Creation of State Legislation to
Protect and Facilitate Use and
Exchange of Electronic Health
Information
Shelley Carter, RN, MCRP, MPH1, Maggie Gunter, PhD1,
Bob Mayer2, Randy McDonald, JD1, Kathy England1
Academy Health
Public Health Systems
Washington, DC
June 7, 2008
1Lovelace
2New
1
Clinic Foundation · Albuquerque, New Mexico
Mexico Department of Health - Santa Fe, New Mexico
OVERVIEW
• Background—Health Information Exchange in
New Mexico and HISPC Project—Privacy
Barriers
• Focus on Privacy Legislation
• Methods and Key Tasks
• Key Provisions of NM Draft Legislation
• Introduction and Fate of Privacy Bill
• Results and Next Steps
• Conclusions
2
“Changing conceptions of the
medical record and increasing
automation – are important forces
behind the Commission’s
conviction that now is the proper
time to establish privacy
protection safeguards for medical
records that will enhance the
integrity, and thus the efficacy, of
the medical-care relationship”
3
Report of The Privacy Protection
Study Commission - July, 1977
The Privacy Act of 1974 created the Privacy Protection
Study Commission. Its charter was to study privacy
issues and recommend future legislation.
Concerns with privacy of medical information
are not new.
4
Background
•
Creation of NMHIC
The New Mexico Health Information Collaborative (NMHIC)
was created in late 2004 with funding from AHRQ and community
organizations
•
–
Objective: creation of a health information exchange network for the
state to provide cross-organization data to providers at point of care
and eventually to patients
–
Privacy concerns from the outset—but HIPAA appeared to allow data sharing
across organizations for purposes of treatment, payment, and operations
without patient authorization.
Health Information Security and Privacy Collaborative (HISPC)
Project. AHRQ provided new funding (2006) through RTI
–
–
5
Objectives: to identify and create solutions for key privacy and
security barriers to electronic health information exchange posed by
business practices and state laws
NM selected health information privacy legislation as its
implementation focus
Why New Health Privacy Legislation?
• Our research showed that New Mexico’s health
information protection laws had problems:
–
–
–
–
–
fragmented and dated
addressed only paper-format records
enacted prior to the adoption of the HIPAA Regulations
were more restrictive than HIPAA in some cases
put both EHR and health information exchange development
at possible legal risk, as well as providers
– did not consider potential positive impact of health
information technology on patient care
• Proposed solution: passage of comprehensive new
health information legislation to address issues and
supersede all previous laws
6
Goal of Proposed NM
Legislation
Draft legislation in NM that
authorizes the use of electronic
health records (EHRs) and facilitates
the operation of the health
information exchange (HIE) while
protecting patient privacy
7
Methods and Key Tasks
• Research health information laws in all 50
states
• Initial meetings with privacy experts
• Draft legislation
• Identify legislative sponsors
• Engage stakeholders in the review of
legislation
• Introduce legislation titled “New Mexico
Electronic Health Information Act” during the
2008 Legislative Session
8
New Mexico’s Draft Legislation
• Struggle for balance between needs of
privacy advocates and needs of provider
organizations
• Patient consent required for provider to
access data from outside providers,
even for treatment (more restrictive than
HIPAA)
9
Stakeholder Views Differ:
Patient Privacy Advocates -• Legislation should require substantial safeguards
protecting privacy/security of health information
• Central to the legislation is an individual’s right to
determine access by others (providers/institutions)
to their health information
• Benefits of EHRs and HIE need to be balanced
against possible harm
• “Break the Glass” situations must be clearly defined
• “Opt In” is the preferred method of inclusion
(proactive patient consent or data NOT shared)
10
Views from the
Healthcare Industry
• HIPAA Regulations should be “ceiling”
• More restrictive consent will be
burdensome, expensive, and
unnecessary to protect patient data and
privacy
• More restrictive regulations will
undermine and delay implementation
and benefits of EHRs and health
information exchange
11
The Real Adventure Begins:
NM Legislative Session—Jan. 08
• NM Electronic Health Information Act
introduced as part of Governor’s universal
coverage reform package
• Three components
– Legal authorization of EHRs
– Develop plan to set dates to require
electronic claims, EHRs, and health
information exchange
– Privacy requirements for EHRs and HIE
12
All Aspects Controversial
• EHR Authorization: MD legislator: ”I never use
medical records—a waste of time. We should
carry our health records on a 3” by 5” card, as
they do in Nepal.”
• Resistance to an unfunded mandate for EHRs
• Republicans opposed to Governor’s health
reform proposal—so also opposed this bill
• Privacy controversy (a gulf):
– ACLU wanted stronger privacy protections
and penalties
– Payors and health systems: no stronger than
HIPAA
13
Results and Next Steps
• EHR legislation turned down by Senate
• Identify and educate key legislators as
champions
• EHR bill will be reintroduced (possible
revisions) – 2009 Legislative Session
14
Conclusions
• Resolving privacy and security issues is
essential to building a viable state or national
HIE network
• Key aspect: designing and passing state
privacy legislation addressing patient
consent, user authentication, and
authorization
• Such legislation will provide the legal
foundation for both EHRs and HIEs
• Significant step toward legal interoperability
needed for information sharing among states
15
Albuquerque Balloon Fiesta
October 3 - 12, 2008
Lovelace Clinic Foundation · Albuquerque, NM
Shelley@ LCFresearch.org
16