Background Information on HIE Oversight

Minnesota's HIE Oversight Law established a process for oversight of health information organizations providing health information exchange services for clinical use transactions within Minnesota.

A health information organization (HIO) must submit an application, participate in a public hearing if deemed appropriate, and respond to questions and/or concerns from interested stakeholders, including consumers, before becoming certified to operate in Minnesota.

After an HIO submits an application, the Minnesota Department of Health holds a public hearing, if deemed appropriate. During a public hearing the application is reviewed and the HIO gives a presentation. After the presentation, the HIE oversight review panel, which represents different stakeholder groups and is selected by the Commissioner of Health, asks questions about the application. Public comments and questions specific to the application are also part of the public hearing.

HIO application materials are posted on the MDH website on the HIO Application Process page at least 10 days before a scheduled public hearing. Interested persons may submit comments specific to the application at the public hearing or during the formal written comment period, which begins once the application is posted and ends five calendar days after the public hearing.

After the public comment period closes, the HIE oversight review panel makes a recommendation to the Commissioner of Health on the certification of the organization. If an organization is certified, it is posted on the State-Certified Health Information Organizations webpage.

The federal law, under HIPAA (Health Information Portability and Accountability Act), established the baseline standards for protection of patient information and health records across the country. The HITECH Act, passed in 2009, included provisions to enhance a person's access to his/her own patient information and the protection of patient records. The Minnesota Health Records Act established additional requirements related to protecting access to patient health information including a requirement that the patient must consent to the release of his/her health records even for treatment purposes. This means healthcare providers and organizations, including health information exchange service providers that work with patient health information, must comply with HIPAA and HITECH regulations as well as the additional state requirements if they are conducting business in Minnesota.

An important part of the oversight and certification process is to ensure that any state-certified HIE service provider will comply with both the federal and Minnesota privacy laws. As part of the oversight process, HIE service providers must submit information in their certification applications about policies and procedures related to compliance with these laws.