Examples of State Strategies to Address Legal Barriers and Increase Information Flow Between Health Care Providers
Kansas: Full Alignment With HIPAA
In Kansas, the Kansas Health Information Technology Act of 2011 aligned the state’s laws with HIPAA, superseding the state’s previously existing health privacy laws. The language used in the law is as follows:43
KSA 65-6823. Kansas health information technology and exchange act; purpose.
(a) It is the purpose of this act to harmonize state law with the HIPAA privacy rule with respect to individual access to protected health information, proper safeguarding of protected health information, and the use and disclosure of protected health information for purposes of facilitating the development and use of health information technology and health information exchange.
65-6825. Same; use and disclosure of protected health information.
(a) No covered entity shall use or disclose protected health information except as follows:
(1) Use and disclosure of protected health information consistent with an authorization
that satisfies the requirements of 45 C.F.R. 164.508;
(2) use and disclosure of protected health information without an authorization as
permitted under 45 C.F.R. 164.502, 164.506, 164.508, 164.510 and 164.512; or
(3) use and disclosure of protected health information as required under 45 C.F.R. 164.502.
Nevada: Partial Alignment With HIPAA for Electronic Exchange
In 2007, Nevada changed its public health and safety code to exempt HIPAA-covered entities from the state’s more stringent health information privacy laws when exchanging information electronically as long as the electronic exchange complies with HIPAA. The following is an excerpt of the Nevada statute:
NRS 439.538 Electronic transmission of health information: Exemption from state law concerning privacy or confidentiality of certain health information; ability of person to opt out of electronic disclosure of certain health information.44
1. If a covered entity transmits electronically individually identifiable health information in compliance with the provisions of:
(a) The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191; and
(b) NRS 439.581 to 439.595, inclusive, and the regulations adopted pursuant thereto, which
govern the electronic transmission of such information, the covered entity is, for purposes of
the electronic transmission, exempt from any state law that contains more stringent requirements
or provisions concerning the privacy or confidentiality of individually identifiable health
2. A covered entity that makes individually identifiable health information available electronically pursuant to subsection 1 shall allow any person to opt out of having his or her individually identifiable health information disclosed electronically to other covered entities, except:
(a) As required by the administrative simplification provisions of the Health Insurance Portability
and Accountability Act of 1996, Public Law 104-191.
(b) As otherwise required by a state law.
(c) That a person who is a recipient of Medicaid or insurance pursuant to the Children’s Health
Insurance Program may not opt out of having his or her individually identifiable health
information disclosed electronically.
3. As used in this section, “covered entity” has the meaning ascribed to it in 45 C.F.R. § 160.103.
Michigan: Standardized Behavioral Health Consent Form
Michigan created a standardized consent form for sharing behavioral health information.45 The form allows patients to designate which providers are allowed to share their information and which information should not be shared as well as allowing patients to withdraw consent. It was created to address administrative difficulties resulting from providers and hospitals across the state requiring the use of varied, individual consent forms. In 2014, the Michigan legislature passed Public Act 129 (PA 129) as an amendment to the state’s mental health code.46 PA 129 required both the development of a standardized form that would comply with relevant state and federal law and that behavioral health providers honor the form if a patient or another provider uses it. Michigan is also working to create an electronic version of the consent form that providers can incorporate into their EHR interfaces so that it fits more easily into their workflow.
Oregon: State Guidance and Education
The OHA has created a Behavioral Health Information Sharing Advisory Group that aims to “assist providers in determining when behavioral health information can be shared without consent, and work to clarify misconceptions and confusion about applicable state and federal privacy laws that may currently limit information sharing.”47 The advisory group shares publications and hosts webinars to clarify what kind of information sharing is allowed under state and federal law, with the goal of further enabling the electronic exchange of patient data for improved physical and behavioral health care coordination. The group has also partnered with the state’s department of justice in order to ensure correct interpretation of the law and to create webinars communicating allowable exchange of information.48