Educating Patients and Providers about HIPAA and State and Local Privacy and Security Practices, Policies and Laws

The Privacy and Security Solutions for Interoperable Health Information Exchange project coordinated 33 states and Puerto Rico to assess the variation in privacy and security related business practices, policies, and state laws that might impede the electronic exchange of electronic health information. Stakeholders in the 33 states and Puerto Rico reviewed 18 health information exchange scenarios including 2 related to public health and biosurveillance. The results of the analysis indicate that one of the foremost barriers to the electronic exchange of data between health care organizations is disagreement on what kinds of information can be shared with whom and for what purpose. This is complicated by multiple interpretations of the HIPAA privacy rule and a lack of awareness of relevant state privacy law which is difficult to find and frequently misinterpreted by the oragnizations and providers needing to exchange information. This frequently leads to patient data not being exchanged as needed. One solution to these issues is to educate both healthcare consumers and organizations about the HIPAA provisions and the specific requirements that a given state imposes above and beyond HIPAA. Patients specifically need to better understand their rights and responsibilities with regard to their health information. Recommendations for consumer and patient education will be made along with discussion of the risks and rewards to consumers of moving from paper-based to electronic health information exchange.