When Policy and Care Collide: Part One

Balancing Patient Consent with Patient Safety

By the EHR Association Patient Safety and Public Policy Leadership Workgroups

Navigating the tug-of-war between federal and state regulations has long been a challenge in health care and other industries. Now, with the ubiquity of health data creating both new opportunities and risks, that challenge has never been greater. This dual framework requires healthcare organizations and their technology partners to track and balance confusing and sometimes conflicting compliance efforts, adding administrative burden to the system as a whole and, in some cases, increasing the risk of adverse patient safety events.

One area with a lot of recent activity is patient privacy and consent management. At the federal level, HIPAA establishes the baseline framework for health data privacy, while 42 CFR Part 2 adds heightened safeguards for substance use disorder (SUD) records. At the same time, states are rapidly enacting their own privacy and consent rules, creating a web of requirements that clinicians and health IT developers must navigate. Critically, many of the requirements can expose patients to safety risks and undermine clinicians’ trust in exchanged health data. 

The State-Level Labyrinth

Examples of recent legislation illustrate the breadth of this challenge:

  • Reproductive Health Privacy: Maryland (H.B.812), California (A.B.352), and Massachusetts (S.2543) designate certain reproductive health services as sensitive information, requiring additional protections and generally blocking the transmission of that information.
  • Patient Consent Rules: Maryland and Colorado have introduced new requirements for explicit patient consent, adding further complexity to compliance frameworks.
  • Adolescent/Minor and Parental Access: South Dakota (H.B.1061) and West Virginia (H.B.2402) highlight the tension between HIPAA’s designation of parents/guardians as personal representatives and state laws that define when minors can make their own care decisions.

For clinicians and their staff, this means understanding not only federal requirements but also the nuances of each state’s rules, especially when the provider organization operates in or serves patients from multiple jurisdictions. For EHR and other health IT developers, it means coding for inconsistencies, tracking evolving legislation, and building functionality that supports compliance without undermining usability.

The Provider and Developer Burden

Consider California’s A.B. 352, which outlines location-based access requirements for sharing patient data related to reproductive care or gender-affirming care. Clinicians and provider organizations must ensure that patient data access aligns with the location where care is delivered, while developers must design systems flexible enough to facilitate compliance.

This dual burden is significant: Provider organizations must determine when and how to interpret and apply state-specific access flags, often without clear guidance, while also enabling clinical decisions based on data from other sources that may be incomplete due to state restrictions. Developers must make available functionality that ensures systems remain interoperable while blocking information to meet state-specific mandates.

The result is an administrative distraction from the core intent of privacy laws—protecting patient data—shifting focus instead to compliance minutiae.

A Call to Action: Toward Consistency

Clearly, states have the right to enact privacy and consent laws. However, when they act independently in ways that conflict with neighboring states, it can create unnecessary barriers to care and innovation. Much like the interstate highway system, healthcare data does not stop at state borders. Patients routinely seek care outside their home state, yet the growing patchwork of state requirements creates confusion, operational burden, and friction in the exchange of information.

This regulatory proliferation introduces complexity into health data management processes, generates conflicts across state lines, and ultimately creates segmentation pressure within systems designed for interoperability and seamless exchange. When data must be handled differently based on geography, workflows fragment, access pathways narrow, and the risk of incomplete clinical information increases. 

Further, when clinicians lack timely access to a patient’s full history, medications, diagnoses, prior tests, or consent directives, the consequences move beyond compliance and into the clinical realm. Delayed decisions, duplicative testing, and care coordination breakdowns become more likely. 

Those information gaps are not just administrative challenges. They introduce real patient safety risks, which we will explore in greater detail in part two of this blog series.

The EHR Association continually seeks opportunities to work collaboratively with states to identify how they can best navigate privacy and consent rules without compromising interoperability or safety protections. We are pleased to see that national initiatives such as The Sequoia Project’s Privacy and Consent Workgroup under its Interoperability Matters program are already advancing guidance to states.

Principles for Modernized Privacy Policy

As laws and regulations evolve to meet the realities of new technology and unprecedented connectivity, healthcare data privacy policies must:

  • First and foremost, ensure that patient safety is protected and that their information is available to the right care providers at the right time and in the most useful way possible.
  • Support physicians and other clinicians by enabling data access without unnecessary burden, ensuring high-quality care.
  • Make every effort to avoid confusing consumers and complicating compliance.
  • Advance interoperability by rejecting the false choice between connectivity and privacy; both are achievable.
  • Encourage innovation by ensuring privacy policies are not barriers to disruptive innovation in healthcare.

Conclusion

The collision of privacy and safety is not inevitable. By fostering collaboration among policymakers, clinicians, provider organizations, and health IT developers, and by prioritizing the shared goal of minimizing patient risk, we can build a framework that protects patient data, supports care delivery, and advances innovation. 

The time to act is now—before the regulatory labyrinth becomes an impenetrable wall.

Part Two of this blog series looks at the challenges clinicians and provider organizations face in complying with diverse state laws while maintaining patient safety.
