What are health information exchanges?

Health information exchanges (HIEs) provide the channel with which healthcare organizations can safely share patients’ protected health information (PHI). Of course, while remaining compliant under the HIPAA Act. HIPAA (the 1996 Health Insurance Portability and Accountability Act) is U.S. legislation that protects the rights and privacy of patients. It was designed not only to keep medical records private but also to ensure proper access.

SEE ALSO: HIPAA compliant email: The definitive guide

Recent technological innovations encourage the use of electronic record systems (like HIEs) within the healthcare industry. Unfortunately, the adoption and move toward electronic data systems is slow. It’s easy to see why when breaches occur daily and can conclude in a HIPAA violation and steep fine.

So what are health information exchanges and are there any real benefits? How can healthcare organizations secure PHI when using these networks? How can organizations ensure they safely store and share PHI with patients and healthcare partners?

What are Health Information Exchanges?

A health information exchange allows healthcare organizations to access and share patients’ ePHI (electronic PHI) securely. Practitioners also sometimes use the term HIE as a verb, meaning the transmission of PHI electronically. An HIE acts as a healthcare clearinghouse, facilitating the processing and sending of unstandardized information in a standardized form. PHI shared depends on what is needed and for what purpose.

HIEs function within the National Health Information Network (NHIN) created by ONC (the Office of the National Coordinator) in 2004. Key elements of NHIN, the national health IT infrastructure, include HIEs and:

• RHIOs (regional health information organizations)
• EMR/EHR (electronic medical records/electronic health records)
• PHR (personal health records)

The point of NHIN and HIEs is to create more interoperability. The meaning of interoperability is to correctly exchange and integrate data (i.e., PHI) in a coordinated manner. HIEs, therefore, should assist the healthcare industry with effective communication and sharing. The general goal of such interoperability is better patient care as well as HIPAA compliance.

Types of HIEs

There are generally three types of HIE communications. Directed exchange is the ability to send and receive ePHI between care providers coordinating care. Query-based exchange helps providers find and/or request information from other providers. Finally, consumer-mediated exchange helps patients aggregate and control their PHI.

HIEs exist on a community, regional, state, and national level. A 2021 survey recorded 89 operational HIEs. Some are government-run, some are for-profit, and some are not-for-profit.

The three primary infrastructure models of HIEs

1. Centralized – connects several organizations through a single common data pool
2. Federated or decentralized – records are stored in independent databases or repositories
3. Hybrid – combines aspects of centralized and decentralized

All have their limitations and benefits. The model chosen depends on how an HIE should function for an organization and for a patient. Also, it depends on how an HIE should function under HIPAA and health-related laws.

Health information exchanges and HIPAA

The U.S. Health and Human Services (HHS) created HIPAA to improve healthcare standards and combat PHI fraud and abuse. While HIPAA has been around for almost 30 years, the protection of ePHI exchange did not occur right away.

The 2003 HIPAA Privacy Rule lets covered entities disclose PHI to an HIE:

1. When asked by a patient
2. When required by law
3. For public health purposes

The HIPAA Security Rule (2005) then added further security standards to protect ePHI in transit and storage. The HITECH Act of 2009 (the Health Information Technology for Economic and Clinical Health) further promoted the adoption and meaningful use of technology in healthcare. In fact, the act included $30 billion to incentivize doctors into adopting digital records.

In 2012 NHIN became the eHealth Exchange. And in 2018, ONC released a draft of its Trusted Exchange Framework and Common Agreement (TEFCA). Published in 2022, HHS defined the standards for interoperability as required by the 2016 21st Century Cures Act. TEFCA broadened access by including health information networks, federal agencies, public health, individuals, payers, providers, and technology developers.

Currently, more than 50% of the nation’s HIEs connect to the eHealth Exchange.

Electronic vs paper storage

National laws and HIEs show the push over the past two decades toward electronic storage and transmission. Unfortunately, despite this push, many healthcare organizations still rely on paper records, mail, and fax machine.

SEE ALSO: Can I send a HIPAA compliant fax? Yes, but you should use email instead

In fact, some patients still carry their personal records from appointment to appointment. A 2018 survey found that only 7% of healthcare and pharmaceutical companies labeled themselves as digital, compared to 15% of companies in other industries.

Still, we’ve talked extensively about the benefits of going electric. When first created, the fax was innovative, but the Internet followed shortly behind. And then email with its lightning-fast speed.

Nowadays, technology has a huge footprint within the healthcare industry. There’s telemedicine, artificial intelligence (AI)-enabled medical devices, robotic surgery, wearable devices, EHRs, and HIEs. And more just like it. No matter how many hesitations there are, the benefits of technology are clear.

Five benefits of HIEs

According to the ONC website, an HIE improves the “speed, quality, safety and cost of patient care.” HIEs standardize information across the board, which means everyone involved in a patient’s care is working with the same information. Communication is much improved with other providers and with patients. They are on the same page, and feedback also becomes easier.

HIEs allow healthcare providers to avoid readmissions, duplications, and medication errors and enhance monitoring and diagnoses in general. This means:

1. Improved patient care
2. Reduced costs
3. More involved patients
4. Better patient engagement
5. Happier patients

The entire process of healthcare becomes efficient saving doctors and patients’ time. Patients benefit because they also have access to their records and fewer issues when trying to see a doctor. The general idea behind an HIE is to improve the quality, coordination, and cost-effectiveness of healthcare in communities.

Securing health information exchanges

Technology, especially health tech, is developing at a faster pace than ever. It makes it easier for patients and their doctors to access their records. At the same time, it also makes it easier for cyberattackers to illegally access PHI as well. Healthcare covered entities must use a proactive approach to protecting ePHI at the same time ensuring the information is standardized and shareable.

That means using, among other methods:

• Encryption in transit and at rest
• Identity and access management (e.g., authentication rules and password policies)
• Virus and malware protection
• Device usage rules
• Proper disposal of devices and data, as needed

All organizations should ensure they utilize signed business associate agreements with HIEs and other involved providers. Furthermore, they must create and update frequently risk management audit protocols.

Every HIE should follow a set of standards and best practices that move beyond malware or data theft protection. This includes following ONC and HHS compliance and ensuring patient consent.

Finally, organizations cannot forget the importance of securing every aspect of digital communications. All a cyberattacker needs is one unsecured endpoint.

Don’t forget PHI everywhere, including in email

It’s important to make email encryption a guarantee with the perfect HIPAA compliant email service. Paubox Email Suite can help you increase security for email, the most vulnerable threat vector.

Paubox Email Suite, our HITRUST CSF certified solution, sends HIPAA compliant email by default and automatically encrypts every outbound message. Moreover, it conveniently integrates with your current platform, such as Google Workspace or Microsoft 365. You don’t have to spend time choosing what to encrypt. And your patients can receive emails directly in their inbox without navigating separate portals or passwords.

In addition to email encryption, our Plus and Premium solutions offer patented inbound email security tools. Paubox utilizes Zero Trust Email to check and double-check every message, every attachment, and every link that enters an employee’s inbox. We do all the hard work so you that your patients don’t have to.

All data security, whether part of an exchange or an email is important within the healthcare industry. Know what you are using to secure and share PHI without worrying about HIPAA violations or data breaches.  

HITRUST CSF certified 4.9/5.0 on the G2 Grid Paubox secures 70 million HIPAA compliant emails every month.