California Medical Privacy Fact Sheet C6:

Health Information Exchange:
Is Your Privacy Protected?

Send to PrinterSend to Printer
Copyright © 2012-2016
Privacy Rights Clearinghouse
Posted July 2012
Revised July 2012
  1. What is health information exchange?
  2. What is the Nationwide Health Information Network?
  3. What laws protect the privacy and security of electronically exchanged health information?
  4. When will you begin to notice electronic health information exchange?
  5. What are the benefits and risks of HIE?
  6. How does HIE work?
  7. Who has access to your medical records via HIE?
  8. Is your consent required for the electronic exchange of your medical information? 
  9. What additional rights do you have regarding HIE?
  10. Tips
  11. Resources

1. What is health information exchange?

If you have not yet heard about health information exchange (HIE), you are likely to learn about it soon. HIE is the electronic exchange of individual medical information with other health care providers. The term HIE is often used interchangeably as a noun—an organization that exchanges health information—and a verb—the exchange of health information. An HIE in its noun form may also be called a health information organization (HIO), which administers the exchange of health information.

The California Office of Health Information Integrity’s (CalOHII) eHealth Privacy 360 website has a Patient FAQ that is an excellent source for consumer information about HIE. Among other helpful information, you’ll find a definition of HIE that provides a high-level overview of health information exchange and its goals:

Health Information Exchange, or HIE, is a way of sharing electronic health information among doctors’ offices, hospitals, labs, radiology centers, and other health organizations. HIE allows access [to] the right health information [by] the right health care personnel at the right time, providing safer, more timely, efficient, patient-centered care. HIE will allow the doctors and nurses treating you in a hospital or doctor’s office to access your medical history. For example, doctors can review recent lab results whether the test was conducted at your primary care provider, at the hospital, or at participating labs across the State. . . . Because all authorized doctors and medical personnel will see the same health information through the HIE, this will help to reduce any errors, avoid unneeded duplication of tests and procedures, and consequently, could reduce medical bills.

Consider the many types of information your health care providers compile about you. HIEs will share information like lab test results, pathology results, diagnostic test images and results (such as radiology and other imaging diagnostics), prescription history, allergies, health care provider treatment orders, patient care summaries, provider visit reports, and referrals.

Although having such information in a medical record may be essential to treatment, the electronic exchange of sensitive health information raises many unresolved issues.  For example, there is no universally accepted definition of “sensitive information." This term generally includes records that refer to treatment for HIV/AIDs and other sexually transmitted diseases, treatment for substance abuse, mental health issues, and genetic information.Nor are there universal standards for who needs to know or access particular kinds of medical information. In addition, identifying and separating sensitive information from a larger record can be technologically challenging.

For these reasons, California health care providers and HIEs are generally excluding what California laws define as sensitive medical information from electronic exchange for the time being. However, excluding sensitive medical information is a practice, and not a formal policy. To read more about the complexity of sharing sensitive information electronically, see Cal OHII’s “Approach to Defining Sensitive Health Information.” 

a.  Are there HIEs already operating in California and elsewhere?

Although health information exchanges have a long way to go until they are actually performing all the functions expected of them, there are a number of operative HIEs across the U.S. and in California that are at various stages of fulfilling some of those functions.

California currently has at least eight operational HIEs (or HIOs) and four more in the planning stage. For example, Redwood MedNet is operating in Mendocino, Sonoma, and Marin counties. It allows hospitals, laboratories, and imaging centers to send results electronically to the EHR system used by the provider who ordered the test. It can also send records to a patient's Microsoft HealthVault personal health record (PHR).

The San Diego Beacon Community HIE is in the planning stage. When it is fully operational, it will enable medical information to be shared electronically among patients, health care providers, ambulances, clinics, and hospitals. It will also evaluate how and if HIE actually improves healthcare.  

You can read about active and upcoming California HIEs on the CalOHII (the California Office of Health Information Integrity) eHealth Privacy 360 website.

