Regional health information organizations (RHIOs) and other health care data exchange ventures continue to confront a series of common privacy regulatory hurdles under the HIPAA Privacy Rule. Â One critical issue is the regulation and monitoring of the purposes for which data is accessed. For example, the HIPAA Privacy Rule generally permits a covered entity to disclose protected health information to another covered entity for treatment purposes. But if a hospital contracts with the RHIO entity, which, in turn, contracts with the other providers participating in the exchange, how does the hospital obtain adequate assurances that PHI is being accessed only for permitted treatment purposes? Â Is it enough for the RHIO entity to require all participating providers to contractually agree that they will access data only for treatment purposes? Â Should each participating provider acknowledge the purpose of its access prior to viewing or downloading data? Â Should the RHIO indemnify the hospital for damages arising from improper access to data? Â How rigorous should the RHIO's access controls be in order to detect and prevent improper access?
Because health care data exchange entities are typically not directly regulated by HIPAA, it is ultimately the responsibility of each covered entity to ensure that it is disclosing PHI in accordance with HIPAA restrictions, even if it is making that disclosure through a RHIO or other intermediary entity. Â There are many regulatory and liability issues that have hobbled the progress of the movement toward RHIOs, but this is certainly a recurring theme in the negotiations ....