A new report from the State Alliance for e-Health warns more-stringent state privacy policies could hinder health information exchange.
The alliance bills itself as a body of elected and appointed state officials that serves as a forum where they "and other stakeholders can share inter- and intra-state health IT best practices and policy solutions." Its 32-page guide
states the intent "to give interim guidance to state leaders" as they implement the IT provisions of the American Recovery and Reinvestment Act. Those sections of the stimulus bill are often referred to as the Health Information Technology for Economic and Clinical Health Act, or HITECH Act.
The report contains six recommended areas of state action. Dealing with privacy issues in general, and state authority to create more-stringent privacy rules than HIPAA specifically, were among the six.
For example, the report warned against states "adopting new privacy policies that diverge greatly from those of neighboring states," alleging that such variance "will affect their ability to move to interstate exchange."
The State Alliance for e-Health was created by the National Governors Association's Center for Best Practices, pursuant to an October 2006 contract
with HHS' Office of the National Coordinator for Health Information Technology for nearly $2 million for the first year, with two years of extension possible.
The report also says the HHS-funded Health Information Security and Privacy Collaboration has examined variations in state privacy laws and "identified some barriers and inconsistencies" among them, but notes that many states have "already moved to address them."
"Much more common" were inconsistencies in provider privacy practices that often had "no basis in law," it said. States need to work on resolving these provider variations by helping them adopt "standardized practices and technology that meet the privacy goals of the exchange."
The report grouped existing state privacy laws into three categories:
- Privacy controls that "strongly control whether information goes to an HIO," or health information organization, in which patients "opt in or opt out, with exceptions made for certain conditions that may be specially protected in state laws."
- "Privacy controls that exert strong controls on who can access the information in an HIO."
- "Privacy controls with multiple variables on both what gets in and who has access" to an HIO, limiting access "to certain entities under certain conditions."
The report appears to recommend the second category of rules, where the focus is not on controlling the movement or storage of data, such as opt out, but on controlling who can access it. Such a framework—with built-in compliance with rules in the second category—"could permit a robust HIO to be created while allowing the patient to determine who could have access to his or her information."
"Controls on information often are triggered by patient consent, but they also may arise from blanket laws that prohibit certain information from being transferred. In such cases, consent may be needed to override the restrictions."
The other five recommended actions were:
- Engaging stakeholders.
- Establishing a state leadership office.
- Preparing state agencies to participate in HITECH activities.
- Determine the business model for the state health information organization.
- Preparing or updating a state plan for adoption of health information exchange
Because of the ARRA, the alliance sees a much larger role for states in the care, feeding and oversight of health information organizations.
"Up to now, states saw exchanges as being primarily financed by the private sector, managed by a consortium of stakeholders and government very lightly (state government often played the role of a stakeholder or facilitator). Many exchange designs were based on the premise that voluntary guidelines would ensure privacy and security. With the passage of HITECH, the perception of government's role in privacy and security has become more defined and the assurance of government oversight will become part of the fabric of consumer protection."
According to the alliance, states will need to be in a strong position to "broker" requests from research institutions, public agencies, provider groups and plans to use health data "so as to assure that privacy will not be breached and data will not be misused."
What do you think? Submit a letter to Your Views. Please include your name, title, company and hometown. Health IT Strategist reserves the right to edit all submissions.
Also, please share your thoughts by taking our latest HITS reader poll.