Cleveland County counselors concerned about new health information law
Mar. 19—Legislation requiring health care providers to enter patient records into an online database has local counselors concerned about client privacy.
In 2021, Senate Bill 574 created the Oklahoma State Health Information Exchange.
In 2022, SB 1369 created the Office of State Coordinator for Health Information Exchange, which is overseen by the Oklahoma Health Care Authority.
The authority will consider implementing the legislation July 1, which would mean all licensed health care providers must join the exchange. Oklahoma health care providers would pay $5,000 to enroll in the system, according to a fact sheet provided by the authority.
The exchange is operated by MyHealth, a Tulsa-based nonprofit. Exchanges are healthcare information databases that allow for patient healthcare records to be shared and accessible to all participating providers.
Health information exchanges are intended to aid in the coordination of care between providers in that a patient's medical records will be readily accessible, thus allowing providers to easily review a patient's health history and decrease redundancies in treatment, such as retesting.
The health care authority's board of directors meets March 22 to establish permanent rules.
Emily Mick, licensed professional counselor and owner of Upstream Counseling Services, 317 W. Main St., said that while the agency says the system is HIPAA compliant, the exchange is harmful.
"Behavioral Health Care has extra protections in HIPAA and is often not included in any kind of health information exchange system, because mental health records and substance abuse treatment records are very sensitive," Mick told The Transcript.
Mick said providers have an oath to consider the possible harm of intervention, and "having the records of mental health treatment accessible by anyone in the system is dangerous."
HIPPA, or Health Insurance Portability and Accountability Act, is a federal law that sets a national standard to protect medical records and other personal health information.
Christina Foss, deputy chief of staff for the Oklahoma Health Care Authority, said the agency understands the importance of privacy considerations, and is working to ensure best practices and appropriate privacy safeguards, including all legal and licensure requirements under HIPAA and other applicable state and federal laws.
"Providers and patients are in control of what data they share. Sensitive information of any type (behavioral or otherwise) is withheld by providers who mark a chart or note as sensitive," Foss said in a statement Friday. "The system conforms to all HIPAA regulations and is regularly audited to ensure compliance."
Foss said any care or services covered under 42 CFR Part 2 are excluded from data transmission, and psychotherapy notes from any provider are marked as sensitive and excluded from transmission to the HIE.
According to the Substance Abuse and Mental Health Services Administration, 42 CFR Part 2 serves to protect patient records created by federally assisted programs for the treatment of substance abuse.
With many health information exchanges, Mick said medical providers put in a patient's name and date of birth, which brings up a prompt asking if the one searching through the database is a provider.
"We're assuming everyone is going to be honest and follow HIPAA law," Mick said. "As someone in the mental health field who has sometimes heard the worst things human beings are willing to do to each other, maybe I'm less likely to believe that."
Mick said the most vulnerable populations will be impacted the most.
"This disproportionately affects women and those of minority status who don't trust that they'll be listened to by their doctors — now add in this additional layer," she said.
Mick said pregnant women struggling with the emotional and psychological aspects of pregnancy may not seek care if they're afraid of current legislation surrounding pregnancy.
"There are many research articles and studies out there about how mental health bias and stigma in medical professions often results in lack of care or insufficient care to an individual having a medical situation because of the assumption that the symptoms being reported, are more of a mental health thing," she said.
Earlier this month, mental health providers formed the Oklahoma Providers for Privacy Coalition.
Shay Espinosa, executive director and co-owner of Integrated Therapy Solutions, 620 NW 5th St. in Moore, said mental health providers are seeking an exemption from the exchange.
"Anything other than black and white is leaving us room for injustice to those that we serve and an inability to protect them," Espinosa said.
According to a fact sheet from the health care authority, patients may decide to restrict medical records shared.
While a patient can fill out an opt-out form, Espinosa said their name and services sought would still be entered into the health information exchange system.
"Even that opt out form identifies the patient's relationship with a mental health provider, and that is not okay," she said. "We need all of those records to be exempted."
Mick and Espinosa raised concerns about the security of the online information.
"We can't ignore the fact that on March 9, Congress's health information exchange DC Health Link was hacked," Espinosa said. "I think it was 200 members of Congress, their information was hacked, so how are we supposed to feel safe knowing that literally just happened this month?"
Mick said she is skeptical about how a patient's care will remain confidential but will also be used to "gather information needed for programs."
Foss said patient specific data will only be available to health care providers involved in a patient's care.
"Data used for public health purposes would only ever be aggregate, de-identified data and would require approval from the security governance committee," Foss said in a statement.
The Oklahoma Health Care Authority amended board meeting is scheduled for 2 p.m. Wednesday. To sign up for public comment, email email@example.com.