Health Information Exchanges (HIEs): Working with the New Kid in Town
Article Date: Wednesday, May 18, 2011
Written By: Kimberly Licata
Every day businesses find new ways to capture and utilize more and more information about individuals in the hope that some tidbit will prove valuable. For health care providers who collect and use information to treat patients and for other purposes, there’s a new kid in town with whom to negotiate and work, the health information exchange (HIE). On one hand, health care providers are no different than other businesses that want to succeed and need information to do so. On the other hand, health care providers are different; they operate in a highly regulated industry. What is the end result of this?
The potential risks (and benefits) of information collection and exchange are magnified for health care providers. Attorneys representing providers need to familiarize themselves with the risks and benefits of participation in an HIE (or several HIEs) now, as HIEs begin to populate the health care landscape.
From a legal and operational perspective, exchanging information through an HIE raises many issues affected by federal and state laws and regulations for providers, not to mention contractual obligations and provisions. Providers must consider the impact on information privacy and security, patient access and rights, professional liability, and data property rights, to name a few issues. Likewise, incentives for providers adopting electronic medical records also raise tax and fraud and abuse considerations. As the keeper of electronic health information, an HIE can be a bully or the new best friend of a provider. Which camp do you think the new kid in town has the potential to fall into for you or your clients? That depends on how the following concerns are addressed.
Privacy and Security of Health Information
A byproduct of the electronic age has been increased emphasis on privacy and security of information as the aggregation and transfer of information has become easier, quicker, and more frequent. It is no wonder that the threshold legal and operational issues associated with HIEs relate to the management and protection of the privacy and security of health information collected by and exchanged through the HIE. Not only are federal laws and regulations implicated by HIEs, North Carolina itself has numerous statutory and regulatory protections granting confidentiality and privacy protection to health information by either provider type or by substance of the information. Failure to recognize applicable protections may result in improper use or disclosure of information, which in turn may lead to hefty fines and corrective actions.
Attorneys advising providers who want to participate in an HIE must consider how this participation affects the confidentiality of patient information, the management of the medical record (from what is appropriate or required documentation to what is included in the designated record set), as well as the privacy and security of patient information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). Federal and state laws and regulations affect patient consent, confidentiality (again, by type of provider or by type of health information), and restrictions on the use and disclosure of specified information. As HIPAA enforcement actions become more common, and with higher penalties associated with them, understanding the privacy and the security implications of participation in an HIE is critical. Managing these issues and being knowledgeable about the legal, regulatory, and contractual obligations associated with privacy and security affects all providers and suppliers, their business associates, and their downstream contractors. Providers will need to focus resources (money, staff, and IT) on getting their own information systems secure and functional for participation in an HIE.
Opt-In Versus Opt-Out: Getting Information Into (and out of) the HIE
Getting information into and out of an HIE are critical threshold issues that may have no easy answer. There are several ways that providers can populate an HIE with information, but they all boil down to whether patient consent is required. Basically, opt-in models for HIEs require an affirmative authorization from a patient (perhaps through a signed standard consent form) before that patient’s information is exchanged through the HIE. If a patient needs to opt in for that patient’s information to be contained in the HIE, it is likely less information will be collected. Opt-out models for HIEs typically require that the patient be given notice (poster, mailed notices, or other notice) and the opportunity to object to (or opt out of) his or her information being included in an HIE. Many proponents of HIEs favor opt-out so as to maximize the amount of information captured by the HIE, since most patients will not affirmatively act (to opt in or out). The true value of an HIE can only be achieved if extensive health information is actually available through the HIE. With this in mind, it is not surprising that North Carolina is favoring an opt-out model, presently at the provider level. This means that providers will have to implement a system to manage the records and data for patients in the HIE and for those patients who opt out of the HIE.
