Resource Overview

Conducting a security risk assessment (SRA) in accordance with HIPAA policy is a complex task, especially for small to medium providers such as community health centers. The HIPAA Security Rule mandates security standards to safeguard electronic Protected Health Information (ePHI) maintained by electronic health record (EHR) technology, with detailed attention to how ePHI is stored, accessed, transmitted, and audited. This rule is different from the HIPAA Privacy Rule, which requires safeguards to protect the privacy of PHI and sets limits and conditions on its use and disclosure. Meaningful Use supports the HIPAA Security Rule. In order to successfully attest to Meaningful Use, providers must conduct an SRA, implement updates as needed, and correctly identify security deficiencies. By conducting an SRA regularly, providers can identify and document potential threats and vulnerabilities related to data security, and develop a plan of action to mitigate them.

Security vulnerabilities must be addressed before the SRA can be considered complete. Providers must document the process and the steps taken to mitigate risks in three main areas: administration, physical environment, and technical hardware and software. The following set of resources provides education, strategies, and tools for conducting an SRA.

Security Risk Analysis Resources
Strategies for Capturing Outside HIV Test Results for Your Health Center

Providers working with patients coming to or from health centers may need important health information, such as HIV test results, to help care teams provide the best care possible to the patient. What strategies exist to help health centers give and receive data so that providers can render seamless care without interruption? We’re glad you asked. Data sharing agreements, tools, and standard operating procedures (SOP) are a few strategies that health centers can use to ensure a patient’s electronic health record (EHR) is as detailed and up-to-date as possible. 

Establish A Data Sharing Agreement With Other Health Care Providers
Establishing data sharing agreements (DSAs) is an easy way to obtain HIV testing data from other health care providers. Deciding what to share, when to share it, and how much to share with other health centers can be challenging. Several templates exist for data sharing agreements; the HIPAA Business Associate Agreement is a great example. This agreement lays out the what, who, where, and why of data sharing between two entities. Consider working with your legal department to develop a standardized data sharing agreement for your health center. The Centers for Disease Control and Prevention (CDC) National Center for HIV/AIDS, Viral Hepatitis, STD, and TB Prevention offers the following data sharing principles to help inform data sharing agreements:

  • Limit sharing of confidential or identifiable information to those with a justifiable public health need; ensure that any data-sharing restrictions do not compromise or impede public health program or disease surveillance activities and that the ORP (Overall Responsible Party) or other appropriate official has approved this access.
  • Assess the risks and benefits of sharing identifiable data for other than their originally stated purpose or for purposes not covered by existing policies.
  • Ensure that any public health program with which personally identifiable public health data are shared has data security standards equivalent to those in this document.
  • Ensure that public health information is released only for purposes related to public health, except where required by law.
  • Establish procedures, including assessment of risks and benefits, for determining whether to grant requests for aggregate data not covered by existing data-release policies.
  • Disseminate non-identifiable summary data to stakeholders as soon as possible after data are collected.
  • Assess data quality before disseminating data.
  • Ensure that data-release policies define purposes for which the data can be used and provisions to prevent public access to raw data or data tables that could contain indirectly identifying information.

Data Sharing Tools
Health centers can use many data-sharing tools to give and receive data related to HIV testing. Health centers may choose to use tools such as your state or area’s Health Information Exchange (HIE) or DirectTrust; we will talk more about these tools in just a bit. Health centers may also decide to go “old school” and fax record requests between each other before exchanging patient information. Lastly, there may be features already built into your EHR or network that can support data exchange between health centers, such as connection through CommonWell and Carequality, or CareEverywhere, which allows Epic users to access results from other Epic users. New information blocking rules prohibit health care providers from blocking information from being shared unless a specific exception applies, which should continue to expand pathways for efficient data sharing. Be sure to review your data sharing approaches to ensure that they comply with HIPAA and applicable state and local laws related to information security, data sharing, and data privacy.

