HIE Roundup: New Additions – and New Breaches

Protected patient information needed for better care coordination will flow better in Texas through a new partnership with C3HIE, but perhaps not so well in Oklahoma, where lawmakers have decided to backtrack on a mandate that health care organizations send data to a new state information agency exchange in the field of health care.

A state audit of Access Health CT also found that the HIE suffered 51 personal data breaches at five providers, three of which went unreported.

Interoperability Agreement Connects Texas Hospitals

PointClickCare, a healthcare collaboration platform, and C3HIE, which provides care coordination services, announced a partnership Wednesday to add 40 Texas hospitals to the platform to improve interoperability of patient care across the state.

The partnership combines C3HIE’s admission, discharge and transfer data with the PointClickCare platform and integrates the company’s skilled nursing facility information into the HIE network.

“By giving healthcare teams access to the necessary data, we empower them to make informed decisions together, leading to better health outcomes for the patients they serve,” said Phil Beckett, CEO of C3HIE, in a statement.

PointClickCare said hospital data in Texas has more than tripled in recent months, indicating a need for real-time patient data. Previously, the company worked with the Texas Health Services Authority to expand reporting of emergency department encounters to 100 healthcare facilities in Texas.

Providing “critical data immediately, quickly and reliably” can improve collaboration and healthcare outcomes in Texas, said Brian Drozdowicz, senior vice president and general manager of acute and payer markets at PointClickCare.

HIE fails to report three data breaches

Earlier this month, Connecticut auditors concluded that Access Health CT, the Connecticut HIE, did not take sufficient action to ensure the security of protected consumer data during 14 of 51 data breaches that occurred at five of its sites between July 2021 and April 2023 contractors.

Furthermore, the HIE failed to report three cyber attacks to the public accounts auditors and the state comptroller, a recent investigation found. state control.

By law – Section 4-33a of the General Statutes – Connecticut auditors must be notified of all security breaches.

“The exchange was not aware of the breach of the security reporting requirements of the General Statutes,” the auditors said in the report’s initial finding.

“The exchange has not implemented sufficient internal controls to prevent breaches of customer data.”

The state report also included Access Health CT’s response to the allegation of data security failures:

“In FY23, the exchange amended the supplier agreement with the call center supplier to add additional breach reporting requirements, as well as new penalties for breaches caused by the supplier,” the HIE said.

“Additionally, the exchange requires any vendor that causes a breach to cover the costs of security monitoring for customers who have experienced a breach, and the exchange requires vendors to maintain adequate liability insurance in the event of a breach.”

Access Health CT also noted that it relies on third-party vendors to conduct its regular IT security audits of technology contractor providers whose employees have access to consumer data on its network, and said it complied as soon as it became aware of the reporting requirements in 2021.

“The exchange is reviewing these security audits and requiring vendors to remediate any findings,” the HIE said.

Senate Republican Leader Stephen Harding and Insurance and Real Estate Committee Ranking Senator Tony Hwang commented on the “completely unacceptable” undisclosed breaches in a joint statement.

“If a government agency has a data breach that impacts the people of Connecticut, the public has a right to know,” the spokesperson said.

“We urge the exchange’s officials to seriously reconsider its operations to ensure adequate data protection and transparency of information regarding any data breaches.”

Oklahoma makes HIE voluntary

After creating a new statewide health information exchange and imposing a legislative mandate on providers to transmit and use the new Office of the State Coordinator for Health Information Exchange as part of their operations, the Oklahoma Health Care Authority and its new official proposed its interoperability rules in September 2022.

These rules required reporting by providers, including mental health practitioners, beginning July 1, 2023. After mental health providers and others opted out, the state made it possible for a provider to apply for an exemption using a online form.

However, the Oklahoma Legislature recently changed one word in its update to the entire statute, effectively making the controversial program voluntary for all types of providers, according to a researcher. report Monday in the Oklahoman.

At the time of writing, the revision had not yet been updated in the online OHCA rule, 317:30-3-35which relates to the mandatory data transfer by healthcare providers.

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.