A report that Manatt Health Solutions produced this year for the state of Tennessee shines a light on the privacy and security issues states are grappling with. Stakeholders may recognize the need for a statewide approach, but the challenge is greater than answering specific legal questions. It has to do with developing trust and building consensus, which are time-consuming processes.
The Volunteer State recently created a public-private partnership that will serve as the state-designated entity to coordinate health information exchange efforts. The not-for-profit Health Information Partnership for Tennessee (HIP TN) is organizing various work groups that will develop a statewide strategic HIE plan.
Manatt produced a report called "Advancing Statewide eHealth Efforts" to help the state decide how to maximize ARRA funding opportunities and further leverage the progress it has already made in health information technology. The report's section on privacy and security paints an honest picture of the myriad challenges the state faces as it moves from a few successful HIEs to contemplating a statwide effort.
Tennessee has two operational HIEs at opposite ends of the state geographically, CareSpark and MidSouth eHealth Alliance, as well as Shared Health, a for-profit venture of BlueCross Blue Shield to make Medicaid claims data available statewide. The Manatt report lists eight separate issues on which the three organizations have divergent privacy and security guidelines, reflecting their differing perspectives. They include opt-in or opt-out policies, consent and notification documents, authorized uses of shared data, and patient access to EHR data.
While there are several advantages to a statewide privacy and security policy, some stakeholders told Manatt they don't trust the state government to develop it. "Several RHIOs express concern about direct State management in the establishment of uniform privacy and security guidelines," the report notes, "based upon past perceptions of inconsistent, intrusive and coercive tactics in other aspects of State involvement in HIE operations." Ouch!
On the other hand, the report continues, some people have expressed concern that the existing eHealth Advisory Council is dominated by commercial as opposed to patient care interests. This is a complaint often expressed by patient privacy advocates. Although the report suggests that provisions for consumer access and secondary use of data should be considered for inclusion in the set of issues to be decided through the statewide collaborative process, it admits that these issues raise concerns among providers, and "may not be feasible to address as part of initial statewide policy guidelines."
And while some players are leery of mandates, others note that if adherence to guidelines is voluntary, it may create competitive advantages for those who don't participate. So will HIP TN be able to balance patient privacy advocates, competing business interests, and a general distrust of state government entities to find common ground on privacy and security in Tennessee? It will be interesting to see how these issues play out there and in the 49 other states over the next year or so.