State-by-State Legal Inconsistencies Challenge Adolescent Patient Privacy

May 11, 2022 - State and federal legal inconsistencies, the proliferation of EHRs, and information blocking rules under the 21st Century Cures Act present challenges to preserving adolescent patient privacy, an article published recently in Pediatrics suggested.

The 21st Century Cures Act and advancements in EHR technology and interoperability have enabled the rapid sharing of medical information, allowing patients to take ownership of their health records. But for adolescents, these provisions may also allow providers to share clinical information with parents.

“A rich evidence base demonstrates that adolescents are more likely to seek health care for potentially sensitive issues such as sexuality, mental health, and drug use if they can provide their own consent and be confident that their health information is private,” the article acknowledged.

“However, parents and guardians also have responsibilities pertaining to care for minor patients. Long-established state laws are often inconsistent in how they address these conflicting objectives, resulting in varying regulations from state to state.

Each state has its patchwork of privacy laws stitched together with federal HIPAA requirements that contain specific protections for minors. The article suggested that these legal inconsistencies create barriers to providing nationwide privacy protections to minors.

READ MORE: New Framework Helps Healthcare Assess Privacy, Security of Digital Health Apps

For example, researchers observed that adolescents in Alabama may consent to immunizations if they are 14 years or older or if they graduated high school. But in Arizona, minors cannot consent to immunizations unless court-ordered.

In a handful of states, such as Florida and Georgia, minors can consent to HIV testing and treatment. But in states such as Massachusetts and Maine, minors cannot consent to HIV testing and treatment. Other states have no explicit policies on the matter.

In Iowa, adolescents can consent to a sexual assault evaluation, but the treatment information cannot be kept confidential from parents. In New Jersey, minors can only consent to an evaluation if they are at least 13 years old.

“Although the best clinical practices to support adolescent autonomy should transcend state lines, state law variations make it nearly impossible to provide the privacy protection that is supported by medical societies, including the American Academy of Pediatrics (AAP), to support adolescent autonomy,” the article stated.

In addition to inconsistent state laws, researchers pointed out that increasing EHR interoperability, the advent of OpenNotes, and information blocking rules under the 21st Century Cures Act have made it even more difficult to maintain adolescent patient privacy.

READ MORE: US Offers $15M Reward For Information About Conti Ransomware

“Gaining access to health information empowers adolescent patients and improves patient care; however, harmful consequences can arise when parents or guardians inappropriately access certain personal health information,” the article continued.

“Appropriate implementation of the privacy exceptions in the Final Rule requires an understanding of the state and federal protection rights of the adolescents within the EHR. Faced with conflicting laws, health care organizations may choose to take no action, which is likely not supportive of high quality care that ensures privacy protection.”

Pediatric providers, EHR developers and designers, and policymakers have been tasked with promoting interoperability and patient access to health information while maintaining adolescent patient privacy. Providers must abide by various state laws that conflict with the best practices created by medical societies.

In accompanying commentary published in Pediatrics, researchers presented a call to action with the goal of harmonizing state laws to provide privacy protections for adolescents that align with professional and ethical guidelines.

“This is a laudable goal that, if achievable, would simplify the task of adolescent health care providers, information technology administrators, EHR vendors, and the legal counsel who advise them,” the article noted. “Nevertheless, the pursuit of this goal at the present time entails substantial risk.”

READ MORE: HC3: Ransomware Groups Leveraged Remote Access, Encryption Tools in Q1

Researchers pointed out that many adolescent consent laws have been in place for more than four decades. There have been several failed attempts at repealing these laws entirely.

“Most recently, attempts are being made in some states to disallow minor consent for health care under the guise of ‘parents’ rights,’” the accompanying article mentioned.

“At the same time, intense controversies around issues such as abortion and transgender care for young people make the current climate less than hospitable to efforts that might entail expansion of minor consent laws and confidentiality protection in some states.”

The article recommended that healthcare professionals continue to support efforts to develop technical capabilities within EHRs that would allow sensitive information to be protected when legally or ethically necessary.

In addition, the article suggested that the healthcare community develop recommendations for policymakers regarding what adolescent privacy laws should include.