HIPAA Must Die

by Brian Murphy | June 18, 2015

Do we really need HIPAA and fifty different state versions of HIPAA to make patient data private and secure?


And HIPAA has a lot of company. Each state also has different rules for telemedicine, for credentialing, for nurse staffing levels, for reimbursement, and the list goes on. The time has come for healthcare providers and other stakeholders to call for a harmonized regulatory regime for a tangle of issues in healthcare. Providers with operations in a single state may be less likely to feel the negative impact of all these rules for separate states. But consolidation and centralization are causing more HCOs to operate in multiple states and everyone is affected by differences between state and federal rules, especially in privacy and security.

Reading through the responses to ONC’s Interoperability Roadmap, the volume and intensity of concerns about data privacy and security shine through. Provider organizations, HIT vendors, and individuals had a constellation of privacy and security observations and requirements. Some were clearly worried about data being misused. Others were concerned about liability. Still others fretted about the costs of compliance. A common thread concerned the challenge of observing the federally-mandated HIPAA rules and fifty different state “baby” HIPAA rules. HIT vendors have long since adjusted to this maze of regulations – but not without cost. For HIPAA support, most have invested significantly in product development to be able to operate across the states.

More than 70 years ago the banking industry, confronted by 50 different state regulatory schemes, took direct action. They eventually convinced all of the states to enact a regulatory regime called the Uniform Commercial Code (UCC). The goal was to harmonize state laws to make banking and commerce across state lines rational and coherent.  Working from a set of rules of the road endorsed by a single, private “standards” organization, each state enacted laws that enabled interstate banking and commerce while preserving some flexibility for local conditions and requirements. This system has evolved over the years and continues to make it easy and predictable for enterprises to bank, conduct business, and generally follow the rules. Instructively for healthcare, the system also meant that the feds never needed to pass similar and competing laws.

Applying the UCC approach has several advantages for the healthcare industry. Consistent rules and procedures make it less costly for HIT vendors to build and deploy their products, and hopefully pass those savings to their HCO customers. For those who disfavor national regulations, this approach provides the predictability that HCOs desire with less red tape. The idea is not completely alien to healthcare – the Uniform Anatomical Gift Act has been around since 1968.

As the commenters to the Interoperability Roadmap so eloquently described, simplified administrative processes that also provide important protections for patients will be important in the coming transformation of healthcare. Now would be a good time to look more closely at best practices in another industry and determine how healthcare could benefit from some level of uniformity across the states.

One response to “HIPAA Must Die”

  1. […] their digital information.  Not surprisingly, one stakeholder insists, with great insistence, that it’s time for things to change.  What prompted his outburst was some time reading through the comments on ONC’s recently […]
