State Strategies to Address Legal Barriers and Increase Information Flow Between Health Care Providers
Strategy 1: Fully Align State Privacy Laws With HIPAA Through Legislative Change
Several states have fully aligned their laws with HIPAA to simplify privacy laws and promote the streamlined exchange of health information. In recent years, states—including Hawaii, Kansas, Wisconsin and Utah—have passed legislation to allow providers and hospitals to exchange patient information in accordance with HIPAA, superseding all existing, more restrictive state privacy laws. Hawaii and Kansas had a patchwork of 50 and 200 state laws, respectively, before aligning with HIPAA.21 Click here for additional information on Kansas’ approach to full alignment with HIPAA.
Considerations for Full HIPAA Alignment
Although legislative alignment significantly simplifies a state’s legal framework, a potential drawback to pursuing HIPAA alignment is the difficulty in receiving buy-in from stakeholders. First, alignment with HIPAA may improve the flow of information, but it may not reflect the preferences of patients and privacy advocates in a state. These stakeholder groups may be concerned that alignment with HIPAA will undo the state’s previous safeguards against sharing of sensitive health information and lead to situations in which information will be shared against a patient’s will. Many laws that are intended to protect patient privacy were created to increase patient trust and engagement with the health care system, and some advocates fear that removing patient control will damage that trust.22
Stakeholder groups should be brought into discussions about the proper way to use data to improve care and outcomes while protecting patient rights and ensuring trust. Appropriate education is critical in enhancing advocates’ understanding of HIPAA as well as the new opportunities associated with exchange of health information to improve patients’ lives. Discussions should focus on the shared goal of better patient care and how improving the flow of information between providers is critical to preventing errors, misdiagnoses and complications.23
It is important to note that although HIPAA alignment can help solve barriers related to state privacy laws, it will not reduce confusion or difficulty surrounding Part 2. States considering full HIPAA alignment should couple this strategy with educational efforts to help providers understand not only the specific impact of legislative change to state privacy laws but also the legal landscape more broadly, including what is allowable under Part 2.
Strategy 2: Partially Align State Privacy Laws With HIPAA Through Legislative or Regulatory Change
In states where there is not sufficient interest in fully aligning with HIPAA, state leaders may consider a more targeted strategy of aligning only certain laws with HIPAA. The following are examples of approaches to partial HIPAA alignment.
HIPAA-Based Electronic Exchange
Some states have sought to reduce legal barriers by having different disclosure standards for electronic information versus paper records, phone calls and fax. In 2007, Nevada changed its public health and safety code to exempt HIPAA-covered entities from the state’s more stringent health information privacy laws when electronically exchanging information (if the electronic exchange complies with HIPAA). 24 Click here for additional information on Nevada’s approach to partial alignment with HIPAA. Ohio also has adopted this approach, amending its state code to ensure that information exchanged electronically, with certain exceptions, is not subject to any pre-existing state law based on confidentiality, privacy, security or privilege status provisions that are more stringent than HIPAA.25
Amendment of Select State Privacy Laws
In lieu of state legislation that explicitly overrides all state privacy laws to align with HIPAA, states can create legislation that amends language in specific laws to meet the HIPAA standard for certain categories of information. For instance, Colorado amended the Mental Health Practice Act in 2011 to exempt HIPAA-covered entities and their associates from the state’s previous statute requiring consent for any disclosure of mental health treatment information.26
Considerations for Partial HIPAA Alignment
Partial HIPAA alignment will not address all state laws or types of information sharing, but it can offer a solution to some pressing challenges inhibiting information flow. For instance, partial alignment that establishes less restrictive disclosure standards for electronic information sharing that align with HIPAA, as done in Nevada, may be an effective strategy for states given that providers commonly document and share information in an electronic format. Similarly, partial alignment that involves the amendment of a state law governing a primary category of health information—such as mental health information—may be impactful in improving information flow that facilitates more coordinated, whole-person care. It is important to keep in mind that, like full HIPAA alignment, partial alignment may raise concerns among privacy advocates and patients who feel that it reverses the safeguards that a particular state privacy law ensures. Engaging key stakeholders early and often can help mitigate such concerns.
