State Regulations in Health Information Disclosure: Examining the Interoperability of Health Information Exchange Across States

Background: There are distinctions in privacy requirements for disclosure of protected health information (PHI) set by both federal and state laws. The lack of consistent legislation at the state level has resulted in variations with respect to how and when PHI may be disclosed. A common set of policies is a critical component to achieve the goal of interoperable electronic health information exchange (HIE).

Objective: To investigate state laws and regulations that are related to PHI disclosure by the source, holder, and type of PHI data.

Methods: Data were provided by 11 states that participated in a Multi-State Consent Collaborative Project. Information pertaining to state laws and regulations related to the disclosure of an adult person's PHI for emergency and non-emergency treatment was analyzed via both quantitative (descriptive statistics) and qualitative analyses (network analysis).

Results: Findings showed that all states regulate disclosures of PHI by the data holder, mainly by facility and provider type. Wisconsin regulates disclosures through all three types – facility, records, and provider; whereas Oklahoma and Utah regulate only by the type of records (e.g., communicable disease and controlled private records). Except for Oklahoma, Utah, Rhode Island, all other states regulate disclosures of PHI by the facility, the data were created by. Other than Utah, all states regulate PHI disclosures by data type. Almost all states have limitations on the disclosure of PHI related to mental health and HIV/AIDS.

Conclusion: There are differences in how state laws and regulations treat disclosures of PHI. In order to have efficient interoperable health information exchange, these discrepancies should be resolved. Concurrently, consistent state laws and regulations related to electronic HIE should not put the confidentiality of patient information at stake.