A recent virtual roundtable hosted by Symantec on health information exchanges (HIEs) highlighted the different approaches states are taking to protect patient health information.

Oregon is blessed with having a culture for well-documented public processes and embracing the planning process, according to Carol Robinson, State Health IT Coordinator for Oregon State Health Information Technology Oversight Council or HITOC. The state also enjoys a high rate of EHR adoption, with more than 65 percent of providers with some sort of electronic system in their offices, she said.

Oregon will submit its strategic and operational plans to the Office of the National Coordinator in August. The state will take a phased approach to implementation, with Phase 1 focused on the development of the rules of the road for local and regional HIEs. Meanwhile, its workgroups are meeting to flesh out more specialized issues according to their expertise. Robinson said some of the determinations being made are choosing which centralized services will be of value to the state and analyzing gaps for a statewide HIE.

New York State, on the other hand, is mature in its statewide efforts for an HIE. It has 12 independently operated regional health information organizations (RHIOs), which are all involved in state efforts to provide feedback on policy and state guidance for the sharing of data across RHIOs, said Stephen Allen, director of operations for HealtheLink, the Western New York Clinical Information Exchange.

"Privacy and security is a huge thing here in New York," he said. While there are state-level privacy and security rules, the state is giving each HIE and RHIO the option of how to implement it, such as practice or group-level consent versus region-wide consent for all HIE participants. Ultimately, stakeholders are trying to ensure that consent is captured and communicated effectively, he said.

Meanwhile, Texas has decided to put the consumer at the table, said Manfred Sternberg, Chair of the Texas Health Services Authority Board. Operating on the notion that the masses aren't trusting of government, the state has created a public-private partnership to develop the statewide HIE.

Texas is in the early stages of development, but Sternberg said his preference is to push for an opt-in model and a health record bank system, both of which would give more consumer empowerment over the privacy and security of their data by allowing them to determine who sees what data.
The RHIOs in New York State have differing privacy models. HealtheLink uses an opt-in model with a positive informed consent, which 95 percent of patients have signed thus far when presented with the form, said Allen.
 
The percentage of denials is higher in specialties than with primary care physician offices and hospitals, he said. Overall, Allen said he's pleased with the high percentage of patients granting consent, thanks to a lot of community outreach and education, including press coverage, media and community events.

Oregon is looking at patient consent and how data should be provided to caregivers, as well as how to overlap federal and state policy, given that health is local and regional, as well, Robinson said. Inter-state data sharing makes planning even more complicated, as Oregon meets with state leaders in Idaho and Washington, its border neighbors.

"You have to set up privacy and security policy that will work with providers and consumers," she said. The task is to make consumers feel comfortable about HIE while ensuring that maximum goals of healthcare improvement are met, she said.

Stakeholders are debating whether to impose an opt-in or opt-out policy. Oregon is currently engaged in public vetting process. Communication is the key, Robinson said. Helping consumers and patients understand the value of information at the point of care is critical, just as developing adequate privacy and rigorous security mechanisms in the technology is, she said. The consumer message needs to be crafted in a way that speaks to the value rather than the fear of what HIE can bring to consumers and the community.