(Revised 1/6/2023; 1/23/2023; 2/11/2023; 3/27/2023; 4/20/2023 – The CT HIE, known as Connie, is new and many aspects of its operations are still in flux. Further, the information I provide is only as good as the information I receive. As I gather new information that contradicts or clarifies old information, I will update this article.)
Connecticut is the 46th state to launch a state-wide health information exchange (HIE). To be truly effective in achieving an HIE’s goal of improving the quality and reducing the cost of healthcare, virtually all healthcare providers in the state must participate in the HIE. And that’s what Connecticut law requires.
The deadline is approaching for Connecticut-licensed healthcare providers to register to participate in the HIE. Many providers, however, have questions and concerns about participating. This is especially true of smaller practices and behavioral health and substance use disorder providers regarding the connection process and the confidentiality of certain records. I will address those issues here as well as provide important background information.
What’s a Health Information Exchange?
A health information exchange “allows doctors, nurses, pharmacists, other health care providers and patients to appropriately access and securely share a patient’s vital medical information electronically—improving the speed, quality, safety and cost of patient care,” according to HealthIT.gov. The idea is this: put everyone’s health records in one place so that healthcare providers can access that information immediately instead of waiting for providers to transfer records.
CT’s HIE: Connie
The state established a separate non-profit legal entity, Health Information Alliance, Inc., to operate Connecticut’s HIE, known as “Connie.” Connecticut law requires that all Connecticut-licensed healthcare providers connect with Connie. Hospitals and clinical labs had to begin the process by May 3, 2022. All other healthcare providers have until May 3, 2023.
Connie is based on technology used widely in other state HIEs. That technology is HITRUST certified, which confirms compliance with strict security rules including HIPAA privacy and security requirements. Policies and procedures from the Office of Health Strategy (OHS) govern Connie’s operation until OHS adopts regulations.
Pros and Cons of an HIE
There is a lot to like about an HIE. Quick and easy access to all of a patient’s health information certainly improves efficiency of treatment and collaboration between providers. And that’s critically important.
On the flip side, HIEs raise some concerns. Like with many technologies convenience and efficiency come with some level of risk. Quick and easy access to all of a patient’s health information by a larger number of individuals increases the chance of inappropriate access. Fortunately, this risk can be managed through rigorous access controls, regular and random audits and sanctions for inappropriate access, as well as other risk management measures. Connie indicates that it will implement adequate risk management measures, although to date, Connie has produced only an 18-page policy and procedures manual that provides very limited information on such measures.
Other concerns involve the impact on healthcare providers without IT infrastructure or large, commonly used electronic health record systems like Epic, or those providers with behavioral health or substance use disorder records subject to privacy laws stricter than HIPAA. The remainder of this article will explore these concerns and offer guidance for ensuring compliance.
I reached out to Connie to discuss the above issues and found that the staff willing to engage and incredibly helpful. I believe that providers will have the same experience.
What Does the Law Require?
The law (CGS §17b-59e) requires that, by May 3, 2023:
(1) each health care provider with an electronic health record system capable of connecting to, and participating in, [Connie] shall apply to begin the process of connecting to, and participating in [Connie] and
(2) each health care provider without an electronic health record system capable of connecting to, and participating in [Connie] shall be capable of sending and receiving secure messages…
The law does not impose any other explicit requirements on providers. In fact, the statute does not require sharing data of any kind. I will flesh out what this means below.
What Exactly Must Happen by May 3, 2023?
On or before May 3, 2023, all licensed healthcare providers in Connecticut must begin the connection process. Beginning the connection process simply involves completing Connie’s on-line connection form by May 3, 2023. The connection process has many steps including signing legal documents (like a Business Associate Agreement with Connie) and addressing technical requirements.
The legal document that Connie expects providers to sign is lengthy and contains many provisions that require careful consideration before signing. Providers should consult with legal counsel before signing any legal documents with Connie. This does not change the fact that providers must sign Connie’s on-line connection form by May 3, 2023 to meet the legal requirement to begin the connection process.
The entire connection process could take several months. For providers using electronic health record systems (EHR) already connected to Connie, the process will move more quickly. For information on connected EHRs visit Connie’s regularly updated list here.
What if the EHR My Practice Uses is not Currently Connected to Connie?
Connie staff will work with all providers to attempt to get EHRs connected. This may require the provider to contact their EHR vendor and ask about connection with an HIE. If the EHR vendor provides services in other states, chances are that the EHR vendor has experience with connecting to an HIE.
If Connie cannot ultimately connect to the EHR you use, you will be treated as a provider “without an electronic health record system capable of connecting to, and participating in [Connie].” (See next section).
Providers should not have to incur substantial costs or spend an unreasonable amount of time to facilitate connection. It is important that providers check with their EHR vendors to determine whether there will be any cost to the provider for the initial connection to Connie or for continued participation in Connie.