Elsewhere, the Indiana Health Information Exchange (IHIE) claims to be the largest statewide exchange. It was launched in 2004 to help lower the state’s health care costs and improve its poor rankings in such health indicators as obesity, smoking, diabetes and heart disease. CalOHII has a fairly current list of states with active statewide or regional HIEs.

To learn more about the progress of HIEs around the U.S., see a report from the National eHealth Collaborative, titled Health Information Exchange Roadmap: the Landscape and a Path Forward.

2. What is the Nationwide Health Information Network?

The Office of the National Coordinator for Health Information Technology (ONC), part of the U.S. Department of Health and Human Services, defines the Nationwide Health Information Network (NHIN) as “the set of standards, specifications and policies that enable the secure exchange of health information over the Internet.”

The 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act) set the goal of having an operative NHIN by 2014, when it will be possible to share individual health information locally, regionally, and nationally. While the 2014 goal is probably a stretch, HITECH-funded HIE demonstration projects are now underway in all states. As HIEs link to one another through the Internet, your health information will become available to health care providers all over the U.S.

Developing a NHIN is an extremely complex process. It requires standardized file-sharing technology, data-sharing agreements, patient consents, and strong security to make real-time exchange of medical records possible between entities located anywhere in the U.S. Such availability of medical data will undoubtedly have many benefits. It will also make breathtaking quantities of highly personal information more vulnerable to data breaches, medical identity theft, and the introduction of errors.

3. What laws protect the privacy and security of electronically exchanged health information?

HIPAA privacy regulations apply to medical records in any format, which generally means paper or electronic. The security regulations apply only to electronic health information. California law applies to both.  The HIPAA Privacy Rule and Security Rule may be found at 45 CFR Parts 160, 162, and 164

HIPAA regulates so-called “covered entities,” which it defines as health care providers, health insurers, and health care clearinghouses (an entity that standardizes health information, such as a billing service that processes data into a standardized billing format). HIEs or HIOs, which have access to your health information because of their role as a data exchange, must follow HIPAA regulations concerning the access, use, disclosure, and confidentiality of your medical records.  They must also notify you about how the information will be used.

In addition, HIPAA requires HIEs and HIOs to have privacy and security policies and procedures in place to safeguard your health information when it is exchanged. These policies and procedures specify who is authorized to access your health information, and that the information must be encrypted.

In California, the Confidentiality of Medical Information Act (CMIA) (Cal. Civ. Code §§ 56-56.37) also regulates the access, use, and disclosure of individuals’ medical information. It applies to HIEs or HIOs that exchange information electronically. For more detailed information about California laws that protect the privacy of medical information—and also about HIPAA—see PRC's California Medical Privacy Fact Sheet C1: Medical Privacy Basics for Californians.

4. When will you begin to notice electronic health information exchange?

It is likely you are already experiencing some effects of HIE. The HITECH Act offers incentives until 2014 to health care providers that implement health information technology (HIT).   Providers that follow HIT implementation steps receive incentive payments through Medicare and Medicaid. The five-year period of incentive payments is followed by five years of disincentives—lower payments—for failing to implement HIT.

The implementation steps are known as “meaningful use” goals. The first stage ends in 2012. During this stage, only a few of the meaningful use goals have to do with HIE. Goals include electronic prescribing (electronic transmission of prescriptions from physician to pharmacy) and some electronic sharing of lab results; a summary of care record is not yet required. To learn more about future requirements for HIE, see the Healthcare Information Management and Systems Society (HIMSS) report titled, “HIE Implications in Meaningful Use Stage 1 Requirements.”

You may also notice the implementation of meaningful use goals that are not directly related to HIE. One is that your health practitioner will likely be entering information into a computer during your visit. Stage 1 meaningful use requires implementing computer-assisted physician order entry (CPOE), and recording such information about you as an up-to-date list of diagnoses, all current medications (including non-prescription) and medication allergies, vital signs and changes in vital signs, smoking status, and demographics. If this sounds similar to a paper intake form you have filled out before, it is. The primary difference is that now all of the data is going into computer and may be shared more easily.

