Achieving Privacy & Security with Electronic Health Information Exchange

January 2008 | Newsletters | Staying Well within the Law


As seen in Staying Well within the Law, a newsletter on the current legal issues facing today's health care industry.

In 2004, President Bush issued a directive for interoperable electronic health records to be a nation-wide reality by 2014. Since then, health information exchange (HIE) has received significant national attention, and HIE initiatives are gaining momentum across the nation.

There are many potential benefits to making patient information more readily available to providers at the point of care through electronic HIE. First, the quality of care may be improved through greater access to relevant information. This can lead to improved patient experience with the provider and result in higher patient satisfaction overall. Costs may be reduced through both efficiency and productivity gains because finding, faxing, and managing paper records takes more time and administrative support. Costs also may be reduced because redundant provider and diagnostic services can be avoided. Finally, providers participating in state-wide HIE or a "Regional Health Information Organization" or "RHIO" may find opportunities for new revenue streams through potential business opportunities that can be created through the network.

In New Jersey more and more providers are participating in cooperative HIE. Currently, there is increased movement and discussion to potentially create a state-wide HIE system through the establishment of a RHIO. Although the functions and purposes of RHIOs vary, if a New Jersey RHIO is established, this is one source that providers could look to for guidance on developing best practices regarding maintaining the privacy and security of health information in connection with electronic HIE.

HIPAA Privacy

The Health Information Portability and Accountability Act of 1996 and its related regulations set forth the minimum protections and standards for health information that is created, used and disclosed by covered entities, which include most health care providers. Under HIPAA, a provider cannot disclose health information about an individual unless the disclosure is permitted under one of the several exceptions and is not otherwise prohibited under state law. If a particular disclosure does not fit within one of the enumerated HIPAA exceptions, a written authorization must be obtained from the individual.

Treatment, Payment, Health Care Operations

The broadest exception under HIPAA allows providers to use and disclose health information to third parties for purposes of treatment, payment, or health care operations.

With regard to treatment, HIPAA does not require a provider to obtain written authorization from the individual before using and/or disclosing an individual's health information for treatment activities with respect to such individual (the Treatment Exception). HIPAA defines "treatment" activities to include the provision, coordination, or management of health care and related services by one or more health care providers, including:

  • the coordination or management of health care
  • consultation between health care providers
  • the referral of a patient for health care

HIPAA also does not require a provider to obtain written authorization from the individual before disclosing an individual's health information to a health plan or another provider for payment activities (the Payment Exception). Payment activities can include, but are not limited to:

  • a provider attempting to obtain reimbursement
  • coordination of benefits
  • claims adjustment
  • review of services for medical necessity
  • utilization review

Health plans that are subject to HIPAA's rules include group health plans, health insurers, HMOs, Medicare, Medicaid, any Medicare supplemental policy, among others.

Finally, with certain additional requirements, HIPAA does not require a signed HIPAA authorization for a provider to use or disclose health information for its own internal health care operations, including its own business management and planning activities, general administrative activities, quality assessment and improvement activities, auditing functions, as well as others (the Operations Exception). Providers also can disclose health information to a third party, such as a contractor, in order to have the contractor perform any health care operations task on the provider's behalf. However, in this situation the provider must obtain a signed HIPAA "Business Associate Agreement" from the contractor requiring compliance with HIPAA.

HIE Under The HIPAA Exceptions

The primary purpose of most HIEs and RHIOs is to give providers access to relevant information about the patients they are treating. As a result of the Treatment Exception, HIPAA generally will not be a legal barrier to the exchange of information between providers, as long as such exchange is limited to purposes related directly to treatment of the person.

If a RHIO is created as a separate legal entity for the purpose of facilitating and supporting the exchange of health information between providers, the Operations Exception under HIPAA generally would allow providers to make disclosures to the RHIO as their "HIPAA Business Associate" so that the RHIO can perform health care operations activities on behalf of the providers. For each provider contracting with the RHIO for such purpose, a HIPAA Business Associate Agreement must be signed.

To the extent that the foregoing paints a picture that HIPAA may actually pose minimal privacy compliance barriers to providers participating in a state-wide HIE or RHIO, this picture is not complete. New Jersey law adds a second layer of restrictions and requirements that must be complied with.

New Jersey Privacy Laws

New Jersey law affords a number of additional privacy protections to certain health information. However, the specific restrictions and requirements vary somewhat depending on whether the information is maintained by a:

  • licensed health care or diagnostic facility (the Facility Laws)
  • individual health care provider (the Provider Laws)
  • health care program or service (e.g., Medicaid, WIC, hospice, etc.) (the Program Laws)

In addition, certain information that is considered "highly-sensitive," such as HIV/AIDS, genetic information, and sexually-transmitted diseases, is guarded under New Jersey law regardless of who the holder of such information is (the Sensitive-Info Laws). Within these categories of state law, there are a number of provisions that require patient consent before health information can be shared with a third party, including, in some instances, other providers.

