Protecting Patient Privacy

The success of Health Information Exchange (HIE) depends on many factors, including the trust that patients and providers have in the accuracy of health information made accessible through HIE, and the confidence that the Health Information Organization (HIO) is facilitating appropriately authorized and authenticated access to the health information in accordance with the patient's consent, if required. This module discusses the protection of the health information of patients through privacy and security policies that address multiple requirements for HIE.

The passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act provisions, within ARRA, represented a significant change in the applicability of HIPAA to HIE. Under the HITECH Act, HIOs will be directly obligated to comply with the HIPAA regulations as HIPAA "business associates", whereas HIOs previously were subject to privacy and security rules only indirectly through their contracts with providers. HIOs are required to notify their participating health care providers of data breaches. Both the HHS Office for Civil Rights and state attorneys general now have authority to enforce the HIPAA regulations against HIOs.

Ultimately, HIOs will need to do a significant amount of education and outreach to their stakeholders on privacy and security, laws and regulations that apply to HIE, and policies and technology. And it will be a moving target for HIOs: amended HIPAA regulations governing privacy of health information will be finalized this year, and states are beginning to regulate HIOs operating within their borders. HIOs must have clear privacy and security policies for accountability, transparency, consent, access, and use and disclosure of personal health information to maintain confidence and support for HIE.

818 Connecticut Avenue, N.W., Suite 500
Washington, D.C. 20006
Tel: 202-624-3270 | Fax: 202-429-5553