Another important goal of HIE is to involve patients more actively in their own health care by giving them more information about it. This means that you should receive an electronic copy of your health information including diagnostic test results, problem list, medication lists, and allergies on request, within 48 hours. You should also receive a clinical summary of each visit you make to a health care provider. If you are enrolled in Kaiser Permanente, for example, you already have a “patient portal,” where you can log in online, see your lab results, and send and receive secure emails with your providers.

5. What are the benefits and risks of health information exchange?

Proponents claim that electronic health records and HIE will revolutionize medical practice. Not only will they improve the quality of health care, but they will also increase efficiency and reduce costs. The idea is that once a person’s medical records are electronic and available to every provider he sees, treatment will be better, safer, and more effective because it will be based on the complete record. In addition, overall costs will go down because providers will be able to eliminate redundant diagnostic tests, procedures, and prescriptions—no need to re-invent the wheel.

HIE's anticipated benefits include:

  • improved quality of care;
  • reduction in medical errors;
  • decrease in redundant or unnecessary services and tests;
  • reduced administrative and clinical costs;
  • ability to track who accesses medical records, including when and why;
  • improved monitoring of chronic conditions;
  • improved public health research, including the ability to detect and prepare for pandemics or bioterrorist events;
  • increased patient engagement in their care when patients can access their own health information.

It will be some time before we know whether the benefits of electronic health records have been over sold. However, it is clear that HIE will increase the exposure and vulnerability of everyone’s medical information by making individual medical information universally available. Medical information is already widely exposed.  The healthcare industry's non-standardized and duplicative record-keeping and billing procedures generate multiple records containing personally identifying information in the course of treatment and payment. In addition, third parties and contractors have access to personal medical information in order to perform many non-treatment-related functions on both the provider and payer sides of health care.

When electronic medical records are universally available, the number of locations and people accessing the information will increase. Even with access controls, technical security, and data breach laws and regulations, increased accessibility will increase the risk of medical identity theft and large-scale medical financial fraud.  It also increases the likelihood that errors entering a medical record are replicated.  Errors may enter a medical record when someone makes data entry mistakes, inadvertently or negligently mixes records, or commits medical identity theft.

a. Additional security concerns posed by HIE

Health care providers will need to address several security issues including encryption, use of personal mobile devices, and cloud storage.

  • Encryption is an “addressable” security standard under HIPAA. That means covered entities must encrypt protected health information when it “is a reasonable and appropriate safeguard.” (45 CFR § 164.312(a)(2)(iv)) When the HIPAA Security Rule was implemented in 2002, encryption was expensive and challenging to use. The result is that many covered entities still do not encrypt their data. With the enormous amount of personal medical information that will be moving around electronically as HIE gets underway and spreads, the U.S. Department of Health and Human Services (HHS) needs to make encryption a requirement and set standards for its use.

  • Personal mobile devices like smartphones, tablets and USB drives are ubiquitous. Health care providers often use their own unsecured devices to record and transmit unencrypted work-related health information. The speed with which such devices have been adopted is well ahead of policies that govern their use. According to a number of recent studies, the vulnerability of mobile devices is already playing a significant role in medical data breaches.

    For example, the Ponemon Institute reports that “51% of the organizations [it surveyed] experienced data loss resulting from employee use of unsecured mobile devices (including laptops, smartphones, USB devices, and tablets).” (See the Ponemon Institute’s “Global Study on Mobility Risks,” registration required.)

    At the outset of implementing HIE, one policy that health care providers should consider for all mobile devices, including personal devices, is allowing access to personal health data for viewing but not for download and storage.

  • The cloud—that is, remote servers where more and more businesses are moving their data—will be essential in an era of electronic health information exchange, if for no other reason than the staggering quantities of data that digitizing the medical records of the entire U.S. population will create.

    Health care providers may also want to host their patient portals on cloud-based servers.
    Patient portals are websites where patients can access their medical records and exchange email with their providersHIEs may also find it convenient to perform their data search and exchange functions by way of cloud servers.

