Recently, we received an interesting question – “Are there ‘state-specific’ rules for patient data privacy, possibly different than the Health Insurance Portability and Accountability Act (HIPAA)? How do these rules affect compliance and care delivery?”
All health care provider organizations, health care clearinghouses, and their business associates are required to follow HIPAA rules (see HIPAA: The Final Act). But there are also “state-specific” rules for privacy compliance – what some have termed “Baby HIPAAs” because they also govern much of the same protected health information as the federal regulation. And every state has its own set of privacy regulations that govern access to protected health information, and the use, collection and disclosure of that information. This includes things like privacy and confidentiality, licensure laws, maintenance of patient medical records, and what medical records need to include.
The key is that – like any state and federal law governing the same activity – the rules can be different; they just can’t be in conflict. For example, states can have more stringent rules, or rules that cover very narrow groups of payers, consumers, or providers. In general, HIPAA preempts state law (see Laws and Regulations Governing the Disclosure of Health Information), except when one of the following conditions is met:
- A provision in state law is more stringent than the federal rule
- An exception is made by the secretary of Health and Human Services
- The state law relates to public health surveillance and reporting
- The state law relates to reporting for the purpose of management or financial audits, program monitoring and evaluation, and licensure or certification of facilities or individuals
How many total laws are there? The short answer is, a lot. According to Health Information & The Law – A project of the George Washington University’s Hirsh Health Law and Policy Program and the Robert Wood Johnson Foundation – there are 1,455 state laws for privacy and confidentiality alone, leading to a wide variation in statutes. For example, Oklahoma has one law in place for privacy (the disclosure of substance abuse treatment records), while New York has 113 different privacy laws (see Health Information & The Law: States).
A multi-year, ongoing effort by the Health Information Privacy & Security Collaboration (HISPC) has found, when reviewing state privacy laws and regulations, that those laws are frequently antiquated, paper-based, and in conflict with electronic health information exchange (see Harmonizing State Privacy Law). If you’re operating in a single state, you’ve probably incorporated these state-specific regulations into your standard operating procedures. But if you operate (or are planning to operate) in more than one state, complying with the unfamiliar regulations of the other states can be close to impossible.
To help “smooth over” that challenge, the Office of the National Coordinator for Health Information Technology (ONC) provided a draft “roadmap” to achieve basic electronic health data interoperability by 2017 (see Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap and Federal Health IT Coordinator Sets 2017 As Deadline For Interoperable EHRs). This “roadmap” won’t replace state laws, but it attempts to make health information exchange easier by providing an “interoperable health IT ecosystem” that makes data, including protected health information, available despite “disparate products and organizations” – including varying state laws. The ONC defines interoperability as “the ability of a system to exchange electronic health information with and use electronic health information from other systems without special effort on the part of the user.”
The ONC’s draft roadmap highlighted four critical actions that must take place:
- Establish a coordinated governance framework and process for nationwide health information technology interoperability
- Improve technical standards and implementation guidance for sharing and using a common clinical data set
- Enhance incentives for sharing electronic health information according to common technical standards, starting with a common clinical data set
- Clarify privacy and security requirements that enable interoperability
Will this work? The ONC is very up-front that “it is not realistic to suggest that all health information needs will be met with a single electronic health information sharing approach.” And I do not expect that the different state statutes are going away – but if smoothing over the “special effort on the part of the user” is what it takes to keep up with hundreds of different laws, it’s a step in the right direction.
The ONC finalized this plan in October, in a move that Tom Sullivan, Editor-in-Chief of Healthcare IT News, describes (see ONC reveals final interoperability roadmap) as the ONC’s intent to “enable the sending, receiving, finding and using of health data domains with an eye on improving care quality and outcomes…expand data sources and increase the number of users to create healthier populations at a lower cost…[and] build a learning health system by 2024.”
My colleague Nic Cuccia provided some perspective on the compliance issues and the challenge this places on organizations’ care delivery – he writes:
This is an interesting topic, and a common complaint from customers with regard to the prohibitive nature of HIPAA compliance overall and “Baby HIPAAs” specifically. Many companies overdo it in order to be all things to all regulatory entities – the Office of the National Coordinator for Health Information Technology (ONC) included – and end up with workflow that leads to MORE errors, and decreased compliance, security, and quality of service delivery. I work with organizations on data governance and process analysis, and that is really centered around “undoing the overdoing” of compliance processes they have put in place over the years. Some organizations have dug themselves quite a hole.
It’s too early to tell if this ambitious goal will work, but according to a recent survey by Scrypt, only 46% of health care providers have “some” confidence that the industry can meet the above goals, and 23% have no confidence of that at all (see Majority of Providers Confident in HIPAA Compliance Policies). I expect it will take a lot more buy-in than that – and in the meantime, provider organizations will have to continue navigating a list of different, state-specific rules with significant effort on their part.