The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and 42 Code of Federal Regulations (CFR) Part 2 provide a baseline for the privacy of health information. However, state health information privacy and consent laws and policies vary widely across the U.S., and impose more requirements. These various laws can make it harder for patients to understand what the state laws do and what their consent choices are. Differences can also make it harder for providers to electronically share patients’ information and consent choices across state lines.
In Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Road Map [PDF – 2.7 MB], ONC committed to helping ease confusion around multiple and diverse laws. As part of this pledge, ONC has worked with many partners to develop resources for state policymakers and others who want to navigate the complex privacy and consent legal landscape.
Resources
-
National Governors Association (NGA) State Roadmap – In 2015, ONC awarded a cooperative funding agreement to the NGA to develop a state road map. The road map provides concrete steps states can take to improve electronic information flow for providers who want to share patient data. Titled Getting the Right Information to the Right Health Care Providers at the Right Time: A Road Map for States to Improve Health Information Flow Between Providers [PDF - 5.56M], the road map is available for review and download.
-
State Health Information Exchange (HIE) Consent Policies and State Disclosure Laws for Mental Health Information –In 2016, ONC contracted with Clinovations Government + Health and the Department of Health Policy and Management, Milken Institute School of Public Health at the George Washington University to compile four documents that provide a view of the various state privacy and consent laws and policies:
-
State HIE Consent Policies: Opt-In or Opt-Out [PDF - 430 KB]– A comparative overview of patient consent policies that govern state HIEs.
-
\State-Sponsored Health Information Exchange (HIE) Organizations’ Consent Policies: Opt-In or Opt-Out [PDF - 550 KB]– A comparative overview of patient consent policies that govern state-sponsored HIEs.
-
State Laws Requiring Authorization to Disclose Mental Health Information for Treatment, Payment, or Healthcare Operations [PDF - 493 KB]– Comparative information about state laws that, unlike HIPAA, require patient authorization before mental health information can be disclosed for treatment, payment, or healthcare operations.
-
State Laws that Apply a Minimum Necessary Standard to Treatment Disclosures of Mental Health Information [PDF - 453 KB] – Comparative information about state laws that apply a minimum necessary standard for treatment disclosures of mental health information (unlike HIPAA, which only applies a minimum necessary standard to exchange for health care operations purposes).
-
To see any single state’s information on all four topics, visit the dashboard for State Health IT Privacy and Consent Laws and Policies.
-
-
NGA Health Division Website – The NGA road map and additional resources to help states improve health information flow between providers.
-
George Washington University’s Health Information and the Law Website – Resources for federal and state health laws, news, and analysis.
Disclaimer
The information here is not intended to serve as legal adivce nor should it substitute for legal counsel. The information presented is not exhaustive, and readers are encouraged to seek additional guidance to supplement the information contained herein.