AHLA's Speaking of Health Law

Integrating HIEs and Digital Health: Where Data Meets Innovation

American Health Law Association


Health information exchanges (HIEs) play a vital role in enabling providers and care coordinators to share information in support of patient care. But as telehealth and digital health models expand across state lines, organizations must navigate a patchwork of state laws, consent requirements, and interoperability challenges that often create significant friction in data sharing. Hal Porter, Director of Consulting Services, Clearwater, speaks with Sarah Chasson, General Counsel, Chief Legal Officer, and Chief Privacy Officer, Particle Health, and Jennifer Geetter, Partner, McDermott Will & Schulte LLP, about how evolving federal frameworks, state-level variation, and practical implementation challenges are shaping the future of HIE participation for digital health organizations. Sponsored by Clearwater.

Watch this episode: https://www.youtube.com/watch?v=QtX907OHD84

Learn more about Clearwater: https://clearwatersecurity.com/ 


SPEAKER_01

This episode of AHLA Speaking of Health Law is sponsored by Clearwater. For more information, visit clearwatersecurity.com.

SPEAKER_00

Welcome to the American Health Law Association's Speaking of Health Law Podcast. I'm Hal Porter with Clearwater Security and Compliance, and I'll be your host for today's discussion on integrating HIEs and digital health where data meets innovation. Today we're diving into a critical and increasingly complex topic at the intersection of interoperability, privacy, and digital innovation. And that is how health information exchanges or HIEs and digital health providers can effectively work together. HIEs play a vital role in enabling providers and care coordinators to share information in support of patient care. But as telehealth and digital health models expand across state lines, organizations must navigate a patchwork of state laws, consent requirements, and interoperability challenges that often create significant friction in data sharing. Joining me today are two leaders at the forefront of these issues. Sarah Chasson, General Counsel, Chief Legal Officer and Chief Privacy Officer at Particle Health, and Jennifer Geetter, partner at McDermott Will & Schulte. I want to thank everyone for joining us today as we explore how evolving federal frameworks, state level variation, and practical implementation challenges are shaping the future of HIE participation for digital health organizations. Sarah, Jennifer, thank you both for being here. Sarah, let's start with you, and then we'll turn to Jennifer for a brief introduction and overview of your work in this space.

SPEAKER_02

Sure. Thanks so much for having me, Hal. It's a pleasure to be here. I'm Sarah Chasson, and I lead the legal, regulatory, and compliance and privacy functions at Particle Health, which is a healthcare data interoperability platform. We have several products, but they at the end of the day, what we specialize in doing is getting patient information into the hands of the providers that need it in order to provide treatment for those patients.

SPEAKER_00

Thank you, Sarah. And Jennifer?

SPEAKER_03

Sure. Glad to be here with Sarah and Hal. Sarah and I may be two of a small universe of people who find HIEs fascinating. I'm a partner at McDermott, as Hal mentioned, and I focus there on a range of issues at the intersection of computing and healthcare, including AI and HIEs, privacy, genetic information, and glad to be here today.

SPEAKER_00

Thank you very much, Jennifer. So, Jennifer, could you start us off with a high-level overview of why HIEs matter in digital health and how their role is evolving?

SPEAKER_03

Sure. So HIEs help all sorts of healthcare stakeholders. I know we're going to focus more today on digital health, but when you go to get care, when all of us as patients go to get care, historically, the first thing that happened in the waiting room is we were handed a clipboard. And on that clipboard were a series of forms that we would fill out our allergies, our medications, family history, medical history. And the provider would go over it, but they were really counting on the patient to provide that information, remember that information, and it and uh document it carefully, legibly on those intake forms. And that process is frustrating, frankly, for patients and for providers. Now we don't get all of our care in our neighborhood anymore. And digital health has really expanded the geographic reach of our healthcare providers. They're not typically now entirely within, let's say, a hospital system in our hometown with the integrated providers as sort of adjacent to that hospital system. They could be anywhere. COVID accelerated, we all know this from our own lived experience, the degree to which we are getting care virtually and at a distance from our provider. And we're also often getting digital care as an adjunct to our in-person care. So maybe you have an in-person OB, but you're also getting additional virtual care related to maternal fetal health or prenatal care or other issues related to your pregnancy. And those providers probably are not integrated into your local OB practice. What HIEs do, as Sarah said, is they pull the information about you from all of the providers that you've seen over time and they bring it into one place. You don't have to remember if we're taking 25 milligrams or 50 milligrams of this medication. You don't have to remember when you were first diagnosed with this or that. 
If you gave your family history once upon a time and now it's a little uh fuzzy, uh maybe you're elderly, maybe you're distracted, uh, that information can be can be pulled from your other providers. And so in anticipation of that visit, the provider can review that information and come into that appointment really ready to use the time that you have with that provider, better prepared, and can have some confidence that if something's missed on the on your in you know your real clipboard, in the virtual world, they've caught it. So HIEs, uh, when they work well and when providers and patients have trust in each other and in them, can uh enable providers to bet to prepare better and provide uh better care in the moment to those patients.

