Explore how state-specific patient data privacy laws complement HIPAA, affecting health plans, HIEs, and provider organizations. Learn how to manage compliance across states to protect sensitive health information effectively.
In the rapidly evolving world of healthcare, protecting patient data is not just a legal obligation but a pivotal element of patient care. The intimacy and sensitivity of patient data—encompassing everything from personal health records to genetic information—demand stringent privacy measures. While federal laws such as the Health Insurance Portability and Accountability Act (HIPAA) set a baseline for healthcare data protection, state-specific laws often introduce additional layers of regulation for healthcare organizations. Ensuring compliance with regulatory changes across different states is imperative to maintain trust. For any organization operating in multiple states, this patchwork of regulations requires a vigorous, detailed understanding and an efficient operational framework to adapt to each state’s stipulations.
Additionally, organizations may have privacy policies that allow patients to restrict certain types of information based on their personal situations. For instance, when a family member is also the patient's physician, the patient may not want all aspects of their medical history shared with that family member/physician.
Regulatory requirements for patient data privacy
All healthcare entities are subject to HIPAA privacy regulations, which provide the baseline regulation for the United States. Many states have privacy laws that are more stringent than HIPAA and take precedence over the baseline set by HIPAA.
State-specific regulations and their implications
For example, California recently passed an amendment to the Confidentiality of Medical Information Act (CMIA), a law that highlights the complexity and regional variability in managing healthcare data privacy. The legislation, effective July 1, 2024, underscores the need for special protections around the sharing of data related to abortion, contraception, or gender-affirming care, especially across state lines and in the context of legal action. It provides for the requirement of segmenting this data from other data in a patient's record.
Similarly, Maryland has a law that restricts the sharing of data related to abortion care. The Electronic Health Record Data Privacy bill (SB 786), passed in 2023, provides extra protection for reproductive health information and prohibits the disclosure of “diagnosis, procedure, medication, or related codes for abortion care and other ‘sensitive health services.’”
These new state-specific regulations specify under what circumstances certain data can be shared and when it is necessary to refrain from sharing. For instance, when a procedure is performed in one state where it is legal, but the same procedure is not legal in another state, these regulations protect the patient and provider from facing legal consequences originating from the state where the procedure is not legal.
While the recent state-specific legislation generally refers to reproductive health, many states have had additional requirements to safeguard specific types of information for some time now. For Instance, Alaska and Mississippi name five specific categories of information that require special handling, Delaware and Louisiana name seven, and several states name at least one category. Common themes are HIV/AIDS, mental health, and substance abuse.
Privacy and security are more essential now than ever for any organization sharing data across state lines.
Moving towards nationwide interoperability and the introduction of TEFCA
As the healthcare industry continues to move towards better data sharing through the efforts of the ONC and the recent launch of the Trusted Exchange and Common Framework (TEFCA), technology evolves to better segment data. Balancing patient privacy with the need for data sharing to improve patient care and population health makes the need to tag sensitive data an imperative. The goal here is to avoid sharing data that might harm a patient, not to limit data sharing for the purpose of treatment or payment. In fact, the HL7® privacy policy specifically states that even when specific information is hidden from a clinician, clinical decision support applications can still access that information to ensure patient safety and quality care. When an alert triggers and a clinician needs more information, break-the-glass functionality allows a clinician to override the initial control that prevents them from accessing the data without consent. Security labels allow the technological ability to provide this functionality.
Technical advances in health data segmentation
The evolving regulatory and exchange landscape highlights the need for more granular control over personal data driven by the recognition of its deeply personal nature and the potential consequences of its mishandling. In its most recent ruling, the HTI-1 rule, the ONC highlights the need for patients to be able to specify what types of data can be shared and what types of data need to be held in stricter privacy. This is important to protect patients from unintended harm, discrimination, or unsafe situations. For example, a person at risk for domestic violence would not want to disclose information about their circumstances if their intimate partner had access as that could escalate the situation.
Implementing sensitivity policies to identify and protect patient data
Every organization that is subject to HIPAA, state, or regional healthcare or data-sharing regulations should have specific policies that govern the use and disclosure of patient-level information. HL7® Information Sensitivity value setprovides codes that identify the topics of the most common policies. Examples include ETH for identifying a policy for handling alcohol or drug abuse information or GDIS for handling genetic information. These tags should be used in a broader technical framework that allows for data and information to flow seamlessly while being protected appropriately from unintended use.
Short of manual identification and classification, how can an organization correctly tag potentially sensitive data? In some instances, an entire document type is considered sensitive. This is true in the domain of behavioral health or substance abuse programs. It becomes more difficult when a portion of a patient record could be subject to a privacy policy. Consider a primary care annual wellness exam where the patient disclosed an instance of intimate partner violence. The wellness exam and much of the data from that visit are not considered sensitive, but the instance of intimate partner violence is. Thankfully, there are standard vocabularies like ICD-10-CM, LOINC, and SNOMED that are used in electronic health systems to codify the data being captured to industry-standard terminology. Those same codes can be used to tag this information as sensitive and identify the policy that should be used to handle the sharing of that information.
Clinical terminology expertise to help you navigate patient data privacy requirements
With thousands of codes in the standard terminologies used in healthcare today, you need clinical expertise to identify which codes indicate what sensitive conditions they apply to. Built by clinical terminology experts with decades of experience, the Health Language Platform offers professionally curated value sets that can help you automate the identification of sensitive information before you share it with other organizations.
The Health Language sensitivity codes contain codes from eleven different vocabularies, and seven domains of sensitive information, including family planning, covering the most sensitive areas of reproductive health care. In response to the changing regulatory environment, we have recently added gender affirming care and will be continuing to develop additional code groups representing the multi-faceted topic of reproductive health.
For more insights on navigating the complexities of healthcare data privacy and harnessing the potential of innovative solutions to protect sensitive patient information, reach out today. Together we can achieve a delicate balance between technological advancement and the fundamental values of care and confidentiality that lie at the heart of healthcare.