Governors Recommend Aligning State Privacy Laws with HIPAAMove Seen as a Way to Ease Health Information Exchange
The National Governors Association, in a new road map for improving nationwide secure health data exchange, proposes that states attempt to better align their privacy laws to the federal HIPAA Privacy Rule to help remove legal barriers.
Now that electronic health records are commonly used at most U.S. healthcare organizations, regulators are exploring how to encourage and ease the secure exchange of health data nationwide to help improve clinician decision-making and patient care outcomes.
The NGA's report, Getting the Right Information to the Right Health Care Providers at the Right Time: A Road Map for States to Improve Health Information Flow Between Providers, released on Dec. 9, was supported by funding from the Office of the National Coordinator for Health IT, says Lucia Savage ONC's chief privacy officer.
The NGA is a bipartisan organization of the nation's governors that's designed to promote visionary state leadership and share best practices with a collective voice on national policy.
ONC last year issued its own road map, Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Road Map.
"Multiple and diverse state laws for health information privacy and confusion about HIPAA often prevent health information from flowing where and when it is needed," Savage wrote in a blog.
"These barriers to the seamless and secure flow of electronic health information can also be exacerbated by organizational privacy policies that fail to take advantage of how HIPAA can support exchange of health information, or slow adoption of technical solutions that can help facilitate both privacy compliance and exchange," she says. "While we have worked with the [Department of Health and Human Services'] Office for Civil Rights to produce consumer-friendly resources to address some of these challenges, we know there is still work to do, particularly with our partners in state governments."
Obstacles to Secure Data Exchange
John Houston, vice president of privacy and information security and associate counsel at the University of Pittsburgh Medical Center, says widely varying state privacy laws do, indeed, act as a "significant barrier" to exchanging information.
"Some states are more protective regarding what information can be shared and what type of patient consent is required," he says. "This inconsistency can be very difficult to manage, especially in the context of the volume of records that are shared, as well as the automated systems that are employed to exchange the information."
The NGA report notes that many states have privacy laws pertaining to health information that are stricter than HIPAA, restricting disclosure of specific categories of information deemed to be sensitive, such as mental health and communicable disease information, without explicit consent from the patient.
"Further, hospital systems and provider groups are responsible for setting their own privacy policies, which vary and in some cases are more restrictive than federal or state laws based on narrow legal interpretation," the report notes. "Hospital systems and provider groups may apply a more restrictive interpretation of the law to avoid legal risks associated with improperly sharing patient information. The variable nature of hospital and other provider policies creates a further layer of complexity on top of federal and state laws and can be an additional barrier to sharing patient information."
Obstacles to Data Exchange
The NGA report notes that as a result of a variety of legal and market-based barriers, the exchange of clinical health information between providers either does not occur or occurs in a manner that does not allow for meaningful use of data to support optimal patient care.
The NGA roadmap makes a number of recommendations for possible strategies for overcoming barriers. For example, it recommends state consider:
- Fully aligning state privacy laws with HIPAA by passing a law that supersedes all more restrictive state privacy laws to allow providers and hospitals to exchange information in accordance with HIPAA;
- Partially aligning state privacy laws with HIPAA by amending select statutes to allow certain types of information, such as information exchanged electronically, to be exchanged in accordance with HIPAA;
- Creating standardized patient consent forms that provide a "one-stop" approach to gaining patient permission for sharing information;
- Issuing guidance and providing education to providers about how to comply with state and federal law, including clarifying legal intent and addressing common misconceptions.
Change Is Difficult
Some privacy and security experts say better alignment of state privacy laws with HIPAA would ease many of the problems that healthcare entities and health information exchange organizations encounter when sharing patient data across state lines.
But getting all 50 states to change their laws may be unrealistic.
"I suspect that certain states that have very demanding confidentiality laws will continue to push to keep their more demanding laws - just because," Houston says.
"I would love, love, love to see the state law[s] aligned with HIPAA," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "The problem today is primarily that there are just too many laws with too many provisions that we can't realistically understand in today's environment. They were passed often decades ago in very different environments to deal with specific limited problems. It is too complicated to figure out what these laws say, what they all are and how they compare to HIPAA."
If states would fully or partially align their privacy laws with HIPAA, data exchange likely would be less complicated for those attempting to securely pass along patient data to those in other states, UPMC's Houston says.
"As long as the laws are fully aligned - including for sensitive information - HIV, drug and alcohol treatment information, psychiatric information, etc. - it would make it easier and more predictable," he says. "Simply trying to determine what state laws are can be difficult. Then, making sure that a request complies with a state law can be difficult as well. Today, a hospital is dependent on the provider of the record to dictate what consents are required."
But Deborah Peel, M.D., a psychoanalyst and founder of advocacy group, Patient Privacy Rights, would like states to retain the ability to adopt privacy laws that are stricter than HIPAA.
"All states used to require consent before health data could be shared with other doctors," she says. "Retaining those laws, which trump HIPAA - which was, by law, designed to be the 'floor' for privacy, not the 'ceiling' - will ensure that patients are willing to talk freely with their doctors, who respect their rights to control the most personal information about themselves."
NGA's report notes that some states have already made changes in privacy laws to help promote secure health data exchange.
For instance, some states have sought to reduce legal barriers by having different disclosure standards for electronic information versus paper records, phone calls or faxes. Ohio, for example, has amended its state code to ensure that information exchanged electronically, with certain exceptions, is not subject to any state laws that are more stringent than HIPAA.
Houston says standardizing the process for gaining patient consent for sharing information across state lines, as the NGA suggests, also would be helpful. "However, depending on how specific the consent is, it may place a significant burden on providers to both track and ensure that the consent is being honored," he notes. "Therefore, the standard consent must also be 'practical.'"