Privacy & Security for RHIOs/HIEs

Information and data exchange is a critical to the delivery of quality patient care services and effectiveness of healthcare organizations. The benefits of appropriate sharing of health information among patients, physicians, and other authorized participants in the healthcare delivery value chain, are nearly universally understood and desired. A RHIO, or regional health information organization, is a group of organizations with a business stake in improving the quality, safety and efficiency of healthcare delivery that comes together to exchange information for these purposes. The terms RHIO and Health Information Exchange, or “HIE, are often used interchangeably.

RHIOs must maintain the privacy and security of protected health information (PHI) and must do so in a manner that complies with the Health Insurance Portability and Accountability Act (HIPAA) privacy and security standards. This is true despite the fact that these standards will not apply directly to most RHIOs, because most RHIOs will not be covered entities. However, covered entities that participate in a RHIO by either providing data to the RHIO or obtaining data from the RHIO must comply with the privacy and security rules and will want to ensure compliance by the RHIO. Accordingly, RHIOs must build information privacy and security into both their technology and business processes.


HIMSS and AHIMA recently have formed a joint work group responsible for development of a white paper focused around privacy and security within the HIE environment. This white paper will be provided free to the general public and published in the HIMSS Privacy and Security Toolkit and will made available in the HIE resources and tools section of the HIMSS and AHIMA websites . Look for more information to come, or contact:

Staff Contacts:

Pam Matthews, Sr. Director, Healthcare Information Systems
Phone: (706) 838-0583

Lisa A. Gallagher, BSEE, CISM, CPHIMS
Senior Director, Privacy and Security
(703) 562-8816

Reports, White Papers