Skip to content Skip to navigation

Devil in the Details

August 21, 2012
by David Raths
| Reprints
State health information exchanges (HIE) boards grapple with a dense thicket of policy questions

The journey for statewide HIEs has been slow-going and fraught with challenges of governance, consent, security, auditing structure, and secondary data use. Executive directors of statewide health information exchanges speak about thepolicy hurdles they have encountered, and those that still lay ahead.

A quick look at the Maryland Health Care Commission’s ongoing health information exchange (HIE) policy work illustrates both how much progress states are making and how far they still have to go. The Old Line State has completed final recommended policies on 13 topics, ranging from secondary data use to consumer choice. Still in the works are policy provisions for 15 other topics, ranging from consumer portals and health record banks to breach notification.

None of the work on privacy and security frameworks has been easy or quick. Many states have had to go to their legislatures to have laws rewritten. Others have used state laws in place as their starting point and worked around them. And officials have come to realize that, because health IT policy is constantly evolving, their work is never really done.

When market research firm IDC listed its “Top 12 Best Practices for Sustainable Health Information Exchange” earlier this year, No. 10 was more of a warning: Don’t underestimate how long privacy and security will take.

Executive directors of statewide HIEs are under no illusions that privacy and security policies, especially dealing with patient consent, will happen overnight.

They have discovered that only the dedication and hard work of hundreds of stakeholders makes it possible to move from aspirations to the operational stage of HIE. As Michael Matthews, CEO of regional HIE MedVirginia puts it, the volunteer governance body set up to create ConnectVirginia, the statewide HIE, is doing great work to move forward on challenging issues. To follow that learning curve, they often have to sit through five- or six-hour meetings. “It speaks to their commitment,” he says. By the third quarter of 2012, the amount of policy work is expected to subside, but once the HIE is operational, Matthews added, they will have to see if state laws need to be adapted for data to flow.

Michael Matthews

Healthcare Informatics asked several statewide HIE leaders to describe some of the policy hurdles they are dealing with. Many admit that governance structures and policy details have been difficult to reach agreement on, and some say that aligning their efforts with those on the federal level adds to the degree of difficulty.

The state of Connecticut, which hasn’t made as much HIE progress as other states in New England, has fashioned consent policies and made them a condition of participating in the HIE. But getting consensus among stakeholders has been difficult, notes David Gilbertson, CEO of the Health Information Technology Exchange of Connecticut (HITE-CT). “We have been working on it for two years,” he reports. “You have to get compromises from attorneys and privacy advocates. Hospital organizations that treat data one way are now being asked to treat it a different way for the HIE.”
Because the federal State HIE Cooperative Agreement Program funding was part of the stimulus act, the states have to spend the money over a fairly short time frame in the next two years. That puts states that had made little progress previously on HIE in a difficult situation because governance, consent, security, auditing structure, and secondary data use policies must all be worked through.

Another challenge is the fact that many private health systems are developing their own local HIEs to attract physician groups seeking meaningful use funds. “They have spent time developing their own governance process that may not be consistent with what we are doing at the state level,” Gilbertson explains. “So now we are asking them to revisit that.”

Consent issues also continue to challenge Maine’s HIE, HealthInfoNet. In a legislative session a few years ago, a bill drafted with the support of the Maine Civil Liberties Union was introduced that would require the state’s HIE to switch from an opt-out model of consent to opt-in. A compromise was crafted that gives patients a separate form about the HIE and explicitly offers the opportunity to opt out.

But in dealing with mental health and other sensitive data such as HIV status, there are state laws that require that patients be told whom their health data is being sent to. That is unworkable with Maine’s central data repository model, says Dev Culver, HealthInfoNet’s CEO. “So now, HealthInfoNet must sequester that data, and the patient can choose to opt in for certain categories of content, either permanently or at the time of a doctor visit.” Maine is testing a new hybrid opt-in/opt out form of consent. “We think we can do it technically,” Culver adds, “but all of the burden is on our shoulders.” Typically with an HIE, if a provider releases data inappropriately, they are at risk, he notes. “Now all the risk is with us. It is a liability concern, so we are being cautious and going slow.”

Another policy question on the horizon involves the appropriate use of information, and what fits under the definition of “treatment and operations.” For instance, Culver says, Maine has an all-claims database. “How that data is merged with clinical data is a question.”