This information is for reference purposes only. It was current when produced and may now be outdated. Archive material is no longer maintained, and some links may not work. Persons with disabilities having difficulty accessing this information should contact us at: https://info.ahrq.gov. Let us know the nature of the problem, the Web address of what you want, and your contact information.
Please go to www.ahrq.gov for current information.
- Patient focus:
- Business Operations focus:
- Weak policies
- Narrow policies
- Legal focus:
- Weak understanding of the law
- Antiquated state laws
- Regional focus:
Establishing patient consent. Clarifying and coordinating patient consent and authorization for data uses and disclosures is a paramount concern. A related issue is how to adequately prepare patients to make informed decisions about the disposition of their clinical data.
Business operations focus:
Electronicization. The vast majority of health care providers in Kansas have not yet adopted electronic information technologies to manage and store clinical data. Current information safeguards, therefore, are overwhelmingly manual. Adaptation of existing policies and procedures to an interoperable electronic environment presents a significant challenge.
Weak policies. Health information exchange security in many places is governed by workgroup behavior norms rather than adherence to formal policies and procedures, even where formal policies and procedures do exist. Though behaviors and policies often coincide, in some cases behavioral norms circumvent policies.
Narrow policies. Many providers handle protected health information in non-clinical applications such as billing systems. Formal polices and procedures for protecting information privacy and security are common in such venues. However, these policies and procedures focus mainly on internal business operations and largely do not address information exchanges with outside parties, except for claims submissions for payment.
KS LWG analysis of scenarios identified broader legal concerns than were identified by other stakeholders
Weak understanding of the law. Most businesses diligently attempt to comply with Kansas law and with their individual interpretations of HIPAA. But state privacy and confidentiality laws are fragmented and are weakly understood. Interpretations of the law vary greatly, so the quality of implementation may be inconsistent and "HIPAA compliance" can become a pretext for unnecessarily complicating or denying requests for HIE.
Antiquated state laws. Kansas statutes and administrative regulations are antiquated and largely fail to contemplate electronic health information exchange. Stakeholders seem to be unaware of or unconcerned with the potential legal pitfalls resulting from the interplay between state law and administrative regulation and HIPAA requirements, even though they are keenly aware of the need to honor patient privacy. "HIPAA" may then become the rubric for any restrictions on HIE to maintain patient privacy.
Multi-state solutions. Much health information exchange in eastern Kansas is interstate; therefore business and legal solutions must be coordinated regionally
Previous Slide Contents Next Slide