For instance, under New Jersey's Hospital Licensing Standards, every patient has the right to confidential treatment of his or her information, which includes the right that a hospital generally not release the patient's record to anyone outside the hospital without the prior approval of the patient. Similarly, under the Standards for Licensure of Ambulatory Care Facilities, a licensed ambulatory care facility must implement policies and procedures to obtain a patient's written consent for release of medical record information. Skilled Nursing Facilities generally may not disclose a resident's information without the resident's approval, and licensed assisted living facilities must obtain the resident's written consent for release of his or her records to any individual outside the facility.

The exceptions under the Facility Laws are narrow, and generally are limited to allowing disclosures without prior patient approval or consent only in cases of transfer of the patient to another health care facility, or if the disclosure is required by law, third-party payor, or authorized government agencies.[1] Unlike HIPAA, the Facility Laws do not contain a "blanket" exception that would permit licensed health care facilities to share information with third parties in connection with treatment activities without first obtaining patients' approvals and written consents.

Similar restrictions are found under New Jersey's Provider Laws. For example, psychologists, therapists, and social workers are prohibited from disclosing to a third party any information that is considered a privileged communication with a patient. Physicians and dentists are required to keep their patients' information confidential; however, they are permitted to release pertinent information about the patient's treatment to another licensed health care professional who is providing or who has been asked to provide treatment to the patient, or whose expertise may assist the physician or dentist with his or her rendition of services. Thus, the exception for physicians and dentists resembles the Treatment Exception under HIPAA and supports such providers participating in HIE for treatment purposes that benefit their patients.

By far the most difficult privacy minefield to maneuver in New Jersey is with regard to the Sensitive-Info Laws. Under New Jersey's AIDS Assistance Act, any identifying information about an individual who has or is suspected of having HIV or AIDS generally cannot be disclosed to anyone except with the written consent of the person. The AIDS Assistance Act does provide a limited exception for qualified personnel to receive such information without the individual's specific consent; however, the recipient must be directly involved in the diagnosis and treatment of the individual. Similarly, any person who has information regarding an individual known or suspected to have a venereal disease may not disclose that information to anyone without the individual's consent, except to the individual's personal physician. Finally, New Jersey's Genetic Privacy Act requires that an informed consent that complies with specific regulatory requirements be signed by the individual before disclosing any genetic information about the individual upon whom a genetic test has been performed.

The difficulty that the Sensitive-Info Laws pose with respect to HIE is that the restrictions and consent requirements are specific and attach to the information, wherever it may be embedded. Therefore, even though a general "blanket consent" obtained from the patient should be sufficient to allow facilities and providers to share patients' general health information through electronic HIE, the consents that must be obtained from patients in order to share highly-sensitive information must be specifically tailored and comply with regulatory requirements. If such specific consent is not obtained and sensitive information is introduced into a patient's record and shared through the HIE, disclosures may be considered privacy violations even though blanket general consents were obtained upon initiation of treatment. One way to attempt to address this issue is to develop consents that are comprehensive and contain specific language to address each potential scenario.

Another possibility is to exclude sensitive information from being shared through an electronic HIE. In any case, how a provider decides to approach handling sensitive information in connection with electronic HIE must be carefully implemented and consistently applied.

Paving the Path for the Future

The privacy obstacles faced by providers wishing to participate in electronic health information exchange in New Jersey are surmountable. The first step towards clearing the HIPAA hurdle is for providers to gain a full and accurate understanding of what the applicable laws allow, prohibit, or require in connection with maintaining the privacy and security of health information. Widespread misinterpretation and misapplication of HIPAA and related state laws has created significant confusion among providers and patients alike. Education and training provided by individuals with a strong understanding of these laws is essential. A clear understanding of these laws also will facilitate the development of appropriate privacy policies, procedures and agreements that would apply to participants in electronic HIE and, potentially, a RHIO.

With strong commitment from the health care community and sound guidance from leaders and advisors, not only can privacy and security be achieved with electronic HIE, but health care in New Jersey may be improved through providers' participation in HIEs and RHIOs.

[1] See N.J.A.C. 8:43G-4.1(a) 21 (Hospital can release, without patient approval, the patient's medical record to another health care facility to which the patient was transferred that requires the information, or if the release of the information is required and permitted by law, a third-party payment contract, a medical peer review, or the New Jersey State Department of Health); N.J.S.A. 30:13-5(g) (Skilled Nursing Facility may disclose record to another nursing home or health care facility on transfer, or as required by law or third-party payment contracts); and N.J.A.C. 8:36-15.3(b) (Assisted Living Facility may release information without written consent in case of the resident's transfer to another health care facility, or as required by law, third-party payor, or authorized government agencies).

HIPAA Health Law Blog

Need information about the legal developments, issues, and other pertinent information relating to the creation, use, and exchange of health information? Look to Fox's Helen Oscislawski, author of the HIPAA Health Law blog. Join Helen as she discusses topics such as EHRs and PHRs; HIEs, RHIOs, and EHR networks; privacy and security; breaches; and recent legislation.
To start reading, visit today!