State Law Challenges

The variety of state health privacy laws that layer on HIPAA can add complexity and create confusion about the sharing of health information within states and among providers. State laws governing the sharing of health information form a patchwork that differs from one state to the next. As a result, information sharing either does not take place, because providers or HIOs do not believe they can comply with every law that applies to the exchange, or it occurs only at great cost and complexity, consuming resources that could otherwise be devoted to other purposes. Specific challenges are discussed below.

Burdensome Consent Requirements

Even when patient information can legally be shared with patient consent for purposes of improving the quality and efficiency of care, the requirement to obtain and document patient consent can be difficult for providers, who may not feel comfortable explaining consent to the patient and may not have time to ensure that the information is shared in accordance with the law.94

Confusion, Misinterpretation and Restrictive Interpretation of Laws

The intent of state health privacy laws is often a source of confusion for providers and organizations. State laws may include terms that are left undefined and unclear. For example, state laws may allow the sharing of information without patient consent “when necessary for treatment”95 or “when it is in the best interest of the patient.”96 Such terms can be ambiguous and may be difficult to interpret, particularly if that interpretation occurs on a case-by-case basis by hospitals and providers without reliance on IT systems that can automatically adhere to the patient’s predefined consent preferences. Furthermore, generalized terms are especially challenging to interpret when operationalizing electronic information systems.97 There may be confusion about whether legal language covers different components of the medical record, such as prescription drug codes or codes showing a referral to a behavioral health practitioner. HIPAA, in contrast, clearly defines the exception it creates for “psychiatric notes separately maintained.”
Hospital systems and provider groups are responsible for setting their own privacy policies, which can vary based on their interpretation of the law. These entities may apply a more restrictive interpretation of the law to avoid legal risks associated with improperly sharing patient information. The variable nature of hospital policies creates a further layer of complexity on top of federal and state laws and can be an additional barrier to sharing patient information.

Complicated Technology

Creating health information systems that are compatible with the intricacies and variability of state laws is difficult and adds costly complexity to establishing an interoperable EHR or HIO platform. Providers and technology are far from achieving the goal of computable privacy, in which technology is able to consistently capture, communicate and process patient choices for where their data should flow while at the same time operationalizing compliance with applicable laws.98

One solution is the creation of data segmentation capabilities in EHRs. “Data segmentation” refers to the use of technological applications, such as electronic labeling or tagging, to allow an individual or entity to share only certain segments of a patient’s record. Given that it is a relatively new mechanism for separating information according to consent preferences, many providers do not yet have the technology required to segment data, although this may change with the introduction of the new optional Data Segmentation for Privacy (DS4P) standard for certified EHRs in 2018.99 The DS4P standard applies to both sending and receiving data, and EHRs that use this standard would provide the technical capability to enable a sending provider to tag a record and a receiving provider to recognize that tag. The tag would alert the provider to sensitive data in the record and the need to follow appropriate state or federal law when accessing the information. The standard is optional, however, and providers would need to request that their vendor include the capability in their EHR.100
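As an added illustration (not code from the original text or from any DS4P implementation), the following constructed Python model shows the tag-on-send, recognise-on-receive flow described above: the sending side labels legally sensitive segments and applies the patient's predefined consent preferences, and the receiving side recognises the tag and raises an alert. The label values, the `consent` mapping and the sample record are assumptions made for this example; a certified EHR would carry standard confidentiality and obligation codes instead.

```python
from dataclasses import dataclass

# Constructed, simplified stand-ins for the labels a DS4P-capable EHR would
# attach (assumption: real systems use standard HL7 vocabularies, not these).
NORMAL = "normal"
RESTRICTED = "restricted"
NO_REDISCLOSURE = "no-redisclosure-without-consent"


@dataclass(frozen=True)
class Segment:
    kind: str                 # e.g. "medication", "progress_note"
    content: str
    sensitivity: str = NORMAL
    obligations: tuple = ()   # obligations the receiver must honour


def tag_record(segments, sensitive_kinds):
    """Sending provider: label every segment whose kind is legally sensitive."""
    return [
        Segment(s.kind, s.content, RESTRICTED, (NO_REDISCLOSURE,))
        if s.kind in sensitive_kinds else s
        for s in segments
    ]


def release_for(tagged, recipient, consent):
    """Sending provider: untagged segments always flow; restricted segments
    flow only where `consent` (recipient id -> bool) permits it."""
    return [
        s for s in tagged
        if s.sensitivity != RESTRICTED or consent.get(recipient, False)
    ]


def receive(record):
    """Receiving provider: recognise tags and raise one alert per restricted
    segment so the clinician knows the applicable law must be followed."""
    alerts = [
        f"{s.kind}: restricted ({', '.join(s.obligations)})"
        for s in record if s.sensitivity == RESTRICTED
    ]
    return record, alerts


# Constructed sample record (not real patient data) and consent preferences.
SAMPLE = [
    Segment("medication", "lisinopril 10 mg daily"),
    Segment("behavioral_health_referral", "referral to behavioral health practitioner"),
    Segment("progress_note", "BP controlled, follow up in 3 months"),
]
SENSITIVE_KINDS = {"behavioral_health_referral"}
CONSENT = {"clinic-b": True}   # patient permits restricted data to flow to clinic-b only
```

Running `receive(release_for(tag_record(SAMPLE, SENSITIVE_KINDS), "clinic-b", CONSENT))` returns the full record with one alert, while a recipient absent from `CONSENT` receives only the untagged segments and no alert.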

Interstate Data-Exchange Issues

There are many instances where health information needs to flow between providers in different states. For instance, neighboring states may have residents who live on the state border and travel across state lines frequently to receive care, or individuals may travel to another state, experience a health crisis and require care in that state. In addition, providers and hospital systems that have locations in multiple states are subject to each state’s laws. In these situations, providers and health systems may adopt policies that adhere to whichever state has the most protective policies, in order to minimize risk and avoid administrative and technical complexity. This approach can significantly restrict the flow of critical information between providers.