• Mission & Governance
• Services Overview
• How to Get Involved
• Standing Committees
• NCSL Foundation

• Issue Areas: A-Z
• State-Federal Relations
• NCSL Standing Committees
• News from D.C. and the States

• About State Legislatures
• Elections, Campaigns & Redistricting
• NCSL's StateConnect Directory
• Web Sites

• Online Guide to NCSL Services
• Staff Sections and Networks
• Meetings & Professional Development
• Staff Directories

• Meetings Calendar
• Online Registration
• Meetings Home Page
• Legislative Summit

• Bookstore
• State Legislatures Magazine
• NCSL's StateConnect Directory

HIPAA: Impacts and Actions by States
Medical record privacy, security and electronic transactions.

Updated: March 18, 2008

The Health Insurance Portability and Accountability Act of 1996, known as HIPAA, continues to have a broad impact on state health policy, as well as on virtually all health providers, insurers and health consumers. Listed below are brief updates and resources of potential interest to state legislatures.

Health Information Technology

NCSL’s Project HITCh—for Health Information Technology Champions—supports state legislative decision-making about HIT. For details about what states are doing, go to www.ncsl.org/programs/health/forum/hitch/.  Also, a 2007 NCSL report describes and provides links to specific state legislation on HIT and public reporting: www.ncsl.org/programs/health/Transparency.htm.

• "Profiles in Progress: State Health IT Initiatives," by the National Association of State CIOs, a compendium highlighting health IT initiatives in all 50 states and D.C.  Released 11/15/06 [54 pages PDF]
• HEALTH INFORMATION TECHNOLOGY:  Efforts Continue but Comprehensive Privacy Approach Needed for National Strategy- Report by the Government Accountability Office identifies challenges that the Department of Health and Human Services faces in trying to protect electronic patient data. However, HHS says that it already has adopted a privacy approach. 6/19/07. [ PDF, 23 pages] 
• CMS Gears Up for South Carolina Test of Personal Health Records - The Centers for Medicare and Medicaid Services project will offer personal health records to 100,000 participants in South Carolina's Medicare fee-for-service program and will include a campaign to encourage use of the PHRs. The results of the South Carolina project will be compared with the results of earlier PHR initiatives. Government Health IT, 1/21/08.
• White House Orders Nationwide Health Information Standards as States Move Ahead, issued 9/4/06 
• E-Scripts (June 12, 2006)
• Health Information at Risk of Piracy, Despite Federal Law, 2/20/06.
• Incorporating Technology report, 2/20/06.

• 2006 Minnesota e-Health Initiative Progress Report to the Minnesota Legislature  [ PDF, 23 pages]
•             Minnesota e-Health Reports and Recommendations
• HIPAA Focus Changes from Compliance to Improving Efficiency, Reducing Costs -Phoenix Health Systems and HIMSS, 2/17/06.
• Steps Toward HIPAA Compliance - HHS summary re: electronic transactions, 10/16/03
• View the Electronic Transactions HIPAA rule online.
• eHealth Initiative - an association with information on commercial and governmental projects. Updated regularly, 2007.

• Physician Use of Electronic Prescribing and Barriers to Adoption

  • Despite the benefits of electronic prescribing, adoption is still modest. Current surveys estimate that between 5% and 18% of physicians and other clinicians are using electronic prescribing.
  • Key barriers to clinician adoption include startup cost, lack of specific reimbursement, and fear of reduced efficiency in the practice.
  • The implementation of the prescribing system must fit into the business flow and enhance knowledge, rather than be viewed as “extra work.” Electronic prescriptions need to be seen, in many ways, as an extension of a written prescription, for adoption to occur. The benefits to all parties – pharmacist, clinician and patient – should be the ultimate goal in the adoption of electronic prescribing.

  Source: Electronic Prescribing: Toward Maximum Value and Rapid Adoption Recommendations for Optimal Design and Implementation to Improve Care, Increase Efficiency and Reduce Costs in Ambulatory Care, a Report of the Electronic Prescribing Initiative eHealth Initiative. 

