Health Information Exchange (HIE)


Health Information Exchange

Aparna Gole Ashish Banka

June 2013


Contents

I. Definition, Overview and Regulations
   Broad Overview
   Health Insurance Portability and Accountability Act (HIPAA)
      Privacy Rule
      Security Rule
   American Recovery and Reinvestment Act (ARRA)
      Business Associates
      Marketing/Sale of PHI
      Electronic Health Records
II. Different Health Information Exchange (HIE) Models
   The Centralized Model
   The Decentralized or Federated Model
   The Hybrid Model
   Factors Affecting Selection of Governance Model
III. Expert-Speak on Health Information Exchange
IV. Conclusion

Table of Figures

Figure 1: Touch-points for Patient Data Generation and Requirement
Figure 2: Broad Flow Chart: The Centralized Model
Figure 3: Broad Flow Chart: The Decentralized or Federated Model
Figure 4: Broad Flow Chart: The Hybrid Model
Figure 5: Governance Model by State


I. Definition, Overview and Regulations

The US system of healthcare is highly complex. Healthcare also accounts for a high percentage of the US GDP expenditure as compared to other developed nations. However, despite such high expenditure, the US healthcare system is not free of medical errors (for example, adverse drug reactions) and inefficiencies (for example, duplication of laboratory tests), which result in loss of life for many people. The inability of healthcare providers to access patients’ existing medical information in a timely manner is cited as a key reason for such incidents. In 2004, to improve the quality and efficiency of its healthcare, the US government issued an order to develop a health information technology infrastructure that can share a patient’s health information anywhere in the US. The goal was to have every American’s health record in electronic format by 2014.

“…digitize patients' health records and medical files and create a national network to place the information in.” – United States Government

A Health Information Exchange (HIE) facilitates aggregation of health-related data of an individual on a platform that can be used by multiple stakeholders of healthcare. This data can be accessed and modified by all the different stakeholders of a healthcare system at their end so that a complete medical history of an individual is kept up to date for any reference. This can lead to better care co-ordination for an individual. HIEs also maintain the context and integrity of the information being exchanged in order to provide safe, efficient, effective and timely patient care.

HIEs generally address the information exchange need of a region to improve healthcare for a defined population. Different regions of a state form formal organizations to provide technology, governance and support to HIEs. These formal organizations are generally known as ‘Regional Health Information Organizations’ (RHIOs).

In order to make HIEs a success, every institution of healthcare must adopt technologies to maintain records in electronic/digital form, also known as Electronic Health Records (EHRs). However, many physicians and hospitals fail to do so due to the strict investment commitments required to implement and maintain the system. To facilitate this, the government has come up with several incentive programs for hospitals and physicians’ clinics.

Broad Overview

A patient’s data can be shared by various entities to improve and expedite the clinical decision-making process. Efficient working of an HIE involves multi-directional flows of information between providers (hospitals, physicians, clinics, labs, etc.) and others (information provided by consumers, health plans, employers and government).

Figure 1: Touch-points for Patient Data Generation and Requirement
[Figure: HIE Overview – Patient Data Generation and Requirement. Touch-points shown: Laboratories; Home; PBMs, Retail Rx; Employer; Imaging Center; Physician Group; Patient; Payors; Hospital; Care Managers; Care Centers; Community Health Services; Government.]

Source: Healthcare Information and Management Systems Society (HIMSS)

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996; its ‘Privacy Rule’ and ‘Security Rule’ are of significant relevance to HIE.

Privacy Rule

This HIPAA policy establishes regulations for the use and disclosure of protected health information (PHI). PHI is any information related to an individual’s medical record and payment history. A healthcare entity may disclose PHI of an individual after obtaining authorization from that individual. Entities should take care to disclose the minimum information necessary to serve the purpose.

Security Rule

This HIPAA policy establishes regulations for the safeguarding of electronic protected health information (ePHI). Three types of security safeguards are required for compliance:

1. Administrative:
– Written procedures
– Employees who will have access to ePHI
– Employee training program regarding handling of PHI
– Vendor PHI policies (outsourced services)
– Disaster recovery procedures
– Provision for periodic internal security audits
– Procedures for addressing and responding to security breaches

2. Physical:
– Controlling physical access to protect against inappropriate access to PHI
– Controlling access to hardware and software used with PHI
– Facility security (security plans, maintenance records, visitor sign-in, escorts etc.)

3. Technical:
– Controlling access to computer networks
– Ensuring only the intended recipient receives the communication
– Information sent over an open network must be encrypted
– Entities to authenticate each other before communicating
– Risk analysis and risk management programs must be documented

American Recovery and Reinvestment Act (ARRA)

The American Recovery and Reinvestment Act (ARRA) – enacted in 2009 – was an economic stimulus package with an objective to save and create jobs; to provide temporary relief programs for people impacted by the recession (of late 2008); and to invest in infrastructure, education, health and renewable energy.

ARRA adds a number of provisions to HIPAA, which are outlined by the Health Information Technology for Economic and Clinical Health (HITECH) Act. These modifications and additions pertain to the marketing and sales of PHI, disclosures of the limited or minimum necessary data set, status of business associates, privacy and security breaches, education programs, electronic health records, changes in enforcement and penalties for violations of privacy. Some of the important ones are listed below:

Business Associates

As per ARRA, any entity that engages in health information exchanges or provides data transmission of PHI (such as personal health record vendors, regional health information organizations and health information exchanges) is considered a Business Associate. These entities are now required to enter into a business associate contract and are under the purview of ARRA’s civil and criminal penalty provisions.

Marketing/Sale of PHI

ARRA provides new restrictions that prohibit an entity from selling PHI or receiving payment for PHI without an authorization from the individual.

Electronic Health Records

Each individual having an electronic record has the right to receive its electronic copy or to transfer the record to a third party. Disclosure of PHI made in the last three years prior to a request by an individual is permitted.


II. Different Health Information Exchange (HIE) Models

There are three basic HIE governance models, as explained below:

Centralized Model

A centralized model is used on a regional basis (e.g., hospital systems located in the same metro) wherein a single Clinical Data Repository (CDR) is maintained by the HIE authority. The CDR is connected to each entity’s patient data repository, or health information system (HIS). PHI data is stored securely with the CDR and shared with entities as and when required. This model requires healthcare organizations to maintain the EHR system at their end.

Figure 2: Broad Flow Chart: The Centralized Model
[Figure: The Centralized Model. Nodes shown: Regional Central Authority; Local Hospital Integration (four instances).]

Source: Healthcare Information and Management Systems Society (HIMSS); Secondary Research; Sutherland Analysis

Decentralized or Federated Model

A decentralized model is used to provide information to different regions or remote locations not having the same CDR. In this model, an organization from a region cannot directly access information from the CDR of another region. A central state authority finds the physical location of a patient data file and transmits this information to the organization seeking it. This organization then requests the concerned regional authority for information. The regional authority storing the information can transmit it to the requesting organization via secured communication (e-mail, web services, or a VPN connection). As different regions have different CDRs, locating the patient information and transmitting the most updated information increases the complexity of the process.

Figure 3: Broad Flow Chart: The Decentralized or Federated Model
[Figure: The Decentralized or Federated Model. Nodes shown: State Central Authority; Regional Central Authorities; Hospitals.]

Source: Healthcare Information and Management Systems Society (HIMSS); Secondary Research; Sutherland Analysis
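
The federated lookup described above, combined with two of the Security Rule's technical safeguards (entities authenticate each other; only the intended recipient acts on the communication), can be sketched as follows. This is an added illustration, not code from the paper: the class and function names, the shared-key HMAC scheme standing in for whatever authentication a real HIE uses, and the sample data are all assumptions, and transport encryption is assumed to be handled separately.

```python
import hashlib
import hmac
import json
import time

def sign(key, request):  # HMAC-SHA256 over the canonical JSON form
    msg = json.dumps(request, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class StateLocator:
    """State central authority: knows where a record lives, stores no PHI."""
    def __init__(self, index):
        self._index = index                      # patient_id -> region name
    def locate(self, patient_id):
        return self._index.get(patient_id)

class RegionalAuthority:
    """Regional authority: owns the CDR and authenticates every requester."""
    MAX_SKEW = 300                               # seconds a request stays valid
    def __init__(self, name, cdr, org_keys):
        self.name, self._cdr, self._org_keys = name, cdr, org_keys
    def fetch(self, request, tag, now=None):
        now = time.time() if now is None else now
        key = self._org_keys.get(request.get("org"))
        if key is None:
            return {"status": "denied", "reason": "unknown organization"}
        if not hmac.compare_digest(sign(key, request), tag):
            return {"status": "denied", "reason": "bad signature"}
        if request.get("region") != self.name:   # signed for a different region
            return {"status": "denied", "reason": "wrong recipient"}
        if abs(now - request.get("ts", 0)) > self.MAX_SKEW:
            return {"status": "denied", "reason": "stale request"}
        record = self._cdr.get(request.get("patient_id"))
        return {"status": "ok", "record": record} if record else {"status": "not_found"}

def request_record(org, key, patient_id, locator, regions, now=None):
    """Requesting organization: ask the state where, then ask that region."""
    now = time.time() if now is None else now
    region = locator.locate(patient_id)
    if region is None:
        return {"status": "not_found"}
    req = {"org": org, "patient_id": patient_id, "region": region, "ts": now}
    return regions[region].fetch(req, sign(key, req), now=now)

# Constructed sample data (not real identifiers, keys or records).
ORG_KEYS = {"clinic-a": b"constructed-demo-key"}
LOCATOR = StateLocator({"P-1001": "north"})
REGIONS = {"north": RegionalAuthority(
    "north", {"P-1001": {"allergies": ["penicillin"]}}, ORG_KEYS)}
```

The locator returns only a region name, so a compromise of the state index alone does not expose record contents; each regional authority still rejects unknown organizations, forged or replayed requests, and requests signed for a different region.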

The Hybrid Model

Figure 4: Broad Flow Chart: The Hybrid Model
[Figure: The Hybrid Model. Nodes shown: National Central Authority; State Central Authorities; Regional Central Authorities.]

Source: Healthcare Information and Management Systems Society (HIMSS); Secondary Research; Sutherland Analysis

A hybrid model aims at creating a national exchange of health information, which holds all or some of the information collected and stored by the regional authorities. An organization under a different regional authority can request information from the national authority, which facilitates searching for and locating the information.

Factors Affecting Selection of Governance Model

The HIE governance model for each state may vary depending upon the demographics of the state. Some of the factors are as below:

1. Geography
The database infrastructure will vary depending upon the size of the state and on how many different regions the government wants to establish, each of which will act as a central depository of information.

2. Population Size
The number of health providers and patients can also vary, making the setting up of an HIE a complex task. Some regions may require some unique customization to suit their need.

A small state may adopt a centralized system, while a large state may find it difficult to build and manage a centralized system. Also, a large state that has some functional regional HIEs can implement a decentralized system to connect the whole state. A hybrid system is generally aimed at creating a nationwide information exchange. A state must carefully evaluate the long-term benefit of adopting any governance model. It should also carefully evaluate the financial implications of adopting different models and whether it can bear those expenses in the short and long term.

Figure 5: Governance Model by State

[Figure: map of US states shaded by HIE governance model. Legend: Centralized; Decentralized; Hybrid; Unknown.]

Source: Thomson Reuters (2010)



III. Expert-Speak on Health Information Exchange



IV. Conclusion

HIEs have tremendous potential to provide timely communication to healthcare providers, who can take more informed decisions and, hence, provide better healthcare to patients. This results in not only improving the quality of healthcare but also lowering the cost, as the database many a time saves on duplication of effort. Efforts like the National Healthcare Exchange would facilitate seamless communication of healthcare information for patients and help in their better treatment regardless of which part of the country they are in. As per a survey, there were c. 190 Regional Health Information Organizations (RHIOs) in various stages of development in the United States, of which c. 57 were exchanging information used by various healthcare stakeholders. However, changes in government policy and technological advancement have increased the complexity of selecting and implementing an HIE, which also faces financial and operational challenges. Nevertheless, looking at the long-term benefit an HIE provides in imparting better healthcare, every state should not mind going the extra mile to remove glitches in implementing one.
