The HIPAA Privacy Rule applies to covered entities: health plans, health care clearinghouses, and most health care providers. After the HITECH Act, Business Associates (BAs) will also be required to comply with most of the HIPAA regulations [1]. HIOs are Business Associates of covered entities under HIPAA, because HIOs handle health information on behalf of the health care providers participating in HIE. HIOs will have to comply with most of the HIPAA Privacy and Security regulations as of eight months after the final HIPAA regulations are published.
As Business Associates, HIOs will need to have extensive policies and procedures in place to comply with the HIPAA Privacy and Security regulations, and will need contracts in place with any subcontractors that receive health information. For example, HIOs will need policies that control how they use and disclose health information and how they implement patient rights. The eHI resources on this issue will assist.
In addition, Business Associates are presently required to comply with the HIPAA breach notification regulations. This requires HIOs to notify the covered entities participating in the HIO. The covered entities are then required to notify patients and HHS of a breach of health information if there is a significant risk of financial, reputational or other harm to the patients.
Finally, HIOs are required to comply with state privacy regulations. HIPAA only preempts state laws that are "contrary" to HIPAA, unless the state law is more protective of patient privacy. HIOs thus must be vigilant about their own state laws.
[1] Technically, BAs are not required to comply with HIPAA (or at least it won't be enforced against them) until 8 months after the final HIPAA regulations are published.