HIPAA and HIE – part 2: Point-to-Point Connections

This is the second in a 4-part series on the HIPAA implications of Health Information Exchange (HIE). In the first installment, we reviewed the Community Chart Sharing approach. In this installment, we will review the point-to-point connection approach; in the 3rd installment we will review the library-style approach. In the 4th article we will try to present a framework for HIPAA that can address all 3 HIE styles, and at the same time “keep it simple” for the patient end-user.

This second in the series will examine the point-to-point method of exchanging health information

Point-to-point data sharing
Getting a patient’s health information from one physician (doc A) to recipient (doc B) by fax or by mail has been the traditional way of achieving health information exchange in a paper-based environment. For the purposes of rendering health care, selected elements of a chart note (from doc A’s records) are copied and typically appended to a referral form, and then sent to a known recipient (doc B) – this would be a “push” method of sending data. If the patient shows up at doc B’s office and no records have yet been sent, then a referral request is sent from doc B’s practice to doc A, and the requested records are then selected and sent to doc B – this would be a “pull” method of sending data.

Faxing has been the traditional way of point-to-point data exchange. There is a risk, of course – hopefully, the correct fax number has been dialed (and the Protected Health Information, or PHI, has not been inadvertently sent to the local pizza parlor!).

In point-to-point data exchange, the intermediary – the phone company – does not keep any copies of the content sent. There is a record of the transmission having been made, mainly used for billing by the transport intermediary (the phone company). But the phone company does not keep a copy of the faxed-file contents.

Permission is quite simple – doc B is to receive the specified records from doc A. No one else houses the PHI.

Other types of point-to-point sharing
Beyond the very-familiar fax method of data sharing, other newer technologies basically accomplish the same thing, but with somewhat safer methods. The Direct Project is essentially a point-to-point method of encrypted data sharing between known parties (doc A and doc B). To date, the Direct Project has been piloted in a number of local regions, but is not (yet) in universal usage.

Some regional Health Information Exchanges have envisioned data sharing as being point-to-point, with no capture of the content of the data by the HIE intermediary. This is different that the “library-style” HIE, which will be reviewed in the next article in this series.

Assumptions made by this method
Several assumptions are made when referring to this method as “Health Information Exchange.” The first assumption is that health data (EHR data) is local to each practice. Different systems, likely using different EHR vendors, maintain the data housed in each physician practice. Therefore getting data from doc A to doc B will involve packaging up the data to be sent into some form of standard document (a CCR or CCD), sending it across the Internet in a secure fashion to the recipient, and then interpreting that document at the receiving end.

Community-based Chart Sharing does not involve this method, and represents a new paradigm in health data exchange, as reviewed in the first article in this series.

When the ONC and CMS developed criteria for Stage 1 Meaningful Use, one of the requirements was to demonstrate “Electronic Exchange of Clinical Information” (core measure #14). Specifically, eligible professionals need to send clinical information “between different legal entities with distinct certified EHR technology.” The potential that all members within a given community might be on a single web-based EHR system, and exchange of clinical information between such practices (distinct legal entities) would occur via Community-based Chart Sharing was not a concept that was considered when creating this rule.

Another criticism of point-to-point health data exchange has been that the standardized data types being exchanged are very whole-document oriented, and it has been difficult for many vendors to redact specific items (certain diagnoses, events, medications, lab results, etc.) that the patient does not want shared (or that local law prohibits sending without specific higher-level permission). Redaction is simple with paper-based fax data exchange, but the current generation of vendor EHR technology is hard-pressed to accomplish more granular permissions around exactly what is to be shared – this is easier to accomplish with newer next-generation Community Chart Sharing approaches than the whole-document CCD approach.

Nevertheless, accommodation of point-to-point data sharing, using the standard document packages that have been defined (CCD and CCR), is a norm that all EHRs must support. Actually making the connections, however, even with the Direct Project in the landscape, is still a pretty embryonic space, and evolution of networks that can connect everyone together is something on the forefront for 2012. We’re not there yet.

This is the second method of Health Information Exchange models we will review. In the next segment, we will review “library-style” data exchange. We will then pull it all together in the last installment of the series and address how HIPAA can address each of these information-sharing scenarios in a unified way.