Patient’s Perspective: Access, Rights, and Consent
Patient Access. Providers will have to have systems in place to permit patient access and to protect patient rights when participating in an HIE. As records become increasingly electronic, providers and patients will encounter new software and media hurdles in this process, as well as cost and implementation issues. Who pays for the costs associated with patient access and medical records once costs change in an electronic information world? Currently, North Carolina health care providers can charge a “reasonable fee” to cover costs associated with providing medical records to patients. See N.C.G.S. § 90-411 (although this statute does not apply to record requests for Social Security or disability determinations). HIPAA also permits providers to charge a reasonable cost-based fee for providing medical records to patients. See 45 C.F.R. § 164.524(c)(4). Despite these provisions that permit a provider to assess a fee, when information is electronic, patients may argue that such access should be free (particularly if a patient provides the media upon which the electronic information is loaded).
Patient’s Rights. Some providers, like nursing homes and adult care homes for example, are bound by statutory patient rights. See N.C.G.S. §§ 131E-115 through 131 (Chapter 131E, Article 6 Health Care Facilities Licensure Act, Part 2 Nursing Home Patients’ Bill of Rights); N.C.G.S. §§ 131D-19 through 34.1 (Chapter 131D, Article 3 Adult Care Home Residents’ Bill of Rights). These rights find their basis not only in state law, but also federal regulation. This raises the question of whether the HIE needs to be bound by these specific statutory rights where applicable. Currently, there is no regulatory guidance that answers this question.
Consent. HIEs must have a comprehensive patient or consumer consent policy to address many of the issues discussed in this article. Other issues related to consent include: (a) how much consumer outreach and/or education should be offered related to consent; (b) to what extent can patients exclude certain information from the HIE (i.e., self-pay treatment); (c) to what extent can providers “break the glass” to access health information in emergency situations when a patient does not have the opportunity to consent; (d) how should specially protected health information (communicable diseases, substance abuse and treatment, mental health services, and others) be treated in the HIE (will there be greater protection of this information); (e) to what extent can patients control which providers access the information; and (f) to what extent can a patient revoke consent and how long consent lasts, among others. These issues have been debated by representatives of the sectors of the health care industry (providers and payers) and patient representatives as North Carolina develops a workable statewide HIE. As health law attorneys, we know that all of these issues affect existing laws and regulations, which in turn should be modified to be consistent with the decisions made on the HIE.
Provider’s Perspective: Increased Liability, Improved Care
Provider Liability. For many providers, HIEs represent the good and the bad of change. HIEs introduce significant new liability for providers, but HIEs also afford providers a more complete picture of a patient to improve treatment and care. From the perspective of liability, however, HIEs increase a provider’s vulnerability to privacy and security complaints and professional liability suits arising out of either the content of the information in the HIE or the use of information in the HIE.
HIEs provide additional access to the health information a provider maintains about its patients. Access provides the opportunity for a potential data breach of the provider’s information because the other users of the HIE have access to the provider’s information, but the provider has no direct control over the others’ use. A well-crafted HIE, however, should have that control over all users’ use and access of the HIE through appropriate policies and procedures, as well as thorough participation agreements and data use agreements. Providers must carefully read the contractual provisions and obligations, as well as the policies and procedures, associated with the HIE to modify their own practices to avoid liability. Mistakes in privacy and security mean significant breach notification expenses, loss of business revenue, civil liability, and even, in extreme cases, criminal liability.
Medical malpractice lawyers are intrigued by the new possibilities that reliance, participation, and use of an HIE represent. Professional liability could flow from inaccurate, incomplete, or untimely information being exchanged by the HIE to a provider. It is unavoidable that some information in an HIE will be inaccurate. Patients will have similar or the same name or demographic information. Human error in data processing will occur. Certainly, there will be policies and procedures that attempt to minimize these issues, but some will slip through the cracks. How should this be managed? At the end of the day, the HIE is dependent on the integrity of the data, which must be maintained.