SPEAKER_00

So Sarah, could you briefly tell us uh in plain language what an HIE is?

SPEAKER_02

You know, as Jennifer alluded to, you can um think of it as plumbing that lets your medical records move between your primary care doctor, a specialist, a hospital, or even a telehealth app that you use from your couch. Um there are a couple of players that are worth knowing about when we talk about health information exchanges or HIEs. You have the HIEs themselves, which are the networks that facilitate the data sharing. And then you have something called a QHIN, which is a qualified health information network. Those are designed under a federal framework called TEFCA to connect different networks together on a national scale. Think of it as like a network of different networks that could be regional. Um Carequality is another kind of network of networks that also um, you know, unites a bunch of different plumbing arrangements from different health systems. Um, beyond that, you've got EHR vendors. Um, those are a really critical part of the HIE infrastructure because they build the electronic health record systems that doctors use every day and contain the bulk of the data that is going to be moved throughout this typing. Um, you have providers and payers, sort of, you know, hospitals, clinics, insurance companies, all of whom are contributing data about you when your doctor orders labs or when your um use uh provider submits a claim for an encounter that you received. There's also public health agencies that need data for things like disease surveillance. And then finally, patients are also, you know, really the most important people in the HIE network ecosystem because they're ultimately the people whose information is being shared and who benefit the most when all of this works well.

SPEAKER_00

Absolutely. Well, thank you, Sarah. That was very concise. I appreciate that. Um, Jennifer, as as as both of you have kind of mentioned, some benefits of um you know, of HIEs uh in the digital health space, what what are some of the key benefits beyond what we've already touched, or what you guys have already touched on with regard to HIEs in the digital health space?

SPEAKER_03

So a couple that I might add are uh helping to assist with provider burnout. Um the the paperwork burden on providers is immense uh from a documentation perspective, from an intake perspective, from a billing perspective. There's no one solution that's going to respond to all of that. But uh the digitalization of information from HIEs can reduce some of that prep and documentation burden. I think a second is in that doctor-patient encounter, allowing patients and providers to really focus a bit better on the issue of the day as opposed to all of the pre-work to make sure that the provider has that information. I think another advantage is reaching out to patients, equipped with information to allow to help that patient understand why it's really important to come in. So providers can be monitoring their patients as part of their treatment in between visits and triaging who they need to reach out to. They can also use that function to not have to focus on something. So going back to our pregnant uh patient who perhaps had her flu shot through her primary care doctor, and the provider, the OB now has visibility into that and doesn't have to spend time uh reminding her patient to have her flu shot. It's been taken care of. So I think it can sort of reduce some of the noise in those encounters. Um, another thing that it can help do is enable patients to get their own information. Sarah mentioned the person on the, you know, the person with an app on her couch. We get a lot of information and we a lot of care, a lot of health and wellness from the apps on our phone. And many of those apps work better when they can retrieve information from some of your more sort of regular routine providers. And so patients are also using these HIEs to gain information that they want to help manage, to manage their own care. I think another really important thing is our emergencies. 
So if you are, if you fall ill away from home or you fall sick away from home, and your provider can identify you but doesn't know where you've been seen, this can allow them to get information far from home when perhaps you're not really able to participate in your own care. So I know we're going to talk about some of the regulatory and patient trust challenges later, but when HIEs work well in the background, um, you know, patients and providers value having that information on hand.

SPEAKER_00

Absolutely, absolutely. That's a great point. And and you know, we've talked about several key benefits kind of across the paradigm. And as HIEs take on a larger role, uh kind of a key question becomes how do they balance trust and privacy within an increasingly complex regulatory landscape? Um, Jennifer, I'm gonna stay with you for just a second. What do you see as the central challenge for HIEs in digital health right now?

