SB195 Clarify and Enhance Privacy Protections for Electronic Health Records

Joint Committee on Economic Development & Emerging Technologies

The Massachusetts Health & Hospital Association (MHA), on behalf of its member hospitals and health systems, appreciates this opportunity to submit comments in opposition to SB195, "An Act to Clarify and Enhance Privacy Protections for Electronic Health Records (EHRs)."

MHA is opposed to SB195 given existing state and federal requirements and the current level of statewide collaborative efforts and activities on the Health Information Technology (HIT) front. We believe SB195 would actually impede the progress that state government and innovative healthcare providers have made in developing an interoperable healthcare information and exchange system. For example, Section 1 of SB195 would prevent providers from sharing clinical information for the treatment of a patient unless the patient specifically authorizes the information to be shared via electronic means. This effectively means that if a provider refers a patient to a lab or to another healthcare provider for ancillary-level services, the treating provider would need to obtain an authorization from the patient to receive information from the referring provider as well as a separate authorization to be part of, and receive information from, the electronic information system. This may not be the intent of this section, but, as drafted, it would impose an unnecessary administrative barrier to medical records/information that would impede the adoption of EHR systems by providers throughout the state.

SB195 would also require organizations funded by the E-Health Institute Fund to conduct security audits on their EHR networks. However, Massachusetts already is at the forefront in the development of EHR systems and the protection of patient privacy, as advanced and supported by both federal and state healthcare reform laws. In addition, the state's Health Information Technology Council already has a multi-stakeholder committee of experts, including consumers, who are reviewing concerns related to patient privacy and the security of patient health information for health information exchanges. The audits directed by SB195 ignore the collaborative efforts of stakeholders to secure patient privacy at the outset.

Ch. 305 of the Acts of 2008, as most recently updated by Section 136 of Chapter 224 of the Acts of 2012, already directs the Executive Office of Health and Human Services (EOHHS) and the HIT Council to, among other provisions: (1) ensure that each patient will have secure electronic access to such patient’s EHRs with each of such patient’s providers; (2) ensure that the design of the statewide health information exchange (HIE) includes the ability to transmit copies of EHRs to patients directly or allow facilities to provide mechanisms for such patient to access such patient’s own EHR; and (3) require that all providers in the commonwealth shall implement fully interoperable EHR systems that connect to the statewide HIE.

These existing acts also direct the commonwealth’s HIT Council to develop a state plan that must: (a) provide consumers with secure, electronic access to their own medical information; (b) give patients the option of allowing only designated healthcare providers to disseminate their individually identifiable information; and (c) ensure that EHR systems are fully interoperable and secure and that sensitive patient information is kept confidential. In addition, the statewide HIT plan must: 1) establish a mechanism to allow patients to opt-in to a health information network and to opt-out at any time; and 2) require data encryption, unique alpha-numerical identifiers and password protection for patient information and develop other methods to prevent unauthorized access to identifiable health information; and 3) develop and distribute to authorized users of the health information network and to prospective network participants, written guidelines addressing privacy, confidentiality and security of health information and inform individuals of what information about them is available, who may access their information, and the purposes for which their information may be accessed.

While MHA and our members strongly agree that appropriate privacy protections must be put into place to ensure stakeholder trust in any EHR system, the creation of potentially duplicative and conflicting state requirements as directed under SB195 will make it problematic for the state to develop interoperable systems. The legislature should not delay and complicate the expansion of EHRs and the HIE, which is an express goal of Ch. 224. The ability of these new technologies to improve quality and reduce costs through the exchange of health data will assist in the transformation of our healthcare system. The current review requirements and standards that have been put forward by Chapter 305, Chapter 224, EOHHS and the state's HIT Council already help ensure the security and privacy of patient health information. We are opposed to SB195 because the adoption of the provisions set forth in this legislation directly conflicts with the ongoing security and privacy protections being put into place by state regulators and, prior to the development of final national standards on the compatibility and appropriateness of EHRs, could impede further adoption of this technology and restrict the ability of physicians, hospitals, and the commonwealth, to access our fair share of federal funding through the ARRA/HITECH Act.

Thank you for the opportunity to offer testimony on this important matter. If you have any questions regarding this testimony, or require further information, please contact Michael Sroczynski, MHA's Vice President of Government Advocacy, at (781) 262-6055 or Sroczynski@mhalink.org.