Creation of State Legislation to Protect and Facilitate Use and Exchange of Electronic Health Information Shelley Carter, RN, MCRP, MPH1, Maggie Gunter, PhD1, Bob Mayer2, Randy McDonald, JD1, Kathy England1 Academy Health Public Health Systems Washington, DC June 7, 2008 1Lovelace 2New 1 Clinic Foundation · Albuquerque, New Mexico Mexico Department of Health - Santa Fe, New Mexico OVERVIEW • Background—Health Information Exchange in New Mexico and HISPC Project—Privacy Barriers • Focus on Privacy Legislation • Methods and Key Tasks • Key Provisions of NM Draft Legislation • Introduction and Fate of Privacy Bill • Results and Next Steps • Conclusions 2 “Changing conceptions of the medical record and increasing automation – are important forces behind the Commission’s conviction that now is the proper time to establish privacy protection safeguards for medical records that will enhance the integrity, and thus the efficacy, of the medical-care relationship” 3 Report of The Privacy Protection Study Commission - July, 1977 The Privacy Act of 1974 created the Privacy Protection Study Commission. Its charter was to study privacy issues and recommend future legislation. Concerns with privacy of medical information are not new. 4 Background • Creation of NMHIC The New Mexico Health Information Collaborative (NMHIC) was created in late 2004 with funding from AHRQ and community organizations • – Objective: creation of a health information exchange network for the state to provide cross-organization data to providers at point of care and eventually to patients – Privacy concerns from the outset—but HIPAA appeared to allow data sharing across organizations for purposes of treatment, payment, and operations without patient authorization. Health Information Security and Privacy Collaborative (HISPC) Project. AHRQ provided new funding (2006) through RTI – – 5 Objectives: to identify and create solutions for key privacy and security barriers to electronic health information exchange posed by business practices and state laws NM selected health information privacy legislation as its implementation focus Why New Health Privacy Legislation? • Our research showed that New Mexico’s health information protection laws had problems: – – – – – fragmented and dated addressed only paper-format records enacted prior to the adoption of the HIPAA Regulations were more restrictive than HIPAA in some cases put both EHR and health information exchange development at possible legal risk, as well as providers – did not consider potential positive impact of health information technology on patient care • Proposed solution: passage of comprehensive new health information legislation to address issues and supersede all previous laws 6 Goal of Proposed NM Legislation Draft legislation in NM that authorizes the use of electronic health records (EHRs) and facilitates the operation of the health information exchange (HIE) while protecting patient privacy 7 Methods and Key Tasks • Research health information laws in all 50 states • Initial meetings with privacy experts • Draft legislation • Identify legislative sponsors • Engage stakeholders in the review of legislation • Introduce legislation titled “New Mexico Electronic Health Information Act” during the 2008 Legislative Session 8 New Mexico’s Draft Legislation • Struggle for balance between needs of privacy advocates and needs of provider organizations • Patient consent required for provider to access data from outside providers, even for treatment (more restrictive than HIPAA) 9 Stakeholder Views Differ: Patient Privacy Advocates -• Legislation should require substantial safeguards protecting privacy/security of health information • Central to the legislation is an individual’s right to determine access by others (providers/institutions) to their health information • Benefits of EHRs and HIE need to be balanced against possible harm • “Break the Glass” situations must be clearly defined • “Opt In” is the preferred method of inclusion (proactive patient consent or data NOT shared) 10 Views from the Healthcare Industry • HIPAA Regulations should be “ceiling” • More restrictive consent will be burdensome, expensive, and unnecessary to protect patient data and privacy • More restrictive regulations will undermine and delay implementation and benefits of EHRs and health information exchange 11 The Real Adventure Begins: NM Legislative Session—Jan. 08 • NM Electronic Health Information Act introduced as part of Governor’s universal coverage reform package • Three components – Legal authorization of EHRs – Develop plan to set dates to require electronic claims, EHRs, and health information exchange – Privacy requirements for EHRs and HIE 12 All Aspects Controversial • EHR Authorization: MD legislator: ”I never use medical records—a waste of time. We should carry our health records on a 3” by 5” card, as they do in Nepal.” • Resistance to an unfunded mandate for EHRs • Republicans opposed to Governor’s health reform proposal—so also opposed this bill • Privacy controversy (a gulf): – ACLU wanted stronger privacy protections and penalties – Payors and health systems: no stronger than HIPAA 13 Results and Next Steps • EHR legislation turned down by Senate • Identify and educate key legislators as champions • EHR bill will be reintroduced (possible revisions) – 2009 Legislative Session 14 Conclusions • Resolving privacy and security issues is essential to building a viable state or national HIE network • Key aspect: designing and passing state privacy legislation addressing patient consent, user authentication, and authorization • Such legislation will provide the legal foundation for both EHRs and HIEs • Significant step toward legal interoperability needed for information sharing among states 15 Albuquerque Balloon Fiesta October 3 - 12, 2008 Lovelace Clinic Foundation · Albuquerque, NM Shelley@ LCFresearch.org 16