What are the policies and procedures that we need to have in place?
Health information exchange policies and procedures should be mutually agreed upon by stakeholders. Adherence to them should be required and included in member agreements. To the extent possible, the policies and procedures should be minimal and allow for local decision-making. In addition, member agreements such as a master data sharing agreement should include terms on: obligations for data use and data provision, fees and charges, and indemnification.
Privacy and security is one of the most important and challenging areas for a health information exchange organization. The technical architecture and the policies and procedures that support it should embody the basic principles of confidentiality, integrity and availability; privacy protection rests on data security. Because HIPAA and other federal and state legislation impose specific requirements, legal counsel should help draft consent forms and other governance documents to ensure compliance. The American Recovery and Reinvestment Act of 2009 (ARRA), through its HITECH Act provisions, expands the set of entities that HIPAA requires to have a written contract (a business associate agreement) with covered entities such as health care providers and payers: it now includes health information organizations and RHIOs that transmit protected health information on behalf of covered entities and require routine access to it.
Security policies and procedures should focus on the following areas:
- User identification
- User authorization
- Role-based access control
- Transmission security
- Minimum necessary
- Audit trail and information system activity review
- Response to security incidents including reporting, sanctions, and mitigation
Privacy policies and procedures should address the following:
- Notification and consent
- Uses and disclosures of health information
- Matching patients with their records
- Authentication
- Patient access to their own information
- Audit
- Breaches of confidential information
Related Resources:
- Model Privacy Policies and Procedures for Health Information Exchange (PDF - 650 KB)
  Developed by the Markle Foundation, the model policies presented here establish baseline privacy protections. (2006)
- Key Topics in a Model Contract for Health Information Exchange (PDF - 450 KB)
  Developed by the Markle Foundation, this document contains key terms associated with a contract for HIE. (2006)
- eHealth Initiative Toolkit
  Developed by the eHealth Initiative (eHI), this toolkit contains information related to consumer engagement, organization and governance, and value and sustainability.
- HIMSS privacy and security toolkit
  Developed by the Healthcare Information and Management Systems Society (HIMSS), this toolkit covers privacy and security principles, rules and regulations, rights and obligations, policies and practices, as well as federal case studies and information on the American Recovery and Reinvestment Act of 2009 (ARRA).
- CalRHIO's HIE legal agreement templates
  Developed by CalRHIO, this website contains templates of legal documents commonly used in forming HIE agreements.
- HIE Policies and Practices: Developing Options and Implementation Guidance To Foster Consistency (Interim Report - August 2008) (PDF - 83 KB)
  Developed by the Foundation of Research and Education (FORE) of the American Health Information Management Association (AHIMA), this report addresses two objectives: 1) developing recommendations for strengthening HIE policies to increase their effectiveness and applicability, and 2) developing and disseminating tools and implementation guidance that foster standardized approaches to HIE policies and practices and support state-level and other HIE implementation efforts to advance production data exchange. (2008)
- Framework for HIE implementation (PDF - 130 KB)
  Developed by the State-Level Health Information Exchange Consensus Project, this diagram illustrates a sustainability framework working model (pg. 11).
- Data Use and Reciprocal Support Agreement (DURSA) (Executable Test Data) (PDF - 108 KB)
  Developed by the Nationwide Health Information Network (NHIN), this document serves as an example of a legal agreement governing health information exchange. (2008)
Developed by the Health Resources and Services Administration as a resource for health centers and other safety net and ambulatory care providers who are seeking to implement health IT.