Skip to Content

Privacy & Data

Patient-Managed Health Information Exchange: An “HIE of One”

Patient management of their own health information is a much discussed topic in health IT. Patients with the power to access their health information and actively direct its flow have the tools to take charge of their health care and make more informed decisions. A great example of this is a patient who downloads her hospital discharge summary and electronically sends it to both her primary care physician and her adult daughter who helps her manage her condition.

Nikolai Kirienko, a patient advocate (@nikolaikirienko) and co-director of Chronology.MD has referred to this concept as patients becoming a “Health Information Exchange (HIE) of One.” A successful implementation of the HIE of One concept is the Blue Button program. Originally implemented by the VA and since expanded to TRICARE and Medicare, Blue Button provides the patient with a simple online button to view and download their health information. An updated version of Blue Button, known as Blue Button Plus, will provide patients with the ability to transmit health records to a provider or caregiver and to set automatic downloads or uploads into a mobile app or a personal health record tool.

Some private sector organizations have begun to offer the original Blue Button functionality to their patients. But what about the rest of us? When will we all have the capacity to be HIEs of One?

HIPAA has always given patients the right to obtain copies of their health information, and once patients have this information, they can share it with whomever they please. Congress improved on this right in HITECH by requiring HIPAA-covered entities to provide patients with an electronic copy of their electronic health information and to have that digital copy directly transmitted to a third party – such as a personal health record, a mobile health app, or a health provider or family member. The Office for Civil Rights (OCR), which oversees HIPAA, released final rules last January implementing this right. Patients who want to have their health information directly transmitted to a third party must submit that request in writing (which can be electronic). OCR also clarified that if a patient wants to receive their digital information via a mechanism that is convenient for them but is not secure (such as by unsecure e-mail), the patient has the right to receive their health information in the format they want.

While these changes to HIPAA’s patient access rights are welcome and prioritize the needs of patients, the regulators fell short of creating the ideal environment for facilitating patient HIEs of One. Providers are still permitted to take up to 30 days (and in some cases, up to 60 days) to provide a patient with access to electronic health information, and this timeframe also applies to the direct transmission of this data (per patient request). This is hardly fast enough to permit the patient to meaningfully exchange their current health information with others.

Beginning in 2014, the federal Meaningful Use program will enable some of us to have much more timely ability to electronically view, download and transmit our digital health data. For example, physicians participating in the Meaningful Use program (and using Certified EHR Technology) will have to provide patients with the ability to view, download and transmit (V/D/T) relevant health data within 4 business days. In addition, hospitals participating in the program must provide patients with their discharge summaries within 36 hours.

That timeframe comes much closer to enabling patients to be HIEs of One. It is the case, however, that fewer patients will be impacted by these new Meaningful Use Requirements. The Meaningful Use Requirements only require that 50% of patients be offered and more than 5% of patients use the V/D/T capabilities. But it’s a great start to building the movement.

Regulators may need to tie up a few loose ends. For example, the EHR 2014 Certification Requirements should be checked to ensure they are consistent with the new final HIPAA regulations. Since a patient’s request to transmit data to a third party must be in writing, certification criteria should specify a standard or require a functionality for capturing this information. Health care providers offering these capabilities to patients also would benefit from specific guidance from regulators about how to deploy the V/D/T capabilities consistent with both HIPAA and Meaningful Use requirements. Finally, when there is more experience with deployment of Blue Button and Meaningful Use, there will be a more hospitable climate for revising the baseline HIPAA rules, so that all patients have the capability to take control of their health care.