Kansas Aligns State Privacy Laws with HIPAA as HIE Standard

Today, the State of Kansas’ Senate committee approved (by a vote of 39-0) Senate Bill 133 to align the state’s privacy laws with HIPAA. The Kansas Health Information Exchange, Inc. (the state’s RHIO) testified before the Senate committee to stress that legislation is necessary to harmonize the “patchwork of about 200 statutes and regulations that are primarily focused on particular types of information…”  Representatives of the Kansas HIE explained that creating uniform privacy and security standards in Kansas for electronic HIE is critical because it affects the ability of providers to exchange and share information and coordinate care, which is key to higher quality and more efficient care, and better population health.

Among other things, Senate Bill 133 sets out criteria that providers must meet in order to be protected from prosecution for violating a patient's privacy. Specifically, providers would have to:

  • adhere to the use and disclosure rules in HIPAA;
  • adhere to the requirements in HIPAA for safeguarding patient information;
  • comply with a patient's right to access their own medical information;

The bill also creates a standardized authorization form for providers to give patients before accessing and exchanging their medical information, as well as provides for a "personal representative" for incapacitated adults and minors without legal guardians.

As of January 27, 2011, ONC has approved over $547 million dollars to states in order to further HIE efforts.  Yet, as states gear up to tackle implementing the Operational Plans that they have submitted to ONC, they continue to be faced with many of the same privacy and security questions and issues that have slowed and even stalled HIE progress in the past. 

Before the ONC was established, the Health Information Security and Privacy Collaborative (HISPC) tackled privacy and security law issues for several years.  In HISPC’s Final Report regarding Harmonizing State Privacy Laws, which is posted on ONC’s website, specifically recognizes that inconsistency in state and federal laws in terms of definitions, organizational structure, and content is often cited as a barrier to participation in and implementation of HIE.  In addition, the report notes that stakeholder groups have long indicated that a greater harmonization of state laws would be beneficial and that reform of state laws, combined with revisions in federal laws, must be considered.

During Phase 1 of HISPC's work, extensive discussions and activities with stakeholders determined that lack of clarity and divergent interpretation of legal standards have created barriers to participation in and implementation of HIE. The Report goes on that while some impediments to the exchange of health information are essential to protect privacy interests

[u]nnecessary and unintended barriers resulting from confusion or inconsistency can prevent the timely and appropriate exchange of information essential for medical treatment and population health activities. Whether the movement to transform health care through HIE involves private grassroots efforts, state-specific initiatives, a single federal approach, or any combination thereof, the availability and use of common tools and resources is essential for establishing workable information exchange standards and practices within and among states.

Yet, while these obstacles are now widely-recognized and exhaustively written about, the inconsistencies in varous state laws as they relate to desired federal HIE objectives continues to create confusion and drain resources.  Thus, to date, HIPAA continues to be the main federal legal source that states can look to in order to define what privacy and security standards should apply to electronic HIE – which is what Kansas has done.