SPEAKER_03

Well, I central challenge is um there's probably a few. You know, one is Sarah mentioned it being a plumbing network. I think another way to think about it as a highway, and we we like to talk about the information highway beyond being a bit of a cliche, it's actually I think a very useful visual for your question. When we drive across the country, there are some state-to-state variations, um, speed limits, no turn on red, but by and large, we don't we can drive the same in every state. We don't change the side of the road we you know drive on. Um, our cars don't change shape. A stop sign literally doesn't change its shape. When it comes to the transfer of health information, we're not there yet. So I think one of our main challenges, we talk about a plumbing system or a highway, but we have a very fractured system. And that fractured system from a regulatory perspective sits on top of providers and patients that don't have proximity to one another. So we really need trust because when I show up in my doctor's visit and my doctor seems to know a lot about me, that can either be really reassuring because I feel well cared for, or it can be unsettling. I didn't tell my doctor that. How do how do they know? And so we're trying to overlay, you know, almost instantaneous data availability on top of a regulatory system that includes federal rules, it includes state rules, even inside states, there can be different rules. So I'd say the first challenge we have is that the very power of HIEs is connecting distant providers with one another in their common care of a patient, but that distance stresses, places stress on uh patient trust. And we can talk later about some things that folks can do to respond to that. I think the second is unlike other jurisdictions around the world, we do not have an integrated sort of privacy regulatory regime. And that may be to our benefit. 
Um, it's a complicated question about whether or not we would want to scrap state law, scrap HIPAA, and have one sort of overarching data uh framework, like they do, for example, in Europe. Our system might have advantages for the US sort of culture and legal regime, but it also has consequences, which is that data is moving in and out of different legal jurisdictions. So if we go back to our highway analogy, it's switching from the left side of the road to the right side of the road, and suddenly red lights mean green lights and stop signs look like yield signs. And that literally can be how it feels for national companies that are trying to roll out solutions that have to be nationwide. It's also confusing for patients. They could have certain rights in some states, different rights, you know, in other states within their state of residence, they could have certain rights with respect to their mental health information, different rights with respect to, let's say, their primary care information. So building trust with that kind of diversity among legal approaches can be hard. I'd say another challenge is data tagging. This is not a particularly exciting topic, but it's essential to comply uh with this sort of fractured approach. So the data in your EHR is not all going to be treated the same within a state and across states, and also knowing where you got certain data and what you're allowed to use it for. And it's very hard to tag retrospectively. So building that architecture, um, and this is true especially for the folks in the middle layer that Sarah was talking about, um, who are receiving data uh from lots of different sources and have to keep track of the rules that are imposed on all of those data sources. So I think the difficulty of data tagging in our current architecture is another challenge I'd mention.

SPEAKER_00

Thank you very much, Jen. I appreciate that. Um really it's very interesting, you know, how many challenges that that there are there uh currently. Uh Sarah, you know, based on that, what what kind of practical changes do you see that these frameworks introduce for digital or excuse me, for data sharing and network participation?

SPEAKER_02

Um great question. I see a couple of different uh different practical changes. The biggest shift, I think, is that we're moving from a world where data sharing was largely voluntary and ad hoc to one where there are real expectations and in some cases even requirements to participate. Um the federal rules around information blocking, for example, mean that when healthcare organized that healthcare organizations generally can't refuse to share their electronic health information when somebody's querying for a legitimate purpose, such as treatment of a patient and there's no applicable exception. That was a huge key change. Um, you know, on the network participation side, um, frameworks like TEFCA and CareQuality are creating standardized on-ramps. So instead of negotiating sort of one-off data sharing arrangements with every partner that you are exchanging your data with, if you work um to gain access to this broader network, you work under a common set of rules. And for digital health companies, that's a huge opportunity because it means you can potentially access patient records at scale without having to build out, you know, hundreds of individual negotiations. But with that, you know, you have to understand that there are a lot of obligations, right? You need to understand what you're signing up for. As Jen said, how the data that you have can and cannot be used, um, what your data sharing obligations are under various bidirectionality requirements, because these are um these networks are all set up um under a reciprocity system, right? If you're going to draw down data from the network, you have to give your net new clinical data back to the network so that it sort of self-rejuvenates. Um, so there's that requirement. You know, do you have the consent to be able to do the bidirectional exchange that's necessary to keep this entire system going? And then as Jen mentioned, the state-specific requirements being layered on top of the federal framework. 
You know, it's more structured, which is great, but it also means more homework for legal and compliance teams.

