Importance of Contractual Agreements

The success of health information exchange (HIE) depends on sharing patient information among health care providers privately, securely and only for authorized purposes. Because providers, HIEs and their contractors depend on one another in the exchange process, data sharing agreements are needed that clarify the responsibilities of each party.

HIEs are business associates of the HIPAA-covered providers who contract for their services. Prior to the passage of the HITECH Act in 2009, business associates were not directly subject to federal enforcement. HIPAA could not reach them directly; it reached them indirectly through regulations that required a covered entity to have a specific form of contract (a business associate agreement) in place before giving a business associate access to protected health information (PHI). If the business associate violated that contract by failing to protect PHI adequately or by using or disclosing PHI improperly, the covered entity was required to take action, up to and including termination of the contract. The contractors of a business associate were not themselves business associates of the providers; however, under HIPAA's required contract terms, the business associate had to obtain assurances from its contractors that they would adequately protect PHI and not misuse it.

Following the passage of HITECH, the requirements for business associates have changed. HITECH gives the federal government jurisdiction to regulate business associates directly for the privacy and security of PHI. HIEs continue to be business associates of the covered entity providers who contract with them. At the present time, a notice of proposed rulemaking (NPRM) to modify the HIPAA Privacy, Security and Enforcement Rules under HITECH would extend business associate requirements and penalties to the contractors of business associates. This change would affect the contractors to the HIEs: any party in a chain of relationships that performs a function or activity on behalf of a covered entity and that touches PHI would be a business associate. Consequently, the NPRM affects not only HIEs but also their contractors, their subcontractors, and so on. The NPRM includes one exception. Subcontractors that act as conduits or provide data transmission services, that do not require access to PHI on a routine basis, and that do not access the information other than on a random or infrequent basis, would not be considered business associates.

One example of how the NPRM would affect business associates and their subcontractors is the HITECH breach notification rule. That rule, which applies to covered entities and their business associates, requires notification of affected patients and the Secretary of Health and Human Services (HHS) (and, for breaches affecting more than 500 residents of a state or jurisdiction, the media) following the discovery of a breach of unsecured PHI. A business associate must notify the covered entity of a breach of unsecured PHI; the covered entity then has the duty to notify affected patients, and notifications must be made without unreasonable delay and no later than 60 calendar days after the breach is discovered. Subcontractors to the HIE that fall outside the data transmission exception described above would be accountable both to the business associate contract that gives them access to PHI and to HHS. Because each link in the chain uses up part of the same notification window, it is important for HIEs to include clear language in their information sharing agreements stating who is responsible for giving notice, how quickly notice must be passed to the next party in the chain, and who bears the associated costs.

The federal government recognizes that significant changes will be needed once the final rule modifying the HIPAA Privacy regulation is published. HHS has therefore indicated that business associates will have a transition period of 180 days after publication of the final rule to change their existing business associate contracts or other arrangements. HIEs will also need to achieve substantive compliance by the actual compliance date once it is set, so it is important for HIEs to watch for the publication of the final rule. The proposed rule would allow business associates and their subcontractors to continue operating under existing contracts for up to one year following the effective date of the final rule modifying HIPAA under HITECH. This grandfathering applies only to written contracts that were in place before the publication date of the final rule, that complied with the HIPAA Rules in effect when the contract was entered into, and that are not renewed or modified between the effective date and the compliance date of the final rule.

Before determining which legal and information sharing agreements should apply to the parties they contract with, HIEs should review their own internal policies and practices for maintaining the privacy and security of PHI, including:

  • Identify all of the legal obligations under privacy and security laws and regulations that apply to the HIE
  • Review the HIE's privacy and security policies, including:
    • Privacy and security controls that are in place
    • Risk assessment process
    • Internal reviews and monitoring, including reactive and preventive controls
    • User authentication and access controls
    • Competence of personnel, and privacy and security training
    • Physical and environmental security
    • Limits on the collection and use of PHI
    • Processes for maintaining the integrity of PHI and correcting it
    • Restrictions on transfers to third parties
  • Modify or create the privacy and security policies, including the compliance, audit and incident management policies, that will apply to parties contracting with the HIE

818 Connecticut Avenue, N.W., Suite 500
Washington, D.C. 20006
Tel: 202-624-3270 | Fax: 202-429-5553