When drawing up plans for Florida HIE, the folks building it made the decision to leave the data where it already resided: With the participants.

“One of the issues is that Florida is a pretty conservative state and there was a lot of fear from the physicians that their data would be harvested and sold,” said Florida HIE program director Janet Hofmeister. “Generally, they feel strongly that the data is theirs, they want to keep control of it, and they don’t want people having the ability to share it without their consent.”

[Q&A: On the inevitability of an HIX delay.]

That sentiment might be even more prevalent than expected in the provider community. Almost lost among the stunning data breach statistics the Ponemon Institute uncovered with its third annual study on Patient Privacy and Data Security are some brow-raising findings about how mightily privacy and security concerns weigh on providers considering joining an HIE.

Indeed, 66 percent of the 80 healthcare organizations Ponemon Institute surveyed in its field research indicated having only some or no confidence in the security and privacy of patient data in HIEs.

What’s more, even among those healthcare entities Ponemon researched that are involved with an HIE, 34 percent of responding organizations are not confident that patient privacy can be maintained in that kind of IT environment.

“Health information exchanges really sound like a good idea, and it’s being pushed pretty heavily by our federal government but we’re basically seeing that 35 percent of responding organizations have no plans to become a member of a health information exchange,” said Larry Ponemon, chairman of the Ponemon Institute.

To address security concerns, Florida HIE works with physician practices, health networks, and payers to institute privacy and security best practices on both its Direct secure messaging and patient lookup services. The health systems that join have to meet certain requirements for different levels of security and most of the large hospitals are “very aware of HIPAA and have those security controls in place,” Hofmeister explained. 

But for the multitude of small and mid-tier providers, privacy and security present a challenge because often those providers lack a budget or IT talent to implement a system that would meet those requirements, said Scott Lundstrom, group vice president of IDC Health Insights.

With an eye on the future, Florida HIE is looking to bring in EHR vendors, Hofmeister said. Lundstrom noted that is a common approach, wherein “integrated delivery networks are using HIEs to create a single view of the patient across their payer and provider business.”

Indeed, there’s little doubt the model is gathering momentum. Whether privacy and security issues will prove to be the biggest HIE stumbling block, and one that ultimately scares off a large percentage of providers, is likely to remain unresolved for the foreseeable future.

[See also: HIT guru reflects on data breach, right way to respond]

“It’s a difficult question,” Florida HIE’s Hofmeister said. “Security and privacy have to be handled at the point the patient is seen.” That’s because patients have to understand that their data will be queried if they allow it, Hofmeister added, and of course they have to sign the requisite HIPAA forms. 

But Ponemon’s report – which found that during the last two years 94 percent of hospitals have experienced a data breach and 45 percent of those had 5 data breaches – is not likely to allay any privacy and security fears.

“So the general provider view,” Ponemon explained, “is that health information exchanges need to be seen as secure and safe before gaining wider-scale adoption.”