Medical Record Privacy:

As of April 14, 2003 "health plans, hospitals, doctors and other health care providers around the country must comply with new federal privacy regulations," according to Secretary Tommy Thompson of the Department of Health and Human Services (HHS). Billions of dollars are being spent to bring public and private sector records into compliance. The following is the department's description, stated in April, 2003:
"These new federal health privacy regulations set a national floor of privacy protections that will reassure patients that their medical records are kept confidential. The rules will help to ensure appropriate privacy safeguards are in place as we harness information technologies to improve the quality of care provided to patients. Consumers will benefit from these new limits on the way their personal medical records may be used or disclosed by those entrusted with this sensitive information.

The new protections give patients greater access to their own medical records and more control over how their personal information is used by their health plans and health care providers. Consumers will get a notice explaining how their health plans, doctors, pharmacies and other health care providers use, disclose and protect their personal information. In addition, consumers will have the ability to see and copy their health records and to request corrections of any errors included in their records. Consumers may file complaints about privacy issues with their health plans or providers or with our Office for Civil Rights."

PRIVACY ON-LINE RESOURCES:

• "Health Privacy" - NCSL web menu page, part of general state privacy actions, by Legislative Information Services. Updated 2007.
• "Surveys show public distrusts HIPAA; researchers detest it" - Nearly three of five Americans agree that the privacy of their health information is not well protected by federal and state laws and organizational practices. Report in GovHealthIT.com 10/2/07. 
• Warnings Over Privacy of U.S. Health Network - New York Times, 2/18/2007.
• "Personal Health Records: The People's Choice?" National Health Policy Forum, 11/30/06.  
• HEALTH INFORMATION TECHNOLOGY:  Efforts Continue but Comprehensive Privacy Approach Needed for National Strategy- Report by the Government Accountability Office identifies challenges that the Department of Health and Human Services faces in trying to protect electronic patient data. However, HHS says that it already has adopted a privacy approach. 6/19/07. [ PDF, 23 pages] 

• Balancing Patient Privacy with the Need to Know  Obtaining a patient's health history is vital to ensuring proper treatment, yet disclosing information about mental health or substance abuse can result in social stigma, job loss, or even criminal prosecution. A new issue brief considers how best to balance privacy and disclosure in an age when sharing information has never been easier.  CA Healthcare Foundation brief, 3/08

• "Many U.S. Adults are Satisfied with Use of Their Personal Health Information; Some Withhold Information Due to Medical Data Security Worries" - While many U.S. adults indicate that they are generally satisfied with how their personal health information is used, a substantial number has serious reservations about the confidentiality and security of their health data, with some withholding information due to these concerns, according to a survey conducted by Harris Interactive.   3/26/07.

•  Less Than 25% of Medical Privacy Complaints Investigated Less than a quarter of the total medical privacy complaints lodged with the US Department of Health and Human Services (HHS) were deemed eligible for further investigation, reports Melamedia's 3rd Annual Review of Medical Privacy and Security Enforcement. 12/14/06 
• Medical Privacy - National Standards to Protect the Privacy of Personal Health Information - detailed explanations by the HHS Office for Civil Rights, update July 2004.
• Survey Finds HIPAA Compliance Low - AHIMA 4/18/06 Compliance with federal privacy rules regarding patients' medical records that went into effect three years ago has declined, according to an annual American Health Information Management Association survey, Government Health IT reports.  The survey of 1,117 hospitals and health systems found that 85% of respondents said they are mostly compliant with HIPAA privacy rules, compared with 91% in 2005. "A slight drop in the number of facilities reporting themselves to be fully or mostly compliant with HIPAA should serve as a warning to the industry that compliance should not be taken for granted," said AHIMA President Jill Callahan Dennis (Ferris, Government Health IT, 4/19).   Fifty-five percent of respondents said lack of resources was the chief barrier to complete compliance, Health Data Management reports. They also cited as barriers a loss of senior management support and less focus on the privacy rule by some staff.  
       The survey, which was conducted in January 2006, also asked about compliance with HIPAA security rules. It found that one year after the compliance date, 25% of respondents said their organizations are fully compliant, and half of respondents said their organizations are between 85% and 95% compliant, Health Data Management reports. A survey a year earlier found that 17% of organizations believed they were fully compliant and 43% believed they were substantially compliant (Health Data Management, 4/19).  The complete report is available online.
  
