As the Veterans Affairs Department put another toe in the water of electronic health information exchange with the private sector, one of the oldest and most prominent of the nation's regional health information exchanges will adapt to the VA's legal and cultural approach to privacy protection.
VA brings stricter info-sharing controls to Ind.
Last week, the VA announced it will run a pilot project with the Indianapolis-based Indiana Health Information Exchange as part of the government's virtual lifetime electronic record project, an ongoing federal effort announced last year by President Barack Obama to provide veterans and active-duty armed-services personnel with a longitudinal electronic health record.
The 153-hospital, 768-clinic Veterans Health Administration also has clinical information-sharing tests under way in San Diego with the Defense Department and the integrated delivery network Kaiser Permanente and in the Hampton/Tidewater area of Virginia with the MedVirginia RHIO.
According to VA spokeswoman Josephine Schuda, the VA will use the same technology to offer veterans electronic privacy consent directives in Indianapolis that it is developing in conjunction with the San Diego pilot. The patient consent management technology is being developed in collaboration with several standards-development organizations, including Health Level 7 and the Organization for the Advancement of Structured Information Standards, or OASIS, as well as the federal Health Information Technology Standards Panel.
A federal law specifically constrains the VA from disclosing certain sensitive healthcare information of veterans without their consent. The law requires the VA to protect the veteran's "identity, diagnosis, prognosis or treatment" involving any programs of "education, training, treatment, rehabilitation or research relating to drug abuse, alcoholism or alcohol abuse, infection with the human immunodeficiency virus, or sickle cell anemia.”
In contrast, the Indiana Health Information Exchange is far less constrained legally and culturally in its approach to privacy and patient consent. Unlike states that require patient consent for the release of certain sensitive information, such as HIV status, Indiana relies on the Health Insurance Portability and Accountability Act of 1996 as its main health information privacy law. In 2003, the Bush administration revised the HIPAA privacy rule to authorize the exchange of patients' health information without patient consent for treatment, payment and a broad category of uses lumped under "other healthcare operations."
The IHIE uses a centralized database called a record locator service that keeps track of whether and where a patient's records are being stored by participating providers in the providers' databases, called "edge proxies." According to J. Marc Overhage, a physician and the president and CEO of the IHIE, privacy protection is a matter of discussion between the patient and the provider, but with the provider having the final say.
Under the IHIE technical framework, Overhage explains, "Each provider that participates makes their data available to their edge proxy, but what it really means is the data doesn't go anywhere except to their business associate who maintains a database on their behalf. No data is intermingled and exchanged; it's just available in their edge proxy."
Clinicians, in conversation with their patients, will determine whether their information is shared with the IHIE, according to Overhage. A patient may say, “I don't want that information shared. And then the provider has the option to say, OK, I agree with that, and then that data is not put into the edge proxy.
"The intent is clear that the patient and physician should control the way the data is used," Overhage said. But, he said, "When the data is put into the edge proxy, it is the provider's data. And that goes into the record-locator service. It is provided notice that that information is in the edge proxy. If a patient comes through the emergency room, they are provided that institution's notice of privacy practices that says we're going to ask other doctors for information about you."
The roots of the Indianapolis-based IHIE run back to 1969 and the founding of the Regenstrief Institute at Indiana University, the institute's pioneering work in medical informatics, the deployment in 1972 of an early EHR system at what was then known as Wishard Memorial Hospital in Indianapolis, now Wishard Health Services, and the first exchange of information between Wishard and Community Hospital East in 1994.
From those early efforts, the Indianapolis Network for Patient Care evolved to provide basic data to emergency rooms throughout the city. That spawned the IHIE, which was incorporated in 2004.
The IHIE had five founding hospitals, plus ICareConnect, a physician-led IT exchange; and BioCrossroads, a public-private partnership to develop business in the community. BioCrossroads members include the consolidated city-county government of Indianapolis and Marion County, Indiana and Purdue universities and a number of corporations. Pharmaceutical giant Eli Lilly and Co. and the nation's largest for-profit health insurance company, WellPoint, both based in Indianapolis, have officers on the BioCrossroads board, and BioCrossroads President and CEO David Johnson is secretary-treasurer of the IHIE.
Overhage said the collaboration with the VA will provide a learning opportunity for the IHIE.
"The way the VA is working in the pilot is that there is a face-to-face consent process with the patient," Overhage said. "They will meet with representatives of the VA. They will be briefed in how the exchange works and so on, and then they will decide how they will participate, and then they will be flagged in their system as participating. So, if that patient shows up at Wishard, we will query the VA for that data. If the patient has asked to participate, we will get data back, and if they don't agree to participate, we won't get data back."
"We're pretty excited to see how we fit," Overhage said. He said he's also eager to learn more about the VA's privacy protection policies and technology.
The VA experience could come in handy for the IHIE as federal policymakers review tweaking federal privacy and security guidelines.
Send us a letter
Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.