What if My Practice has an EHR that Cannot Connect to Connie or Maintains Only Paper Records?
Healthcare providers that use an EHR that cannot connect to Connie, or those without an EHR are not exempt from compliance. These providers must have (or implement) the capability to send and receive “secure messages that comply with the Direct Project specifications published by the federal Office of the National Coordinator for Health Information Technology.” Unfortunately, these specifications are not user-friendly.
According to Connie, providers will set up a “direct email address” through Connie – by doing so, providers will meet the requirement to have the capability to send and receive secure messages in compliance with the specifications.
Providers without an EHR will NOT be required to transmit records to Connie. The use of the secure email will be for communicating information with other providers when the sending provider deems it appropriate. This is an important clarification from earlier versions of this article.
Notably, providers will need to undergo an identity verification process to set up the secure email account. This requires confirmation of personal information such as name and Social Security Number.
Connie also mentioned to me that practices without an EHR that can connect to Connie are able to enjoy some of the patient care benefits of an HIE by establishing an account with the Connie portal. Portal access would allow providers greater access to their patients’ records, encounters, and health history. This is voluntary and not necessary to meet the mandate. Moreover, it likely will require the execution of a lengthy contract.
Again, providers must complete the connection form by May 3, 2023 even if they do not have an EHR.
How is this Data Sharing Permitted under HIPAA?
Healthcare providers are permitted to share protected health information (PHI) with an HIE like Connie in the same manner that healthcare providers can share PHI with others that are carrying out a function on behalf of the provider: through a business associate relationship and a business associate agreement (BAA). Here, Connie is providing the platform in which licensed providers must participate to facilitate the treatment of patients. The BAA between Connie and the provider must contain all the standard provisions.
As a business associate, Connie must comply with all the same HIPAA Security Rule requirements applicable to healthcare providers. As noted above, the technology Connie uses is certified to meet strict confidentiality standards including HIPAA standards. Connie must also comply with several of the HIPAA Privacy Rule requirements, like the concept of minimum necessary and responding to patient requests for an accounting of disclosures.
Once the data is available in Connie, as permitted under HIPAA, other healthcare providers with approved access can retrieve PHI as needed through the HIE for treatment, payment or healthcare operations purposes. One notable exception is the very narrow category of records knows as “psychotherapy notes” under HIPAA, which are subject to a heightened standard.[i]
Additionally, as discussed below, providers must ensure that they do not release to Connie certain types of PHI that receive greater protection under other laws without meeting the requirements of those laws. In some instances, providers cannot share information for treatment purposes without patient consent. That is the case for most behavioral health and substance use disorder records.
Are Behavioral Health Records Required to be Included?
By way of background, Connecticut law provides greater protection for behavioral health records than HIPAA. Unfortunately, those state laws are clunky and organized by license type making their application difficult.
For example, the statutes that apply to licensed marriage and family therapists (LMFTs) and licensed professional counselors (LPCs) do not permit the providers to share records for treatment purposes. By contrast, the psychiatrist and social worker statutes allow for disclosure for treatment purposes but only after the provider determines that such disclosure is necessary to accomplish treatment or diagnosis goals and the provider must notify the patient.
I asked Connie about managing these differences. Connie responded that “[p]roviders are required to submit only those medical records that they have determined they are legally-permitted to disclose to Connie.” In other words, the ball is in the providers’ court on this one.
For now, it may be best to take a conservative approach. Specifically, providers should conclude that they can legally share behavioral health records with Connie only where the law permits sharing for treatment purposes without any consent or notice to the patient. For most behavioral health providers, this means that you need patient consent or to notify a patient that information is being shared for treatment purposes. In other words, records and communications related to treatment cannot be disclosed to Connie when the patient has not consented or been notified.
To assist, below is a chart of the various behavioral health provider license types and a summary of the relevant part of the confidentiality law that applies.
|License Type||Sharing for Treatment Purposes|
|Psychiatrist||The psychiatrist determines that the disclosure is needed to accomplish the objectives of diagnosis or treatment so long as the patient is informed that the records will be disclosed; not even identity can be disclosed. All other disclosures require patient written consent.|
|Psychologist||Need consent to disclose in civil and criminal actions, juvenile, probate, commitment, and arbitration proceedings (including proceedings preliminary to such actions or proceedings) and legislative and administrative proceedings (includes forensic evaluations tied to any kind of proceeding); can be shared for treatment purposes.|
|LMFT||No ability to disclose for treatment purposes without patient consent.|
|LPC||No ability to disclose for treatment purposes without patient consent.|
|LCSW/LMSW||The LCSW determines that the disclosure is needed to accomplish the objectives of diagnosis or treatment so long as the patient is informed that the records have been disclosed. All other disclosures require patient written consent.|
It is important to note that the statute requiring connection to and participation in Connie does not explicitly mandate or require providers to share patient information. As a result, even though some of the behavioral health confidentiality laws permit the disclosure of behavioral health information when mandated by statute, no such mandate exists here.
