Skip to Content

Privacy and Security Requirements Set for Health Information Exchanges

New privacy and security guidelines–aimed at protecting the vast amount of healthcare information transmitted by state Health Information Exchanges–are now in place. A Health Information Exchange (HIE) manages access to and retrieval of clinical data to provide safer and more timely, efficient, effective, and equitable patient-centered care. Not to be confused with Health Insurance Exchange (HIX).

HIEs are networks intended to help states manage the electronic exchange of health information among health care providers and hospitals within their states and across state lines.  Privacy and security policies are required as a condition of accepting part of the $550 million federal grant money funding the development of state-based HIEs.

The guidelines, issued by the Office of the National Coordinator for Health IT (ONC), provide a common set of “rules of the road” designed to build confidence in the system on both the provider and patient level, ONC said.  

Under the new guidelines, state HIE grantees are required to develop privacy and security policies to address each of the fair information practice principles as outlined by ONC.  The principles include individual access to information; the right to correct errors; openness and transparency; collection, use and disclosure limitations; security safeguards; data quality and integrity; individual choice; and accountability.

The ONC also noted that there was no “one size fits all” approach when developing policy for HIEs.  For example, some state HIEs merely serve as information conduits, ensuring the secure exchange of identifiable health information among health care providers, without accessing or storing any of that data.  This type of HIE doesn’t have to worry about data quality or providing individuals access to copies of their health information or to have errors corrected or noted.  However, state HIEs that “store, assemble, or aggregate” identifiable health information are required to develop policies to address all of the fair information practices, including data quality, individual access and the right to correct errors.  

HIEs that that are merely secure conduits for personal health information shared among health care providers are not required to have policies requiring patient consent (except in circumstances where consent is expressly required by federal or state law).  However, HIEs that store, assemble, or aggregate personally identifiable information, must give the patient “meaningful choice” about whether this information is included in (or made available through) the HIE.  

“Meaningful choice,” includes the ability to make the choice in advance; to be free to make the choice (and not be denied medical treatment based on a choice not to participate) and to have full transparency and education about the choice.  Both “opt-in” and “opt-out” models are acceptable if the choice provided is “meaningful.”

If an HIE’s current privacy and security policies don’t comply with the new requirements and guidance, they have to be rewritten and a timeline for making those changes given to the ONC.

CDT applauds the new requirements and guidance.  They are consistent with the recommendations developed and issued by the Privacy and Security Tiger Team of the federal Health IT Policy Committee.   CDT serves as chair of the Tiger Team.