HIE Security through Standardization and Limited Access
November 18, 2015 by Gary Hamilton
Healthcare organizations and health information technology (HIT) developers are finding themselves between a rock and a hard place. A great deal of attention is focused on removing barriers to interoperability between disparate electronic health record (EHR) systems. Those barriers, whether intentional (such as information blocking), or rooted in state law or hardware incompatibilities, ultimately prevent the free flow of patient data. Providers and patients alike are lobbying Washington to devise a regulatory process whereby those barriers can be dealt with once and for all.
On the other hand, providers and developers also are under extreme pressure to prevent data breaches and medical identity theft.
The question is: can a health information exchange (HIE) network be designed that is both barrier-free and also secure from data theft? We believe the answer is yes.
Four U.S. Senators sent a signed letter to the Department of Health and Human Services (HHS) on November 12 requesting information on how HHS is dealing with data theft and the slew of legal ramifications involved.
The Senators are:
• Lamar Alexander (R-Tenn.), Chairman, Senate Committee on Health, Education, Labor, and Pensions;
• Orrin Hatch (R-Utah), Chairman, Senate Committee on Finance;
• Patty Murray (D-Wash.), Ranking Member, Senate Committee on Health, Education, Labor, and Pensions; and,
• Ron Wyden (D-Ore.), Ranking Member, Senate Committee on Finance.
One of the questions the Senators asked is whether HHS believes that the Health Insurance Portability and Accountability Act (HIPAA) “gives a victim of medical identity theft the right to access his or her health record if it contains a thief’s health information?”
Such an odd question. It turns out that many of the stolen records are sold to individuals who use them to get treatment in hospitals. The data from those encounters becomes part of the original patient’s records; however, the data does not belong to the original patient. Or does it? Thus the Senators’ question: who is HIPAA protecting? Patient or thief?
These issues form a complex puzzle that promises to become even more complicated when true nationwide interoperability becomes a reality. Once multitudes of access points to patient data have been established, how will organizations hope to prevent similar data breaches from occurring?
The answer is to minimize the number of connections, while simultaneously rendering the type/brand of electronic health record (EHR) moot. This is accomplished by a process we call standardization and is part of our commitment to connected health.
The Office of the National Coordinator for Health Information Technology (ONC) describes the importance of standardization on its HealthIT.gov website:
“If a practice has successfully incorporated faxing patient information into their business process flow, they might question why they should transition to electronic health information exchange. Many benefits exist with information exchange regardless of the means by which it is transferred. However, the value of electronically exchanging is the standardization of data. Once standardized, the data transferred can seamlessly integrate into the recipients’ Electronic Health Record (EHR), further improving patient care.”
Thus, once standardized, the healthcare organization’s patient data can be directly exchanged between all of the EHR systems on the network simultaneously. And limiting the number of access points reduces the opportunity for unauthorized ingress by data thieves.
For example, hospital physicians on an InteliChart network need only a single connection to access:
• All of their patients’ records;
• Admissions, discharge, transfers (ADT);
• Hospital lab orders/results;
• Hospital radiology orders/results;
• Hospital transcription/document; and,
• Discharge summaries.
All of this information will have been standardized for SNOMED, LOINC, and RxNorm compatibility. Thus, it can be accessed by providers through a single, secure portal, as well as exchanged securely with other providers, accountable care organizations (ACOs), patient-centered medical homes (PCMHs), and hospital networks.
Data can even be exchanged with statewide HIEs, once the connection has been established and their data standardized as well.
Patients gain a similar accessibility to their encounter documents, lab results, and provider communications all through a single, secure portal.
The InteliChart HIE platform solves many of the interoperability and security issues facing today’s evolving healthcare system. While the government prepares to embark on its newest incursion into uncharted regulatory waters, your organization could be establishing its own secure HIE network. And, while the various healthcare oversight committees debate how best to prevent information blocking, your organization could already be freely exchanging patient data, deflecting any potentially invasive oversight.