A Work in Progress, Connecticut’s Health Information Exchange Offers Little Transparency, Few Guarantees on Patient Privacy


TwitterFacebookCopy LinkPrintEmail

Asked whether the state’s new Health Information Exchange would release the names of companies that purchase or have access to patient records, a state official told CT Examiner that the nonprofit would follow state and federal privacy laws, but would not release that information to the public.

Sumit Sajnani, the chairman of the board of directors of Connie, the nonprofit set up to manage the exchange, said that releasing the names of companies who request access to specific data sets would be “tricky,” given that agreements may be signed under a name different than one the company does business under. 

“The reason it gets tricky with the actual [data use agreement] is which entity signs it may not be the ‘Doing Business As’ entity type of thing that’s out there,” Sajnani said.

In contrast to a quasi-public like Access Health, for example, the practices of Connie, as a nonprofit, are not subject to Freedom of Information Law.

Advocates question transparency

A lack of transparency is one of a number of concerns raised by patient advocates, who have also repeatedly questioned the strength of privacy protections in place for patient information shared on the exchange.

In 2020, a letter signed by twenty-two patient advocates raised concerns about the nonprofit’s intention to sell “subscriptions” to organizations who want access to the data. In May 2021, the advocates followed up with the organization, saying that their concerns had not been addressed.  They also raised concerns about the composition of the board overseeing the exchange, which advocates said “has only representatives from insurers, large health systems, and state agencies.” 

The nine member board includes four government officials, as well as four representatives from the hospital and insurance industry – representatives of ProHealth Physicians, a subsidiary of UnitedHealth Group; Yale New Haven Health System; Griffin Hospital, a subsidiary of Planetree International and a Yale School of Medicine affiliate; and Elevance Health, the insurer formerly known as Anthem.  

The board also includes a patient advocate, Jose Crespo, who sits on the New Haven Board of Aldermen, and is an employee for Cornell Scott – Hill Health Center.

The big picture on patient records

The idea of a health information exchange, run by a nonprofit, is not new or unique to Connecticut — 45 states already have such systems, some also run by nonprofits with boards composed of representatives from the insurance and healthcare industries.

But concerns about the use of patient data have been growing. 

A story published by The Intercept in August, reported that UnitedHealthcare had hidden its involvement in a Yale study about surprise billing practices that ultimately worked to the company’s advantage. 

And recently, the Federal Trade Commission ordered the company GoodRx to stop sharing health data with advertisers. 

Data privacy

Sajnani told CT Examiner that Connie, which is still in the process of entering data into the exchange, is not yet offering subscriptions or access to patient health records to any organization other than healthcare providers.

He said that data would only be made available in an aggregate form, and that “re-identifying” individual data points would be forbidden. 

Organizations given access to the data, Sajnani said, would be required each year to ensure that there were no data breaches, and that they would be required to destroy the data after they were done using it. 

Information sharing would also be governed by the federal privacy laws, and state regulations on data sharing. 

Jenn Searls, who served as chief operating officer for Southern New England Health before joining Connie as its executive director, offered assurances last month at a press conference that access to patient records would be limited by federal Health Insurance Portability and Accountability, or HIPAA, regulations, as well as state privacy laws.

“If — you know — Bob’s Mechanic Shop wants to get access to data, that’s not a HIPAA- covered reason why they should have access to it,” said Searls. 

But Ellen Andrews, executive director for the CT Health Policy Project, a nonpartisan policy-focused nonprofit, and a signer of the advocacy letter, said that HIPAA doesn’t offer much protection. 

“All you have to do is sign a data use agreement and you can have anything,” Andrews said. 

She also pointed out that not all organizations and companies are subject to HIPAA. 

As an example of an entity not subject to HIPAA rules, Andrews gave the possibility of a drug company that might pay for data that could identify patients who might be targeted for their products. 

Searls said in an email to CT Examiner that this kind of organization “wouldn’t be permitted to purchase a subscription for data because it falls outside the authorized access permitted in our data release policy.” 

Sajnani said that Connie also has the ability to restrict how organizations use the data as part of the agreement they sign, and that those restrictions could depend on the organization itself. 

“If a [healthcare] provider was to ask us for certain data … there’s a greater level of expectation that you understand how to deal with this data and you have existing infrastructure in place, versus if a [entity not covered by HIPAA] was asking for data, there might be greater scrutiny on how you would do the data,” said Sajnani.

Rather than a general rule, he said those restrictions would be determined on a case-by-case basis. 

The data privacy policy for Connecticut’s Health Information Exchange includes three types of acceptable data sharing: access for healthcare providers, access for researchers and “service disclosures” — which Sajnani said could include insurance companies. 

But “service disclosure” does not appear to have any limitations beyond the requirement that the cooperation given access would have the “commercially reasonable administrative, technical and physical safeguards” to protect the data and “minimize” the risk of data breaches. 

It’s also unclear who will qualify for researcher access.

As of now, Sujnani said, the only research organizations allowed would be academic institutions. But he said that it had been “hotly debated” at board meetings whether or not to allow companies access to aggregated data for non-academic research. He gave the example of a pharmaceutical company that might want the data as it’s developing a product.

“We are sort of dipping our toes in this and trying to get a sense of what types of requests we’re going to be getting,” said Sajnani. “Would we provide those types of aggregate data to non-academic research … that is an open question still.”  

Sources of income

Hospitals were required by state law to connect to the exchange by May 2022. Other medical providers must connect by May 2023. 

To date, nearly every large hospital system in the state, including Yale New Haven Health, Hartford Healthcare, Trinity Health, UConn Health and Nuvance Health, have at least begun the process of signing on. 

Searls said that about 75 percent of the state’s hospitals are connected to the exchange, and that she said she expects that number  to reach 90 percent by this spring. She said they also wanted to connect at least three-quarters of medical offices and outpatient clinics, and at least 75 percent of the skilled nursing facilities. Only a small number of nursing facilities are currently connected to the exchange. 

Connie had relied on federal dollars until that funding expired in September.

But for Connie to be self-sustaining financially, Searls said the nonprofit plans to fund itself by creating a “portal” that would allow home and community-based services run through the Department of Social Services to access patient health information, and with federal dollars for data sharing with Medicaid.

Sajnani said the exchange also planned to make the data available to the insurance companies  – within limits. But he said that insurance companies would only be able to see information about patients they are currently covering, and only for the amount of time that they have been covered  — with exceptions for a limited number of health conditions.

He said that subscriptions for insurers could include service like “encounter notifications,” to alert an insurance company in advance of a claim for a healthcare visit, or when a patient is readmitted to a hospital for the same condition — possibly indicating a quality of care problem. 

Searls said that the Health Information Exchange actually promotes transparency. 

She said it will allow doctors and other healthcare providers to provide patients with a list of the organizations that have looked at their data. She also noted that patients may opt out of record sharing.

“One of the things that I like about Connie is, we’re not adding access that people didn’t have. What we’re doing is making [it] transparent and accountable,” said Searls. 

The exchange was touted by doctors, hospital executives and government officials at a recent press conference for its potential to save lives by providing doctors with critical patient information in the case of an emergency. They said it would also lower costs by reducing duplicative procedures. 

And Andrews told CT Examiner that she also believes the state needs a health information exchange. But she said that patients need to have confidence that their privacy is protected.

“People need to believe that it is secure and only the right people are seeing it,” she said.

Emilia Otte

Emilia Otte covers health and education for the Connecticut Examiner. In 2022 Otte was awarded "Rookie of the Year," by the New England Newspaper & Press Association.