December 1, 2015

Variation in State Privacy Laws

Travis Good, MD

Co-founder & Chief Technology Officer

Now that the turkeys have been stuffed and our shopping bags have been filled, it’s back to business and time to continue the conversation from our last post, Insufficiencies in Standards for EHR Interoperability. Moving on to the next item on GAO’s list, we tackle the second preeminent challenge the industry faces in achieving true interoperability – variation in state privacy laws.

You may recall a post from July titled Fifty States of HIPAA, which discusses what may be advantageous to the standardization of HIPAA in response to Chilmark Research’s post HIPAA Must Die. With the topic now resurfacing, a strong argument for this standardization can be made when considering the national interoperability initiative.

Washington, Oregon, Idaho and Utah – what do they have in common? Geographically they are similar, but if you’re looking at their respective state privacy laws, not very much. With HIPAA enacted, a precedent is set, but it is one of complete subjectivity. For example, consider the differences in granting individuals access to medical records:

Washington – Health care providers must permit a patient to examine or copy his or her recorded health care information no later than 15 days after receiving a written request.

Oregon – Individuals in Oregon have the right to access and review their own protected health information. Or. Admin. R. 847-012-0000: A physician must permit a patient to inspect, or must provide a copy or summary of the patient’s medical record within 30 days after receiving a request.

Idaho – No law specifically grants individual access rights, so HIPAA applies.

Utah – Non-covered health care providers must permit a patient to inspect or obtain a copy of his or her records unless access is restricted by law or judicial order. Providers must comply with HIPAA deadlines when providing a copy of a patient’s records.

Other differences will have a greater effect on the interoperability initiative. Some states require further patient consent when exchanging sensitive health data such as mental health information or HIV status. One representative in the GAO report even stated that they do not include any mental health information in their patient health records, regardless of patient consent, due to sensitivity about being in violation of privacy rules.

As previously stated, the initiatives reported upon are nowhere near complete; the representatives came to the consensus that further action must be taken to fully address the challenges posed by these variations. More explicitly, it was said that ‘education on or federal guidance about the application of privacy laws and liability issues would reduce confusion and increase willingness to exchange information across state lines.’ It also seems that the key difference between state regulations revolves around patient consent, so standardization around this should be strongly considered.

Look for future posts exploring the other three initiatives in the near future, or simply subscribe to our blog to receive email notifications when new posts are published.

What are your thoughts on the barriers to interoperability? Share them with us by sending us a tweet or email.