    The vast potential of cloud service for storage and active use of data raises an obvious question: how good is cloud security? It’s difficult to say at this point because the state of data protection in cloud environments is still somewhat immature. Cloud-based data breaches have already occurred.

    For example, in December 2010, Honda had a breach affecting the names, email address, and VIN (Vehicle Identification Number) numbers of 2.2 million customers whose data was stored with storage provider Dropbox. The cause was a code change by Dropbox that eliminated the password authentication system required to access users’ stored data. This error made the data accessible to anyone.
    Health care providers and HIEs considering cloud services need to know the cloud provider’s practices and policies for:  
    • keeping data from different tenants on the same virtual server separate, unmixed, and inaccessible from each other;
    • internal encryption of data and entire systems within the cloud, including management of encryption keys. For example, will cloud service providers require access to their tenants’ encryption keys?;
    • ensuring the tools are in place for detecting and responding to data breaches;
    • the physical location of cloud servers and which laws apply.

Cloud services are developing more quickly than laws or regulations can address. As a patient you’re unlikely to know where your medical records actually reside. And you’re forced to rely on the security practices of others to protect the privacy of your information.

6. How does health information exchange work?

Health information exchange is a work in progress, but the first step is transitioning from paper to electronic records (computer files). Health care providers of all sizes—from a small practice to a large medical center—must purchase an electronic medical records system (EMR) to computerize their records. The computerized records are called electronic health records (EHRs).

Once it has electronic records, the provider will likely contract with an HIE or HIO so it can exchange medical data with other providers. Providers may directly request records from other providers, called a “point-to-point” solution. But having an HIE or HIO in the middle to facilitate the transaction seems to have become the standard practice.

Another option that is independent of an HIE/HIO middleman is the personal health record (PHR). This type of record is one that you control.  A PHR may have a fee or may be “free” but supported by advertising or sale of your de-identified data. It’s important to note that there is no protection under HIPAA or the CMIA for de-identified data, The business that is de-identifying it need only procure an unmonitored certification that the data is truly de-identified and has had all 18 HIPAA-mandated identification elements removed. (45 CFR § 164.514(b)(2))

The easiest format to use is a web-based PHR, which allows you to request records electronically from your health providers to include in your record. The PHR also lets you send all or parts of your record to other providers online. Before you decide to go this route, it is a good idea to learn about PHRs, including the privacy risks, from a source that is not selling them. 

For a basic understanding of how HIE operates, it may help to compare HIE to the online airline reservation sites that aggregate information from multiple airlines. When you enter a destination and date, the site displays all the available flight information from airlines that participate in its system. Similarly, when your doctor enters your name, and possibly one or two additional identifiers, the HIE Record Locator Service (RLS) checks the Master Patient Index (MPI) of every provider that participates in the HIE. The MPI is a database that has a unique identifier for every patient registered at a health care organization (HCO). It contains a patient’s name, birth date, gender, race, SSN, and address, along with her medical history at that HCO.

Providers who may participate in an HIE include individual physicians, practices of any size, large medical centers, laboratories, imaging centers, and pharmacies, although not all of these entities are involved in the current start-up phase. When the Record Locator Service finds a match in a provider’s Master Patient Index, it transmits the record to the requestor as a read-only file, which can be downloaded or printed. This record is a snapshot in time; that is, it reflects all the information about you that the RLS can find at the time of the request.

The process of exchanging health information assumes that detailed data-sharing agreements among the providers and between the providers and the HIE are all in place. Interim privacy and security standards require encryption of data at rest (in the provider’s servers) and in transmission (between providers, via the HIE), but actual adoption of encryption may be slow to happen.

7. Who has access to your medical records via HIE?

a. How can you find out who has accessed your medical records?

Because HIE's primary purpose is to improve the quality of medical care, your health care providers' priorities are to gain and allow access to a comprehensive record of your medical history. When the U.S. Department of Health and Human Services (HHS) finalizes its “accounting of disclosures” rule, providers that maintain EHRs will have to account to you for all disclosures of your personal health information that it makes for purposes of treatment, payment, and business operations for three years prior to the date of your request.

