National Privacy and Security Framework for Electronic Exchange of Individually Identifiable Data

In 2008, ONC released a nationwide privacy and security framework for the electronic exchange of individually identifiable information. This document continues to serve as a resource for HIEs working to develop a clear, consistent and coordinated approach to privacy and security.

The Framework is based on Fair Information Practice Principles, including limitations on collection of data, data quality, purpose specification for the data collected, use limitations, security safeguards, openness, individual participation, and accountability. In 2008, the Department of Homeland Security published a guidance memorandum on the subject.

Since 2008, activities in several areas have been advancing the national privacy and security framework. ONC created the State Health Information Exchange Cooperative Agreement Program, and entered into cooperative agreements with 56 territories and State Designated Entities (SDEs) to coordinate and facilitate HIE within their state. The SDEs must address legal and regulatory issues, including the requirements for privacy and security in the context of facilitating HIE within their state and exchange with other states. SDEs will establish a statewide privacy framework, implement an enforcement mechanism to address non-compliance with privacy and security requirements, review legal and policy obstacles to information exchange, and establish policies and frameworks for services.

SDEs are required to support the health professionals and hospitals within their jurisdiction in meeting meaningful use requirements. They are expected to facilitate increased connectivity and enable patient-centric information flow to improve the quality and efficiency of care within their state. HIOs, working with the SDEs to enable HIE, also should be aware of the meaningful use requirements, specifically the requirements that support the adequacy of privacy and security protections for PHI. Meaningful use objectives are expected to increase over time. The capacity of technology to support any increased privacy and security requirements is being considered, and the expectation is that technology will evolve to meet new requirements. The efforts of SDEs to advance their respective privacy frameworks, and to do so within the context of supporting meaningful use, will be one activity that advances the national privacy and security framework, and HIO practices must remain aligned with this activity.

More changes are ahead: the Federal Trade Commission and the Department of Commerce each issued requests for input from the public on questions of data information sharing practices, which may result in regulations that affect HIE. With the rise of social media, technologies that enable direct patient capture and sharing of health information will change the HIE landscape. In short, the requirements governing health information are likely to evolve in a manner that continues to focus on the type of information more than the place where the information resides.

818 Connecticut Avenue, N.W., Suite 500
Washington, D.C. 20006
Tel: 202-624-3270 | Fax: 202-429-5553