SPEAKER_03

Can I can I add something to what Sarah said? Um, since we're talking about digital health providers, I think consent can be hard for digital health providers in general. Um, you know, when you're sitting in a waiting room, you have nothing better to do. Uh so you sit there and you read the forms and you, or you don't read the forms, but you fill them out, you sign them. I think in in the digital world, people expect the same kind of expediency in their healthcare transactions as they get from all the other apps on their phone. And so adding additional consents relating to HIEs can be tough because HIE participation is often something best discussed with a patient. Um, and as you're sort of trying to click through consents, it can be challenging. I think another operational challenge is that a lot of these digital health vendors are they're they're a little bespoke. They have a particular audience, they're handling the high-risk patients for a particular health plan. They offer um, you know, a particular type of mental health services, they offer fertility services, you know, they are plugging in to supplement your brick and mortar care. And to to Sarah's point about the bidirectionality, um, they they may have a very different subset of information than the information that information that's out there about their patients on the HIEs. So thinking through how the give to get works when the data sharing can look a little bit like a seesaw, I think is something that is still sort of getting um thought through. And then finally, it's not always great to get more data than you need. So uh figuring out with your implementer exactly what you need. The data you get can become a burden. And so um fine-tuning the information you're getting for the particular treatment purpose that you that you need it, I think is important. And then lastly, I would I would just say not all healthcare providers have a good approximate consent moment. 
You know, for example, laboratories can struggle with this, clinical laboratories that are offering a vital consenting service, um, but don't necessarily interact directly with the patient prior to getting really involved in their care, but are involved in their treatment. And so some of these sort of practical issues in in drawing down information from HIEs, I think remain um under development.

SPEAKER_00

Very good point. Um, so you know, we both of you have talked very uh succinctly about you know potential opportunities for for digital health companies and also the challenges, some of the challenges that they're facing and the HIEs are facing. Uh, where do you see opportunities versus uncertainties for the digital health companies?

SPEAKER_02

You know, we've been talking a lot about uh consent. And I do think that uh combining the consent function in a way that also allows for patient education into the value of data sharing is a huge opportunity. And whoever gets that right, I think is going to have a lot of stickiness in their product and also a lot of a much facilitate a closer bond with the between the patient and the provider. Uh, you know, no one wants to think that they're, you know, signing up to get their health records and then suddenly realizing like out of the blue that they're you know being spammed by somebody for some product that they, you know, had no interest in and just wanted a discrete, you know, sense of, you know, a discrete result from their query. So it's um people need to, you know, the people that can educate as to how this can benefit you, what you are actually agreeing to, what you do not have to agree to in order to facilitate the service, I think is going to be, you know, a big opportunity for digital healthcare providers.

SPEAKER_03

I 100% agree with Sarah. I think providers need a strategy on offense for talking to their patients, um, um, inviting patients to understand how providers are caring about them and using HIEs to do it. It can it can feel great when your provider knows something about you, and it can also feel a little creepy if you don't understand how. A provider came to understand. I think also it's an important opportunity to share with patients how different types of health information relate to their care. They may not realize why their mental health information is relevant to this other type of care they're they're getting over here. So it can be a conversation starter. I do think investing in a consent platform that keeps track of what patients have consented to, thinks about that multi-state strategy, thinking of that as part of your architecture. We used to talk about privacy by design. I think we are going to need to think about consent by design in the same way. And it can then serve as a platform for other types of emerging consent issues, like AI scribes, for example, right? So we have more and more components of care that have their own modular consent obligations. I think digital health providers need to think about. The other place where I think there is an opportunity is in this pre-work for appointments. You know, the getting ready to take care of a patient, making your outreach to that patient more effective and more informed. And oftentimes we have clinical decision support tools that are running on that data to help those providers monitor, triage in between visits. We know that our healthcare system breaks down on prevention and on caring for patients in between face-to-face interactions. And so I think HIEs and these other types of automated tools can work in concert. And this is a critical issue for providers on value-based care, right? They're looking for every possible advantage to catch things early and take better care for their patients. 
And HIEs are a critical part of that.

SPEAKER_00

And you both have mentioned challenges in that space. And so we'd like to take a moment to look at how the federal and state frameworks are evolving to address them. Sarah, what are your thoughts regarding current and possible federal efforts?

SPEAKER_02

To me, one of the things that's going to be a sea change, and you know, the Trump administration is really doubling down on this is information blocking. The 21st Century Cures Act made it so that healthcare providers, health IT developers, and HIEs generally can't engage in practices that interfere with the access, the exchange, or use of electronic health information. There are exceptions, but the default rule is that you're going to be uh sharing and uh you know data should be flowing is the expectation of the federal government. Um there have been a lot of uh practices by you know health systems or other participants in the HIE ecosystem that you know have been operating at odds with that directive. And so looking forward to seeing what you know ASTP and and uh you know the other folks over um at you know the OIG's office are going to be doing to kind of free up the flow of data. Um the second is uh you know is TEFCA, which is you know the main federally sponsored um trusted exchange framework and common agreement. Um and it's the federal government's effort to create a nationwide interoperability network, sitting along a couple of others that are still a little more robust than TEFCA is right now. But the idea is if you connect up through a QHIN under TEFCA, you can exchange data with any other participant without needing a separate agreement. And that's um, I'm really looking forward to watching how the current administration approaches um that kind of initiative going forward, whether there's going to be, you know, new rulemaking, what kind of support and role it views for TEFCA, um, and what it's going to do to, you know, uh fulfill the mandate that is set forth for it for making sure the data is getting to all the places it needs to go to drive better patient care.