Until HHS' rule is final, you can get an accounting that goes back six years prior to your request, but this DOES NOT include disclosures for treatment, payment, or business operations.  Therefore the disclosures you are currently able to get may seem largely incomplete and irrelevant to the purposes for which you want them.

Read the full text of the Proposed Rule: HIPAA Privacy Rule Accounting of Disclosures Under the HITECH Act published May 31, 2011. (HITECH Act § 13405(c)).

b. Can you access your own medical records?

Of course you also have access to your records (apart from psychotherapy notes about you), but you must request them directly from your providers.  It is not possible to request your records through an HIE.

However, your doctor should be able to give you—or will soon be able to give you—what’s called a Continuity of Care Record (CCR) after each visit. The CCR is a summary of the most relevant and up-to-date facts about your care and treatment with that provider. A CCR can be helpful for you, and can also provide a current snapshot of your medical status for the next doctor you visit. A CCR may be transmitted either on paper or electronically

c. Who else will be able to access your medical records through HIE in the future?

HIEs will be able to transmit medical records required for public health reporting, including immunization registries. HIEs will also transmit data to disease registries, which track the care and health outcomes of patients with a chronic disease or condition, such as coronary artery disease, diabetes, or asthma. Paper registries have done this kind of tracking in the past, but automating record collection through HIE may be more effective.

HIEs can support care management by making it possible to generate patient reports for use at the point of care. It may also be easier to identify patients who are not following a prescribed care regimen or not meeting its goals, and to measure how well providers are delivering recommended care. This all goes along with the government’s goal of shifting the health care payment model from one of fee for service to payment based on outcomes; that is, not just whether you saw a doctor but whether you benefited from seeing her.

The goals of HIE are to improve the quality of care and make delivering it more efficient and cost-effective. Once electronic medical records are available everywhere, for all patients, though, it is inevitable that more people will want access to this data. It is a goldmine for medical research and all kinds of statistical analysis, for example.

It will be important to follow the evolution of HIE and make certain as its uses expand that the focus remains on improving the quality of care for individuals whose records are the raw material of HIE. Others who are not directly involved in patient care and treatment will undoubtedly want this information. Access should be subject to clear restrictions, such as the following:

  • statistically certified de-identification of data;
  • disclosures of how the data will be used;
  • limits on how data may be used;
  • and highly specific consent agreements.

8. Is your consent required for the electronic exchange of your medical information?

Tentatively, the answer is “yes,” at least in California. In California, you must give specific permission for your medical information to be exchanged electronically.  Determining this took two years worth of discussions among a wide range of stakeholder groups, including consumers. Eventually the discussions led to CalOHII’s including opt-in consent in the rules governing electronic health information exchange. However, the requirement's status is tentative because it only applies to HIE demonstration projects.

CalOHII currently administers demonstration projects to test HIE privacy and security policies and practices, new technologies that support HIE, and problems small health care practitioners may have in implementing HIE. The regulations automatically “become inoperative on the date the CalOHII Director executes a declaration stating that,” the demonstration projects are complete. CalOHII will need to write new regulations at that time, and it is likely that opt-in consent for HIE will be revisited.

Keep in mind that California's opt-in consent requirement applies only to sharing your medical records electronically. It does not supersede the HIPAA regulations or their presumption of consent for the use of your medical information for purposes of treatment, payment, and routine business operations. For more about consent, see PRC's California Medical Privacy Fact Sheet C2: Uses and Disclosures of Medical Information—With and Without Consent.

In addition, there are some exceptions to opt-in consent to HIE, including emergency situations—referred to as “break the glass”—when you (or a representative) are unable to give consent for electronic access to your records. Mandatory public health reporting is another exception. This would include, for example, reporting of staph infections, including MRSA (methicillin-resistant Staphylococcus aureus); communicable diseases; HIV/AIDS; and hospital-acquired infections.

California regulations also allow you to revoke HIE consent. The revocation becomes effective on the date it is made, and does not apply to health information already exchanged prior to revocation.

