Another common obstacle faced by RHIOs arises from the patchwork nature of state and federal privacy regulations. While the HIPAA Privacy Rule generally permits the use and disclosure of protected health information ("PHI") for a covered entity's treatment, payment and health care operations purposes, there are state and federal laws that impose additional restrictions on certain categories of especially sensitive information. For example, in California, there are state and federal laws that require patient authorization with respect to disclosures of:
(1) information relating to a patient's participation in outpatient treatment with a psychotherapist (Cal. Civil Code Seciton 56.104);
(2) psychotherapy notes, as defined by HIPAA;
(3) records of the identity, diagnosis, prognosis or treatment of any patient maintained in connection with any program or activity relating to alcoholism or alcohol abuse education, training, treatment, rehabilitation or reseach (42 CFR Section 2.2 and Cal. Health & Safety Code Section 11977);
(4) public health records relating to AIDS (Cal. Health & Safety Code Section 121025(a); and
(5) genetic test results (Cal. Civil Code Section 56.17).
Given that disclosures of these categories of information require patient authorization, some RHIO participating provider agreements simply require that this type of information not be transmitted using the RHIO. Can providers effectively scrub their data to exclude these categories of information? And what if a hospital, medical group or other provider slips up and discloses sensitive medical information through the RHIO without authorization?
Providers must live with these restrictions on a day-to-day basis, regardless of whether they engage in treatment disclosures through a RHIO or more traditional means. However, one difference is that a RHIO's facilitation of electronic exchange of data arguably raises the stakes when providers mistakenly disclose these sensitive categories of information without authorization. Another difference is that participation in a RHIO means (depending upon the RHIO structure) that a provider may have to concern itself not only with its own mistakes in permitting disclosures of sensitive medical information, but also the mistakes of the RHIO entity or RHIO technology vendor.