This is an area in which I think we will see more guidance. I am hopeful that Connie will explicitly acknowledge that behavioral health practitioners do not need to connect to Connie but, instead, they will be treated like a provider without an EHR. In that case, the provider would need to establish a secure email account with Connie for direct messaging with other treatment providers and can share information on an individual basis when permitted by law. But that’s just my hope.
None of this, however, should delay a provider’s initiation of the connection process with Connie. Again, all licensed healthcare providers must begin the connection process by May 3, 2023.
Are 42 CFR Part 2 Records to be Included?
Connie will provide a “Substance Use Disorder Treatment for Facilities Regulated by 42 CFR Part 2 Attestation Form” during the legal document process. If the provider is not subject to 42 CFR Part 2 (Part 2 Provider) and it does not collect Part 2 records from a Part 2 provider, it will select option 1. Unfortunately, Connie provides no option for non-Part 2 providers who collect Part 2 records. The Part 2 restrictions remain with the records when transmitted to a non-Part 2 provider. It is unclear how Connie will manage this category.
Option 2 is for Part 2 Providers that can ensure that no Part 2 records are sent to Connie. Part 2 Providers that cannot ensure that no Part 2 records are sent to Connie must select option 3.
Option 3 is the best option if the provider offers services in addition to substance use disorder treatment and it is possible that Part 2 records could be transmitted to Connie along with other records. For example, for a federally qualified health center that qualifies as a Part 2 provider, its primary care records about a patient also receiving medication assisted substance use disorder treatment may be considered a Part 2 record. It would be difficult to separate out those records.
If a Part 2 Provider is less than certain about avoiding the transmission of Part 2 records to Connie, it is best to select option 3. Option 3 will trigger Connie to enter into a qualified service organization agreement (QSOA) with the provider, which is required before a Part 2 Provider can share records with another organization to provide certain services. A QSOA is like a BAA.
If a QSOA is implemented, Connie explained that the following process would apply:
Organizations that sign the QSOA (along with Connie’s regular data sharing agreements) can send a patient panel to Connie (at this time, Connie is only accepting patient panels from those organizations). Sharing a patient panel enables Part 2 providers to see their patient’s clinical data in the Connie portal. For these organizations, Connie takes additional measures to protect data including flagging the provider as needing to comply with 42 CFR Part 2 rules, blocking the provider from showing up on the patient’s care team, and aliasing the name of the provider to further hide the patient’s connection to the program.
This solution, however, works only for providers performing only substance use disorder treatment services. Providers offering services in addition substance use disorder treatment will not easily be able to provide just patient panel information for substance use disorder treatment patients. They will also struggle to strip substance use disorder treatment information out of other records. In the QSOA, the provider agrees to provide only patient panel information for substance use disorder treatment information. Therefore, providers with records containing substance use disorder treatment information along with other information should not share those records.
What if a Patient Does Not Want Their Data Shared?
Patients will have the option to opt-out of Connie, but they must do so with Connie directly and Connie will manage the opt-outs. Providers should direct patients to Connie’s website for opt-out information. In terms of addressing patient concerns about opting out with Connie instead of the provider, Connie offered the following:
[W]e believe that managing the opt outs at Connie provides patients with a more efficient process. Patients register their opt-out decision one time through the Connie website and do not have to register their opt-out decision with each provider. Similarly, patients can revoke their consent decision once without having to go back to each provider to update their decision.
What are the Penalties for Non-compliance?
The statute does not address penalties for non-compliance, however, the forthcoming regulations from OHS may answer this question. Because the trigger for compliance is licensure in Connecticut, it is reasonable to conclude that failure to comply may impact license renewal.
We will continue to learn more as May 3, 2023 approaches. Providers should not hold off on initiating the connection process. Completing the connection form by May 3, 2023 will satisfy providers’ obligation under the law. Providers should not rush, however, to sign any contracts with Connie. Take the time necessary to consider the implications of any agreements and seek the advice of legal counsel.
Special thanks to Connie’s staff and legal counsel for taking the time to share insights and information with me.
[i] Psychotherapy notes are a very narrow subset of clinician notes that: (1) must be totally separate from the other records; (2) document or analyze the contents of conversation during a private counseling session; and (3) do not include prescriptions, dates and times of service, modalities of treatment, clinical test results and summaries of diagnosis, functional status, the treatment plan, symptoms, prognosis, or progress to date. Only EHRs set up specifically to maintain psychotherapy notes have records that can meet this definition. The fact that notes reflect a psychotherapy session does not make the notes “psychotherapy notes” under HIPAA.