This information is for reference purposes only. It was current when produced and may now be outdated. Archive material is no longer maintained, and some links may not work. Persons with disabilities having difficulty accessing this information should contact us at: Let us know the nature of the problem, the Web address of what you want, and your contact information.
Please go to for current information.

Health Information Exchange Policy Issues

Background |  Areas of Current Investigation


In today's age of electronic transactions, electronically available health care data, such as clinical, administrative, and financial information, abounds. These data are vulnerable to abuse and the headlines are rife with stories of sensitive data about patients--such as HIV status or mental health records--being lost or stolen. There is concern that disclosure of such information may lead to harm in terms of denied employment, claims, and discrimination. Such abuses have led to the enactment of the Health Information Portability and Accountability Act (HIPAA) statutes, which aim to ensure that medical data, including electronically available clinical data, is secured properly and that its use and transmission are strictly regulated.

The evolution of health information exchange (HIE) has required data sharing across the boundaries of often competing institutions, with the hope of reducing wasted health care resources (i.e., reducing test duplication and fostering better medication reconciliation, better and more timely care, and improved care coordination among fragmented provider systems). Such sharing of data has been problematic because of a lack of trust among these otherwise competing institutions. This policy page addresses how these challenges are being overcome and what new policiesare being embraced.

As organizations begin to share sensitive information across political, geographical, and institutional boundaries, close attention must be given to developing the correct policies and procedures for ensuring safe transmission and use of this information.

Strategies for Developing Effective Policies and Procedures

Because electronic information systems are not generally designed to interact with each other, some standardization must occur to facilitate communication. While it is clear that standards will be required for the technical aspects of HIE, it is not immediately obvious that standardized policies and practices also will be necessary for the smooth and secure exchange of electronic health information.

For example, having an agreement among participants in data exchange activities about the practices that will be followed to ensure that only authorized users within an institution are permitted access to protected information will give greater assurance--beyond what protections technology provides--regarding the security of data when it leaves the originating entity. This is indeed the core of the HIPAA regulation. Standardizing these types of practices, as well as the technology, is an additional way to assure participants that their expectations about privacy and security are met. In a sense, not only does the technology need to be interoperable, but also the related policies and practices.

Whenever new ways of exchanging data are being considered, in whatever medium, attention must be paid to how existing data protections are extended or adapted across these new connections and relationships. In addition, new exchanges and relationships call for a fresh analysis of privacy and security practices so that any newly created vulnerabilities do not undermine the overall system of protections.

The acronym RHIO (Regional Health Information Organizations) is a new term that is being used in many discussions of health IT and HIE. In thinking about the role of State and local policy makers in HIE development, consider that "regional health information organization" implies that a fully formed entity exists with rules of engagement and a model for operation. The inclination may be to wait until a RHIO is up and running before considering policy issues, i.e., if there is no RHIO functioning, there is no need to engage in a review of policy issues. That may not be a wise approach.

It is important for the focus to remain on health information exchange between different entities whenever it occurs. Whether a formal entity is established to govern that exchange, once patient data leaves the control of the original entity holding it (including the patient), certain policy problems emerge. It is critical to ensure the privacy and security of protected health information, monitor access to the data, monitor use of the data, address malpractice issues for clinicians, and assess economic impacts.

In other words, the movement of patient health information has implications for the patient and the marketplace. And these are all issues that have historically been addressed within States and communities. So when health IT and HIE are discussed, consideration should be given to building a consensus at both the community and State level around common or standardized principles and policies that can be adopted by the participants in the exchange.

Policy and Technology Solutions Must Be Linked

The ability to exchange and transmit information in support of improved care delivery for individual patients and improved population health requires an extensive commitment to developing policies over a wide range of issues. These include

  • Data use limitations.
  • Data ownership.
  • Governance.
  • Liability.
  • Anti-trust.
  • Roles and responsibilities of individualsand organizations. 

