Wyoming is looking at repealing the Hospital Records Act of 1991, which was passed to ensure that hospitals take steps to protect patient data privacy. The law was enacted five years prior to the Health Insurance Portability and Accountability Act (HIPAA) of 1996. It required hospitals to employ privacy and security measures similar to those HIPAA introduced later.
The following points are covered by the Hospital Records Act:
- Getting patient consent before disclosure of patient information
- Limiting disclosures of patient information by hospitals
- Posting notices about privacy practices
- Identifying the persons permitted to take action on a patient’s behalf
- Implementing security measures
- Specifying retention periods for health files
There’s no problem with the Hospital Records Act; in fact, it is very effective. But its protections became redundant once HIPAA and its Privacy and Security Rules were implemented, since all hospitals need to follow the HIPAA Rules covering the same issues. HIPAA additionally required more data protections and gave patients a lot more rights.
Even though the objectives of HIPAA and the state law are the same, the two regulations have several differences that are creating issues for hospitals and the authorities. Having two sets of regulations to comply with puts a higher regulatory burden on hospitals. Also, complying with the state law but not with HIPAA could put a hospital at risk of penalties.
Doctors’ offices are required to comply with HIPAA only, while hospitals have to comply with two laws. Repealing the Hospital Records Act would standardize the compliance requirement for all healthcare service providers.
The sponsors of the bill (Senate File 96, SF0096) were Sen. Dave Kinskey (R-Sheridan), Rep. Mark Kinner (R-Sheridan) and Rep. Cyrus Western (R-Big Horn). If this bill (which was introduced on January 29, 2019) is approved, Wyoming’s Hospital Records Act would be repealed. Patient privacy protections would then depend solely on healthcare providers’ compliance with HIPAA. In that case, hospital compliance with regulatory requirements would be more straightforward.