This article is published in collaboration with Moxe Health.
Imagine you rented or bought a new house and, when setting up your utilities, the power company made you give them a pile of money, a physical credit card, checkbook, and access to your bank account. They’ll just take whatever is needed each month to cover your bill, and if you wanted to see your bill, you would need to pay them an additional $5 and get it mailed, faxed, or delivered on a CD.
This scenario sounds absurd, right? There’s no way this power company would have many happy customers.
Why the absurd scenario? Something similar can happen with healthcare data exchange. A vendor can say, “We’ll just send everything to requestors, and they’ll take only the data they need and are authorized to take.” An exchange vendor could also say, “Having an open pipeline of clinical data is too risky (agreed, by the way), so you need to filter the data before it leaves your electronic health record (EHR). Once you’ve provided us with the data that you’re OK sending, we’ll get it to the requestor.”
There are several big problems with both clinical data exchange scenarios. In the first scenario, you are putting a lot of trust in the people requesting and receiving the data. You’re not only trusting that their intentions are pure, but also that they understand and are adhering to all the federal and state rules and regulations surrounding clinical data as well as the policies and preferences of your organization. In this scenario, you’re also trusting that requestors are not in cahoots with those who have a vested interest in clinical data. It’s no surprise that clinical data is a hot commodity.
I don’t think you’d find many patients who are OK with providers sending their entire health record to all parties requesting data. Patients assume the organizations where they receive care are safeguarding their information to the best of their ability, not sending it out into the universe with a hope and a prayer that there will only be good, competent actors on the other end.
Now, let’s look at the second scenario, the “you do all of the hard work to give us the curated data, and we’ll serve as the delivery drivers” one. The problem here is that exchange vendors are asking provider organizations — who are stretched incredibly thin — to do the heavy lifting for them and monetize delivery and distribution. In this scenario, there are also likely missed opportunities for data contextualization and understanding, because no one (or machine) is looking at the data picture at a use-case or specific purpose level to deliver valuable insights that could aid in a patient’s care.
At this point, you may be saying, “That’s all well and good, but how can I figure out how a potential data exchange vendor will handle my organization’s data?”
Here are questions I’d encourage you to ask potential clinical data exchange partners so you understand their capabilities and commitments when it comes to data security and privacy.
Key Considerations When Looking for a Vendor
Before you ask these questions, a word of encouragement: Don’t be afraid to be annoying. It’s easy for vendors to give answers that make it appear that a solution checks all your boxes. If you are asking questions but getting vague answers, or someone is hesitant to get into the nitty-gritty details of how their technology works, please keep pressing on.
- What do you do to ensure that only the right information is shared?
  How will a potential vendor safeguard your data? Will they only serve in a “delivery driver” role, putting the onus on your organization or the requesting organization to do the data filtration and any data contextualization for them? What access controls do they have in place to ensure data is safeguarded and only shared with those authorized to obtain it?

- Who else do you share data with? Who are you authorized to share with? Who are they authorized to share with?
  Follow data down the pipeline to fully understand where it could end up. Is the vendor a truly neutral party, or do they have a financial interest in sharing data with others, like pharmaceutical companies? Will the data remain in the United States, or could it end up in other countries and be governed by those countries’ privacy laws? How would your patients feel if they knew their data was being monetized for purposes outside their care and treatment?

  Related to this, ask how many of their employees will have access to your data. What will they do with that access? Ideally, from a privacy and security perspective, you want as little human interference with your data as possible.

- What kind of security and privacy audits have you done? What are your results?
  While your organization may have its own security questionnaire, a third-party audit that looks at data security and trust principles will give you a more complete picture. Ideally, data exchange partners should complete a System and Organization Controls (SOC) 2 Type II and/or Health Information Trust Alliance (HITRUST) audit annually.

  Another important question related to this one: Have you employed any outside organizations to help you achieve any of your certifications? An organization employed by your potential vendor has a vested interest in helping the vendor achieve whatever certification they are being paid to help them achieve. If a vendor is using an outside organization to aid in obtaining a certification, can you trust that organization is an honest, neutral party?

  It’s one thing for a prospective vendor to tell you they’re committed to securing your data and protecting patient privacy; it’s another to have a third party tell you how they accomplish that. Any potential vendor should expect you will want to see a third-party audit.

- How do you ensure you can meet all your turnaround times/commitments?
  Is the vendor using humans to process records? Even the most skilled employees can only process about 10 records per hour. Comparatively, a 100 percent digital solution can process thousands of records per hour. Vendors who use computers to process records can easily handle spikes in request volumes; how do vendors that rely on people for processing requests handle those spikes?
These are just four questions I believe are critical to ask any potential data exchange vendor. Hopefully, you have a much more extensive list of questions to ask that are tailored to your organization’s specific circumstances.
Don’t be afraid to ask tough questions and push potential vendors to give detailed answers. When patient privacy and information security are at risk, you can’t be too careful!
Mike Arce is chief administration officer for Moxe Health. He joined the company in 2015 and has played a significant role in growing the company and advancing solutions.
About Moxe Health
Moxe connects the healthcare ecosystem with high-quality, precise, actionable data to drive meaningful collaboration. Compatible with the leading EHRs, the company helps providers securely share necessary data in a compliant, privacy-minded manner.