A recent example is Minnesota, their health information exchange partnered with Compuware Covisint for the technology needs and the Nebraska Health Information Initiative selected Axolotl Corp to provide their technology infrastructure. Health information exchanges are more then simply opening up a web based portal.

Each state has individual laws addressing privacy of patient health information, which is complicated by federally mandated HIPAA requirements. Therefore, it becomes a complex task to make sure that all laws are addressed. For example, HIPAA “minimum necessary” regulation requires that reasonable effort be made to limit protected health information to the minimum necessary to accomplish the intended purpose. For routine and recurring disclosures, standard protocols must be implemented, such as the Continuity of Care Record standards. For all other disclosures, reasonable criteria must be developed for making the minimum necessary determination, and disclosures must be individually reviewed in accordance with these criteria.

An added problem is inconsistency from state to state; many patients want their health information accessible not only by their doctors on a local health information exchange, but also by doctors in another state. Yet, what is allowable access to information in one state maybe protected data in another. Experts agree that in order for the information to remain secure all participants in a Health Information Exchange need to enter into a written agreement that specifies roles, rights and responsibilities of each participant. That way each participating healthcare provider understands not only what technical specifications are needed to exchange the data, but also what steps they will need to take to be HIPAA compliant, how best to protect their proprietary information and other issues.

Another step to keeping the information secure is defining exactly who will be able to look at the data. This requires that the health information exchange have the four A’s covered. The four A’s consist of Access Control, Authorization, Authentication and Auditing (accounting). This means all users of the health information exchange are subject to user identification and authentication, only after proper authentications are they authorized to access the information. Then once the date is being transmitted, it needs to be done securely and only the minimum amount of data necessary is transmitted.

In addition, the system needs to have clear audit trails and a review procedure in place to monitor all the activity. Data encryption must be the highest level possible, which is what Louisville Health Information Exchange employed. They installed industrial grade security technologies similar to those used to protect money in financial institutions. Once these key components are in place the health information exchange will be successful and secure.