Frequently Asked Questions


Health information exchanges and health information exchange organizations can provide many important benefits for providers, patients and hospitals, such as:

  • Enhanced care coordination. Communication between providers is critically important for patient care and leads to improved outcomes and patient safety. It can also reduce or eliminate redundant and unnecessary testing.
  • Access to the right information, at the right time, for providers, patients and all other stakeholders.
  • Improved efficiency and reliability by eliminating unnecessary paperwork and providing caregivers with clinical decision support tools.
  • Improved quality and safety through a reduction of medication and medical errors.

DIRECT is a secure email messaging service leveraging secure, encrypted and HIPAA-compliant services.

  • State-level HIEs included DIRECT as part of their service offerings as required by the HITECH State Health Information Exchange Cooperative Agreement Program supported by the Office of the National Coordinator (ONC) for Health Information Technology.
  • Other health information exchanges and providers use DIRECT email services to support their basic information exchange activities.

The U.S. Department of Health and Human Services' HIPAA requires HIEs/HIOs to have privacy and security policies and procedures in place to safeguard health information when it is exchanged. Privacy and security considerations may include the following:

  • The HIE/HIO sets the policies and procedures that apply to the devices or systems. The process of exchanging health information assumes that detailed data-sharing agreements among the providers and between the providers and the HIE/HIO are all in place.
  • There should be trust agreements with all HIE participants. These agreements define who can access and change data. All HIE participants must agree to follow the privacy and security policies that govern data protection and use. There are also federal and state laws regarding who can access data. Audits should be continuously performed to monitor data access.
  • There should be different levels of access control, depending upon the role of the user. Each level should be secured by permission controls, and may include two-factor or multi-factor authentication requirements for increased security. Only the providers who are treating patients, and their associated staff who are specifically given rights to the HIE/HIO, should be able to access patient records.
  • Privacy and security standards require encryption of data at rest (in the providers' servers) and in transmission (between providers, via the HIE/HIO).