Health Information Technology – Health Information Exchange: The Texas Medical Association recognizes the following principles concerning electronic health information exchange (HIE):
- Patient safety, privacy, and quality of care are the guiding principles of all HIE efforts; cost reduction and efficiency are expected byproducts.
- TMA is a professional organization for physicians and as such recognizes that some parts of patients’ medical records should be considered the intellectual property of the physician. HIE efforts should recognize that the physician’s work product has value for which he or she, along with the patient, has intrinsic ownership, and therefore both should control its use. Patient records are the documentation of interactions between physicians and patients. Patient privacy protections that traditionally exist in the patient-physician relationship continue to apply where HIT is used. Physicians must uphold their responsibility to protect and secure all information related to the sacred patient-physician relationship.
- Patients have the right to withhold information. Physicians may provide a notice to users that the record is incomplete when a patient withholds information.
- Patient privacy and confidentiality shall be maintained in all HIE efforts by using secure systems and transmission methods.
- Patients must have complete control over all uses of individually identified medical data. Except for emergencies, or otherwise as required by law, their medical data must not be disclosed or disseminated to third parties without patient consent.
- Open standards for the interoperable electronic transmission of clinical data should be mutually acceptable to the medical community and compatible with national and regional standards.
Foundational Principles for HIE Participation
- Participation in HIE, beyond that required by law or in emergencies, should be determined at the local level. Regardless, participants should be able to withdraw upon reasonable notice.
- HIE should strive to provide, at the point of care as part of the physician’s workflow, complete, timely, and relevant patient-focused information in a fully enabled electronic information environment designed to engage patients, transform care delivery, and improve population health. Patients and physicians will have confidence that personal health information is reliable; private; secure; and used with patient consent in appropriate, beneficial ways for patient and public good.
- Any costs of supporting systems should be borne by all stakeholders, clearly defined, fair, simple to understand, and accountable, and should support the financial viability of the considered practice.
- To ensure HIE activity remains focused on the patient interest, HIE governance should be representative of and responsive to the needs and concerns of stakeholders, with particular attention to the concerns of physicians and patients.
- To protect the interest of patients, an HIE provider or entity must define whether and how it will share information for public health research, and surveillance and evaluation of health care quality. When participants choose to allow these uses, patient information must be deidentified unless informed consent has been obtained and can be documented.
- An HIE provider or entity must be designed and function to enable and enhance coordinated collaboration for improving health and patient safety. Participants should give consideration to special populations who are otherwise incapable of representing themselves (e.g., children; the aged; people who are disabled, uninsured, or homeless).
- The patient’s Social Security number should not be used as the de facto unique patient identifier.
- Patient data should be transmitted over a secure network, with provisions for authentication and encryption in accordance with HIPAA and other appropriate guidelines. Standard email services do not meet these guidelines. HIE participants need to be aware of potential security risks, including unauthorized physical access and security of computer hardware, and guard against them with technologies such as automatic logout and password protection.
- HIE operations will not modify original patient data in any way.
- The HIE entity or provider must have a means to audit, track, and use reasonable efforts to ensure the integrity of all entities or individuals engaged in receiving and converting transaction data.
- Dissemination of information identifiable with a specific patient is permissible only when the patient provides express permission to do so.
- The HIE entity or provider should maintain and enforce strict conflict of interest policies that require members to disclose all possible conflicts of interest, to recuse themselves from deliberations on matters in which they have a conflict of interest, and to abstain from voting on such matters. The HIE must further maintain financial transparency in its operations, acknowledging all material sources and uses of funds.
- State support for HIE is important. However, state government’s primary role should be to foster coordination of HIE efforts, including providing access to funding or other financial incentives that promote the adoption of health information technologies. TMA opposes a governmental entity owning or primarily controlling an HIE entity or provider.
- TMA physicians should cooperate with nongovernmental entities developing HIE solutions with minimal mandates, but only where it leads to physicians’ stewardship of the data they produce, and patients’ control over data that may identify them.
- TMA supports national health information standards such as Nationwide Health Information Network, HL7, Continuity of Care Record (CCR)/Continuity of Care Document (CCD), and other standards adopted by the Centers for Medicare & Medicaid Services. In addition to the CCR/CCD contents, HIE participants’ data also should include labs, radiology results (text), history and physical, discharge summaries, and progress and other notes.
- TMA supports HIE participation of the U.S. Department of Veterans Affairs, U.S. Department of Defense, the uninsured, and other populations that may have medical records inadequately integrated into the health care system.
- TMA supports a legislative safe harbor that limits a physician’s liability exposure if patient data provided to an HIE by the physician are breached due to the actions or inactions of the HIE, another HIE participant, or any other person. Each participating individual or entity should be responsible only for their own actions or inactions as these relate to a possible breach of protected health information provided to an HIE.
Data Warehouses — Principles for the Collection, Use, and Warehousing of EHRs and Claims Data
TMA supports policy that any payer, clearinghouse, vendor, or other entity that collects, warehouses, and uses EHRs and claims data adhere to the following principles. For purposes of this policy, the compilation of electronic records in a physician’s office does not constitute a data warehouse.
- EHRs and claims data transmitted for any purpose to a third party must contain the minimum necessary needed to accomplish the intended purpose. TMA supports the development of simple and efficient tools to facilitate extraction and submission of such data sets.
- The physician and his or her patients must be informed of and provide permission for third-party analyses undertaken with the physician’s EHR and claims data, including the data being studied and how the results will be used.
- The physician must be compensated by the requesting entity for any additional work required to collect data.
- Criteria developed for the analysis of physician claims or medical record data must be open for review and input.
- Methods and criteria for analyzing the EHR and claims data must be provided to the physician or an independent third party so that reanalysis of the data can be performed.
- An appeals process must be in place for a physician to appeal, prior to public release, any adverse decision derived from an analysis of his or her EHR and claims data.
- Clinical data collected by a data exchange network and searchable by a record locator service must be accessible only for payment and health care processes.
- The warehouse vendor must take the necessary steps to ensure the confidentiality and integrity of patient records and claims data.
- Organizations that store, transmit, or use patient records or claims data must have internal policies and procedures in place that adequately protect the integrity, security, and confidentiality of such data.
- EHR data must remain accessible to authorized users for purposes of treatment, public health, patient safety, quality improvement, medical liability defense, and research.
- Following the request from a physician to transfer his or her data to another data warehouse, the current warehouse vendor must transfer the EHR and claims data and must delete or destroy the data from its data warehouse once the transfer has been completed and confirmed, at the request of the physician or patient. (Previously 265.029; CPMS; Rep. 2-A-18).
Last Updated On: September 20, 2018