Strategy 3: Create Standardized Consent Forms
Standardized consent forms have the potential to reduce provider confusion about what they can share under the law and help clarify patient rights and provider responsibilities. They minimize the burden on providers, who may currently be responsible for creating their own consent forms for information sharing, and can help reduce the significant variability in forms from practice to practice. A standardized consent form provides a “one-stop” approach to obtaining patient consent that is good for a certain period of time and that other providers will accept. In addition to reducing the burden on providers, this standardization can improve patient understanding of consent if the form clearly explains to patients what their consent means.
The creation of a standardized consent form requires input and buy-in from a diverse set of stakeholder groups, and the process can help foster greater trust in the information being shared. New York has created a standardized consent form to allow providers to obtain a one-time consent for information categories more protected than HIPAA.27 Similarly, Michigan has created a standardized consent form for sharing behavioral health information.28 Click here for additional information on Michigan’s approach to standardized consent forms.
Considerations for Standardized Consent Forms
Currently, no state mandates the use of a consent form, so provider buy-in is essential to ensuring that the form is actually used. If providers and their legal counsel are reluctant to adopt the form, relying instead on their own consent forms, there will still be issues with disparate consent forms and multiple consents. Michigan’s Department of Health and Human Services, which houses the state’s consent form on its website and promotes its use, has noted that an important strategy in reaching providers and legal counsel is emphasizing the value of information sharing for improved patient care.29 Stakeholders may have concerns about minimizing their risk, but ultimately the need to improve patient care was a unifying message.
Strategy 4: State Guidance and Education
One of the main obstacles to exchange of health information is concern among providers and legal counsel about what is allowed under federal and state law and associated fear of liability, particularly with regard to HIPAA (for further discussion of HIPAA, see Appendix B.)
States can consider issuing guidance to address such concerns and help providers better understand privacy laws. Such guidance could include frequently asked questions (or FAQs) or case studies that provide clarity on specific scenarios and areas of common confusion related to permissible exchange.30 For example, the New York State Department of Health posts a comparison chart on its website to show where HIPAA and state law differ and which law prevails.31 Guidance could also take the form of a letter from the state secretary of health to providers, hospital IT officers or hospital privacy counsels explaining the legal parameters of certain types of data exchange, such as ICD-10 codes or narrative notes. In addition, state agencies can conduct provider surveys and interviews so that they can better understand the challenges providers face, to focus guidance appropriately and provide examples based on actual questions.
Some state agencies have taken steps to connect providers to a wider array of resources and training materials. The Oregon Health Authority (OHA) has created a Behavioral Health Information Sharing Advisory Group that aims to help providers better understand what information sharing is allowed under federal and state law.32 Click here for additional information on Oregon’s approach to guidance and education.
Private or state-designated entities can facilitate education efforts, as well. In Kansas, the private HIO KHIN employed an extensive direct communication strategy to educate providers, hospitals and health networks about KHIN participation and best practices and to debunk incorrect assumptions and misconceptions about what can be shared under federal and state law.33 As another example, Arizona’s Health e-Connections HIO developed a toolkit to help providers understand the parameters of participation in the HIO as well as rules and regulations for sharing patient information.34
Considerations for State Guidance and Education
When conducting outreach and education, it is crucial to reach multiple branches of a provider organization or hospital’s leadership because of the varying priorities and responsibilities within a given organization that must come together to achieve the overall mission. Decision making and education efforts should, at a minimum, engage the organization’s chief information officer, legal counsel and head of population health efforts, all of whom have unique and important perspectives. If, for example, information sharing decisions were made exclusively by a privacy and compliance officer, that individual may prioritize privacy considerations above the ability to make accurate and timely health care decisions, which could significantly limit the ability to share information within and across systems, aggregate data for quality improvement and population health planning or meaningfully participate in VBP initiatives. Ultimately, the need to ensure the privacy and security of health information must be balanced with the need for adequate information flow to deliver the highest quality care, which requires the engagement of multidisciplinary teams in an organization, from physicians to staff registering patients at admission.