Health information exchanges and the problem of consent

Will health information exchanges provide patient access portals or not?

There are 60 or so regional health information exchanges (HIEs) in the works. They are beset with issues: technology, regulations, competing stakeholders, payment reform uncertainty, sustainability and consent. The last thing they need, it seems, is citizen clients.

It turns out that HIEs have a choice of strategies, at least in the next year or two. Now that proposed Stage 2 Meaningful Use regulations are out mandating secure messaging via the direct protocols for all certified EHR vendors, HIEs can avoid patient access by not storing any information about a patient. Simply put, HIEs can either just relay encrypted messages or they can tackle the problem of consent.

The New York Civil Liberties Union (NYCLU) recently took notice of plans by the SHIN-NY to collect and store data without patient consent, on the argument that patient consent will be needed for release of data. Going even further, the SHIN-NY is trying to pass all patient-facing responsibility, including getting consent and providing an accounting for disclosures, to the participating institutions – a plan that surely can’t help their sustainability problem – but I digress.

HIEs like SHIN-NY are making a mockery of HIPAA. Weak as it is, HIPAA at least requires institutions that have data about a patient to share that data with the patient. Stage 2 goes much further than that to include convenient on-line access through portals and downloadable things like Blue Button files. According to their published principles, SHIN-NY is defining itself as exempt from citizen disclosure of the information it stores.

From a legal perspective, the SHIN-NY patient-transparency-avoidance strategy might be that they should be treated like a state agency that collects private information for internal use because they don’t share the information with anyone without patient consent. This, it seems to me, is a major stretch since there’s no way for a patient to actually know specifically what information will be shared about them if they do consent.

It’s time for sunshine in HIEs and an open HIE consent discussion. The principle of “nothing about me without me” comes to mind. HIEs that want to store data about me, first and foremost, must make that data conveniently accessible to me via a Web portal. They should allow me to share that data with trusted institutions using free and simple standards that can limit access to the minimum information necessary.

HIEs are at the crossroads of patient engagement, itself a major thrust of Stage 2. I hope these new publicly funded institutions make the patient-friendly choice.

Adrian Gropper is a medical technology developer and consulting on health services strategy at


  • Adrian Gropper

    PS: On March 22, ONC released guidance on privacy and security for health information exchanges that receive federal funds. Brian Ahier has an excellent summary and the guidance here:

    The right to individual access and informed consent are optional for HIEs using directed exchange but they are required for aggregators such as SHIN-NY.

  • Anonymous

    What I read in the article above made me want to scream. The health care industry needs to be ten times more innovative than it has been, yet regulations like HIPAA are preventing it. To say that HIPAA is weak is a gross understatement. The burden that this law places on the health care industry is immense. Case in point – I work with a company that accidentally released a report to one customer that had a claim number and a member number for six members from a different customer. Both of these numbers are meaningless to anyone that does not have access to the proper administrative systems. The customer that received this data had no idea what health plan the data came from. However, according to HIPAA, this is individually identifiable data and we had to engage in an expensive documentation process.
    HIPAA has grown into a monster that will kill innovation and increase administrative costs, and for what? Who is ultimately harmed by the release of this information? The original intent, I believe, stemmed from the fear that employers would deny employment to people with expensive preexisting conditions. Aside from the civil litigation that has always been available for such matters, doesn’t the Affordable Care Act put in further protections by preventing health plans from jacking up premiums for high risk members? Time to REPEAL HIPAA!!!!!

  • Anonymous