Information Handling Practice
eHealth Exchange is a network that enables exchange of healthcare information among its Participants. More specifically, eHealth Exchange is not a repository of healthcare data but, instead, is simply a secure conduit for exchange among Participants.
Summary
On behalf of and as authorized by our Participants pursuant to the provisions of the Data Use Reciprocal Support Agreement, eHealth Exchange receives patient information from eHealth Exchange Participants. The information includes information in the Participant’s electronic medical record for specific individuals who are the subject of an eHealth Exchange transaction. eHealth Exchange participates in the Carequality initiative, which allows Carequality Implementers to exchange electronic health records. eHealth Exchange may participate in other networks or initiatives in the future. Additionally, eHealth Exchange may de-identify and use the information its Participants provide for its business and administrative purposes related to the operation of eHealth Exchange but does not aggregate information that is individually identifiable.
Who can request patients’ healthcare information via eHealth Exchange?
| Can they receive and use the information? | Can they share the information? | |
|---|---|---|
| Healthcare Providers? | Yes | Yes |
| Veterans Affairs, Defense Health Agency, Indian Health Service? | Yes | Yes |
| Pharmacies? | Yes | Yes |
| Health Insurers? | Yes | Yes |
| Life Insurers? | Yes, if authorized by the patient | No |
| Social Security Administration? | Yes, if authorized by the patient | No |
| Federal Drug Administration? | Yes | Yes |
| Employers? | No | Not applicable |
| Consumers? |
eHealth Exchange is not a Participant with the right to share patient data. eHealth Exchange enables the sharing of patients’ health information between/among Participant healthcare organizations, but eHealth Exchange itself does not contribute, request, or initiate the sharing of patient health data. eHealth Exchange also does not have a direct relationship with patients. Lastly, eHealth Exchange does not store patients’ health data. Therefore, eHealth Exchange is not able to provide patients direct access to their data. However, healthcare organizations that have direct relationships with patients are typically required to provide their patients and members electronic access to their healthcare data. If those organizations are eHealth Exchange Participants, they are permitted to offer consumers a way to request their health data, including data from other eHealth Exchange Participants. Consumers should contact their healthcare providers and health plans to access their data. |
Yes |
What Data are exchanged?
This list represents the data that are most commonly exchanged, but the list is not exhaustive, and the actual data exchanged vary among Participants.
Demographic Information
- Patient Name
- Address
- Phone
- Date of Birth
- Gender
- Social Security Number
- Medical Record Numbers
Financial Information
- Insurance Identifiers
Clinical Information
- Medical Conditions
- Allergies
- Medications
- Vaccinations
- Lab and Pathology Results
- Radiology Reports
- Procedures
- Clinical Reports
- Clinical Care Team
Additional facts about patients’ personal information
General Information
What is eHealth Exchange?
Where does eHealth Exchange operate?
Active in all 50 states, eHealth Exchange is the largest query-based health information network in the country.
Beyond exchanging with eHealth Exchange’s 300+ health systems, federal agencies, providers, and provider collaboratives, eHealth Exchange also provides Participants the optional ability to exchange with other health networks such as Carequality’s 35+ health networks.
Who participates in eHealth Exchange?
- 70,000 medical groups
- 5 federal agencies
- Department of Defense
- Department of Veteran Affairs
- Social Security Administration
- Federal Drug Administration
- Indian Health Service
- 85% dialysis centers
- 75% of U.S. hospitals
- 58 regional and state Health Information Exchanges (HIEs)
- 70 public health jurisdictions
- Payers in 34 states
What rules must Participants follow to exchange within eHealth Exchange?
- DURSA: https://ehealthexchange.org/dursa/
- Operating Policy and Procedures: https://ehealthexchange.org/policies
- Onboarding: https://ehealthexchange.org/onboarding
Does eHealth Exchange allow its Participants to exchange with data sharing networks besides eHealth Exchange?
Does eHealth Exchange charge fees?
Permission to access, share, and use patients’ healthcare data
How is patient consent to the exchange of information via eHealth Exchange managed?
The eHealth Exchange Data Use Reciprocal Support Agreement (DURSA) requires every eHealth Exchange Participant to only request, use, or disclose patient information if the request, use, or disclosure is permitted by law. In order to effectively operate the eHealth Exchange Network, eHealth Exchange operates as a business associate of each Participant, where the business associate contract requires eHealth Exchange to protect the privacy and security of patient information.
Some uses and disclosures that are permitted by law require patient consent or authorization, while others do not. HIPAA generally permits providers, health plans, and other covered entities to use and disclose patient information for purposes of Treatment, Payment, and Healthcare Operations without obtaining the individual’s consent or authorization. Some states, however, may impose addition consent requirements where HIPAA does not. Before exchanging patient data for any purpose that requires patient consent, it is the responsibility of covered healthcare providers and health plans to ask patients whether their healthcare data should be exchanged or, if authorization is required, to obtain the patient’s written authorization.
Some healthcare organizations collect patient consents via an “opt-in” model, where patients must affirmatively elect to share their data as specified. Other healthcare organizations utilize an “opt-out” process, where they share data with other trusted organizations unless the patient explicitly chooses to not have his/her data exchanged. Some states have laws that require either an opt-in or opt-out model, while other states leave it up to the provider or other healthcare organization to determine its own consent process.
May patients’ healthcare data be shared with public health authorities without patient consent?
May the Social Security Administration (SSA) electronically retrieve patients’ healthcare data if patients apply for disability benefits?
May life insurance companies electronically retrieve patients’ healthcare data if patients apply for a life insurance policy?
Does eHealth Exchange use patients’ information for marketing purposes?
Does eHealth Exchange sell patients’ information?
Does eHealth Exchange use patients’ information for medical research purposes?
Does eHealth Exchange anonymize patient information for medical or public health research?
May eHealth Exchange disclose patient information to comply with a subpoena, court order, search warrant, or similar legal process?
Where may patients and healthcare entities submit additional questions or concerns?
Data Security
Does eHealth Exchange store patient data?
eHealth Exchange serves as an intermediary that relays health information from trusted Participants when such information is requested by a trusted Participant.
As a conduit for the exchange of information, eHealth Exchange stores patients’ encrypted clinical information for up to two hours to ensure completion of the transmission to the requesting Participant. eHealth Exchange stores the entire computerized transaction for up to 7 days, in case technical troubleshooting is required. Lists of queries made (without any clinical data) are stored indefinitely for auditing purposes.
