| state | State // The state in which has the privacy and consent policies for exchange of personal health information or standards and authorization requirement. |
|---|
| state_abbreviation | State abbreviation // State abbreviation |
|---|
| consent_authorization_policy | Type of policy // This dataset contains state policy information in four areas: 1) State Health Information Exchange (HIE) Consent Policies; 2) State-Sponsored HIE Consent Policies; 3) State Laws Requiring Authorization to Disclose Mental Health Information for Treatment, Payment, and Health Care Operations (TPO); 4) State Laws that Apply a Minimum Necessary Standard to Treatment Disclosures of Mental Health Information. |
|---|
| organization_launch_date | Organization and launch date // Organizations that serve as the state-sponsored and designated entity for HIE for each of the 50 states plus the District of Columbia. The launch date for when the HIE was functional and operational is included. |
|---|
| type_of_consent_policy | Types of consent policy // The type of consent policy that the respective state-designated HIE has adopted. Broadly, these policies fall under two categories: opt-out -patients may be automatically enrolled in the HIE but are given the opportunity to opt out of having their information stored and/or disclosed by the HIE; and opt-in – patient consent is required in order for patient health information to be stored and/or disclosed by the HIE. However, some state policies fall outside of these two broad categories, in which case descriptions of the policies are included. |
|---|
| details_of_consent_policy | Details of consent policy // If available, this variable provides a description of the depth of the consent policy for each respective state-designated HIE organization and how it works. |
|---|
| patient_notification_methods | Patient notification methods // If available, this variable includes information on the methods and materials used by the respective state-designated HIE organizations to notify patients/consumers of their consent and/or privacy and security policies. |
|---|
| additional_information | Additional information // Information and materials that provide additional insight and understanding regarding each respective state-designated HIE, their consent policies, and/or privacy and security policies. |
|---|
| websites_and_publicly_available_resources | Website and publicly available resources // Website and publicly available resources |
|---|
| scope_of_consent_policy | Scope of consent policy // The breadth of the state HIE consent policy’s applicability. When a consent policy applies statewide, it usually applies in one of the following ways: 1) by giving rights to all patients in the state; 2) by requiring healthcare providers to abide by the consent policy; or 3) by requiring health information organizations in the state to abide by the consent policy. When a consent policy does not apply statewide, this column describes the organization(s) required to follow the state HIE consent policy. |
|---|
| source_of_consent_policy | Source of consent policy // The most authoritative source that articulates the patient consent policy: statute, regulation, or a state agency-produced policy document. A statute is a formal written enactment of the state legislative body that has the force of law. A regulation is a rule of order prescribed by an authorized body (e.g. state agency) that also has the force of law. A state-agency produced policy document provides guidance for the implementation or operation of a particular statute or regulation, but does not have the force of law. Statutes and regulations are the most authoritative sources of law in a state and must be complied with; state agency-produced policy document provide explanatory guidance to assist with compliance. The source is hyperlinked to the relevant statute, regulation, or policy document for that state. |
|---|
| source_of_consent_policy_url | Source of consent policy url // The web address for the state policy document referred to in the source of consent policy field. |
|---|
| state_involvement_in_creating_consent_policy_if_source_is_not_a_statute_regulation | State’s involvement in creating consent policy if policy is not a state statute or regulation // For statutes and regulations, the source of the consent policy is clear (state legislatures and state agencies, respectively). For states where the most authoritative source articulating the consent policy is a state agency-produced policy document, this variable provides information on the connection between the state government and the agency or organization that produced the consent policy. The following types of policies are not considered to be produced by a state agency and as such are NOT included, even where the HIE is state-designated: Policies articulated by HIEs that are neither a state government entity nor actively run, overseen, or managed by a state government entity; Policies articulated by HIEs in states that only provide funding for HIE activities without conditioning the funding upon adherence to state-approved patient consent requirements; Policies articulated by HIEs in states where state actors may participate as stakeholders on the board of the state-designated HIE but do not have any powers of oversight or approval. |
|---|
| statewide_applicability_y_n | Statewide applicability // Whether or not a state’s consent policy applies statewide [Yes/No] (i.e., to all HIEs operating in the state). Most state HIE consent policies that do not apply statewide only apply to the state-run HIEs in those states. |
|---|
| applies_minimum_necessary_standard_to_treatment_disclosures | Applies minimum necessary standard to treatment disclosures where mental health information is being disclosed // Whether or not a state applies the minimum necessary standard to treatment disclosures where mental health information is being disclosed (Yes/No). Under the HIPAA Privacy Rule, disclosures for treatment, payment, and healthcare operations (TPO) do not require patient authorization. The Privacy Rule also requires that most disclosures be limited to the “minimum [amount of protected health information] necessary” to achieve the purpose for which the information was released or requested. HIPAA does not apply this limitation to disclosures for treatment purposes. However, some states have enacted statutes or regulations that apply the minimum necessary standard to treatment disclosures where mental health information is being disclosed, which is a stronger standard than HIPAA and therefore is not preempted by federal law. |
|---|
| requires_authorization_for_one_or_more_tpo_disclosures_that_would_be_permitted_under_hipaa_without_authorization | Requires authorization for one or more TPO disclosures that would be permitted under HIPAA without authorization // Requires authorization for one or more TPO disclosures that would be permitted under HIPAA without authorization (Yes/No). Under the HIPAA Privacy Rule, disclosures for treatment, payment, and healthcare operations (TPO) do not require patient authorization. However, some states have enacted statutes or regulations that require authorization to disclose mental health information, either from the patient (or their representative in the case of incapacity) or from an authority like a mental health program director. This additional authorization requirement in the case of mental health information is a stronger standard than HIPAA and therefore is not preempted by federal law. |
|---|
| citation_of_statute_or_regulation | Citation of statute or regulation // Statute or regulation enacted by state. |
|---|
| citation_of_statute_or_regulation_url | Statute or regulation url // The web address of the statute or regulation enacted by the state. |
|---|
| narrative_description_of_state_law | Narrative description of state law // Description of state law |
|---|
| definition_or_scope_of_information_material_covered_by_policy | Definition or scope of information material covered by policy // Definition or scope of information/material covered by application of minimum necessary requirement or additional authorization requirement. |
|---|
Datasets