JJ'Studio - Fotolia

Get started Bring yourself up to speed with our introductory content.

Mass HIway: What are the security risks for healthcare programs?

Healthcare clearinghouses like Mass HIway are a new trend in health IT, but what are the security implications? Expert Mike Chapple explains what you need to know.

The last time I went to the doctor I was asked to sign a consent form for something called Mass HIway. How do state health information exchange programs like Mass HIway comply with HIPAA? Are there security risks I should be aware of when using these sites?

The Massachusetts Health Information Highway (Mass HIway) is an example of a healthcare clearinghouse. These organizations exist throughout the United States and are designed to facilitate the sharing of information between healthcare providers including doctors, hospitals, clinics and insurance companies. The goal is to improve the flow of information so that, for example, if a patient is brought into an emergency room unconscious, the treating physicians can call up the records of his most recent doctor's office visit.

You were asked to sign a consent form because both the doctor's office you visited and Mass HIway are required to comply with the security and privacy provisions of HIPAA. HIPAA applies to three different types of covered entities: healthcare providers -- which includes your doctor -- health insurance plans and health information clearinghouses -- such as Mass HIway.

The Mass HIway program does not provide information to patients directly. It's exclusively for the use of healthcare professionals. There's not much anyone needs to do personally to keep their information secure -- that's the responsibility of the healthcare clearinghouse and providers. The only real decision for the patient is whether he'd like to participate. Keep in mind, however, that doctors may require participation in the healthcare clearinghouse. Patients certainly have the right to revoke their consent, but the physician's office may then choose to drop them and they will lose the benefit of having medical records available to all treating providers.

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)

Next Steps

Find out what types of companies count as HIPAA business associates

Learn more about the rights of medical identity theft victims under HIPAA

Discover if security gap analysis is important for HIPAA compliance

This was last published in June 2016

Dig Deeper on HIPAA