data breaches. The cloud
That is, remote servers where more and more businesses are moving their data—will be essential in an era of electronic health information exchange, if for no other reason than the staggering quantities of data that digitizing the medical records of the entire U.S. population will create. Health care providers may also want to host their patient portals on cloud-based servers. Patient portals are websites where patients can access their medical records and exchange email with their providers. Cloud services are developing more quickly than laws or regulations can address. As a patient you’re unlikely to know where your medical records actually reside. And you’re forced to rely on the security practices of others to protect the privacy of your information.
The Privacy Rule gives you, with few exceptions, the right to inspect, review, and receive a copy of your medical records and billing records that are held by health plans and health care providers covered by the Privacy Rule. Only you or your personal representative has the right to access your records. A health care provider or health plan may send copies of your records to another provider or health plan as needed for treatment or payment or as authorized by you. However, the Privacy Rule does not require the health care provider or health plan to share information with other providers or plans. You do not have the right to access a provider’s psychotherapy notes. Psychotherapy notes are notes taken by a mental health professional during a conversation with the patient and kept separate from the patient’s medical and billing records. The Privacy Rule also does not permit the provider to make most disclosures of psychotherapy notes about you without your authorization. Because HIE’s primary purpose is to improve the quality of medical care, your health care providers’ priorities are to gain and allow access to a comprehensive record of your medical history.
When the U.S. Department of Health and Human Services (HHS) finalizes its “accounting of disclosures” rule, providers that maintain EHRs will have to account to you for all disclosures of your personal health information that it makes for purposes of treatment, payment, and business operations for three years prior to the date of your request. (Health information exchange brief examines privacy and security concerns. (2012, June 13). Until HHS’ rule is final, you can get an accounting that goes back six years prior to your request, but this DOES NOT include disclosures for treatment, payment, or business operations. Therefore the disclosures you are currently able to get may seem largely incomplete and irrelevant to the purposes for which you want them. You also have access to your own medical records (apart from psychotherapy notes about you), but you must request them directly from your providers. It is not possible to request your records through an HIE.
It has to be in person from the practice you are requesting medical records from. However, your doctor should be able to give you—or will soon be able to give you—what’s called a Continuity of Care Record (CCR) after each visit. The CCR is a summary of the most relevant and up-to-date facts about your care and treatment with that provider. A CCR can be helpful for you, and can also provide a current snapshot of your medical status for the next doctor you visit. A CCR may be transmitted either on paper or electronically. HIE is a tremendous tool to utilize in the healthcare industry. However, different challenges still existing now days. Effective and Affordable Technology is a big issue and the primary problem. HIE required costly network, connections hardware, software and so forth. Some practices including hospitals can’t afford the cost of technology.
Providers are trying to save in cost of information transmission and are always looking for inexpensive vendors. Practices are also working on overcoming these obstacles, but are very hard to overcome. HIEs can support care management by making it possible to generate patient reports for use at the point of care. It may also be easier to identify patients who are not following a prescribed care regimen or not meeting its goals, and to measure how well providers are delivering recommended care. This all goes along with the government’s goal of shifting the health care payment model from one of fee for service to payment based on outcomes; that is, not just whether you saw a doctor but whether you benefited from seeing her. The goals of HIE are to improve the quality of care and make delivering it more efficient and cost-effective. Once electronic medical records are available everywhere, for all patients, though, it is inevitable that more people will want access to this data. It is a goldmine for medical research and all kinds of statistical analysis, for example. Conclusion
HIE will continue providing planning and implementation within health care organizations. We must comply as HIM professionals providing the best of our knowledge to contribute in this process. Also we need to follow HIPPA policies and procedures in our place of employment and commit ourselves to meet our goal which is providing the best on patient care. The more we work as a team; at the end of the road it will be easier on us to have our job done and accurate at the end of the road. Avoiding errors is also our responsibility as an HIM professionals. Let’s not focus on productivity, which is important, but also let’s put ourselves in the patient’s situation. We are also patient’s and we like to have things done the right way.
Rhodes, H. (2013, August 05). Seven unintended consequences of electronic HIE. Retrieved from http://www.healthit.gov/policy-researchers-implementers/reports HIE benefits. (n.d.). Retrieved from
http://www.healthit.gov/providers-professionals/health-information-exchange/hie-benefits The benefits & risks of health information exchange & health information technology. (n.d.). Retrieved from http://www.nchica.org/GetInvolved/CACHI/HIEbenefits-risks.htm Anthony, R. (2013, September 19). Cms and ehealth. Retrieved from http://www.cms.gov/eHealth/downloads/Webinar_eHealth_September19_CMSeHealthOverview.pdf Health information exchange: Is your privacy protected?. (2012, July). Retrieved from https://www.privacyrights.org/fs/fsC6/CA-medical-HIE Health information exchange brief examines privacy and security concerns. (2012, June 13). Retrieved from https://www.cdt.org/pr_statement/health-information-exchange-brief-examines-privacy-and-security-concerns