What is health information exchange?
Health information exchange is a method to make patient health information available electronically for doctors, hospitals and other care providers when it’s needed for patient care. Health information is protected and exchanged under strict medical privacy and confidentiality procedures.
What is a health information exchange network?
- An electronic health information exchange (HIE) network allows healthcare information to be securely shared between care providers within a community or larger region.
- HIE allows medical information to quickly move between the different healthcare information technology (IT) systems that may be used by a patient's different providers (e.g., doctors, specialists, labs) while maintaining the privacy, security and accuracy of the information being exchanged.
Why is health information exchange important?
Healthcare in the United States costs too much, and the quality is below the level it should be. HIE helps improve the quality of patient care and reduces costs. It also:
- Saves time: physicians and other qualified health professionals have access to patient information compiled from across different computer systems quickly. This means less time searching, calling and faxing for information, which reduces treatment delays for patients and allows care providers to spend more time with patients.
- Improves care: with consistent information, physicians and other providers will get results and reports in one simplified format. Additionally, the patient's information will be more complete, which reduces errors and improves treatment recommendations.
- Reduces cost: with more streamlined and comprehensive information, there is less chance for mistakes and ordering duplicate tests. This reduces patients' out-of-pocket costs for unnecessary medications, radiology tests, lab tests and hospitalizations.
- Improves privacy: with enhanced security protections above what is possible with paper records, patient privacy is better protected.
What type of health information is being exchanged via the CORHIO HIE and who has access?
- Only health information important for providing care is exchanged between authorized healthcare providers who have a relationship with you (the patient) and have a need to know this information for providing treatment.
- Only providers who have entered into a legal contract with CORHIO, agree to abide by its strict privacy and security policies, and comply with relevant federal and state laws are allowed access to their patients' information in the HIE.
- The law (often referred to as HIPAA, or the Health Insurance Portability and Accountability Act Privacy and Security Rules) prohibits healthcare providers from sharing your personal health information for any purpose other than treatment, payment, and healthcare operations without special permission from you to do so. CORHIO has built-in support for HIPAA and other security and privacy laws.
- When your health information is shared through the HIE, information on who accessed it is stored electronically in an accounting history. This includes the identity of those who accessed your record, the date, the types of information accessed and the reason your record was accessed. This makes it easier for healthcare providers to enforce laws, as well as their own policies, restricting access to your records and helps you track the privacy of your health information in a way that is not possible with paper records.
Can I find out who has requested access to my health information through the HIE?
- As with paper health records, you should receive a notice of privacy practices upon a first visit to a provider or admission to a hospital. As specified by HIPAA, these notices describe how your protected health information is to be collected, used and transmitted for the purposes of treatment, payment and healthcare operations.
- HIPAA provides additional protections to psychotherapy notes maintained by mental health providers. These notes may not be disclosed for any purpose unless you provide a written authorization to do so. Please see more information on sensitive information below.
- CORHIO maintains audit logs, tracking every occasion where your health records are accessed — identifying the authorized individual accessing your information, the date, the reason for accessing, and the relationship between you and the healthcare provider accessing your information. You have the right to request a list of this information from your provider and review the access logs.
- Healthcare providers who request access to your personal health information through CORHIO must affirm that they have a proper treatment relationship with you before being granted access. A record is created and logged in the system every time a provider accesses your health record.
Will I know if my health information was misused?
- Under HIPAA requirements and CORHIO policies, you have the right to receive a list of instances where your health information was accessed and for what purposes.
- If you believe that a person, agency or organization covered under HIPAA violated your (or someone else's) health information privacy rights or committed another violation of the Privacy Rule, you may file a complaint with the federal Office for Civil Rights. Individuals found in violation of HIPAA can be civilly and criminally prosecuted. For more information, see http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html
What if I don't want my providers to have access to my health information?
- If your healthcare provider is participating in the HIE, they are required to notify you of their participation at your next appointment or at the time of registration. At that time, or anytime thereafter, you have the choice to opt out of having your information shared through the HIE.