SPEAKER_00

Absolutely. So, Jennifer, where do you see the biggest variation across states, uh particularly maybe around consent?

SPEAKER_03

So consent is the main source of variation across uh state law. So states come in all flavors. Um, so we have a lot of states that are opt-in states. Um the HIE requires affirmative patient authorization, patient consent, uh, before a treating provider can share records. And because of the bi-directional component that Sarah mentioned, um, if a provider can't share records, it can constrain their ability to receive records about that cohort of patients. We have some states where you're out of HIE exchange unless you opt-in. Um, but then broad consent can enable, can enable your opt-in. And this circles back to the conversation Sarah prompted about having those good conversations with patients. Um, you know, New York would be, I think, a good example uh of an opt-in state where there's a specific consent. Again, this made a lot of sense when you got care locally. So if you signed the New Yorkshire um consent form, you know, chances are doctors, New Jersey, Connecticut, New York, you are you are covered. It's it's just very hard when you scale that uh in a virtual environment. Um you also have opt-out states. You're in exchange unless you ask to come out. And in some cases, that you are entitled to notice of your ability to opt out. So you need to be presented with this option. Um and there are different ways in which that opt-out can be operationalized, um, and and the level of um detail, you know, can you opt out of some sharing and not others? The more choices you give, you know, the better patients may feel, but the operational burden gets really, really hard and it introduces some subjectivity. Uh, what exactly was the mental health information? What wasn't? So you have to be very cautious about adding that level of granularity. If you extend it, patients are going to rely on it, and there can be a real disconnect between what you think they're agreeing to and what they thought they were agreeing to. 
Um, then there's you know, additional, uh there's states that have sort of no flexibility, then there are states that have specific types of information. So um post-Dobbs, there are um post the Supreme Court's decision in Dobbs, there are certain states that are concerned about extra protections around reproductive health decision making. Um, many states um add protections for other types of sensitive information, mental health or genetic information. The last thing I'd mention, Hal, is these are not always HIE-specific protections. So you could have a state, for example, that discusses at the HIE level opt-out, but in its specific regulatory section where it's talking about mental health information that might predate their HIE policy making, they have you must have specific consent before you can share mental health information. And they these are just not harmonized. And so which rule controls? Is it the rule that talks about HIEs? Is it the is it the rule that talks about mental health? Um, for virtual platforms, there can sometimes be an advantage to creating as best as you can a one-size-fits-all you know approach to try to have a consent module that balances two things. The greatest possibility for opt-in, because again, I think providers really do believe these HIEs help, but um minimizing the burden of having to do state-by-state variations. And so that's something that's a business decision that virtual care providers um, you know, sometimes have to consider.

SPEAKER_00

Um so yeah, you know, my my next question is um I think you've you've answered it a little bit, uh so uh, but you know, uh given all of the rules and and the the state-to-state regulatory requirements and federal, um, you know, obviously they're they're designed to protect patients, but you know, do they really meaningfully protect patients? Uh I think you've indicated as well, you know, that it does add complexity, um, potentially without clear benefit. So um what are your thoughts uh with regard to are they actually you know uh meeting the requirements that they've set to meaningfully protect the patients at this point? And and do you see that potentially getting worse, getting better?

