Maine Reverts Back to Opt-Out Approach for HIE
In my previous post (April 26, 2011), I discussed legislation proposed by privacy advocates in Maine which would require, among other things, that patients "opt-in" before any information could be collected, accessed or disclosed through Maine's HIE HealthInfoNet. Although HealthInfoNet currently operates under the "opt-out" approach, privacy advocates had pushed for the legislation in order to more adequately safeguard patient privacy. Stakeholders had decided early on in the HIE's development that opt-in was not practical and as such, patients would be automatically enrolled in the HIE. Patients could then exercise their choice to opt-out and have their information deleted from the HIE's central data repository.
After considerable push-back from HealthInfoNet, as well as physicians, hospitals and their respective professional associations, the Maine legislature has reconsidered and revised the proposal.
As rewritten, the proposed legislation would permit HealthInfoNet to continue operating on an opt-out basis, but would dictate specific rules for informing patients of their right to do so. Individuals would need to be provided with, at a minimum:
- A separate form at the point of initial contact with a description of the risks and benefits of participating in the HIE;
- A description of how and where to obtain more information or how to contact the HIE;
- An opportunity for the patient to refuse to participate in the HIE; and
- A declaration that health care treatment would not be withheldfrom the patient solely based upon the patient's refusal to participate in the HIE.
Although information regarding the HIE is currently included on provider and hospital Notice of Privacy Practices, many patients were not aware that their information was being exchanged through the HIE. As Amy Landry, communications director at HealthInfoNet acknowledged, "nobody reads the Notice of Privacy Practices." The proposed legislation reflects a compromise between concerns for patient privacy and awareness and the need of the HIE to have a large enough patient population to be of value to physicians and hospitals.
Furthermore, the proposed legislation would require confidentiality policies and procedures for protecting the confidentiality, security and integrity of health care information. It would also require the HIE to maintain records of all disclosures made by and through the HIE in addition to requiring compliance with all applicable federal laws and regulations dealing with privacy, security and breach notification as defined by 45 CFR Part 160 and 164.
The amended Bill (LD 1337) may be accessed here.