HIE Readiness | Health Information Technology Toolkit for Long

Share
HIE Readiness
This tool acquaints nursing homes with the efforts being made to form health information exchange (HIE) organizations throughout the
country, and to determine readiness for participation in any formal HIE program in local communities. The concept of exchange of health
information is an important one for nursing homes because of the considerable movement of individuals across care delivery
organizations. This tool provides resources and suggestions for improving exchange of health information across the continuum of care,
which aids in care coordination.
Instructions for Use
1. Consider the business case for participating in some form of HIE. Use the HIMSS Dashboard tool
(www.himss.org/StateDashboard/default.aspx) to obtain information about HIE activity in your state.
2. Use the Readiness Checklist that follows to determine your specific needs with respect to formal and informal exchange of health
information across the continuum of care. Use the checklist as a trigger to develop policies and procedures for such exchange,
paper-based forms that are more amenable to providing needed information, functional requirements for your HIT selection, and
ideas for other technology supports for information management and exchange.
3. Complete the Technical Security Control Analysis table below to identify your current technical security controls and determine
any needed changes.
Definitions of Health Information Exchange
The National Alliance for Health Information Technology, under federal contract, sought industry consensus on the use and definitions of
specific information technology terms. The following terms and definitions were included in its May 20, 2008, report:
• Health information exchange: The electronic movement of health-related information among organizations according to nationally recognized standards.
• Health information organization: An organization that oversees and governs the exchange of health-related information among organizations according to nationally recognized standards.
• Regional health information organization: A health information organization that brings together health care stakeholders within a defined geographic area and governs health information exchange among them for the purpose of improving health and care in that community.
Despite these definitions, health information exchange (HIE) has different meanings for different groups. In general, HIE is about
exchanging health information across disparate settings. This may include providers exchanging information outside their integrated
delivery network and among organizations that may compete with one another. Participants in an HIE may include all types of providers,
including hospitals, physician offices, long term care facilities, pharmacies, medical device providers, and public health departments.
Employers, payers, and the federal government—the largest payer—are interested in efficiencies and efficacy for the health care delivery
system. Many of them participate in HIE organizations. Consumers directly or through their families and other caregivers also have
become more engaged in their health and health care through personal health records (PHR) and HIE services.
The goals of HIE are to provide seamless exchange of health information in support of:
• Improved care delivery
• Preventive and population health
• Efficiencies for health care delivery
• Consumer empowerment
Terminology varies for HIE. Health information organizations are the various parties who have formally joined together to exchange
health information in a private and secure manner. These groups also may be referred to as local health information organizations (LHIO),
regional health information organizations (RHIO), subnetwork organizations (SNO), connected communities, etc. Vendors who formally
support HIE with various technologies to exchange data and integrate systems might be referred to as HIE vendors, HIE service providers,
network providers, etc. eHealth Exchange, http://healthewayinc.org/index.php/exchange, is a web-service based series of specifications,
used by federal agencies and non-federal organizations, designed to securely exchange health care related data.
Business Case for Nursing Home Participation in HIE
This excerpt from the Report on Health Information Exchange in Post-Acute and Long-Term Care makes an excellent case for nursing
home participation in HIE:i
Clinicians require accurate and timely data to provide high quality patient care (Institute of Medicine, 2001). Nowhere is this more
important than at times of care transition, when patients are transferred from one health setting to another. Transfers among care
settings are common. Twenty-three percent of hospitalized patients over the age of 65 are discharged to another institution, and 12
percent are discharged from hospital with skilled home care services (Agency for Healthcare Research & Quality HCUPnet, 1999).
An estimated 19 percent of patients discharged from a hospital to a skilled nursing facility (SNF) are re-admitted to the hospital
within 30 days (Kramer, Eilertsen, Lin & Hutt, 2000). One study tracked post-hospital transitions for 30 days in a large, nationally
representative sample of Medicare beneficiaries. Transitions in this study were defined as transfers to or from an acute hospital,
emergency department, skilled nursing or rehabilitation facility, or home with or without home health care. Overall, 46 unique care
patterns were identified during this relatively brief time period (Coleman, Min, Chomiak & Kramer, 2004b).
As national awareness of medical errors and quality deficiencies that occur within particular care settings continues to rise
(Institute of Medicine, 2000), expanding evidence points to similar problems that occur during care transitions. Significant lapses
in information transfer threaten patient safety; each time a patient's medical record is re-created, it increases the chance for a
medical error and subsequent harm to occur. Inadequate information transfer can potentially increase healthcare expenditures,
largely due to recidivism back to high-intensity care settings. Further, re-creation of essential information is not only inefficient but
also can increase costs due to redundant ordering of laboratory tests, diagnostic imaging, and procedures (Institute of Medicine,
2001; Coleman & Berenson, 2004; van Walraven, Seth & Laupacis, 2002b; van Walraven, Seth, Austin & Laupacis, 2002a;
Coleman & Fox, 2004a).
Quantitative evidence increasingly indicates that patient safety is jeopardized during transitional care. Medication errors pose a
significant threat to patients undergoing transitions (Forster, Murff, Peterson, Gandhi & Bates, 2003). Receiving care in multiple
settings often means that patients obtain medications from different prescribers. Clinicians rarely have complete information to
adequately monitor the entire regimen, much less intervene to reduce discrepancies, duplications, or errors. For example, Boockvar
and colleagues studied the series of transfers from a long-term care (LTC) nursing home to a hospital and then back to the LTC
nursing home. On average, residents experienced three medication changes that led to an adverse drug event 20 percent of the time
(Boockvar et al., 2004). Qualitative studies consistently have shown that patients and their caregivers are unprepared for their role
in the next care setting, do not understand essential steps in the management of their condition, and are unable to contact
appropriate healthcare practitioners for guidance (Weaver, Perloff & Waters, 1998; vom Eigen, Walker, Edgman-Levitan, Cleary
& Delbanco, 1999; Harrison & Verhoef, 2002; Coleman et al., 2002; Levine, 1998). Each of these types of problems conspire to
increase rates of recidivism to high-intensity care settings when patients' care needs at lower-cost settings are not met (Beers,
Sliwkowski & Brooks, 1992; Coleman et al., 2004b; Moore, Wisnevesky, Williams & McGinn, 2003; van Walraven et al., 2002a).
Readiness Checklist
Use the following checklist to identify specific needs for HIE. Use the results to develop your own action plan and to encourage formal
participation in HIE.
Need | Agree | Neutral | Disagree | Don’t Know | Action Plan
On admission of a resident . . .
Transfer data received prior to resident arrival
Transfer data received in a consistent format
Transfer data received using standard definitions of terms
Transfer legible data when received
Consistent, complete, and accurate data received on an individual’s identity
Consistent, complete, and accurate data received on an individual’s primary caregiver, ability and willingness to provide ongoing care, and community support being used
Consistent, complete, and accurate data received on an individual’s primary care provider
Consistent, complete, and accurate data received on coverage and benefits
Advance directives, including power of attorney, received
Consistent, complete, and accurate data received on current medications
Consistent, complete, and accurate data received on medication history
Consistent, complete, and accurate data received on allergies and intolerances
Consistent, complete, and accurate data received on current diagnoses and problems
Consistent data received on recent laboratory results
Consistent data received on recent diagnostic imaging studies
Consistent data received on recent assessments
Consistent data received on functional and cognitive status
Consistent data received on an individual’s language and literacy level
Consistent data received relative to dietary needs
Consistent data received relative to social service needs
Consistent data received relative to various therapy service requirements
Consistent data received relative to durable medical equipment use
Ability to incorporate transfer data directly into facility’s information systems to reduce or eliminate transcription
Ability to incorporate transfer data directly into facility’s information systems to reduce or eliminate repetitive data collection
During resident’s stay . . .
Laboratory results received directly into facility’s information systems to reduce or eliminate repetitive data collection
Diagnostic imaging studies results received directly into facility’s information systems
Ability to exchange information with resident’s provider and bring it directly into facility’s information systems
Ability to exchange information with consultants, therapists, or other providers external to the nursing home and bring it directly into facility’s information systems
Ability to connect to payers for coverage and benefit information
Ability to transmit data to public health as may be required
Ability to exchange information with resident’s family members or caregivers as applicable
Upon transfer of a resident . . .
Ability to supply standardized information on resident’s goals, baseline functional status, active medical and behavioral health problems, medication regimen, family or support resources, durable medical equipment needs, and ability for self-care directly to another provider’s information system
Ability to supply standardized information (as above) in an e-fax, email, PHR, and/or paper format as recipient requires, including for ambulance services
Ability to manage referrals to other providers electronically
HIT Technical Security Controls Analysis
Security controls become increasingly important as more health information technology (HIT) is adopted. This analysis identifies the
technical security controls in place in your current HIT applications, helps you determine where controls are adequate or where they may
need to be made stronger, and which controls you will need in new HIT acquisitions. This tool should be completed by the project
manager or IT staff, and reviewed by the HIT steering committee and any other organizational unit responsible for oversight of security
compliance. Complete the following steps:
1. Note who compiled the information and the date compiled in the document footer.
2. List all information systems applications present, and add, delete, or update as new applications are acquired.
3. Assess and record the application criticality for each application:
Mission critical: your organization cannot survive without this application.
Critical: this application is very important to your organization and would be difficult to manage without this application.
Important: this application is necessary for key functions, but there are alternatives to achieve the functionality without the
application.
Deferrable: the application is useful, but the organization could operate for some period of time without it.
Unknown: the application’s criticality to the organization needs to be determined.
4. Identify whether or not this application stores and/or transmits protected health information (PHI) according to the HIPAA
definition.
5. Assess and record the application’s data sensitivity:
Unrestricted: anyone can have access to the data processed by this application.
Restricted: specific policies dictate who may have access to the data processed by this application (e.g., only a physician who is
treating a specific patient).
Need to know: special sensitivities would require extra security precautions (e.g., this application includes a patient’s real name
for insurance purposes, even though a pseudonym has been given to the resident to retain anonymity for all other components of
care).
6. Determine whether the application requires unique user identification for access. Distinguish between whether the control is
available and whether it is actually used.
7. Identify the type of access controls used in the application:
User-based: access is based on the identity of the user alone (e.g., Paul Smith has been given access to this application).
Role-based: access is based on the role of the individual as authorized by the organization (e.g., Paul Smith is a physician and has
access to all data in the application).
Context-based: access is based on the role of the individual as authorized by the organization and the relationship the individual
has to data in the application, location at which the individual accesses the application, and/or at any time or with other constraints
around access (e.g., Dr. Smith may access only patients with whom he has a documented treatment relationship, unless he is
accessing the application from the Emergency Department on Sundays; in that case he has access to all patients in the hospital).
8. Identify whether emergency access control capability exists and is used. This is frequently called “break-the-glass,” and enables an
individual who does not normally have access to gain access via a second level of control, followed with special logging of the
access in an audit trail.
9. Identify the form of authentication required for the user to access the application and/or data within the application. These forms
include password, PIN, token, callback, biometric, among others.
10. Identify the type of audit controls in the application by type (below) and lowest level available (e.g., network level, application
level, patient record [file level], data element [field level]).
Audit Write: a log of all changes is kept by the system
Audit Read: a log of each time a viewing takes place
11. Identify whether there is auto log off so that the application accessibility times out after a specific period of time. Record time in
minutes.
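The access control types in step 7 and the emergency access in step 8, as an added example in Python that is not part of the toolkit. The user, role, patient and location names are constructed, and requiring a stated reason as the second level of control for break-the-glass is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data; all identifiers here are hypothetical.
USER_GRANTS = {"psmith"}                   # user-based: named individuals
ROLE_GRANTS = {"physician"}                # role-based: authorized roles
TREATMENT = {("psmith", "resident-17")}    # documented treatment relationships
AUDIT_LOG = []                             # audit trail, one dict per decision

@dataclass
class Request:
    user: str
    role: str
    patient: str
    location: str
    when: datetime
    emergency_reason: str = ""   # assumed second-level control for break-the-glass

def user_based(req):
    return req.user in USER_GRANTS

def role_based(req):
    return req.role in ROLE_GRANTS

def context_based(req):
    """Role plus relationship to the data, with the location/time exception."""
    if not role_based(req):
        return False
    if (req.user, req.patient) in TREATMENT:
        return True
    return req.location == "ED" and req.when.weekday() == 6   # 6 = Sunday

def decide(req):
    """Context-based decision with break-the-glass; every outcome is audited."""
    emergency = False
    if context_based(req):
        decision = "allow"
    elif role_based(req) and req.emergency_reason.strip():
        decision, emergency = "allow-emergency", True
    else:
        decision = "deny"
    AUDIT_LOG.append({"time": req.when.isoformat(), "user": req.user,
                      "patient": req.patient, "decision": decision,
                      "emergency": emergency, "reason": req.emergency_reason})
    return decision

if __name__ == "__main__":
    monday = datetime(2024, 1, 8, 10, 0)
    print(decide(Request("psmith", "physician", "resident-99", "ward", monday)))
    print(decide(Request("psmith", "physician", "resident-99", "ward", monday,
                         "resident unresponsive")))
    print([e for e in AUDIT_LOG if e["emergency"]])
```

The same request is allowed under user-based and role-based control but denied under context-based control, which is the difference the analysis table asks you to record for each application.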
Technical Security Control Analysis
Application | Application Criticality | Store/Transmit PHI? | Data Sensitivity | Unique User ID? (Available / Used) | Access Control | Emergency Access? | Form of Authentication | Audit Control Write Access? (Level Available / Used) | Audit Control Read Access? (Level Available / Used) | Auto Log Off? (Y/N / Time in Minutes)
For support using the toolkit
Stratis Health • Health Information Technology Services
952-854-3306 • info@stratishealth.org
www.stratishealth.org
This toolkit was prepared by Stratis Health, the Minnesota Medicare Quality Improvement Organization, under contract with the Centers for Medicare &
Medicaid Services (CMS), an agency of the U.S. Department of Health and Human Services. The materials do not necessarily reflect CMS policy. 10SOWMN-SIP-HIT-13-06 031313
i Report on Health Information Exchange in Post-Acute and Long-Term Care, U.S. Department of Health and Human Services, Assistant Secretary for Planning and Evaluation, Office of Disability, Aging, and Long-Term Care Policy, February 2007. http://aspe.hhs.gov/daltcp/reports/2007/HIErpt.pdf