Policy group says the jumble of state laws governing the sharing of personal health data is too convoluted for a nationwide network to run efficiently.
WASHINGTON--With the incentives provided in the recently signed stimulus package for the adoption of health information technology, lawmakers across the country are expecting to be able to improve their states' health care by collaborating on a nationwide network of health data.
Creating such a network, however, is a dizzying prospect bogged down by conflicting state laws regarding privacy and patient consent, policymakers acknowledged Tuesday at a conference of the National Governors' Association's State Alliance for e-Health.
Laws and policies governing the use of electronic health information vary widely by state, and even within states different agencies interpret the jumble of rules on the books differently, said experts from the Health Information Security and Privacy Collaboration, a multistate collaboration established by RTI International.
Indeed, members of the HISPC said, even their organization has had trouble interpreting the basic elements of the laws.
"At our very first meeting, we started talking about HIE (health information exchange), and we spent two and a half hours trying to decide if HIE is a noun or a verb," said Bill Mitchin, co-chair of the HISPC interstate and intrastate consent policies collaborative. "The answer is both."
To overcome the privacy and consent challenges that exist, Mitchin told policymakers on Tuesday that the states should develop either an interstate compact or language for a uniform law states could adopt to share electronic health information, rather than wait for federal statutes.
Before that can even happen, however, the states will have to work on merely documenting their current laws and policies that pertain to the privacy of health information.
"The laws can be scattered across state codes, and simply finding them can be a long process," said Kelly Coyle, co-chair of another HISPC group.
The HISPC is recommending that states clarify their positions on the terms for disclosing personal health information without patient consent, as well as what the terms should be for receiving patient consent. That information, the HISPC said, should be categorized based on the degree to which states require patient consent.
"If we could document our differences at different agency levels, that would provide us the foundation from which we could develop some consistent principles for moving forward," Mitchin said.
State lawmakers and health care representatives at Tuesday's conference balked at the HISPC's seemingly slow-moving suggestions.
"There must be another recommendation we can make other than to document chaos," said Reed Tuckson, executive vice president and chief of medical affairs for UnitedHealth Group.
"A whole industry could be created just to provide forms" for the process, he said. "This is insane."
Lawmakers and health care representatives also asked the HISPC to clarify why privacy issues were such a critical part of maintaining electronic health records.
"It seems to me there is a big concern about the digitization of data as separate, but if we have the right security measures, that data is no different from the data physically sitting in my office," said Herb Conway, a physician who sits on the New Jersey state legislature. "Are we going to be designing laws that interfere with our ability to have interoperability?"
Mitchin said that digitizing health information creates more potential uses for the information and therefore more potential privacy hazards.
"The data today in electronic form is being used in ways it's not being used in the manual process," he said. "Do you, as a consumer, understand that data's being sold for secondary uses? I'm not sure patients understand."
If states are to have a chance at an interstate compact for sharing health information, they will have to agree to let the compact trump some other state laws, Mitchin said. For instance, he said, states must acknowledge their constitutions have a limited basis of purpose on the issue of health IT, even if certain provisions might appear to be applicable to the subject.
"While we appreciate that different states have different rules, we're trying to find a way to streamline the process so patient treatment is not affected by delays in sharing information," he said.