eHealth Exchange

Information Handling Practice

eHealth Exchange is a network that enables exchange of healthcare information among its Participants.  More specifically, eHealth Exchange is not a repository of healthcare data but, instead, is simply a secure conduit for exchange among Participants.

On behalf of and as authorized by our Participants pursuant to the provisions of the Data Use Reciprocal Support Agreement, eHealth Exchange receives patient information from eHealth Exchange Participants. The information includes information in the Participant’s electronic medical record for specific individuals who are the subject of an eHealth Exchange transaction. eHealth Exchange participates in the Carequality initiative, which allows Carequality Implementers to exchange electronic health records. eHealth Exchange may participate in other networks or initiatives in the future. Additionally, eHealth Exchange may de-identify and use the information its Participants provide for its business and administrative purposes related to the operation of eHealth Exchange but does not aggregate information that is individually identifiable.

Who can view patients’ healthcare information
via eHealth Exchange?

Can they receive and use the information?​

Healthcare Providers?

Yes

Pharmacies?

Yes

Life Insurers?

Yes, if authorized
by the patient

Veterans Affairs?

Yes

Defense Health Agency?

Yes

Social Security Administration?

Yes, if authorized
by the patient

Employers?

No

Consumers?

Healthcare organizations that have direct relationships with patients are typically required to provide their patients and members electronic access to their healthcare data. The eHealth Exchange is not a Participant with the right to share patient data. The eHealth Exchange enables the sharing of patients’ health information between/among Participant healthcare organizations, but the eHealth Exchange itself does not contribute, request, or initiate the sharing of patient health data. The eHealth Exchange also does not have a direct relationship with patients. Therefore, the eHealth Exchange is not able to provide patients access to their data. Consumers should contact their healthcare providers and health plans to access their data.

Can they share the information?

Healthcare Providers?

Yes

Pharmacies?

Yes

Life Insurers?

No

Veterans Affairs?

Yes

Defense Health Agency?

Yes

Social Security Administration?

No

Employers?

No

Consumers?

Yes

What data are exchanged?

This list represents the data that are most commonly exchanged, but the list is not exhaustive, and the actual data exchanged vary among Participants.

Demographic Information

Financial Information

Clinical Information

Additional facts about patients’ personal information

General Information

What is eHealth Exchange?

eHealth Exchange (“Exchange”) is a group composed of federal agencies and non-federal organizations that came together to improve patient care, streamline disability benefit claims processing, simplify queries initiated by healthcare organizations/agencies, and improve public health reporting through secure, trusted, and interoperable health information exchange.

Where does eHealth Exchange operate?

Active in all 50 states, eHealth Exchange is the largest query-based health information network in the country. Beyond exchanging with eHealth Exchange’s 280+ health systems, federal agencies, providers, and provider collaboratives, eHealth Exchange also provides Participants the optional ability to exchange with other health networks such as Carequality’s 25+ health networks. eHealth Exchange provides a common set of standards, legal rights and obligations, and a governance framework that sets the groundwork for Participants to securely share health data.

Who participates in eHealth Exchange?

eHealth Exchange participation encompasses:
  • 70,000 medical groups
  • 3 federal agencies
    • Department of Defense
    • Department of Veteran Affairs
    • Social Security Administration
  • 5,800 dialysis centers
  • 75% of U.S. hospitals
  • 8,300 pharmacies
  • 61 regional and state Health Information Exchanges (HIE)
  A complete list is provided at https://ehealthexchange.org/participants.

What rules must Participants follow to exchange within eHealth Exchange?

Participants must satisfy the provisions in the DURSA, a comprehensive, multi-party, trust agreement that is entered into voluntarily by public and private organizations (eHealth Exchange Participants) that desire to engage in electronic health information exchange with each other as part of eHealth Exchange. Participants must also meet and comply with the Operating Policies and Procedures, pass testing defined by the eHealth Exchange Validation Plan, and conform to the specifications defined in the Performance and Service specifications.

Does eHealth Exchange allow its Participants to exchange with data sharing networks besides eHealth Exchange?

Yes, since some healthcare entities belong to data sharing networks besides eHealth Exchange, eHealth Exchange Participants may choose whether they wish to exchange with data sharing networks used by other health care entities. Some eHealth Exchange Participants have chosen to exchange with the Carequality-enabled networks listed at https://carequality.org/members-and-supporters via eHealth Exchange. eHealth Exchange may participate in other networks or initiatives in the future.

Does eHealth Exchange charge fees?