• "Newborn Genetic Screening Privacy Laws" - Includes state laws that go beyond HIPAA. NCSL compilation from 2002.
• Bill Would Limit Obtaining, Selling Medical Records  The Missouri Senate on April 13, 2006 unanimously passed legislation (SB 1041) that would make it a crime to sell or obtain patients' health records without their consent. The bill now goes the House. AP/Kansas City Star.  
• NASCIO's Federal Privacy Law Compendium Description Page NASCIO's Federal Privacy Law Compendium summarizes 10 federal privacy laws, including HIPAA, and provides states with a starting point to determine how the summarized laws might apply to them. (2005)
•  New Web Tool Helps Emergency Planners Comply with Health Privacy  - NGA summary of HHS guidelines, 07/13/06 
• DOJ Limits Prosecution of HIPAA Violations - article by iHealthBeat.org describing exemptions from prosection for most non-health entities and individuals, 6/7/05.
  • HIPAA Enforcement: Legal Opinion by the Dept. of Justice Legal Counsel, 6/1/05.
• HIPAA Privacy Rule and Public Health - updated summary from CDC, emphasizing state and local government agency actions, 4/11/03.
• HHS Statement for Implementation , News release, 4/11/03.
• Health Information Privacy (HIPAA) Notices Have Improved Public's Confidence That Their Medical information Is Being Handled Properly - Yahoo News, 2/24/05.
• HIPAAComply.com - a commercial online resource.

HIPAA State Actions: Overviews and Examples:

• State Health Privacy Laws (2002) -a 50-state survey and database of existing state policies already in place, published by the Health Privacy Project.
• Arkansas: What Is HIPAA? -general information for providers, consumers and public agencies. Link update 2007. 
• California Department of Health Services (CDHS) Office of HIPAA Compliance (OHC) - updated materials, 2007.
• Connecticut: Notice of Privacy Practices, effective 4/14/03.  Link update 2007. 
• Florida: HIPAA Information - a history of compliance activities, 2002-2005 (no longer active) 
• Maryland: HIPAA Information - another resource information site.  Link update 2007. 
  • HIPAA: Guide to Privacy Readiness, II - Maryland's 50-page print format guide for affected parties, dated 2003. Link update 2007. 
• New York State Central HIPAA Coordination Project - Link update 2007.
• South Carolina HIPAA office, web site link update 2007.
• Utah: HIPAA State Law Guide - This guide results from the workgroup's combined efforts in applying standard preemption analysis to existing Utah state laws ~  Link update 2007.
• Washington State's HIPAA Partnership - guidelines for public and private sector, last updated 2006
• States Find New Medical Privacy Rules Costly, Confusing - Stateline news feature, 5/8/03. [updated 10/06]

In a separate process, HHS also has issued a Final Security Rule requiring health plans, certain health care providers and health information clearinghouses to establish "adequate administrative, physical, and technical safeguards to prevent unauthorized access to electronic patient health information."  Most covered entities will have until April 21, 2005 to comply with the new security standards.

• "HIPAA Security Rule Compliance Remains Low."  Though the deadline for compliance with the HIPAA Security Rule passed over a year ago, 80% of payers and only 56% of providers who responded to the US Healthcare Industry HIPAA Summer 2006 Survey have implemented the Security standards. 10/12/06 
• CMS Issues New Guidance for HIPAA Security Rule - article by iHealthBeat.org, 05/9/05

 --------------

NOTE: NCSL provides links to other Web sites from time to time for information purposes only. Providing these links does not necessarily indicate NCSL's support or endorsement of the site.

Return to  Health Finance  ||  Health Insurance and Managed Care Overviw  ||  Health Topics, A to Z