SPEAKER_03

That's Raphne. I mean, I mean, I I think there's different ways to think about consent. So take the HIPAA approach. Um, when the HIPAA Privacy Rule went into effect, it it's it does have an authorization, has a consent concept, but it also has something called the notice of privacy practices, right? These are the notices that every covered entity provider or plan needs to make available to patients and members that basically says here's all the things we're allowed to use your information for, and here's all the ways we're allowed to disclose it. And it set kind of a bar, a floor of commonality. So there were still there are still certain uses and disclosures that require authorization, but there are a lot that don't. And when you go and get health care or you get health insurance from a HIPAA-regulated entity, a good deal of what can happen to your information is preset. Now, you might object to some of those things. You might not like it, you might not always think the public policy is right, but it really reduces the decision-making burden on patients and reduces some of the variability. And so, with at the federal level, I think one of the benefits of HIPAA is that it uh creates a set of common expectations at the federal level about what you can and cannot do. So we could we could begin to explore that. And it's possible that TEFCA will kind of act as that coalescing force to reduce some of the variation. Of course, that means that, you know, it it limits the bespoke options available to people, but it can, I think, over time set a set of expectations. And, you know, Hal, one of the ways we think about privacy in other settings in in law is a reasonable expectation of privacy, which um is a little bit of a chicken and egg. It becomes reasonable when people tell us that we should or shouldn't expect to be private about it. And then when we depart from that, it's reasonable or not reasonable, but it does create a common conversation about trade-offs. 
And I think just one thing I would say, and I know Sarah has thoughts about this, every data exchange model is a set of trade-offs. If we want absolute privacy, we we can't share our information. HIPAA is a set of trade-offs. We're going to allow certain types of uses and disclosures to happen without patient authorization. And some patients are going to be comfortable with those, some patients aren't. Um, we're gonna privilege law enforcement in certain cases, not in others. I mean, every privacy framework, whether we're aware of it or not, is a set of trade-offs. And HIEs are the same. We are uh prioritizing the exchange of information to take care of patients, to enable patients to have access to their information. There are some consequences to that. And we can continue to have a conversation about where those lines should be. But I think, you know, to have an honest conversation about the importance of health information exchange means also having an honest conversation about those trade-offs, and then, you know, obviously trying to mitigate as much as possible. So, yes, I think the protections help. I do think that the more we try to uh have a lot of variation, we we have to contend with some confusion.

SPEAKER_00

Well, thank you. Um so uh, you know, these regulatory efforts are obviously are critical, um, but ultimately their success really depends on on one thing, and that's that's patient trust. Um let's take a couple of minutes to talk about how patients fit into the equation. Um Sarah, what does getting consent right look like for a digital health company that's operating across state lines?

SPEAKER_02

Uh I think getting consent right means a lot more than just checking uh the legal boxes. I mean, you can stop at that if you want to, but I would posit that you're gonna have some, you know, patient retention issues and you know, a hard time scaling your business if you are just stopping at checking your legal boxes. Um, you know, double-clicking on something Jen said sort of at the top of the hour is that, you know, when HIEs and digital health information exchange really does add a layer of distance. When you share something with your doctor in a clinic that feels personal, it feels contained. You know exactly why the doctor is going to be using it because hopefully they've explained that to you. But when it flows through HIE to other participants in a network, the patient may not have a clear picture of who's seen their data or why. Um, it might not map onto your expectation as a patient as to um what your data is gonna be used used for. And, you know, it might be you're giving up data that you would happily share with your care team, but you know, at the same time, you're also permitting uses that might surprise or concern you if you knew about them. So I think that, you know, if you're gonna try to get consent right, um, you need to write them in plain language. You need to explain the benefits of data sharing, you need to be proactive about telling patients about where their data is going to be used and how that is going to ultimately benefit them, as well as, you know, be honest about concerns that folks, you know, might have. I think you need to also, you know, build in your strong protections for highly sensitive information and explain those. You know, compliance is just a floor. You should be earning your patients' trust through your consent, and that should be the goal of your consent framework, both from a business perspective and because it's the right thing to do.

SPEAKER_00

Um so yeah, that sounds like some critical key design considerations around you know, clear consent, explanation of benefits, proactive strategies, you know, uh being honest and forthright, and the protection of highly sensitive information. Um Jennifer, where do organizations struggle the most from a legal interpretation, technical implementation, or patient experience?