Liability issues can be minimized by providing immunity or raising the level of fault required to bring suit on a claim related to participation in an HIE. Absent a change, providers could be deemed negligent for failing (or being unable because of connectivity issues) to check the HIE for potentially pertinent clinical information when doing so may not be feasible or possible, thus establishing a new standard of care. Some states creating HIEs have opted for specific immunity provisions for users (much like the immunity offered to good Samaritans or users of automated external defibrillators). North Carolina stakeholders should consider both of these options to minimize unanticipated and negative professional liability issues through either a higher level of fault (gross negligence versus ordinary negligence for claims related to use of the HIE) or immunity from liability based on good faith reliance on information in the HIE.
Another basis for liability is the improper transmission of health information of patients who have opted out of sharing their information through the HIE. No doubt errors and mistakes will occur, but the chance of this is minimized by a provider having a robust system to separate the information of patients who opt out of the HIE from patients who do not do so. Some providers may be uncomfortable treating patients who opt out of an HIE and decide not to treat such patients. It remains a delicate balance between a patient’s right to control his or her health information and a health care provider’s need to have complete health information to provide quality health care services.
Improved Care. Remember that increased liability for a provider is a real cost of participation. If liability is not managed and provider exposure is not limited, then providers are less likely to participate in HIEs absent other driving factors. Providers will need an incentive to offset the increased costs, and the greatest incentive may be the possibility that patient care is improved and more efficient because of a provider’s participation in an HIE.
Property Rights, Fraud and Abuse, among Other Issues
Property Rights. Health information is a valuable asset for providers, patients, and marketers. Many companies would delight in having more information about individuals to better market services or goods to them. Information about individuals has a value for research, public health, and law enforcement, among other purposes. Defining what uses are acceptable is another fundamental decision in HIE creation. HIPAA’s identification of permitted uses and disclosures provides a starting point for many HIE creators. Thus, who owns the data in the HIE (and what rights the owner has) is a key issue to resolve (and define in contracts).
Fraud and Abuse. To the extent that providers are considering donating technology or electronic medical records systems, these donations implicate fraud and abuse laws (and the tax-exempt status of a provider). While donating technology as part of a provider’s development of a health information infrastructure with affiliated or associated practitioners may make good business sense, there are a number of legal restrictions to consider before such donations begin. The Stark Self-Referral law (42 U.S.C. § 1395nn) contains two relevant regulatory exceptions, one for electronic prescribing (42 C.F.R. § 411.357(v)) and one for electronic health records (42 C.F.R. § 411.357(w)). The federal Anti-Kickback Statute (42 U.S.C. § 1320a-7(b)) contains similar, but not identical, safe harbors protecting eligible entities that provide e-prescribing and electronic health record items and services to eligible recipients. See 42 C.F.R. § 1001.952(x) and (y). Providers may be revisiting whether to donate technology or services in an effort to promote HIE participation by others.
Providers (and their counsel) should assess how current policies and procedures, existing contractual obligations, and insurance coverage may be implicated (and need to be changed or updated) by participation in an HIE. Providers should be aware of the issues related to HIEs; there are many operational as well as legal issues to consider beyond what is discussed here. To be effective, this assessment should be comprehensive and address issues related to information technology, privacy and security, compliance, and other corporate departments. The ultimate value in an HIE, for patients and providers alike, is the exchange of accurate information in a timely manner to provide quality care, but achieving this goal depends upon having the proper tools in place to manage expectations, benefits, and potential risks of participation.
Kim Licata is an attorney practicing in the Health Law Section of Poyner Spruill LLP. She focuses her practice on providing regulatory, compliance, and litigation advice to health care providers from the perspective of a former in-house counsel and business person. She is a member of Poyner Spruill’s Privacy and Information Security team and Emerging Technologies team.
Views and opinions expressed in articles published herein are the authors' only and are not to be attributed to this newsletter, the section, or the NCBA unless expressly stated. Authors are responsible for the accuracy of all citations and quotations.