Industry-wide electronic health record (EHR) utilization brings with it exciting promises of improved quality of care, increased efficiency and reduced cost. However, the full positive impact of EHR utilization will not be truly realized until providers and entities are seamlessly sharing health information in such a manner as is facilitated by health information exchanges (HIE).
While some offices are beginning to explore their technical readiness for HIE participation, most have not yet begun to consider the privacy considerations that must be addressed. In particular, a provider must ensure that he or she considers and addresses:
– Basic due diligence regarding the HIE to ensure knowledge (e.g., point-to-point or centralized) and a comfort level with the organization (e.g., is it financially sound and will it be there in 12 months)
– How will the office notify patients regarding the HIE participation (e.g., updated forms and discussion? who in your office can address questions?)
– Obtaining appropriate consent to cover the scope of the disclosure to the HIE and any limits thereof (e.g., opt-in or opt-out? any exceptions/restrictions?)
– Properly documenting the foregoing (e.g., updating forms presently used in the office)
While HIPAA and HITECH set a floor for privacy requirements, many state laws also contain important additional requirements that must be considered to stay within the parameters of controlling privacy laws. To learn more about these requirements and obtain sample forms, you can of course contact your healthcare attorney; alternatively, many local medical societies will provide their members with sample, state-appropriate, forms and resources.