Navigating State Health Data Laws Without Compromising Patient Safety
By the EHR Association Patient Safety and Public Policy Leadership Workgroups
In Part One of this series, we examined the policy implications of the labyrinth of state-level privacy and consent regulations and their effects on physicians and other clinicians, health IT developers, and patients. In Part Two, we look at the challenges clinicians face in complying with diverse state laws while maintaining patient safety.
The core of the Hippocratic Oath, as taken by physicians, is to “advocate for the sick, respect patient confidentiality, and abstain from harm.” What Hippocrates could not have predicted, however, was the critical role that patient information would play in enabling physicians and other clinicians to fulfill their obligations and commitments to provide care and to do no harm.
Restricting appropriate access to, or exchange of, essential health information can impair a clinician’s ability to provide safe and effective care. Conversely, exposing sensitive patient information beyond the care team may compromise confidentiality and introduce complications for the patient. These are two sides of the same coin: policy requirements that, whether they restrict or expand data flow, can pose risks to patient safety.
Currently, statehouses are reshaping the rules for health data at a record pace; in some cases, in ways that could inadvertently create patient safety risks if not managed with clinical realities and modern interoperability practices in mind. One area getting a lot of attention is patient consent management and the resulting data flow — or protection — across different scenarios. Some state laws limit or prohibit the flow of sensitive information, while others mandate broader sharing or eliminate the need for permission in cases where data may have been withheld previously.
Even when the authors behind the legislation are well-intentioned, each situation can introduce patient risk.
The Labyrinth: Privacy Baselines vs. State Overlays
While HIPAA remains the national baseline for health data privacy requirements, several states have taken action to augment or more explicitly require certain data privacy rules, primarily for reproductive, behavioral, and gender-affirming care, as well as other sensitive health information. The result is a compliance labyrinth that clinicians, provider organizations, EHRs, and HIEs must navigate in real time, often during critical care windows.
The patchwork of state privacy laws has always been a challenge, but the complexity described here has expanded markedly since 2023. These state mandates can require data segmentation of certain patient data, health information exchange opt-outs, or limitations on when data can be withheld from various stakeholders, thereby creating requirements that complicate medication reconciliation, diagnostic decisions, and care coordination. More than 20 states now enforce comprehensive privacy laws that, at a minimum, introduce complexities into health data management. In the worst cases, they create conflicts across state lines and could inadvertently cause safety issues for patients.
The following examples — drawn from three states that take very different approaches — illustrate the challenge confronting clinicians and health IT developers as they navigate the current state-level regulatory environment.
For example, Maryland has strengthened its data governance and privacy posture across agencies (e.g., MDH Data Use Policy; executive orders on safeguards), and the state is preparing to roll out a statewide consent management application that will allow patients to opt out of EHI sharing (with defined exceptions) and require HIEs (including EHRs) to query and honor an opt-out status before sharing data.
More specific to this conversation, Maryland law also mandates that EHRs block information related to abortion and other reproductive services from being shared when a patient’s larger medical record is exchanged. This creates situations that may impact patient safety.
- Consent timing gaps create dangerous information voids. A woman who has a surgical abortion on Thursday may consent to share that information with her primary care physician. However, the law didn’t consider her possible preference to pre-authorize sharing with any EDs or urgent care centers she might visit days later. Therefore, if she presents to an ED on Saturday with complications, severe bleeding, or drug interactions, clinicians will not have access to critical information, such as procedural details, medications administered, or potential complications from the recent procedure.
- Segmentation creates an incomplete clinical picture. When reproductive health information is walled off from standard HIE sharing, EDs and other clinical teams lose visibility into recent procedures, current medications (such as antibiotics or pain management), contraindications, or complications that could be directly relevant to acute presentations. This segmentation issue extends beyond reproductive care: behavioral health notes, gender-affirming care documentation, and other “sensitive” categories face similar isolation, potentially causing clinicians to miss drug-drug interactions, prior adverse reactions, or key diagnostic information during critical care windows.
Meanwhile, in moves designed to clarify parental rights to medical records, EHRs, and patient portals, both West Virginia and South Dakota recently enacted laws that explicitly prevent parents from being denied access to their minor child’s health information. These laws can unintentionally undermine clinical safety when a child, fearing disclosure to a parent, withholds information from their clinician or when a clinician feels compelled to limit documentation detail to protect the child, creating a potential continuity-of-care issue.
In West Virginia in 2025, lawmakers followed up on the passage of HB2402, which provides access to the medical records of children taken into state custody, by introducing SB286 to clarify that parents and kinship caregivers cannot be denied access to a minor child’s medical records, except in limited circumstances. If enacted, SB286 would codify parental access rights in multiple bills and prevent clinicians from withholding a minor’s health records from parents or guardians except under narrowly defined circumstances.
Also in 2025, South Dakota enacted HB1061, which prohibits healthcare providers from restricting or denying a parent or guardian’s access to a minor’s medical records, electronic health information, or patient portal. The law applies when the parent or guardian has authority to make healthcare decisions for the child and reflects a broader statewide push toward parental rights in healthcare.
Clinical Scenarios Where Patients Are Most at Risk
The risk to patients posed by state-level requirements governing access to or exchange of health data is most pronounced in several key areas, including the ED. Consider what could happen to a patient who, unaware of the full impact, opts out of HIE data sharing, or whose data sharing is restricted, unbeknownst to clinicians, and later arrives at the ED in extremis.
Conversely, when a minor patient chooses not to disclose relevant health information due to concerns about parental/state guardian reprisals, laws that remove the option to withhold patient data at the request of the minor patient can lead to functionally similar outcomes, where healthcare professionals do not have visibility into all relevant clinical information.
Given advances in health data sharing, time-constrained ED clinicians often assume that a patient’s data is fully accessible to them through common exchange practices, such as connections to the state’s HIE or a TEFCA QHIN. Based on that assumption, any lack of patient data may be interpreted as indicating no significant medical history (unless other indicators of comorbidities are present).
However, when information has been blocked or withheld, that assumption no longer holds, as relevant patient data exists but is not visible to the clinician. If access to the patient’s medication list or procedure history is blocked or limited, it can precipitate adverse events or missed contraindications. Further, if clinicians repeatedly encounter care situations where the data in front of them is incomplete, they could, over time, stop trusting exchanged patient data entirely.
Leadership Imperative: Understand the Risks
For clinical and IT health leaders, the mission is dual: to respect state privacy/sharing mandates and to shield patients from unintended clinical fallout. This creates a real challenge for compliance departments and clinicians alike, potentially necessitating investments in consent intelligence, workflow adjustments to ensure data segmentation is handled correctly, retraining to ensure appropriate information sharing, and the application of AI governance and best practices, including measurement systems that surface privacy-related safety risks early.
We must all — policymakers, provider organization leadership, physicians and other clinicians, and health IT developers — collectively ensure we understand existing and potential legislation and regulations, and how they may conflict with the safe provision of care.
Conclusion
Ultimately, patients should have control over their data and be able to decide if and when it should be shared. However, these decisions should be made with a clear understanding of the associated risks and benefits, as discussed with their care team.
If we collectively get this right, there won’t be a need to choose between protecting data privacy and ensuring the safety of the care process. Instead, we can be confident that systems exist that allow patients to control their data without sacrificing the clinical protections afforded by a complete, timely, and accurate record.
