Below is a list of frequently asked questions (FAQs), which include many related to privacy and security of electronic health records (EHRs) and health information exchange (HIE).
As an independent, nonprofit organization dedicated to improving health care for all Coloradans, CORHIO is committed to keeping patient health information private and secure. CORHIO follows all state and federal laws for protection of patient health information including the Health Insurance Portability and Accountability Act (HIPAA). Additionally, CORHIO's governing principles (PDF) guide all of the organization's initiatives and operations.
Please note that CORHIO staff do not have access to your medical records, therefore we cannot provide access to, nor copies of, any medical records. Please contact your health care provider directly for this type of information.
Click on a question below to reveal the answer. You may also type a key word or phrase into the "search" box in the upper-right to find relevant information on our site.
+What types of information might be stored on an electronic health record (EHR)?
Anything that can be stored on paper medical records can be stored in an electronic health record (EHR), but electronic records can be more comprehensive and flexible. EHRs enable viewing of results not only in chronological order but also arranged in any other manner, such as charts and graphs, that would allow the patient's care providers to see trends and changes that could affect that person's treatment.
EHRs also often allow care providers to quickly search and review lengthy patient records that may be difficult to sift through when they are on paper, thus improving the quality and quantity of information available to a care provider, especially in urgent situations.
+How secure are EHRs?
Just like paper records, EHRs must comply with the federal Health Insurance Portability and Accountability Act (HIPAA), and other state and federal laws, so security must be built into the system. Unlike paper records, electronic records can be encrypted — using technology that makes them unreadable to anyone other than an authorized user — and security access parameters are set so that only authorized individuals can view them.
Further, electronic records offer the added security of an electronic tracking system that provides an accounting history of when records have been accessed and who accessed them. So, in many ways, electronic health records are more secure than paper records.
+Why are EHRs valuable?
- Storing health records electronically allows for quick retrieval of patient information by authorized physicians and staff wherever and whenever necessary. That ensures information about each patient is accessible and complete whenever a provider must make a treatment decision.
- EHRs make it easy for physicians and providers to search, track and analyze information that improves patient care. Unlike paper records, they are not bulky, they don't take up costly space and they don't require labor-intensive methods to maintain, retrieve and file. EHRs are also stored in a standard way, so information is where the provider expects it to be, and there is no need to decipher handwritten notes.
- EHRs also provide easier access in times of emergency and can be backed-up easily and cost effectively, thus avoiding loss of critical information during and after times of disaster (such as flood, hurricane or tornado destruction).
- Unlike paper records, electronic records are encrypted and access is restricted so that only authorized individuals can view them. Furthermore, any time a person accesses an electronic record, the information is tracked and audited. When paper records are viewed by people, it is very difficult to track who saw the information and whether it was authorized.
+What is a health information exchange (HIE) network?
- An electronic health information exchange (HIE) network allows health care information to be shared between health care providers within a community or larger region.
- It allows clinical information to quickly move between the different health care information technology (IT) systems that may be used by a patient's different providers (e.g., specialists, labs) while maintaining the privacy, security and accuracy of the information being exchanged.
+Why is health information exchange important?
Health care in the United States costs too much, and the quality is below the level it should be. Recent research shows there are still nearly 100,000 medical errors annually and 30% of health care costs are unnecessary.
Health information exchange (HIE) helps improve the quality of patient care and reduces costs.
- HIE Saves Time:
With HIE, physicians and other qualified health professionals will have patient information compiled from across systems quickly. This means less time searching, calling and faxing for information. This reduces treatment delays for patients and allows health care providers to spend more time with patients.
- HIE Improves Care:
With consistent information, physicians and other providers will get results and reports in one compiled format. Additionally, the patient's information will be more complete. This reduces errors and improves treatment recommendations.
- HIE Reduces Cost:
With more streamlined and comprehensive information, there is less chance for mistakes and ordering or duplicate tests. This reduces patients' out-of-pocket expenses for unnecessary medications, radiology tests, lab tests and hospitalizations.
- HIE Enhances Privacy:
With enhanced security protections above what is possible with paper records, and more controlled access to patient health information, patient privacy is better protected.
+What are the advantages of health information exchange?
- An HIE allows two or more health care providers involved in providing care to a patient to quickly, securely, and accurately share information. Because each authorized provider can readily see a patient's complete electronic health record (EHR), the need for duplicate medical tests is reduced, efficiency is improved and patients receive higher quality care.
- Authorized medical professionals can quickly and easily retrieve a patient's treatment record, lab results, prescription lists and other information even if those records are stored in a distant location. Currently, physicians and their staff are spending much of their time "chasing" paperwork and results, which means they have less time to spend with patients.
- HIE enhances accuracy, appropriateness and efficiency in patient care.
+What type of health information is being exchanged via the HIE and who has access?
- Only health information important for providing care is exchanged between authorized health care providers who have a relationship with you (the patient) and have a need to know this information for providing treatment.
- Only providers who have entered into a legal contract with CORHIO and agree to abide by its strict privacy and security policies and comply with relevant federal and state laws are allowed access to their patients' information in the HIE.
- The law (often referred to as "HIPAA," or the Health Insurance Portability and Accountability Act Privacy and Security Rules) prohibits health care providers from sharing your personal health information for any purpose other than treatment, payment, and health care operations without special permission from you to do so. HIEs, like CORHIO, have built-in support for HIPAA and other security and privacy laws.
- When your health information is shared through the HIE, information about access to your record is stored electronically in an accounting history. This includes the identity of those who accessed your record, the date of access, the types of information accessed and the reason your record was accessed. This makes it easier for health care providers to enforce laws and their own policies restricting access to your records and helps you track the privacy of your health information in a way that is not possible with paper records.
+How much of my personal information can be shared with HIE?
CORHIO policies and state and federal law require we use the
minimum amount of personal information to ensure we are providing
the right information regarding the right person to the right
+If I participate as a patient in the HIE, does CORHIO track who accesses my health information?
Yes. CORHIO maintains audit logs, tracking every occasion where your health records are accessed — identifying the authorized individual accessing your information, the date of access, the reason for accessing and the relationship between you and the health care provider accessing your information. You have the right to request a list of this information from your health care provider and review the access logs.
+Can I find out who has requested access to my health information through the HIE?
- As with paper health records, you should receive a notice of privacy practices upon a first visit to a provider or admission to a hospital. As specified by HIPAA, these notices describe how your protected health information is to be collected, used and transmitted for the purposes of treatment, payment and healthcare operations.
- HIPAA provides additional protections to psychotherapy notes maintained by mental health providers. These notes may not be disclosed for any purpose unless you provide a written authorization to do so. Please see more information on "sensitive information" below.
- CORHIO maintains audit logs, tracking every occasion where your health records are accessed — identifying the authorized individual accessing your information, the date of access, the reason for accessing, and the relationship between you and the health care provider accessing your information. You have the right to request a list of this information from your health care provider and review the access logs.
- Health care providers who request access to your personal health information through CORHIO must affirm that they have a proper treatment relationship with you before being granted access. This is called "breaking glass," meaning the system will not make your information available until the provider "breaks the glass" by affirming they have legally permissible authorization to view your information. A record is created and logged in the system every time a provider "breaks the glass" on your health record.
+Will I know if my health information was misused?
- Under HIPAA requirements and CORHIO policies, you have the right to receive a list of instances where your health information was accessed and for what purposes.
- If you believe that a person, agency or organization covered under HIPAA violated your (or someone else's) health information privacy rights or committed another violation of the Privacy Rule, you may file a complaint with the federal Office for Civil Rights. Individuals found in violation of HIPAA can be civilly and criminally prosecuted. For more information, see http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html
+What if I don't want my providers to have access to my health information? Can I elect not to have my information shared through CORHIO?
- If your health care provider is participating in the HIE, they are required to notify you of their participation at your next appointment or at the time of registration. At that time, or anytime thereafter, you have the choice to "opt out" of having your information shared through the HIE.
- Should you choose to do so, CORHIO is committed to honoring your choice to opt out of the system and will ensure your information is not searchable in the HIE.
- Although your information will not be searchable if you opt out, your health care provider may still use CORHIO's network to issue electronic orders for lab tests, prescriptions, and other directed health care services, and may also receive lab results, x-rays and other information that is sent directly to them electronically. This service is no different than your provider using the mail or a fax machine to receive this information.
Note: not all health care providers are participating in HIE. If your providers are not participating in HIE, then your health informataion is not available in the HIE.
+How do I know if my provider is a participant in CORHIO's HIE?