Early experience with large-scale information exchange suggests that policy and technology are inextricably linked where health information collection and exchange are concerned. One cannot implement an effective exchange without sound policies, and sound policies cannot be created without a clear understanding of a specific exchange's technical constraints and capabilities. The technical challenges are associated with linking information across an extremely diverse and highly fragmented system of health care. The policy challenges, particularly privacy concerns, are affected by such factors as the technology used, community needs, market economics, and the way in which systems of exchange are created.

Privacy and Security

One of the key areas of policy and technical debate in which States and communities must engage involves the need to maintain public trust in electronic data exchange. There is great potential value in HIE; when doctors, nurses, and other health care professionals have access to the information they need at the time they need it, mistakes are avoided, care is more effective, and lives are saved. But the sharing of patient information across electronic networks cannot be taken lightly. Many surveys have shown that Americans are very worried about the privacy of their personal health information. Although making such information available through HIEs can increase the value to the individual, it should not be associated with an undue risk. Although it is impossible to guarantee 100 percent privacy of health information, even using paper medical files, technical and policy approaches to maintaining the highest level of privacy and security are essential. HIE must be completed in a way that protects patient privacy and improves health care safety and quality. AHRQ has continued support for addressing these HIE privacy and security issues.

Areas of Current Investigation

AHRQ's Health IT and HIE Goals

The focus of AHRQ's health IT investments has been on addressing how to adopt health IT and HIEto achieve desired results. In addition to assessing the potential of specific applications through competitive grants, there is also an attempt, through both the grants and the State and regional demonstration contracts, to identify the issues communities are struggling with in HIE development, how they may be answering these policy questions, and how to communicate what is being learned to the health care community so that the same mistakes are not repeated.

The results from the AHRQ health IT projects are only just beginning to be made available, but two points are becoming clear:

  • It's not all about technology, as one of the grantees says, "it's one part technology and two parts systems and culture change."
  • The process of solving the policy questions is just as important as the solution. 

The process is important because of the nature of the issues. The policy questions identified above go straight to community trust in new electronic information exchange.

Recommendations and tools that can help speed up the process include the Common Framework described below or the State-level HIE materials funded by the Office of the National Coordinator. Still, each community and State must engage as many stakeholders as possible in decisionmaking about what information will be exchanged when, how, by whom, and under what protections. Transparency is required, including in financial arrangements. This is absolutely essential to the trust that is needed for buy-in by clinicians, payers, and, most importantly, patients and consumers. Without significant participation in these new HIEs, the benefits being sought cannot be realized.

State legislators have a new resource for support in addressing these issues. The National Conference of State Legislatures has established Health Information Technology Champions (HITCh), with a focus on the particular needs of State policymakers. NCSL's Project HITCh seeks to build State legislative capacity related to health IT and its use in improving quality at both individual and system levels.

Connecting for Health Common Framework

Several AHRQ staff and many AHRQ contractors and grantees have participated in the development of the Connecting for Health Common Framework: Resources for Health Information Exchange. The Common Framework is a small set of nationally uniform technical and policy guidelines for health care organizations that share a big objective: rapid attainment of widespread information-sharing in support of modern health care practice.

The first version of the Common Framework, publicly released on April 6, 2006, comprises a set of free resources with 16 policy guides and technical documents designed to advance HIE when and where it is needed in a private and secure manner. The guidelines contained in the Common Framework are associated with a specific technical architecture and privacy safeguards, but many of the principles may be applicable to a broader range of approaches to health information exchange. The guidelines may be adopted by any network, regardless of its size or underlying hardware and software. The Common Framework puts forth a model of HIE that:

  • Protects patient privacy by allowing health information to remain under local control, avoiding the need for a large, centralized database or for the creation of a national patient ID.
  • Avoids large-scale disruption and huge up-front capital investments by making use of existing hardware and software.
  • Supports better informed policymaking around HIE.
  • Establishes trust among collaborating organizations by applying well-vetted model contract language to fit their needs.
  • Supports privacy and security solutions for interoperable HIE. 

Overview of the Common Framework (PPT, 5269 KB)

Visit Connecting for Health for more information, for access to the complete framework, and to register for discussion forums related to the Common Framework.