- Should you choose to do so, CORHIO is committed to honoring your choice to opt out of the system and will ensure your information is not searchable in the HIE.
- Although your information will not be searchable if you opt out, your healthcare provider may still use the CORHIO network to issue electronic orders for lab tests, prescriptions, and other directed healthcare services, and may also receive lab results, x-rays and other information that is sent directly to them electronically. This service is no different than your provider using the mail or a fax machine to receive this information.
Note: not all healthcare providers are participating in HIE. If your providers are not participating in HIE, then your health information is not available in the HIE. Please see our list or participating providers to look for your provider.
Is my healthcare information sitting on the Internet for anyone to see?
No. CORHIO and its participating providers take your privacy and the security of your healthcare information very seriously. Healthcare providers are only allowed to access the CORHIO HIE system using a secure login and transmission of your information is encrypted. Providers are also only allowed to access your information if they have a treatment relationship with you. Your information is not held on a website – it is available through a query system, which means the provider searches the system and the result is returned.
How do I get access to my own medical records?
- HIPAA requires that your healthcare providers and health insurance company allow you access to your medical records. Notices you receive from your providers and insurance must include information about how you can obtain copies of your medical records.
- You can request copies of your medical record from your healthcare provider. CORHIO employees are not permitted to access your health information in any way, therefore we cannot provide copies of your records.
- If you receive care in a federal medical facility, you have a right to obtain your records under the federal Privacy Act of 1974 (5 USC sec. 552a).
How is CORHIO ensuring the security of my health information when it is being transferred or exchanged?
Personal health information is protected by state-of-the-art systems employing many security measures, including administrative, physical, and technical safeguards, against such risks as loss or unauthorized access, destruction, inappropriate use, modification, or disclosure. All systems, including provider electronic health record systems and the CORHIO network, must comply with the security provisions of HIPAA. For added assurance, the CORHIO system is subjected to regular third-party security audits.
How does CORHIO handle unauthorized requests for access to my health information? Are there any penalties for those who misuse or inappropriately disclose my information?
- Considering the highly sensitive nature of patient health information, CORHIO maintains a zero-tolerance policy regarding inappropriate use of the system. Authorized users who violate CORHIO Policies, as identified through reporting, audit, or other processes, will be sanctioned appropriately, may have their access terminated by CORHIO, and will be referred for appropriate disciplinary action within their own organizations.
- Additionally, those found in violation of HIPAA can face civil and/or criminal penalties, including fines and/or imprisonment. They can also face civil penalties for HIPAA violations including fines. You may obtain more information about HIPAA penalties on the website for the Department for Health and Human Services.
Does CORHIO share my health information with employers?
No. Additionally, the HIPAA Privacy Rule absolutely prohibits healthcare providers and insurance plans from disclosing personal health information to employers without a patient's explicit, written authorization.
Can I request changes to my health record or other information included in the HIE?
Yes, you can request revisions and corrections to your health records by talking with your healthcare provider who is the owner/creator of the record in question. CORHIO does not alter your health information in any way; the HIE simply provides a method to privately and securely transport health information from one provider to another.
Is some of my most sensitive health information provided extra protection?
Certain kinds of health information, including mental health notes, substance use and genetic testing, are subject to additional legal protections. These additional protections may include a requirement that express written consent be obtained for each release of protected information and other requirements relating to the form of the consent or other information that must be provided to the patient at the time of consent.
All healthcare providers participating in CORHIO are required to comply with such laws and regulations and ensure these special protections are provided to this important and sensitive health information.
How do I know if my provider is a participant in the CORHIO HIE?
All participating healthcare providers are required to notify all patients that they are participating in the CORHIO HIE. When you visit a participating provider you will receive a notice about this, which may be accompanied with the provider's HIPAA privacy notification.
CORHIO also provides a list of participating providers online, click here to view the list. Doctors are not always listed individually by name, unless the doctor’s name is the name of the practice. Your doctor is more likely to listed by the name of their practice (office) or their company name.