A Practical Guide to Understanding HIE, Assessing Your Readiness and Selecting HIE Options in Minnesota
While there are many benefits to adding HIE capabilities to your practice, the process can significantly impact your staff and your operations. Before you move forward, evaluate your organization’s readiness in the following key areas: organizational support and needs, workflow issues including training, privacy and security issues, technical infrastructure, and estimating costs and benefits.
On this page:
Organizational Support and Needs
Privacy and Security Issues
Estimating Costs and Benefits
Developing the organizational support for implementing and using HIE as part of the regular clinical workflow is critical. Leaders need to be able to articulate a clear picture of a single, integrated delivery system for the patient—a system that can provide all the information needed when it is needed for both the patient and the providers. Respected clinician champions can provide a vision of HIE that transcends any current problems and communicate their support. This is important because while an organization or practice will benefit from implementing HIE, not every staff person will benefit in the same way.
One way to establish a shared vision of HIE is to conduct a visioning session with staff to avoid basing your HIE requirements solely on current health information needs and uses. A visioning session removes the constraints of thinking only about what happens today and instead focus on imagining what is possible. During a visioning session, first document the current environment and then brainstorm what the environment might look like if any type of information exchange were possible. What would it look like? What information are you not sharing today that you would like to share or receive? You might uncover requirements you had not previously considered.
Implementing HIE may give you the opportunity to add new or improve existing workflows. Before you develop your business requirements, make sure you understand your organization’s workflows look for ways to improve them.
- Engage a cross-functional group of staff that can identify priority information exchange scenarios, such as those found in the Information Exchange Priorities table. Then examine current workflows for those priority areas, looking for inefficiencies and how implementing HIE might address them. How is the health information integrated into the work setting and workflow? You may find opportunities in areas such as patient intake, patient exam, e-prescribing, and secure messaging among providers and between providers and patients.
- Look at non-clinical workflow considerations including privacy policies, staffing, training, etc. Does your staff need additional training to make HIE work? Do you have the right skills (capacity) in your staff to implement and maintain new HIE functionality? Are user roles clearly defined?
Make sure you know the difference between individual competencies and organizational capacity. This will be crucial for determining when to focus on planning and supporting staff training or when to address the changes that may occur in your practice culture and workflow.
Perhaps the most important consideration in HIE is that your patients maintain their trust in you to protect their health information and to use it to improve their care. Both Minnesota law and federal HIPAA privacy and security regulations establish the requirements and standards you must meet to maintain your patients’ trust. For health information exchange, you and any intermediary you choose to move the health information, such as an HIE Service Provider, must adhere to both state and federal privacy and security laws and regulations.
The same process you use to evaluate HIE Service Providers regarding privacy and security practices can be used to evaluate your own practice’s privacy and security policies and procedures. For example, patient consent will be required for you to share that patient’s health information through the HIE Service Provider (as a transport intermediary). Your EHR must also be able to send a “flag” or other indicator that you have the patient’s consent to share the information you are sending.
Before you make any decisions on privacy policies, procedures and practices, work with your privacy officer or legal counsel. Your EHR or other IT vendor may also be able to assist you with assess your health IT security policies, procedures and technical capabilities.
HIPAA Privacy and Security Requirements
You may be quite familiar with many of the federal HIPAA regulations, such as the need to have a Business Associate Agreement (BAA) with any organization or person who will have access to your patients’ personal health information (PHI) other than your employees. However, moving into the world of electronic HIE requires a fresh examination of your policies and procedures in light of new ways to obtain and send PHI. Consult with your privacy officer or legal counsel for a detailed analysis of these requirements.
Resources regarding HIPAA privacy requirements: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
In addition to privacy protections, you must also ensure you are compliant with HIPAA Security Requirements. Security is the degree to which data, databases, or other assets are protected from exposure to accidental or malicious disclosure, interruption, unauthorized access, modification, removal or destruction.
There are administrative, physical, and technical safeguard components to security. Use a risk analysis and risk management process to examine your current security policies and procedures around each of these components as they relate to HIE. It is also a good idea to know what policies and procedures are in place for those organizations with which you will exchange information. You may be unintentionally exposing yourself to security risks if you are not aware of the safeguards those other organizations have, or don’t have, in place.
Things to consider:
- Administrative safeguards: Do you have policies, procedures, and training in place, especially relating to security management processes, information access management, and workforce training? Are these evaluated in terms of effectiveness and being followed?
- Physical safeguards: Are effective measures being taken to protect patient health information on premises (to keep from being inadvertently seen by people not involved in the patient’s care)? This includes facility access and control as well as workstation and device security.
- Technical safeguards: Do you have access, audit, and integrity controls, including the capability to limit access to authorized users and to audit that access? You must also be able to guard against unauthorized access to personal health information being transmitted over an electronic network. With safeguards such as authentication, encryption, firewalls, and internet security processes.
Many of the issues can be daunting at first, so working with your IT staff and vendor(s) is essential.
Resources regarding HIPAA security requirements:
A HIPPA Security Rule Toolkit is available at http://scap.nist.gov/hipaa/
Minnesota Privacy Laws
While HIPAA provides a national floor for privacy protections, Minnesota law establishes a higher standard regarding patient consent for the release of health information.
For example, you must have a patient sign a consent/authorization to send the patient’s health information to a third party, even for treatment, payment, or healthcare operations, except for emergency situations.
- Note: In some instances, you can rely on another Minnesota provider’s representation that a patient has given his/her consent for you to release that person’s health information to that provider. You do not need to have a paper copy of that consent, but must note the representation in your files.