Yes, eHealth Exchange Participants pay eHealth Exchange the annual fees published on our website.

Permission to access, share, and use patients’ healthcare data

How is patient consent to the exchange of information via eHealth Exchange managed?

The eHealth Exchange Data Use Reciprocal Support Agreement (DURSA) requires every eHealth Exchange Participant to only request, use, or disclose patient information if the request, use, or disclosure is permitted by law. In order to effectively operate the eHealth Exchange Network, eHealth Exchange operates as a business associate of each Participant, where the business associate contract requires eHealth Exchange to protect the privacy and security of patient information. Some uses and disclosures that are permitted by law require patient consent or authorization, while others do not. HIPAA generally permits providers, health plans, and other covered entities to use and disclose patient information for purposes of Treatment, Payment, and Healthcare Operations without obtaining the individual’s consent or authorization. Some states, however, may impose addition consent requirements where HIPAA does not. Before exchanging patient data for any purpose that requires patient consent, it is the responsibility of covered healthcare providers and health plans to ask patients whether their healthcare data should be exchanged or, if authorization is required, to obtain the patient’s written authorization. Some healthcare organizations collect patient consents via an “opt-in” model, where patients must affirmatively elect to share their data as specified. Other healthcare organizations utilize an “opt-out” process, where they share data with other trusted organizations unless the patient explicitly chooses to not have his/her data exchanged. Some states have laws that require either an opt-in or opt-out model, while other states leave it up to the provider or other healthcare organization to determine its own consent process. Patients should inform each of their healthcare providers and health plans regarding whether the patient wants his/her data shared via eHealth Exchange.

May patients’ healthcare data be shared with public health authorities without patient consent?

In certain situations, yes. Applicable law sometimes requires healthcare providers to share certain patient health information with public health authorities. For example, most states require providers to report certain communicable diseases to the state health authority, even if the patient has not consented to the disclosure. eHealth Exchange is one way providers may connect with public health authorities for purposes of sharing relevant health information.

May the Social Security Administration (SSA) electronically retrieve patients’ healthcare data if patients apply for disability benefits?

The SSA may retrieve patients’ medical information only for patients who have provided the SSA with a signed authorization form.

May life insurance companies electronically retrieve patients’ healthcare data if patients apply for a life insurance policy?

Life insurance companies and their intermediaries may retrieve patients’ medical information only for patients who have provided them with signed authorization forms.

Does eHealth Exchange use patients’ information for marketing purposes?

No

Does eHealth Exchange sell patients’ information?

No

Does eHealth Exchange use patients’ information for medical research purposes?

No

Does eHealth Exchange anonymize patient information for medical or public health research?

No, eHealth Exchange may de-identify and use patient information for its business and administrative purposes related to the operation of eHealth Exchange only (not for medical or public health research purposes). eHealth Exchange does not aggregate data containing individually identifiable information.

May eHealth Exchange disclose patient information to comply with a subpoena, court order, search warrant, or similar legal process?

Yes, eHealth Exchange may disclose patient information as required by law.

Where may patients and healthcare entities submit additional questions or concerns?

Patients and healthcare entities with questions or concerns about how information is used may contact CIO@ehealthexchange.org.

Data Security

Does eHealth Exchange store patient data?

eHealth Exchange serves as an intermediary that relays health information from trusted Participants when such information is requested by a trusted Participant. As a conduit for the exchange of information, eHealth Exchange stores patients’ encrypted clinical information for up to up to two hours to ensure completion of the transmission to the requesting Participant. eHealth Exchange stores the entire computerized transaction for up to 7 days, in case technical troubleshooting is required. Lists of queries made (without any clinical data) are stored indefinitely for auditing purposes. No patient demographic or clinical data are maintained on the eHealth Exchange Hub “dashboard,” which is used by Participants to track how many exchanges are transacted by each eHealth Exchange Participant.

Does eHealth Exchange track which Participants request information, receive information, and the type of information involved?

Yes, audit logs (without clinical data) are stored by eHealth Exchange indefinitely for auditing purposes.

Is eHealth Exchange’s exchange technology certified?

Yes, eHealth Exchange’s exchange technology platform is HITRUST Common Security Framework-certified.

Does eHealth Exchange store patient data outside the United States?

No

Are there eHealth Exchange personnel outside the United States accessing patient data?

No

Are patient data protected by HIPAA when transmitted or received by eHealth Exchange?

eHealth Exchange must protect data it receives or transmits that constitute “Protected Health Information” or “PHI” under the provisions of the HIPAA Privacy