Healthit.gov  /  Health IT Dashboard  /  Data  /  State Health IT Privacy and Consent Laws and Policies

/data

State Health IT Privacy and Consent Laws and Policies

This data was collected by the Office of the National Coordinator for Health IT in coordination with Clinovations and the George Washington University Milken Institute of Public Health. ONC and its partners collected the data through research of state government and health information organization websites. The dataset provides policy and law details for four distinct policies or laws, and, where available, hyperlinks to official state records or websites. These four policies or laws are: 1) State Health Information Exchange (HIE) Consent Policies; 2) State-Sponsored HIE Consent Policies; 3) State Laws Requiring Authorization to Disclose Mental Health Information for Treatment, Payment, and Health Care Operations (TPO); and 4) State Laws that Apply a Minimum Necessary Standard to Treatment Disclosures of Mental Health Information.

Data Source: US state public records and databases

Data Range: September, 2016

Last Updated: 07/12/2017

Download: [.csv]

API: https://dashboard.healthit.gov/api/open-api.php?source=state-health-it-privacy-consent-law-policies.csv
*This data is API accessible. See /api for documentation and guidance on how to use the API.

Methods and Notes: State Health IT Privacy and Consent Laws and Policies were developed by Office of National Coordinator for Health IT in coordination with Clinovations and the George Washington University Milken Institute of Public Health. ONC and its partners collected the data through research of state government and health information organization websites. It is intended to provide information on state laws and policies governing patient consent for exchange of personal health information as well as standards and authorization required for the disclosure of patient mental health information.

Documentation:
Documentation data: [.json]

