RHIO Regulatory Challenges (Part II)

June 24, 2011
Another common obstacle faced by RHIOs arises from the patchwork nature of state and federal privacy regulations. While the HIPAA Privacy Rule

Another common obstacle faced by RHIOs arises from the patchwork nature of state and federal privacy regulations. While the HIPAA Privacy Rule generally permits the use and disclosure of protected health information ("PHI") for a covered entity's treatment, payment and health care operations purposes, there are state and federal laws that impose additional restrictions on certain categories of especially sensitive information. For example, in California, there are state and federal laws that require patient authorization with respect to disclosures of:

(1) information relating to a patient's participation in outpatient treatment with a psychotherapist (Cal. Civil Code Seciton 56.104);

(2) psychotherapy notes, as defined by HIPAA;

(3) records of the identity, diagnosis, prognosis or treatment of any patient maintained in connection with any program or activity relating to alcoholism or alcohol abuse education, training, treatment, rehabilitation or reseach (42 CFR Section 2.2 and Cal. Health & Safety Code Section 11977);

(4) public health records relating to AIDS (Cal. Health & Safety Code Section 121025(a); and

(5) genetic test results (Cal. Civil Code Section 56.17).

Given that disclosures of these categories of information require patient authorization, some RHIO participating provider agreements simply require that this type of information not be transmitted using the RHIO. Can providers effectively scrub their data to exclude these categories of information? And what if a hospital, medical group or other provider slips up and discloses sensitive medical information through the RHIO without authorization?

Providers must live with these restrictions on a day-to-day basis, regardless of whether they engage in treatment disclosures through a RHIO or more traditional means. However, one difference is that a RHIO's facilitation of electronic exchange of data arguably raises the stakes when providers mistakenly disclose these sensitive categories of information without authorization. Another difference is that participation in a RHIO means (depending upon the RHIO structure) that a provider may have to concern itself not only with its own mistakes in permitting disclosures of sensitive medical information, but also the mistakes of the RHIO entity or RHIO technology vendor.

Sponsored Recommendations

Going Beyond the Smart Room: Empowering Nursing & Clinical Staff with Ambient Technology, Observation, and Documentation

Discover how ambient AI technology is revolutionizing nursing workflows and empowering clinical staff at scale. Learn about how Orlando Health implemented innovative strategies...

Enabling efficiencies in patient care and healthcare operations

Labor shortages. Burnout. Gaps in access to care. The healthcare industry has rising patient, caregiver and stakeholder expectations around customer experiences, increasing the...

Findings on the Healthcare Industry’s Lag to Adopt Technologies to Improve Data Management and Patient Care

Join us for this April 30th webinar to learn about 2024's State of the Market Report: New Challenges in Health Data Management.

Findings on the Healthcare Industry’s Lag to Adopt Technologies to Improve Data Management and Patient Care

2024's State of the Market Report: New Challenges in Health Data Management