Protected patient information that’s needed for better care coordination will flow better in Texas through a new partnership with C3HIE, but maybe not as well in Oklahoma, where legislators decided to back off on a mandate that healthcare facilities must send data to a new state health information exchange.
Also, a state audit of Access Health CT found that the HIE suffered 51 personal data breaches across five vendors, with three unreported.
Interoperability deal links Texas hospitals
PointClickCare, a care collaboration platform, and C3HIE, which provides care coordination services, announced a partnership Wednesday to add 40 Texas hospitals to the platform to improve patient care interoperability across they state.
The partnership combines C3HIE’s admission, discharge and transfer data to the PointClickCare platform, and integrates the company’s skilled nursing facility information into the HIE’s network.
“By providing care teams with access to the necessary data, we empower them to make well-informed decisions together, leading to better health outcomes for the patients they serve,” Phil Beckett, C3HIE CEO, said in a statement.
PointClickCare said that hospital data in Texas more than tripled in recent months, and indicates a need for real-time patient data. Previously, the company partnered with Texas Health Services Authority to expand emergency department-encounter notification across 100 Texas healthcare facilities.
Providing “critical data directly, promptly and reliably” can improve collaboration and enhanced care outcomes in Texas, added Brian Drozdowicz, senior vice president and general manager of acute and payer markets at PointClickCare.
HIE fails to report three data breaches
Earlier this month, Connecticut auditors concluded that Access Health CT, the Connecticut HIE, did not take sufficient action to ensure the security of protected consumer data during 14 of 51 data breaches that occurred from July 2021 through April 2023 at five of its contractors.
Further, the HIE failed to report three cyberattacks to the Auditors of Public Accounts and the State Comptroller, according to a recent state audit.
By law – Section 4-33a of the General Statutes – Connecticut’s auditors must be informed of all security breaches.
“The exchange was not aware of the breach of security notification requirements of the General Statutes,” the auditors said in the report’s first finding.
“The exchange did not implement sufficient internal controls to prevent breaches of client data.”
The state report also included Access Health CT’s response to the charge of failed data security:
“In FY23, the exchange amended its vendor agreement with its call center vendor to add additional breach reporting requirements as well as new penalties for breaches caused by the vendor,” the HIE said.
“In addition, the exchange requires any vendor causing a breach to cover the cost of security monitoring for clients who experienced a breach and requires vendors to maintain sufficient liability insurance in case of a breach.”
Access Health CT also noted that it relies on third-party vendors to conduct its regular IT security audits of vendor-technology contractors whose employees have access to consumer data in its network and said it complied once it became aware of reporting requirements in 2021.
“The exchange reviews these security audits and requires vendors to remediate any findings,” the HIE said.
Senate Republican Leader Stephen Harding and Insurance and Real Estate Committee Ranking Senator Tony Hwang commented on the “completely unacceptable” undisclosed breaches in a joint statement.
“When a government agency has a data breach impacting the people of Connecticut, the public has a right to know,” the said.
“We urge officials at the exchange to seriously reevaluate its operations to ensure adequate protection of data and the transparency of information related to any data breaches.”
Oklahoma makes HIE voluntary
After creating a new statewide health information exchange and imposing a legislative mandate on providers to transmit and utilize the new Office of the State Coordinator for Health Information Exchange as part of operations, the Oklahoma Health Care Authority and its new officer proposed its interoperability rules in September 2022.
Those rules required reporting by providers, including mental health practitioners beginning on July 1, 2023. After mental health providers and others pushed back, the state made it possible for a provider to request an exemption using an online form.
However, the Oklahoma Legislature recently changed one word in its update of the full statute, effectively making the controversial program voluntary for all provider types, according to a report Monday in the Oklahoman.
As of press time, the revision was not yet updated in the online OHCA rule, 317:30-3-35, which covers mandatory data transmission by healthcare providers.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.