Health Data, Privacy and Security, Regulatory and Health Industry

Oklahoma Health Information Mandate Raises Privacy Concerns

Editor's note: According to a June 23, 2023, report by KFOR-TV, Oklahoma Governor Kevin Stitt rejected proposed administrative rule changes approved by the Oklahoma Health Care Authority to implement a health information exchange. The authority will work with the governor's office and legislators on next steps, the report says.

Beginning this summer, Oklahoma will mandate provider participation in its statewide health information exchange (HIE). The controversial move has sparked backlash and comes after Oklahoma's legislature in 2022 passed SB 1369, which created the Office of the State Coordinator for HIE within the Oklahoma Health Care Authority (OHCA). 

The legislation requires all healthcare entities licensed in the state to utilize and establish connections with the database by July 1. The measure aims to create a central repository of health records, making them more accessible to providers to improve care quality and outcomes. MyHealth, an HIE in the state since 2010, will operate the new network in partnership with OHCA and Orion Health. 

Oklahoma ranks 45th in state healthcare rankings, according to the United Health Foundation, and over 90 percent of Oklahomans have health records in multiple care delivery systems, so this integrated approach will enable providers to improve care coordination and outcomes through data sharing, says Stephen Miller, CHCIO, state coordinator for Oklahoma’s HIE. His office consulted CIVITAS Networks for Health and states that have launched similar mandates, such as Nebraska and North Carolina. 

For health information (HI) professionals, the HIE brings changes. They must navigate the state's connection process and work closely with their electronic health record (EHR) vendors to establish accurate data flows. They also must determine the data for submission and ensure it aligns with federal, state, and organizational guidelines. They will likely need to focus on data integrity, educating those inputting information into patient records on best practices and performing audits more frequently. 

Despite the potential benefits, the legislation has faced significant opposition. Providers are frustrated with the financial and technological strain they say the mandate creates. And in March, days before the OHCA board of directors finalized the exchange's administrative rules, hundreds of protesters marched on the state capitol over mental health privacy concerns. In addition, behavioral health providers have threatened to forfeit their licensure to avoid joining and subsequently sharing sensitive patient information in what they perceive as a code of ethics violation. 

Miller says only high-priority data elements, like those outlined in the United States Core Data for Interoperability, and public health metrics, such as discharge reporting, reportable conditions, and disease surveillance, will be included for transmission.  

He says psychotherapy notes and data related to the treatment of substance abuse disorders are never exchanged. "Certain behavioral health specialties in Oklahoma already have provisions in their licensure laws that prevent them from sharing data without written patient consent, and any patient can opt out of the HIE," he says.  

Mandating HIE Participation 

About 75 percent of hospitals nationwide already participate in at least one HIE, according to the latest report from the Office of the National Coordinator for Health Information Technology. Still, research suggests mandating participation at the state level may have merit.  

According to a 2022 study in The New England Journal of Medicine, states with legislation requiring patients to opt in by default, like Oklahoma, see a 16 percent jump in provider HIE use. And those receiving state, federal, or private funding or charging fees to participating organizations increase HIE usage by 18 percent. OHCA receives budget support from the state and some federal funding for HIE costs associated with serving the Medicaid population. According to Miller, Oklahoma providers will also pay an average connection fee of $5,000 and a monthly subscription fee between $20 to $55.  

More states may push for 100 percent HIE participation, says Seth Jeremy Katz, MPH, RHIA, FAHIMA, vice president of health information management (HIM) and revenue cycle at University Health in Kansas City, MO. But he expects legislatures are more likely to invest in improving the quantity and quality of data instead. 

"We need to get past this point of being petrified to share any information beyond basic data," he says, whether those fears arise from insufficient infrastructure or patient privacy. "[Organizations] should be sharing pretty much everything, with some exceptions."  

For example, Katz hopes providers will consider the bigger picture when it comes to mental health data. "All that data is pertinent to ensuring patients receive the best care and treatment," he says, adding that his organization navigated similar worries when it first began sharing data. "It's clearly treatment, payment, and healthcare operations (TPO) and protected by HIPAA (Health Insurance Portability and Accountability Act of 1996)."  

Federal legislation may facilitate greater interoperability by easing those fears and redefining patient protections. In April, the Department of Health and Human Services announced a proposed rule to strengthen patient privacy for reproductive healthcare, which has been a point of contention for patients and providers since the overturning of Roe v. Wade. Another proposed rule would allow patients to submit a one-time consent for their substance abuse treatment records to be used and disclosed for all future TPO operations.     

Balancing Privacy and EHR Logistics 

To address provider concerns, OHCA has formed a clinical-quality committee open to any provider in the state. The group will help define "appropriate and fair metrics" for HIE utilization that will be "very achievable" for all participating providers and improve patient outcomes, Miller says.  

OHCA has also made exemptions available for those unable to connect due to practice size, provider type, technological capability, or financial hardship.  

Data elements sent to the HIE will vary by provider type, and each organization must determine the appropriate data set to upload. However, most will be limited by the functionality of their EHR, which typically will not permit highly selective sharing, says Lori Black, MHA, RHIA, CHPS, CHDA, advocacy director for the Oklahoma Health Information Management Association (OkHIMA) and director of HIM operations for Integris Health. 

"If patients had to consent and opt in for mental health, we would exclude that information from being shared to the HIE for all patients," she says. But making such a move at the organizational level could negatively impact outside providers who already rely on the data, she adds. "We can turn sharing of all health information off and on per patient but cannot segment types of information at that level." 

The push for nationwide interoperability will likely only intensify, so these complex problems offer an opportunity for data managers to share their expertise and become more involved in preparing their organizations for greater connectivity, says Black. HI professionals may worry that interoperability will reduce their workload or eliminate their position, but Black encourages a shift in perspective. 

"Outside of compliance, nobody in the organization knows health information laws like [HI professionals] do. So there's a big opportunity to get involved, do more auditing, join MyHealth committees, educate employees and providers on data integrity best practices, and advocate for the patient and all the benefits that HIEs can have," she says.  

To that end, Black is already collaborating with her EHR vendor to explore customized data-sharing and integration possibilities. And as a member of MyHealth's operations management committee, she has begun discussions on developing a single sign-on for users to access the exchange through their existing EHR login. 

Health Information's Role in Defining Data  

Although several organizations applied for Trusted Exchange Framework and Common Agreement (TEFCA) approval to begin the process for consideration to become a qualified health information network, organizations should avoid placing the onus of interoperability problem-solving on EHR vendors and IT departments, says Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, vice president of privacy, compliance, and regulatory policy at MRO, a clinical data exchange company. She says that vendors remain substantial partners in the process, but health information managers should take the lead in educating their organizations and determining how incoming data integrates into the EHR and workflows.  

"Because so many people are entering information into the health record, like free text, HIM has to define the source of truth — the data elements — and the data collection processes," says Bowen. 

Without well-defined integration policies, critical information, such as admission, discharge, and transfer notifications, may be missed, increasing the risk of malpractice claims. Inaccurate data integration could also hinder the ability to fully evaluate deidentified health data and get ahead of public health emergencies. 

"Interoperability is the future, and we're going to see more benefits of it as time progresses," says Bowen. "There's a larger need now more than ever for people to understand the flow of data; what they're entering, where it's coming from and going, and what it's being used for. HIM professionals must get down to that level [of understanding]."  


Steph Weber is a Midwest-based freelance journalist specializing in healthcare and law.