Learn how state patient data privacy laws complement HIPAA and affect health plans, HIEs, and provider organizations. Learn how to manage compliance across state lines and effectively protect sensitive health information.
In the rapidly evolving world of healthcare, protecting patient data is not just a legal obligation, it is a critical component of patient care. The confidentiality and sensitivity of patient data, which encompasses everything from personal health records to genetic information, requires stringent privacy measures. While federal laws such as the Health Insurance Portability and Accountability Act (HIPAA) set standards for healthcare data protection, state-by-state laws often introduce additional layers of regulation for healthcare organizations. Ensuring compliance with regulatory changes in different states is essential to maintaining trust. For organizations that operate in multiple states, this patchwork of regulations requires a thorough, detailed understanding and an efficient operational framework to adapt to each state's provisions.
Additionally, organizations may have privacy policies that allow patients to limit certain types of information based on their personal circumstances – for example, if a family member is also the patient's primary physician, the patient may not want all aspects of their medical history shared with that family member/physician.
Regulatory requirements for patient data privacy
All healthcare organizations are subject to HIPAA privacy regulations, which are the standard regulations in the U.S. Many states have privacy laws that are stricter than HIPAA and take precedence over the standards set by HIPAA.
State-specific regulations and their impact
For example, California recently passed amendments to its Confidentiality of Medical Information Act (CMIA). The law highlights the complexities and regional variations in managing health data privacy. The law, which goes into effect on July 1, 2024, emphasizes the need for special protections regarding the sharing of data related to abortion, contraception, or gender reassignment treatment, especially across state lines and in the context of legal action. The law mandates segmenting this data from other data in the patient record.
Similarly, Maryland has laws that limit the sharing of data related to abortion care. The Electronic Health Records Data Privacy Bill (SB 786), passed in 2023, provides additional protections for reproductive health information, prohibiting the disclosure of “diagnoses, procedures, medications, or related codes relating to abortion care or other 'sensitive health care services.'”
These new state-specific regulations govern the circumstances under which certain data can be shared and when it must be withheld. For example, if a procedure is performed that is legal in one state but illegal in another, these regulations protect patients and providers from legal consequences arising in the state where the procedure is illegal.
Recent state-specific laws generally address reproductive health, but many states have long had additional requirements to protect certain types of information. For example, Alaska and Mississippi have five categories of information requiring special handling, Delaware and Louisiana have seven, and several more have at least one other category. Common themes are HIV/AIDS, mental health, and substance abuse.
For organizations that share data across state lines, privacy and security are more important than ever.
Towards national interoperability and TEFCA implementation
While the healthcare industry continues to move towards better data sharing through ONC efforts and the recent launch of the Trusted Exchange Framework and Common Agreement (TEFCA), technology is evolving to better segment data. The need to tag sensitive data is essential to balance patient privacy with the need to share data to improve patient care and public health. The goal here is to avoid sharing data that could harm patients, not to limit data sharing for treatment or payment purposes. In fact, the HL7® Privacy Policy states that even when certain information is hidden from clinicians, clinical decision support applications can access it to ensure patient safety and quality care. If an alert is triggered and the clinician needs more information, the clinician can override the initial controls that prevent the data from being accessed without consent. Security labels enable technology to provide this functionality.
Technological Advancements in Health Data Segmentation
The regulatory and information exchange landscape is evolving, highlighting the need for more granular control over personal data, given its highly personal nature and the potential impact of mishandling. In its most recent rule, HTI-1, ONC emphasizes the need to allow patients to specify what types of data can be shared and what types of data must remain more private. This is important to protect patients from unintended harm, discrimination, or unsafe situations. For example, someone at risk of domestic violence may not want to disclose information about their situation because it could make the situation worse if their intimate partner had access to the information.
Implementing confidentiality policies to identify and protect patient data
All organizations subject to HIPAA, state, or local healthcare or data sharing regulations must have specific policies governing the use and disclosure of patient-level information. The HL7® Information Sensitivity Value Set provides codes to identify the most common policy topics. Examples include ETH, which identifies policies for handling alcohol and drug abuse information, and GDIS, for handling genetic information. These tags should be used within a broader technology framework where data and information flow seamlessly and are appropriately protected from unintended use.
Other than by manually identifying and classifying it, how can organizations properly tag potentially sensitive data? In some cases, entire document types are considered sensitive. This is true in the areas of behavioral health and substance abuse programs. It becomes even more challenging when only portions of a patient’s record are subject to privacy policies. Consider an annual primary care checkup where the patient revealed a case of intimate partner violence. While the majority of the data derived from the checkup and visit would not be considered sensitive, the case of intimate partner violence would be. Thankfully, there are standard terminologies such as ICD-10-CM, LOINC, and SNOMED that are used to codify data captured in electronic health systems into industry standard terminology. These same codes can be used to tag this information as sensitive and identify the policies that should be used to handle sharing of that information.
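The code-based tagging described above, as an added example that is not part of the original article or of any vendor's product: entries are labelled with the HL7 sensitivity codes ETH and GDIS by matching their ICD-10-CM codes, and a disclosure filter shares only entries whose labels are permitted. The prefix-to-tag mapping, the `UNCLASSIFIED` marker, the function names and the sample record are assumptions constructed for illustration.

```python
# Constructed value set for illustration: ICD-10-CM code prefixes mapped to
# HL7 Information Sensitivity codes. ETH and GDIS are the codes named in the
# article; the prefix-to-tag mapping is an assumption, not a curated value set.
ICD10CM = "ICD-10-CM"
SENSITIVE_PREFIXES = {
    (ICD10CM, "F10"): "ETH",   # alcohol related disorders
    (ICD10CM, "F11"): "ETH",   # opioid related disorders
    (ICD10CM, "Z15"): "GDIS",  # genetic susceptibility to disease
}
UNCLASSIFIED = "UNCLASSIFIED"  # hypothetical marker: entry has no usable code


def label_entry(entry):
    """Return a copy of the entry with a 'labels' set of sensitivity tags."""
    system, code = entry.get("system"), entry.get("code")
    if not system or not code:
        # Free text or a missing code cannot be matched against a value set;
        # mark it for review instead of silently treating it as non-sensitive.
        return {**entry, "labels": {UNCLASSIFIED}}
    labels = {tag for (sys_, prefix), tag in SENSITIVE_PREFIXES.items()
              if sys_ == system and code.upper().startswith(prefix)}
    return {**entry, "labels": labels}


def disclose(record, permitted_tags):
    """Split a record into entries to share and entries to withhold.

    An entry is shared only if every label on it is in permitted_tags, so
    unclassified entries are withheld unless explicitly permitted.
    """
    shared, withheld = [], []
    for entry in map(label_entry, record):
        (shared if entry["labels"] <= set(permitted_tags) else withheld).append(entry)
    return shared, withheld


# Constructed sample record: one annual visit with mixed content.
SAMPLE_RECORD = [
    {"id": "e1", "system": ICD10CM, "code": "I10", "text": "Essential hypertension"},
    {"id": "e2", "system": ICD10CM, "code": "F10.20", "text": "Alcohol dependence"},
    {"id": "e3", "system": ICD10CM, "code": "Z15.01", "text": "Genetic susceptibility, breast"},
    {"id": "e4", "system": None, "code": None, "text": "Free-text note"},
]

if __name__ == "__main__":
    shared, withheld = disclose(SAMPLE_RECORD, permitted_tags={"GDIS"})
    print("shared:", [e["id"] for e in shared])
    print("withheld:", [(e["id"], sorted(e["labels"])) for e in withheld])
```

The filter fails closed: an entry that cannot be classified is withheld until someone reviews it, which is the safer default when the record leaves the organization.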
Clinical terminology expertise to help address patient data privacy requirements
With thousands of codes in standard terminology used in healthcare today, identifying which codes apply to which sensitive conditions requires clinical expertise. Built by clinical terminology experts with decades of experience, the Health Language Platform provides expertly curated value sets that help automatically identify sensitive information before it is shared with other organizations.
The Health Language Confidential Codes contain 11 vocabulary terms and codes for seven confidential information domains, including family planning, covering the most sensitive areas of reproductive health care. In response to the changing regulatory environment, we have recently added gender affirming care. We will continue to develop additional code groups to represent multifaceted topics in reproductive health care.
Contact us today for more information on navigating the complexities of health data privacy and harnessing the potential of innovative solutions to protect sensitive patient information. Together, we can achieve the delicate balance between the fundamental values of care and confidentiality at the heart of healthcare and advances in technology.