U.S. Department of Health and Human Services
Health Information Technology and Quality


What are the policies and procedures that we need to have in place?

Health information exchange policies and procedures should be mutually agreed upon by stakeholders. Adherence to them should be required and included in member agreements. To the extent possible, the policies and procedures should be minimal and allow for local decision-making. In addition, member agreements such as a master data sharing agreement should include terms on: obligations for data use and data provision, fees and charges, and indemnification. 
One of the most important and challenging areas for health information exchange organizations is privacy and security. The technical architecture and the supporting policies and procedures should embody the basic principles of confidentiality, integrity and availability. Privacy protection depends on data security: consent and disclosure rules cannot be enforced if the underlying data is not protected. Because of provisions in HIPAA and other federal and state legislation, legal counsel should assist in drafting consent forms and other governance documents to ensure compliance. The American Recovery and Reinvestment Act of 2009 (ARRA), through its HITECH Act provisions, expands the types of entities that HIPAA requires to have a written contract (i.e., a business associate agreement) to include health information organizations and RHIOs that provide data transmission of protected health information on behalf of covered entities, such as health care providers and payers, and that require routine access to that information.
Security policies and procedures should focus on the following areas:

  • User identification
  • User authorization
  • Role based access control
  • Transmission security
  • Minimum necessary use and disclosure
  • Audit trail and information system activity review
  • Response to security incidents including reporting, sanctions, and mitigation

In terms of privacy, policies and procedures should be developed with regard to the following:

  • Notification and consent
  • Uses and disclosures of health information
  • Matching patients with their records
  • Authentication
  • Patient access to their own information
  • Audit
  • Breaches of confidential information

Developed by the Health Resources and Services Administration as a resource for health centers and other safety net and ambulatory care providers who are seeking to implement health IT.