Resources regarding Minnesota privacy requirements:
Part of understanding your practice’s readiness for HIE involves assessing your technical capabilities, primarily through your electronic health record (EHR). Specific considerations are listed below on EHR certification, EHR capabilities for sending, receiving and querying information, standards, and EHR vendor support. In addition, you should also refer back to the HIE scenarios to help you align what you want to do with your current or needed technical capabilities.
National EHR certification (not to be confused with Minnesota’s HIE Service Provider certification, which is described in the “Plan & Select” section of this guidance) is intended to assure a provider and provider organization that their EHR system has capabilities and functionalities comparable to other EHR systems. With certification, providers can have greater confidence that the electronic health IT products and systems they use are secure, can maintain information confidentially, can work with other systems to share information, and can perform a set of well-defined functions, focused primarily on functions needed to meet meaningful use objectives. See https://www.cms.gov/EHRIncentivePrograms/25_Certification.asp for more information on EHR certification and meaningful use.
The EHR certification process will continue to evolve as technological advancements are made that support clinical decision making, quality measurement and improvements in care; visit http://onc-chpl.force.com/ehrcert to find more information.
Certification establishes a baseline of credibility for EHR software, but if there is not a certified option available you should choose a product that has the standard functionality including, but not limited to: provide clinical decision support; support provider order entry; capture and query information relevant to health care quality, and exchange electronic health information with, and integrate such information from, other sources. Detailed EHR functionality can be found for ambulatory, inpatient, emergency department, behavioral health, and other settings at the Certification Commission for Health IT (CCHIT) website, which certifies health IT for more than just the meaningful use program. See http://www.cchit.org.
EHR Capabilities for Sending, Receiving and Querying Information
To engage in HIE, you need to make sure your EHR system can:
- extract relevant information;
- package it in standardized formats;
- securely send to another organization either directly or through an intermediary such as an HIE Service Provider;
- receive information from another source, either directly or through an intermediary such as an HIE Service Provider, and
- store received information for later use or integrate the information into the EHR system/workflow.
Below are some typical capabilities your EHR should have. More specific examples of HIE transactions can be found in the Information Exchange Priorities table.
- Sending: Use your EHR to send information, including assembling or publishing the information into a standard format to be ready for exchange. This is similar to the push concept defined earlier.
- Receiving: Use your EHR to receive information from one of your trading partners; integrate the information into the EHR and workflow, which includes displaying and using it, storing and saving it, and translating (into other formats) if necessary. This would be an example of a “pushed” communication from another provider to your practice.
- Querying: Use your EHR to compile a query or message requesting information on a patient; send the query message to the HIE Service Provider or trading partner(s); receive information in response; integrate into EHR and workflow, which includes displaying and using it, sorting and saving it, and translating (into other formats) if necessary. This is similar to the pull concept defined earlier.
EHR Vendor Support
Make sure you understand the level of support you have from your EHR vendor as they can help you assess your EHR system’s technical capabilities as it relates to HIE.
The following are some questions to consider:
- Does your EHR vendor have the skills and capacity to build, test and implement interfaces to HIE at a reasonable cost?
- Do they have experience in working with intermediaries such as an HIE Service Provider?
- Can they map data kept in proprietary formats into standard formats for exchange?
- Do they have a clear business plan for evolving their software to keep pace with national certification requirements?
- Does your EHR system/product support the current national standards for HIE?
You should also consider whether your EHR can publish relevant data to a patient portal or personal health record (PHR), which is an area expected to grow in the next few years as more standardized approaches to such tools emerge and consumer/patient demand increases.
Standards support interoperability, which is the successful exchange of information across health care settings. It is characterized by three areas: technical, semantic and process.
Technical (transmitting the data): Technical interoperability refers to hardware, software, networks, data transmission, and closely related functions like access and security management. Technical interoperability includes connectivity and messaging across the network and across disparate applications/systems. Technical interoperability in health care reduces the effect of distance between clinicians, whether in the same building or across the country.
Semantic (communicating the meaning of the data): Semantic interoperability means that information is communicated in a way that is understood by both the sender and receiver. Semantic interoperability requires standard representation of data and information using data content terminologies such as ICD-9, SNOMED CT® and LOINC®.
Process (best practices on the use of data): Process interoperability refers to the coordination of work processes, user role specifications, and the presentation of data and information within the context of workflows.
Adding HIE capabilities can streamline your practice operations, reduce administrative costs and improve the quality of care. However, to develop an accurate return on investment (ROI) projection, or value on investment (VOI), make sure to correctly factor in all related expenses.
- Determine whether you need to purchase an additional EHR module to support HIE. Once you know what information you need, consult with your EHR vendor to find out what options are available. The vendor may suggest adding a module or additional custom interface work.
- Make sure that work plans are properly scoped so you can develop a reliable budget. Ask what it will cost to support maintenance, hardware, upgrades or other infrastructure purchases.
- Factor in the staff-related expenses related to implementation, training, and ongoing support.
- Evaluate the best way for your practice to purchase HIE services. Some intermediaries such as HIE Service Providers may have a subscription model for charges, while others may charge per transaction. There may also be one-time, upfront charges in addition to recurring charges. Be sure to consider total costs, including the ongoing charges and not just the initial set-up fees, as this will be an important aspect of contract negotiations.
Know whether the HIE service provider plans to offer the services you need in the future if they do not offer them now.Practical Guide to Understanding HIE (PDF 1.98MB/ 36pg)