Health Information Exchange

A Health Information Exchange is a technological approach that allows health care professionals and patients to securely access and share patient medical information over the internet. The cloud-based service provides ease of sharing no matter where patients are receiving care—specialists’ offices, labs, or emergency rooms. An HIE facilitates safer, more effective care tailored to patients’ unique medical needs. Participation in an HIE can help avoid patient readmissions, reduce medication errors, improve diagnoses and decrease duplicate testing. An HIE is capable of interfacing with EHRs to optimize data sharing. There are currently three key forms of health information exchange:

  • Directed Exchange – ability to send and receive secure information electronically between care providers to support coordinated care
  • Query-based Exchange – ability for providers to find and/or request information on a patient from other providers, often used for unplanned care
  • Consumer Mediated Exchange – ability for patients to aggregate and control the use of their health information among providers

You may be wondering how to access a Health Information Exchange. A quick visit to HealthIT.gov’s webpage can provide you with guidance on getting started with an HIE.

DirectTrust

Established in 2012, DirectTrust provides organizations that may not utilize an HIE, due to limited funding or resources, with the ability to exchange information via Direct messaging. With DirectTrust, organizations can set up reciprocal DSAs. As part of an agreement, organizations may choose to send patient information in batches on a daily, weekly, or monthly basis using DirectTrust via a secure email or through their EHR. To exchange messages via Direct, health centers need to partner with a Health Information Service Provider (HISP): an accredited network service operator that enables nationwide clinical data exchange using Direct Secure Messaging. Health centers interested in DirectTrust must obtain membership and pay an annual fee. Membership is open to any individual or organization with an interest in secure and trusted exchange of sensitive information. Members include systems integrators and exchanges, such as HISPs and HIEs; healthcare providers such as hospital systems and clinics; insurance payers; governmental agencies; individuals and consumers; and other organizations with an interest in data sharing.

Manual Records Requests
Traditional, single record manual release forms are still in use today. Health centers may have standard forms that are faxed to other health centers to obtain patient records. Though rare, health center staff may also travel to health centers to obtain records and hand-carry them back to their health center. Either way, once the data is received, health center staff may import the information manually into the patient's EHR.

Create a Standard Operating Procedure (SOP) or Standardized Workflow
Once you have a plan to obtain HIV test results for your patients, work with your health information technology (IT) team to determine how you will integrate this information into your EHR as part of your workflow. You can do this by developing an SOP document. Simply put, an SOP document is a list of written instructions for completing processes. For example, if a client brings in a hard copy of their HIV test results to your health center, will data entry personnel be required to place this information in the notes, or will there be a checkbox or other location in the patient’s history where the results need to be recorded? Once you have a scanned copy of a patient’s hard copy results, will you destroy the original? Will you require your team to alert providers that the client was tested elsewhere, or will that be documented in the history? These are just a few questions to think about as you develop your SOP. As you work through your processes, it’s important to update your SOP frequently if you find any breakdown in your operations or find ways to reduce the steps needed to complete tasks.

References

HealthIT.gov. (2019). Health Information Exchange. https://www.healthit.gov/topic/health-it-and-health-information-exchange-basics/health-information-exchange
HHS/CDC/NCHHSTP. (2011). National Center for HIV/AIDS, Viral Hepatitis, STD, and TB Prevention Data Security and Confidentiality Guidelines for HIV, Viral Hepatitis, Sexually Transmitted Disease, and Tuberculosis Programs: Standards to Facilitate Sharing and Use of Surveillance D. https://www.cdc.gov/nchhstp/programintegration/docs/PCSIDataSecurityGuidelines.pdf
DirectTrust. (n.d.). Home. https://directtrust.org/
Pennar, A. L., Dark, T., Simpson, K. N., Gurung, S., Cain, D., Fan, C., Parsons, J. T., & Naar, S. (2019). Cascade Monitoring in Multidisciplinary Adolescent HIV Care Settings: Protocol for Utilizing Electronic Health Records. JMIR Research Protocols, 8(5). https://doi.org/10.2196/11185
Office for Civil Rights (OCR). (2015, September 10). HIPAA for Professionals. HHS.gov. https://www.hhs.gov/hipaa/for-professionals/index.html?language=es
FindLaw. (2017). State Medical Records Laws. https://statelaws.findlaw.com/health-care-laws/medical-records.html
Acknowledgements

This resource collection was cultivated and developed by the HITEQ team with valuable suggestions and contributions from HITEQ Project collaborators.