Data FieldData DescriptionAdditional Information
stateState // The state in which has the privacy and consent policies for exchange of personal health information or standards and authorization requirement. This variable is applicable for all privacy and consent policies.
state_abbreviationState abbreviation // State abbreviationThis variable is applicable for all privacy and consent policies.
consent_authorization_policyType of policy // This dataset contains state policy information in four areas: 1) State Health Information Exchange (HIE) Consent Policies; 2) State-Sponsored HIE Consent Policies; 3) State Laws Requiring Authorization to Disclose Mental Health Information for Treatment, Payment, and Health Care Operations (TPO); 4) State Laws that Apply a Minimum Necessary Standard to Treatment Disclosures of Mental Health Information.The field contains one of four possible values: state sponsored HIE organization consent policies; state HIE consent policies; apply minimum necessary standard to treatment disclosures of mental health info; require auth to disclose mental health info for TPO.
organization_launch_dateOrganization and launch date // Organizations that serve as the state-sponsored and designated entity for HIE for each of the 50 states plus the District of Columbia. The launch date for when the HIE was functional and operational is included.This variable is only applicable to state sponsored HIE organization consent policies.
type_of_consent_policyTypes of consent policy // The type of consent policy that the respective state-designated HIE has adopted. Broadly, these policies fall under two categories: opt-out -patients may be automatically enrolled in the HIE but are given the opportunity to opt out of having their information stored and/or disclosed by the HIE; and opt-in - patient consent is required in order for patient health information to be stored and/or disclosed by the HIE. However, some state policies fall outside of these two broad categories, in which case descriptions of the policies are included.This variable is only applicable to state Health Information Exchange (HIE) consent policie and state-sponsored HIE consent policies.
details_of_consent_policyDetails of consent policy // If available, this variable provides a description of the depth of the consent policy for each respective state-designated HIE organization and how it works.This variable is only applicable to state Health Information Exchange (HIE) consent policie and state-sponsored HIE consent policies.
patient_notification_methodsPatient notification methods // If available, this variable includes information on the methods and materials used by the respective state-designated HIE organizations to notify patients/consumers of their consent and/or privacy and security policies.This variable is only applicable to state sponsored HIE organization consent policies.
additional_informationAdditional information // Information and materials that provide additional insight and understanding regarding each respective state-designated HIE, their consent policies, and/or privacy and security policies. This variable is only applicable to state sponsored HIE organization consent policies.
websites_and_publicly_available_resourcesWebsite and publicly available resources // Website and publicly available resourcesThis variable is only applicable to state Health Information Exchange (HIE) consent policies and state-sponsored HIE consent policies.
scope_of_consent_policyScope of consent policy // The breadth of the state HIE consent policy's applicability. When a consent policy applies statewide, it usually applies in one of the following ways: 1) by giving rights to all patients in the state; 2) by requiring healthcare providers to abide by the consent policy; or 3) by requiring health information organizations in the state to abide by the consent policy. When a consent policy does not apply statewide, this column describes the organization(s) required to follow the state HIE consent policy.This variable is only applicable to state Health Information Exchange (HIE) consent policies.
source_of_consent_policySource of consent policy // The most authoritative source that articulates the patient consent policy: statute, regulation, or a state agency-produced policy document. A statute is a formal written enactment of the state legislative body that has the force of law. A regulation is a rule of order prescribed by an authorized body (e.g. state agency) that also has the force of law. A state-agency produced policy document provides guidance for the implementation or operation of a particular statute or regulation, but does not have the force of law. Statutes and regulations are the most authoritative sources of law in a state and must be complied with; state agency-produced policy document provide explanatory guidance to assist with compliance. The source is hyperlinked to the relevant statute, regulation, or policy document for that state.This variable is only applicable to state Health Information Exchange (HIE) consent policies.
source_of_consent_policy_urlSource of consent policy url // The web address for the state policy document referred to in the source of consent policy field.This variable is only applicable to state Health Information Exchange (HIE) consent policies.
state_involvement_in_creating_consent_policy_if_source_is_not_a_statute_regulationState's involvement in creating consent policy if policy is not a state statute or regulation // For statutes and regulations, the source of the consent policy is clear (state legislatures and state agencies, respectively). For states where the most authoritative source articulating the consent policy is a state agency-produced policy document, this variable provides information on the connection between the state government and the agency or organization that produced the consent policy. The following types of policies are not considered to be produced by a state agency and as such are NOT included, even where the HIE is state-designated: Policies articulated by HIEs that are neither a state government entity nor actively run, overseen, or managed by a state government entity; Policies articulated by HIEs in states that only provide funding for HIE activities without conditioning the funding upon adherence to state-approved patient consent requirements; Policies articulated by HIEs in states where state actors may participate as stakeholders on the board of the state-designated HIE but do not have any powers of oversight or approval.This variable is only applicable to state Health Information Exchange (HIE) consent policies.
statewide_applicability_y_nStatewide applicability // Whether or not a state's consent policy applies statewide [Yes/No] (i.e., to all HIEs operating in the state). Most state HIE consent policies that do not apply statewide only apply to the state-run HIEs in those states.This variable is only applicable to state Health Information Exchange (HIE) consent policies.
applies_minimum_necessary_standard_to_treatment_disclosuresApplies minimum necessary standard to treatment disclosures where mental health information is being disclosed // Whether or not a state applies the minimum necessary standard to treatment disclosures where mental health information is being disclosed (Yes/No). Under the HIPAA Privacy Rule, disclosures for treatment, payment, and healthcare operations (TPO) do not require patient authorization. The Privacy Rule also requires that most disclosures be limited to the "minimum [amount of protected health information] necessary" to achieve the purpose for which the information was released or requested. HIPAA does not apply this limitation to disclosures for treatment purposes. However, some states have enacted statutes or regulations that apply the minimum necessary standard to treatment disclosures where mental health information is being disclosed, which is a stronger standard than HIPAA and therefore is not preempted by federal law.This variable is only applicable to state laws that apply a minimum necessary standard to treatment disclosures of mental health information.
requires_authorization_for_one_or_more_tpo_disclosures_that_would_be_permitted_under_hipaa_without_authorizationRequires authorization for one or more TPO disclosures that would be permitted under HIPAA without authorization // Requires authorization for one or more TPO disclosures that would be permitted under HIPAA without authorization (Yes/No). Under the HIPAA Privacy Rule, disclosures for treatment, payment, and healthcare operations (TPO) do not require patient authorization. However, some states have enacted statutes or regulations that require authorization to disclose mental health information, either from the patient (or their representative in the case of incapacity) or from an authority like a mental health program director. This additional authorization requirement in the case of mental health information is a stronger standard than HIPAA and therefore is not preempted by federal law.This variable is only applicable to state laws and policies that require authorization to disclose mental health information for treatment, payment and health care operations.
citation_of_statute_or_regulationCitation of statute or regulation // Statute or regulation enacted by state.This variable is only applicable to state laws that apply a minimum necessary standard to treatment disclosures of mental health information and laws and policies that require authorization to disclose mental health information for treatment, payment and health care operations.
citation_of_statute_or_regulation_urlStatute or regulation url // The web address of the statute or regulation enacted by the state.This variable is only applicable to state laws that apply a minimum necessary standard to treatment disclosures of mental health information and laws and policies that require authorization to disclose mental health information for treatment, payment and health care operations.
narrative_description_of_state_lawNarrative description of state law // Description of state lawThis variable is only applicable to state laws that apply a minimum necessary standard to treatment disclosures of mental health information and laws and policies that require authorization to disclose mental health information for treatment, payment and health care operations.
definition_or_scope_of_information_material_covered_by_policyDefinition or scope of information material covered by policy // Definition or scope of information/material covered by application of minimum necessary requirement or additional authorization requirement.This variable is only applicable to state laws that apply a minimum necessary standard to treatment disclosures of mental health information and laws and policies that require authorization to disclose mental health information for treatment, payment and health care operations.

This is an ongoing project managed by the Office of the National Coordinator for Health Information Technology, an agency of the Department of Health and Human Services. If you have any questions or concerns about this documentation, please contact ONC.Request@hhs.gov