Opt-in consent to having your medical information shared widely through electronic transmission is a reasonable consumer protection and one that gives you a bit of control over the dissemination of your medical records. The health care industry, which was well represented in the meetings from which the HIE regulations evolved, generally views opt-in consent as a barrier to HIE.

California’s HIE demonstration project regulations, including consent, are available on the CalOHII website.

9. What additional rights do you have regarding HIE?

CalOHII’s HIE regulations include HIE-specific high-level principles based on what are commonly known as Fair Information Practices (FIPs). FIPs are not specific instructions as much as they are a philosophy or set of ideal goals for how HIE should be conducted in California. They are as follows:

  • Entities participating in HIE should be open with each other about their policies and practices regarding individual health information.
  • The quality of individual health information, its accuracy, and its completeness should be a priority.

  • You should be able to know who is responsible for your health information at a given entity, whether the entity has your health information, and where it is located.

  • You should be able to request and receive that information for a reasonable fee, in a timely manner, in the format you request.

  • You should be able to question the accuracy of your record, and if you can prove you’re right, have it corrected.

  • You should control access to your medical records, except in the circumstances under which they can be legally accessed without your consent (treatment, payment, business operations, public health reporting, legal process, and more).

  • Your medical information should be collected only by lawful and fair means, you should be told all the purposes for which it’s being collected beforehand, and it should be used only for those purposes.

  • Only the minimum amount of information necessary for the specified purpose(s) should be collected.

  • If your medical information has been de-identified, re-identifying it should be illegal.

  • Anyone who controls, maintains, or uses your medical information—not just the covered entities regulated by HIPAA—should be required to protect it from loss or destruction, and unauthorized access, use, modification, or disclosure.

(Cal. Health & Safety Code §126030—California Health Information Exchange Practices Principles)

10.  Tips

Health information exchange is going to make your medical information widely available. However, it will also make it more easily available to you, and that is something you should take advantage of.

  • Educate yourself about how your health care providers are implementing HIE (or maybe not implementing it). What privacy and security practices are they developing specifically for HIE?
  • Find out what options you have, if any, with regard to your participation in a provider’s EHR system and in the electronic exchange of your information. Can you opt out of participating? Can you consent to sharing certain information while restricting sharing of other information?
  • You may not be able to get a report accounting for disclosures of your medical information yet—and it is likely to take some time before the rule is final—but you can certainly ask your provider with whom she shares the information.
  • Always carefully read consent or authorization forms you are asked to sign. With HIE, look for general multipurpose and open-ended consents to sharing your health information electronically. Keep in mind that in California you have the right for now to withdraw your consent to HIE at any time.

    An HIE may combine its consent form with a notice of privacy practices. The notice will probably say something to the effect that the HIE’s purpose is “to facilitate electronic sharing of your personal health information among your health care providers in order for your medical treatment to be based on as complete a record as possible.”

11.  Resources

For consumer information on health information exchange, consent, and advantages and risks, see the Cal OHII’s eHealth Privacy 360 Patient FAQ.

Cal OHII’s Demonstration Project Privacy and Security Regulations

Health Information Partners for Tennessee (HIPTN) has five educational videos on the benefits of HIE, viewed from the perspective of health care providers, consumers, and administrators. The videos are about 9-12 minutes long. Much of the information in them is repeated in each video, so if you have time for only one, try watching one of these three: Consumers: “Access to Care”; Providers: either “Urgent Care” or “Virtual Medical Home.”

The Department of Health and Human Services’ California eHealth Initiative website is a good source of basic information about HIE for patients/consumers, health care providers, health information technology vendors, and health care workers.

ONC (the Office of the National Coordinator of Health Information Technology)
ONC  is the division of the U.S. Department of Health and Human Services that oversees the Nationwide Health Information Network.

If you want to learn more about the adoption of health information technology, ONC has a helpful website about many of its current initiatives and programs.


Content type: 
Copyright © Privacy Rights Clearinghouse. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse.