Health information exchanges (HIEs) are being created by states, professional associations, and many others even as you read this very article. Marketplace incentives and health care reform are encouraging the creation of HIEs, including those in North Carolina, this past year. What does this all mean, and how can a provider get ready? Providers should familiarize themselves with the legal and operational issues associated with HIEs. Participation in a HIE raises issues of information privacy and security, patient access and rights, professional liability, and data property rights. Likewise, incentives for providers adopting electronic medical records also raise tax and fraud and abuse considerations. In the near future, a HIE, as a keeper of all electronic health information, may become the most powerful player in health care delivery and you want to know what you are or will be dealing with now as opposed to later. Providers, either by themselves or through a professional association, need to take on an active role in forming HIEs to be part of the decisionmaking process and the policy setting. In brief, providers should consider how they will manage risks and obligations associated with HIE, including the following:

Privacy and Security of Health Information. Providers participating in HIEs must consider how this participation affects the confidentiality of patient information, the medical record (from documentation to designated record sets), as well as the privacy and security of patient information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). Participants in HIEs will need to be able to navigate federal and state law and regulations on consent, confidentiality by type of provider or type of health information, and restrictions on the use and security of such information. Getting information into and out of a HIE are critical threshold issues.

Patient Access and Patient Rights. Providers will need to have systems in place to permit patient access and to protect patient rights when participating in a HIE. As records become increasingly electronic, providers and patients will encounter new software and media hurdles in this process, as well as cost and implementation issues.

Provider Liability. HIEs introduce significant new liability for providers. First, HIEs are vulnerable to privacy and security threats like health care providers, but HIEs represent an additional access point to a provider’s information and opportunity for a potential data breach of the providers by others not under the provider’s control. HIEs will likely set specific breach notification timeframes (potentially as short as 1 hour), liability for intrusions “through” a provider’s link to the HIE (potentially unlimited), and other requirements either through contract or policies of which providers need to be informed and on alert. The importance of a provider’s privacy and security policies and procedures cannot be overstated because missteps can mean significant breach notification expenses, loss of business revenue, civil liability, and even in extreme cases, criminal liability. Second, HIEs represent an additional exposure for professional liability if information is inaccurate, incomplete, or not timely entered. Third, mistakenly transmitting health information of patients who have opted out of the HIE is yet another potential grounds for provider liability. It is a delicate balance between a patient’s right to control his or her health information and a health care provider’s need to have complete health information to provide quality health care services. These represent new twists on provider liability.

Property Rights in the Information. Health information is an asset for providers, patients, marketers, and a host of others. Thus, who owns the data in the HIE (and what rights the owner has) is a key issue to resolve.

Fraud and Abuse and Tax Issues. To the extent that providers are considering donating technology or electronic medical records systems, these donations implicate fraud and abuse laws and the tax exempt status of a provider. While donating technology as part of a provider’s development of a health information infrastructure with affiliated or associated practitioners may make good business sense, there are a number of legal restrictions to consider before such donations begin.

Summary. Providers should assess how their current policies and procedures, existing contractual obligations, and insurance coverage may be implicated (and need to be changed or updated) by participation in a HIE. Engage legal advisors in this review process, as well as key employees from information technology, privacy and security, and other key departments. Doing your homework now means less heartache later when implementation and participation will consume much of the applicable information technology budget. The ultimate value in a HIE is the exchange of accurate information in a timely manner to provide quality care, but achieving this requires advance work and consideration of these many issues to reduce the associated risks of participation.