RHIO Regulatory Challenges (Part II)

June 24, 2011
Another common obstacle faced by RHIOs arises from the patchwork nature of state and federal privacy regulations. While the HIPAA Privacy Rule

Another common obstacle faced by RHIOs arises from the patchwork nature of state and federal privacy regulations. While the HIPAA Privacy Rule generally permits the use and disclosure of protected health information ("PHI") for a covered entity's treatment, payment and health care operations purposes, there are state and federal laws that impose additional restrictions on certain categories of especially sensitive information. For example, in California, there are state and federal laws that require patient authorization with respect to disclosures of:

(1) information relating to a patient's participation in outpatient treatment with a psychotherapist (Cal. Civil Code Seciton 56.104);

(2) psychotherapy notes, as defined by HIPAA;

(3) records of the identity, diagnosis, prognosis or treatment of any patient maintained in connection with any program or activity relating to alcoholism or alcohol abuse education, training, treatment, rehabilitation or reseach (42 CFR Section 2.2 and Cal. Health & Safety Code Section 11977);

(4) public health records relating to AIDS (Cal. Health & Safety Code Section 121025(a); and

(5) genetic test results (Cal. Civil Code Section 56.17).

Given that disclosures of these categories of information require patient authorization, some RHIO participating provider agreements simply require that this type of information not be transmitted using the RHIO. Can providers effectively scrub their data to exclude these categories of information? And what if a hospital, medical group or other provider slips up and discloses sensitive medical information through the RHIO without authorization?

Providers must live with these restrictions on a day-to-day basis, regardless of whether they engage in treatment disclosures through a RHIO or more traditional means. However, one difference is that a RHIO's facilitation of electronic exchange of data arguably raises the stakes when providers mistakenly disclose these sensitive categories of information without authorization. Another difference is that participation in a RHIO means (depending upon the RHIO structure) that a provider may have to concern itself not only with its own mistakes in permitting disclosures of sensitive medical information, but also the mistakes of the RHIO entity or RHIO technology vendor.

Sponsored Recommendations

How Digital Co-Pilots for patients help navigate care journeys to lower costs, increase profits, and improve patient outcomes

Discover how digital care journey platforms act as 'co-pilots' for patients, improving outcomes and reducing costs, while boosting profitability and patient satisfaction in this...

5 Strategies to Enhance Population Health with the ACG System

Explore five key ACG System features designed to amplify your population health program. Learn how to apply insights for targeted, effective care, improve overall health outcomes...

A 4-step plan for denial prevention

Denial prevention is a top priority in today’s revenue cycle. It’s also one area where most organizations fall behind. The good news? The technology and tactics to prevent denials...

Healthcare Industry Predictions 2024 and Beyond

The next five years are all about mastering generative AI — is the healthcare industry ready?