|
Reprints
From a technical standpoint, she adds, rules that are uniform across the country are much easier for software vendors and for implementation teams to put in place.
DON'T MESS WITH TEXAS' PHI
Also on the privacy and security front, the Texas Legislature raised some eyebrows this year by passing HB 300, which among other things, requires ongoing employee training about laws concerning protected health information (PHI) and increases penalties for the wrongful disclosure of PHI.
“It's ironic that a Republican-controlled legislature that is against most forms of regulation would pass something like this unanimously,” says Michael Silhol, an attorney in the healthcare practice group of Haynes and Boone LLP in Dallas. “This is pretty heavy-handed. It replicates a lot of HIPAA, but these people believe HIPAA doesn't go far enough.” The biggest difference, he says, is in the definition of a covered entity. “You have one definition for HIPAA and HITECH and another for Texas.”
“What it does more than anything else is monkey with the thresholds,” says Michael Frederick, chief information security officer at Baylor Health Care System in Dallas. For instance, HB 300 shortens the window of time to respond to a request from patients for their EHR data in electronic format to 15 days from 30 days, the federal standard under HIPAA. The biggest impact on hospitals might involve training. An employee must complete training about handling PHI within 60 days of hire and such training must be repeated at least once every two years, a more stringent requirement than the HIPAA Privacy Rule.
Tony Gilman, CEO of the Texas Health Services Authority (THSA), a public-private cooperative charged with developing standards for interoperable healthcare in the state, says Texas has always had a strong history of protecting patient information, “so it wasn't surprising that this was something the legislature chose to address as we move from paper to electronic exchange of information. We have had a different definition of covered entity since 2001, but this extends the current law from a paper domain to an electronic one.”
I THINK IT IS VERY BENEFICIAL TO HAVE THIS CLARITY AT THE STATE LEVEL. WE SEE THE FEDERAL REQUIREMENTS AS THE FLOOR AND BY NO MEANS THE BEST PRACTICES. -EDWARD MARX
Edward Marx, senior vice president and chief information officer for 24-hospital Texas Health Resources and THSA chair, says THSA made a concerted effort to get input from CIOs and CISOs and held stakeholder meetings prior to HB 300′s passage.
“I think it is very beneficial to have this clarity at the state level,” Marx adds. “We see the federal requirements as the floor and by no means the best practices. I think the CIOs in our state don't accept just meeting minimum standards. Why not take it to another level and raise the bar for ourselves?”
LEGISLATING CONSENT
Besides the security and governance of health information exchanges, state legislatures, and designated HIT entities are grappling with patient consent issues. In this year's legislative session in Maine, a bill drafted with the support of the Maine Civil Liberties Union was introduced that would require the state's HIE to switch from an opt-out model of consent to opt-in, which leaders of the state's HealthInfoNet HIE thought would be unworkable. A compromise was crafted that gives patients a separate form about the HIE and explicitly offers the opportunity to opt out.
That contentious issue is being played out all across the country. “Consent is going from the theoretical to the implementation phase and adjustments are having to be made,” says Ree Sailors, program director of health IT for the National Governors Association. Some states that started with Medicaid as the lead agency began with opt-out as the default and have had to adjust as the public learns more about health data exchange, she adds.
Boston Medical Center CIO Meg Aranow believes that it would help to have privacy and consent policies developed on the national level. “Having each state work out their own rules and then have to harmonize with each other for interstate exchange is more work than necessary,” she says.