SPEAKER_03

I think there are a couple of challenges. So one is this is just one consent that providers uh need to get. And uh, you know, for our digital health providers, again, uh patients come into the digital environment sort of expecting that it'll feel like all the other digital environments. So they should be able to get onto that telehealth platform with the same ease that they can get, you know, a directions app on their phone. Um and these are like worlds apart. So suddenly there's a consent to get telehealth, a consent to treat, a consent for billing, you know, a consent for your AI scribe, a consent for HIE, and um that can wear patients down. Um and it can, you know, patients can start to pass through some of these. Um, so I think one is just how when do you present this consent? Um, and how do you balance it with all the other ones you need? Now, one thing that some providers want to think about is whether it's a consent they want to get at their first visit. So for some providers, it's really important to get this consent in advance because they need to go into that first visit equipped with information. So they want to have front-loaded this consent. But in other cases, they're having kind of an introductory appointment and it would be unsettling for a provider, for that patient, for that provider to be particularly well informed, frankly. Um, and so it's better to hold off on this particular consent until you've established a little bit of a relationship. In certain high-risk communities that also have a lot of distrust of the medical community, the timing and the discussion around this consent can be important. So I think balancing it with the other ones you have and being thoughtful about timing is important. You also have to be able to handle revocation. People change their minds. Um, they they read something in the newspaper and they, you know, get nervous and they take it back. Um, so uh being ready to implement revocation. 
I think organizations should also give their providers training and talking points and how to talk about this. Um providers are not sure, in my experience, about how to talk about an HIE, how to introduce the conversation. So if we're going to do what Sarah suggested, and I completely agree with it, that consent is a conversation and a form, it's not just a form, then you need to empower people to have that conversation. And I think that can be unsettling for providers who who don't feel they can lead that conversation if it's not an area that they that they know well. Um investing in a consent platform, if you are multi-state and you work in states with very different rules, you do need a technical solution to, I think, this operational challenge to keep, you know, to keep track of this. Um, so I think those are some of the things that are really important. The last thing I would say is talk to your implementer. Um they do this all the time for lots of uh entities, providers across the ecosystem. So, you know, part of their job is to be, they could be called facilitators, and it would be kind of the same thing. What information do you need? How should I get it? How do I fill out these forms? What are the rules? What's reasonable? What feels bi-directional? And your implementer could be your EHR company, it could be a company like Particle. But I think really having a thoughtful conversation about how you're going to implement your needs on an HIE is something we didn't talk a lot about today, but I think is an important step.

SPEAKER_02

Yeah, and just to, you know, to echo that, Jen, you know, I have those conversations with customers, potential customers all of the time. Um, you know, what does my consent workflow need to look like? Am I set up for that? Can I share this data back? Can should I share this data back? No, and there's certain requirements of the frameworks. You know, there's, you know, a list of 21 different classes of information that, you know, is required to be shared. But, you know, then there's also the ability of organizations to establish organizational rules that if they can support withholding certain certain pieces of information because they're unduly sensitive or because the consent process in their state does not allow for that particular item to be shared. That can all be worked through, but you know, you need to bring legal compliance and product teams together early before you flip the switch on an HIE connection. You need to, you need to think through all of these issues in one integrated way.

SPEAKER_00

Absolutely. And I think I think that segues into, you know, really kind of our next area here of focusing in on, you know, what does it mean uh in practice for legal and compliance teams? Um so Jennifer, what what's one strategy or approach that has been particularly effective in navigating HIE participation in your experience?

SPEAKER_03

Well, I would say talk to your implementer. I really think that is key. Uh, and there's lots of different kinds of implementers out there, like I said. Um, but if there's a glitch on HIE, and what I mean by that is a disagreement, uh, confusion, concern about why are these requests coming, because that's part of what HIEs do, right? They act as I'm trying to think of what the right analogy is here, Sarah, with plumbing. But you know, they they at the intersection, they're the stoplight, they still tell people when to go. And um I think I think of us as Waze, for example.

SPEAKER_02

Like, you know, because we're just Particle at least is Waze, way it's it's set up. You know, we take data from a whole bunch of different sources um and kind of federate it into one into one place so that you get like the driver on the road is telling you there's an accident. Yeah. Forget the plumbing. I'm with you now on the highway, you know. So it's like we'll get we'll get driver feedback. We'll get, you know, we'll get somebody saying, you know, there's a police officer up ahead. Look out, you know, and we can bring all of that together into one streamlined, you know, data delivery system.

SPEAKER_03

Yeah. And I think the reason that's so important is there are going to be misunderstandings, right? With all of these distant players, there's going to be activity on the network that doesn't, that we can't make sense of at the beginning. And it's the implementers that then come to the HIEs and try to sort through those issues. And so equipping your implementer with the information they need to say, I know this might have looked, you know, unusual or this activity looked out of sorts, but here's why it happened, um, I think is important. So a key thing, again, is to really make sure your your implementer understands how your business works and the kind of information you're in a position to share, the kind of information uh that you're not. And then I think the second that I mentioned already, but I do want to underscore is talking with your providers. I have a lot of clients where compliance legal comes to me and says, but our providers aren't comfortable with this. Or we've looked at the law and we're thinking we think we're allowed to share this type of sensitive information, but our providers are uncomfortable with it. I think that's a stop, drop, and roll moment where you need to talk to your providers, understand their reservations. Maybe they're hearing something from patients that we we need to give some concern and attention to because the providers are that interface. Or maybe the providers are worried about tension with their patients, patients leaving, patient anger, because they're gonna they're gonna get the brunt of that and just need more education and support. So um I I think those kinds of conversations are are really important. Implementer and with your doctor, your provider community.