All participating health care providers are required to notify all patients that they are participating in CORHIO's HIE. When you visit a participating provider you will receive a notice about this, which may be accompanied with the provider's HIPAA privacy notification.
CORHIO also provides a list of participating providers online, click here to view the list. Doctors are not listed individually by name, instead they are listed by the name of their practice or their company name.
+Is my health care information sitting on the Internet for anyone
No. CORHIO and its participating providers take your privacy and
the security of your healthcare information very seriously. Health
care providers are only allowed to access the CORHIO HIE system
using a secure login and transmission of your information is
encrypted. Providers are also only allowed to access your
information if they have a treatment relationship with you.
+How do I get access to my own medical records?
- HIPAA requires that your health care providers and health insurance company allow you access to your medical records. Notices you receive from your providers and insurance must include information about how you can obtain copies of your medical records.
- You must request copies of your medical record from your health care provider. CORHIO employees are not permitted to access your health information in any way, therefore CORHIO cannot provide copies of your records.
- If you receive care in a federal medical facility, you have a right to obtain your records under the federal Privacy Act of 1974 (5 USC sec. 552a).
+How is CORHIO ensuring the security of my health information when it is being transferred or exchanged?
Personal health information is protected by state-of-the-art systems employing many security measures, including administrative, physical, and technical safeguards, against such risks as loss or unauthorized access, destruction, inappropriate use, modification, or disclosure. All systems, including provider EHRs and CORHIO's network, must comply with the security provisions of HIPAA. For added assurance, the CORHIO system is subjected to regular third-party security audits.
+How does CORHIO handle unauthorized requests for access to my health information? Are there any penalties for those who misuse or inappropriately disclose my information?
- Considering the highly sensitive nature of patient data and information, CORHIO maintains a zero-tolerance policy regarding inappropriate use of the CORHIO HIE system. Authorized users who violate CORHIO Policies, as identified through reporting, audit, or other processes, will be sanctioned appropriately, may have their access terminated by CORHIO, and will be referred for appropriate disciplinary action within their own organizations.
- Additionally, those found in violation of HIPAA can face civil and/or criminal penalties, including fines from $50,000 to $250,000 and/or imprisonment ranging from 1 to 10 years depending upon the severity of the offense. They can also face civil penalties for HIPAA violations that could range from $100 for each violation up to $25,000 per calendar year for all violations of an identical requirement. Maximum civil penalties for multiple violations can range from $25,000 to $1.5 million. You may obtain more information about HIPAA penalties on the website for the Department for Health and Human Services.
+Does CORHIO share my health information with employers?
No, CORHIO does not share health information with any employers.
Additionally, the HIPAA Privacy Rule absolutely prohibits health
care providers and plans from disclosing personal health
information to employers without a patient's explicit, written
+Does CORHIO share my health information with insurance companies or health plans?
CORHIO recently began providing Kaiser Permanente with information on patients/members who are enrolled in their health plan. No other health plans are participating with the CORHIO health information exchange (HIE) at this time.
Other health plans may decide to participate in the CORHIO HIE network by accessing information pertaining only to their enrolled members. The information may be used to enhance care coordination for health plan members and to strengthen data analysis for the purposes of managing population health and improving patient outcomes. All health plans participating with CORHIO must comply with HIPAA rules.
+Can I request changes to my health record or other information
included in the HIE?
Yes, you can request revisions and corrections to your health
records by talking with your health care provider who is the
owner/creator of the record in question. CORHIO does not alter your
health information in any way; the HIE simply provides a method to
privately and securely transport health information from one
provider to another.
+Is some of my most sensitive health information provided extra
Certain kinds of health information, including mental health
notes, substance use and genetic testing, are subject to additional
legal protections. These additional protections may include a
requirement that express written consent be obtained for each
release of protected information and other requirements relating to
the form of the consent or other information that must be provided
to the patient at the time of consent.
All health care providers participating in CORHIO are required
to comply with such laws and regulations and ensure these special
protections are provided to this important and sensitive health
+What does it mean when CORHIO says it uses technology provided
To implement the most cost-effective, robust health information
exchange (HIE) possible, CORHIO is using HIE technology provided by
a company called Medicity. The decision to use Medicity technology
was made after an eight-month review process that included more
than 100 individuals representing hospitals, health clinics,
physicians and health plans from across the state.
In January 2011, Medicity was acquired by Aetna. For more
information about the acquisition, please view
this FAQ (PDF).