HIPAA privacy rule still causing confusion

It's been more than 10 years since the Health Insurance Portability and Accountability Act became law, but many healthcare practitioners across the country are still unsure of what the law requires and how its provisions interact with other state and federal privacy laws, according to participants in a federally funded healthcare privacy research project who are meeting in Bethesda, Md., this week.

That sense of confusion won't be alleviated even after the two-day national gathering of the 33-state, Health Information Security and Privacy Collaboration ends today.

The HISPC was created last year by the not-for-profit RTI International under a $17.23 million contract with the Agency for Healthcare Research and Quality to identify best practices in privacy protection efforts as well as variances in laws and business practices that pose barriers to nationwide sharing of electronic health information.

Wrapping up Monday’s daylong track of panel sessions on HIPAA, discussion leader William Braithwaite said, "The most useful but frustrating point of the whole discussion was we brought out a lot of questions. We didn’t have a lot of answers." Braithwaite is a physician IT expert who worked at HHS in the 1990s and advised the Clinton administration in shaping the HIPAA legislation.

If there was a consensus on how the states were going to address these variances, it wasn't readily apparent Monday. For example the two neighboring states of Minnesota and Wisconsin are taking vastly different approaches to requirements on patient consent to sharing of their medical information.

The HIPAA privacy rule does not require consent to share medical records for treatment, payment or "other healthcare operations," but it provides that states may have more stringent privacy policies and many do.

Minnesota, for example, requires a patient's consent to share healthcare information for treatment, payment and most other healthcare operations. It is considering legislation that merely tweaks its provider liability law covering privacy disclosures. It is largely keeping its state privacy protections—some of the most stringent in the nation—intact, according to its HISPC representatives.

A delegate from Wisconsin, meanwhile, said their electronic health board is recommending that the state further relax its already less-strict privacy law to allow data sharing without patient consent for the medical records of mental health patients, records that are classified by most states as highly confidential and, in most states, are subject to tighter disclosure rules than other healthcare information.

Despite the regulatory differences between the two states, a pair of provider groups, one on each side of the Minnesota/Wisconsin border, is working on an interstate record exchange, according to Wisconsin privacy program and policy analyst Stacia Jankowski.

What do you think? Write us with your comments at Please include your name, title and hometown.