Report Outlines HIE Privacy Challenges

Patient Record Matching, State Privacy Rules Among Hurdles
Report Outlines HIE Privacy Challenges

Matching patients to all the right electronic records and complying with privacy rules that differ from state to state are among the toughest ongoing challenges that health information exchanges face, according to a new Government Accountability Office report.

See Also: 2015 Fraud Mitigation & DDoS Response Study

The GAO report is based on interviews with providers and other stakeholders in four states with ongoing HIE efforts. Those interviewed said key challenges include "issues related to insufficient standards, concerns about how privacy rules can vary among states, difficulties in matching patients to their records, and costs associated with exchange," the report notes.

Linda Kohn, director of healthcare at the GAO, tells Information Security Media Group, "We interviewed providers and other stakeholders in Georgia, North Carolina, Minnesota and Massachusetts, and that generally happened during the summer months of 2013."

Two units of the Department of Health and Human Services - the Centers for Medicare and Medicaid Services and the Office of the National Coordinator for Health Information Technology - have several ongoing programs and initiatives to help address some aspects of these key challenges, the report notes. "But concerns in these areas continue to exist."

For example, several providers told GAO that they have difficulty exchanging certain types of health information due to insufficient health data standards.

Exchange Across State Lines

"In terms of the variation in privacy rules across states, some providers reported to us that the lack of clarity in the rules adds to the difficulty in exchanging information with providers in other states," Kohn says.

The complexities of differing state privacy rules most frequently come up with patients who live on the border of states, such as in the Tri-state area of New York, New Jersey and Connecticut, says David Whitlinger, executive director of New York eHealth Collaborative, which oversees a statewide health information exchange efforts.

Although there are challenges that make data exchange difficult on a regional basis, HHS still envisions nationwide health information exchange, as called for under the HITECH Act .

In a recent speech, Karen DeSalvo, M.D., the new head of ONC, argued that health information exchange on a national level is attainable within the next three years, but matching patients to all the right records is a critical data security, privacy and patient safety concern that must first be addressed (See: ONC's DeSalvo on Patient IDs and HIEs).

"A technology challenge [for health information exchange] is patient matching ... making sure data flows in a smart way," DeSalvo said. "There's a need to sort out where data is coming from, and where it's moving. As doctors integrate data, patient matching is very important."

The issue of ensuring that all the correct data from multiple sources about the correct patient reaches the right clinician at the right time "is about safety as much as it is security," she added.

To help address the issue of matching patients to all the right records, ONC last fall launched a patient ID collaborative initiative (see Patient Data Matching: Best Practices). "The goals of the initiative are to improve patient matching based on an assessment of current approaches used by selected stakeholders; identify key attributes and algorithms for matching patients to their records; and define processes or best practices to support the identified key attributes," the GAO report notes.

The first phase of the ONC initiative was completed with the release of a report containing patient matching recommendations for possible inclusion in Stage 3 of the HITECH Act electronic health record incentive program and the 2015 edition of the standards and certification criteria, notes the report (see: Ways to Improve Patient ID Matching).

GAO Recommendations

The report notes that HHS developed and issued a strategy document in August 2013 that describes how it expects to advance electronic health information exchange. "The strategy identifies principles intended to guide future actions to address the key challenges that providers and stakeholders have identified. However, the HHS strategy does not specify any such actions, how any actions should be prioritized, what milestones the actions need to achieve, or when these milestones need to be accomplished," the report notes.

As a result, the report stresses that CMS and ONC need to develop and prioritize specific actions to advance health information exchange. And it calls for the agencies to develop milestones with time frames for the actions to better gauge progress toward advancing exchange, with appropriate adjustments over time.

CMS and ONC concurred with these recommendations, the report notes.

Signs of Progress

Whitlinger of the NYeC says that security and privacy matters are among the top concerns for health information exchanges. But he sees progress being made in those areas.

For instance, on a regional basis, the legal teams that represent health information exchange organizations, hospitals, physician practices and accountable care organizations are "getting very good at trust agreements" that spell out terms for sharing patient information among the entities, he says. "That's the basis of HIE, trust and stewardship of data."

Also, Whitlinger believes that technology vendors and others are beginning to tackle the patient matching issue. "Identity matching happens all the time in e-commerce, on the Internet. It's still an issue [for HIEs] but we're starting to catch up," he says. "There are tons of identity management solutions in the industry, and we need to leverage that."

Micky Tripathi, CEO of the Massachusetts eHealth Collaborative, a not-for-profit consultancy that has helped build several regional health information exchanges, notes: "Patient matching is not perfect, and never will be. But it is good enough, and will likely get better with growing demand for HIE."

What's more challenging for HIEs, Whitlinger says, is a lack of interoperability standards. For example, an HIE organization can spend $1 million on a vendor solution to set up an HIE, but then it might cost thousands more for each healthcare organization to interface its systems with an exchange because of a lack of industrywide interoperability standards, he says. "It's not cost-prohibitive to set up an HIE - but getting everyone to connect can be," he says.

HHS is working on standards for point-to-point data queries and for integration of electronic directories of providers and patients for implementation in Stage 3 of the HITECH Act electronic health records incentive program, Tripathi says. "Those are the two areas where the government can still add value," adds Tripathi, who co-chairs two HIT Policy Committee advisory panels, the privacy and security tiger team and the health information exchange workgroup.

The HITECH Act EHR incentive program "has done a fabulous job of giving providers the tools and kick-starting the demand for interoperability," Tripathi says. "The best role for the government is to now step aside and let the market take it forward."

Whitlinger notes that next week, he expects New York Gov. Andrew Cuomo will announce that the state's HIE effort will be "turned into a public utility," receiving annual state funding, including $65 million for the next fiscal year.

Many HIEs, including statewide efforts launched under the HITECH Act, receive grants or government funding for their start up and early operations. Once that funding dries up, however, HIEs must devise a financial sustainability plan that might include charging subscription fees to participating healthcare organizations.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network