SPEAKER_00

Absolutely. So Sarah, do you see a a single or maybe multiple common mistakes or or blind spots that digital health organizations are making in this regard?

SPEAKER_02

I do. And you know the the one for me the big uh you know it's it's nothing that we haven't said before today, but you know, product needs to be talking to patients and providers so that they can all figure out how to work together seamlessly. I'm not going to say the regulatory aspect of this is easy, but you know if you're working with a sophisticated implementer, they know what they're doing. And you should be looking for an implementer that is going to as Jen said really do a deep dive into your business and they're going to be before they put you onto the network through their compliance process they'll be able to surface a lot of these issues for you. So it's going to be helpful if you've brought the right stakeholders together in the first place to have that conversation.

SPEAKER_00

Thank you. So we've we've touched on a number of important considerations for organizations and uh in this digital health space today. You know what are some of the key takeaways that you would like for our our uh audience to take away from from this conversation regarding HIEs and digital health organizations?

SPEAKER_02

Very well I'll go I'll go first. I mean I think you know there's some people that love a really good surprise like they're like thrilled to go to a party and learn it's like a surprise party or someone's getting married or whatever. This is not one of those areas where you should be thinking oh you know what this could work out really well. You need to plan you need to think through from the you know the perspective of you know from your 95 year old grandmother down to like you know your 17 year old teen who is like was born with a phone in their hand. You know, what are the concerns that your different patient populations are going to have same with providers you know um there's still a lot of providers out there um you know that still have paper records you know that are if they're not participating in insurance they're going to come from a different background a different view of um what's acceptable how they want to interact with their patients um and you need to make sure that you know if you want this healthcare ecosystem to work and I would strongly suggest that it's in all of our interests to get it right um you need to really make sure that you've thought through the consequences of how you're gonna be sharing and explaining that to all of the interested constituencies.

SPEAKER_03

I would I would say to well maybe three first I know so not come as a surprise but lawyers are your friends on this. I mean the law is complicated and you got to get it right um and then build from that. So you know check on those state rules follow the developments in TEFCA TEFCA's in its early innings it's gonna add additional um disclosure pathways that you want to keep track of I think um the second is patient trust the law is a floor so obviously you have to do that but there's often a gap and I know we've talked about this but I think it's worth underscoring there's a gap between what the law allows and what patients expect. We know from years and years of experience that HIPAA prohibits all sorts of things that patients don't really care about and permits things that actually they're surprised to find out are allowed. And I think the HIE world is is no different. So really um earning your patients' trust, helping them understand um how information is going to be used and then finally is the data tagging. HIEs are going to continue to grow and uh use cases are going to get more complex. And data tagging can be hard to do in in the rear view mirror. It's easier to do out at out of the gate. So and and I would say it pays all sorts of other dividends.

SPEAKER_02

You know one thing Jen we haven't talked about is the role of really like understanding your BAAs as part of your data tagging operation. Like you know before you sic your engineering team on the data tagging, you really need to understand what privileges have people given to you with their data. And it may be very different depending upon who you're getting it from. So there's just an old-fashioned charting, you know, and like flow diagramming that that needs to get done so that you make sure that you're honoring your commitments not just to your data sources, but the data sources are honoring their commitments to their patients.

SPEAKER_03

Yeah and a lot of sorry it's such a great point because a lot of these business associates have an upstream entity and a downstream entity so they kind of have a bit of a HIPAA sandwich so they have these directions, you know these obligations and rights going both ways. And that also is replicated on the TEFCA system. So TEFCA information um once it lands in a business associate you know can sometimes be treated a bit differently.

SPEAKER_00

So I think Sarah's absolutely right excellent well Sarah Jennifer thank you so much for uh the insights that you've shown today and that you provided us today. This has been a very uh valuable discussion on how HIEs and digital health are evolving and what it means from a legal and compliance perspective. And thank you to our audience for joining us today. We hope that this conversation has provided helpful perspective on the evolving role of HIEs and digital health from a legal and compliance standpoint. On behalf of the American Health Law Association, thank you for joining us for this episode of Speaking of Health Law.

SPEAKER_01

I'm Hal Porter with Clearwater Security and Compliance and we look forward to continuing these important conversations If you enjoyed this episode be sure to subscribe to AHLA Speaking of Health Law wherever you get your podcasts. For more information about AHLA and the educational resources available to the health law community visit americanhealthlaw.org and stay updated on breaking healthcare industry news from the major media outlets with AHLA's Health Law daily podcast exclusively for AHLA comprehensive members. To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org slash daily podcast