Privacy and Security Solutions for Interoperable Health Information Exchange

In September 2005, AHRQ awarded an 18-month, $11.5 million contract to RTI International in a national effort to address privacy and security policy questions with HIEs. The Privacy and Security Contract term has been extended to 19 months and the funding has increased to $17.23 million. Under the Contract, RTI is implementing its Health Information Security and Privacy Collaboration (HISPC), under which it has subcontracted with 33 States and Puerto Rico to assist with the following:

  • Identifying variations in organization-level business privacy and security policies and practices that affect electronic clinical HIE.
  • For those practices that States consider desirable (thought they may affect HIE); documenting and incorporating them into proposed solutions.
  • For those with a negative impact, identifying the source(s) of the policy or practice and proposing alternatives.
  • Preserving privacy and security protections as much as possible in a manner consistent with interoperable electronic HIE.
  • Incorporating State and community interests and promoting stakeholder identification of practical solutions and implementation strategies through an open and transparent consensus-building process.
  • Leavingbehind in States and communities a knowledge base about privacy and security issues in electronic HIE that endures to inform future HIE activities. 

Summary of the HISPC Findings

The report of the HISPC consortium illuminated several issues:

  • Fear, uncertainty, and doubt will impede HIE and HIT Initiatives for the time being.
  • In June 2007, the GAO reported similar issues.
  • States are starting to understand the problems and the issues.
  • States are formulating solutions for the following areas:
    • Practice and Policy
    • Legal and Regulatory
    • Technology and Data Standards
    • Education and Outreach 
  • In the near future, we will see new recommendations that cover multistate and national transactions. 

To learn more about specific State HISPC activities, visit Health Information Privacy and Security Collaboration. For additional information on HISPC overall, please visit

The STARK Legislation

One of the big ticket items being debated today is the Stark ("Anti-Kickback") legislation. Briefly, this legislation was enacted to prevent conflict of interest violations among physicians and practice groups. Envisioned initially by Representative Pete Stark, the law prohibits physicians from referring to sites where that physician has a conflicting financial interest, as this may lead to overutilization of services, especially for Medicare and Medicaid patients.

Stark I, enacted in 1989, was restricted to referrals for laboratory services. Stark II, in 1993, extended this to include other services. Stark II has come under fire by many physician groups who argue that it is too prohibitive and represents an unwarranted intrusion into the practice of medicine. In particular, it may prevent the participation ofphysicians in managed care groups. Stark III was published in March 2008 and clarifies some of these issues. This new rule:

  • Modifies physician recruitment restrictions.
  • Provides more flexibility in complying with nonmonetary compensation limits.
  • Reduces the administrative burden of complying with some exceptions to the Stark limitations.
  • "Clarifies" CMS' "interpretation of existing regulations." 

So how do the Stark regulations affect health IT? Compensation packages available to clinicians when joining a managed care group would allow them to receive the benefits of an electronic health record (EHR) at reduced cost. In the early stages of the Stark regulations, this option was prohibited. With the most recent enactment, certain provisions allow for such options, to a certain extent. Called the EHR Rules and the e-Prescribing rules, these provisions allow clinicians to get the benefit of an EHR at reduced cost from their managed care organizations. Specifically, the EHR rule states that hospitals and other entities involved in the delivery of health care may transfer EHR technology to physicians as long as the selection of recipients is not related to the generation of business or other transactions of financial consequence among the parties. The rule further requires that at least 15 percent of the cost of the EHR be paid to the providing entity by the participating clinician. This cost sharing must happen before or at the time of acquisition of the EHR and cannot be financed by the donor. Furthermore, the technology must be interoperable.

The e-Prescribing rules are similar to those for EHR but more restrictive. Specifically, technology that has uses outside of the e-Prescribing function, such as billing, is prohibited under these rules. Similarly, the recipient physician must serve on the medical staff of the health care delivery entity--hospital or group practice--that is providing the e-Prescribing technology. Details of the Stark Regulations may be found on the Centers for Medicare and Medicaid Services' Physician Self Referral Web site.

The information on this page is archived and provided for reference purposes only.