HIE inPractice Blog Series: Consent, Privacy and Security in Population Health Data Management

by: Timothy Butts, BS, MSIS, PMP, DPRC, TEB1 & Associates LLC, and David A. Watson, Ascension Health

There is a new push for better population health management that leverages health information exchanges (HIEs) and their ability to normalize, harmonize, and provide a longitudinal view of health data for providers, from primary care to specialists. As this initiative gains traction, it increases the imperative on HIEs to present consistent views, common access protocols, and assured privacy of any patient's health record.

What does this mean for those that manage HIEs, those that consume data via HIEs, and the patients themselves?

First, the data each HIE holds is dependent upon the patient choosing whether it can be viewed across providers. This is HIPAA 101. Those that manage HIEs must always remember that they are the stewards, not the owners, of the patient's information. Most models are opt-out, meaning the patient is agreeing to share their data unless they specifically opt out. This is the first level of consent. If a patient elects to opt out of participation, the HIE is not able to freely share that patient's data.

In turn, this brings up use-case situations that need to be addressed. What if a patient is unconscious, in the emergency room, and has opted out of sharing their data via the HIE? What if that patient has data within the HIE and no one in the emergency room has access to view it under their emergency need? What if that patient is on a medicine like lithium and the emergency staff does not know? Here there is a need to allow providers and staff the ability to override the opt-out in order to learn what that unconscious patient is allergic to and what medications they are on, in short, to have the information available to save the patient's life. It's what we're all about in healthcare, right?

This use case points out the struggle to manage all the legal requirements surrounding patient data while also providing the patient the care they deserve.

How does an organization get around this challenge? 

HIEs need to work closely with their compliance teams, legal teams, and clinical leadership to set guiding policies, procedures and workflows that clearly convey when, where and how the patient's data will be leveraged. These decisions need to be made while being fully aware of the HIPAA, HITECH and basic technological requirements of managing consent and data security. The HIE needs to ensure that the ability to access a patient's record when and where needed is not abused.
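As an added illustration (not code from the authors or from any HIE product), the following sketch shows how an opt-out consent model with an audited emergency override can be expressed as an access decision: release is allowed unless the patient has opted out, an emergency override requires a recorded justification, and every override is flagged so compliance can review it. The consent registry, purposes and identifiers are assumed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional


class Consent(Enum):
    SHARE = "share"          # default under an opt-out model
    OPTED_OUT = "opted_out"  # patient explicitly withdrew from exchange


@dataclass
class AuditEvent:
    patient_id: str
    user_id: str
    purpose: str
    decision: str
    justification: Optional[str]
    timestamp: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


class ConsentGate:
    """Decides whether the HIE may release a record and records every decision."""

    def __init__(self, consent_registry: Dict[str, Consent]):
        # Constructed registry: only patients who opted out need an entry.
        self.registry = consent_registry
        self.audit: List[AuditEvent] = []

    def can_view(self, patient_id: str, user_id: str, purpose: str,
                 justification: Optional[str] = None) -> str:
        # Opt-out model: a missing entry means the patient has not opted out.
        consent = self.registry.get(patient_id, Consent.SHARE)
        if consent is Consent.SHARE:
            decision = "allow"
        elif purpose == "emergency" and justification:
            # Break-the-glass: overrides the opt-out but is never silent.
            decision = "allow_break_glass"
        else:
            decision = "deny"
        self.audit.append(AuditEvent(patient_id, user_id, purpose, decision, justification))
        return decision

    def break_glass_events(self) -> List[AuditEvent]:
        """Overrides that compliance should review for abuse of the emergency path."""
        return [e for e in self.audit if e.decision == "allow_break_glass"]
```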

When all of these different aspects come together, with patient care and security as the primary focus, an HIE can successfully manage consent and privacy regulations.

How do you get them all to agree? Well, that is up for discussion. Let us know what you think and what has worked well for you!



About Mari Greenberger, MPPA

Director of Informatics at HIMSS North America