Securing Sexuality is the podcast and conference promoting sex positive, science based, and secure interpersonal relationships. We give people tips for safer sex in a digital age. We help sextech innovators and toy designers produce safer products. And we educate mental health and medical professionals on these topics so they can better advise their clients. Securing Sexuality provides sex therapists with continuing education (CEs) for AASECT, SSTAR, and SASH around cyber sexuality and social media, and more.
Links from this week’s episode:
Oklahoma's HIE Mandate: Implications for Healthcare Providers, HIPAA Violations and Gender Affirming Care, Progress Notes vs Process Notes, Convenience vs Slippery Slope, Data Collection Risks, Financial Implications for Clinicians and Opting Out of the HIE.
As healthcare providers, we are constantly looking for ways to improve the quality of care we provide to our patients. One way that Oklahoma has claimed to have taken steps towards this goal is by mandating the use of Health Information Exchanges (HIEs). HIEs are electronic systems that allow healthcare providers to share patient health information with other providers and organizations. While this mandate could be beneficial in some ways, it has also had a significant impact on small independent clinicians who may not have the resources or expertise needed to comply with the requirements. In addition, there is a risk of “privacy creep” when using HIEs, which can lead to potential privacy violations if not properly managed.
We explore the impact of Oklahoma's HIE mandate on small independent clinicians and how they can protect themselves from privacy creep. The Oklahoma Health Care Authority (OHCA) implemented an HIE mandate in 2017 that requires all healthcare providers in the state to participate in an approved HIE system by January 1st, 2020. This mandate was created as part of OHCA's efforts to improve patient care and reduce costs by allowing healthcare providers access to more comprehensive patient records.
However, while larger hospitals and health systems have been able to easily implement these changes due to their size and resources, smaller independent clinicians have faced numerous challenges due to their limited resources and lack of expertise in implementing such systems. One major challenge faced by small independent clinicians is cost.
The cost associated with implementing an HIE system can be prohibitive for smaller practices that may not have access to the large capital investments or technical support staff needed for implementation. Additionally, many smaller practices lack IT infrastructure or personnel with experience managing such systems, which can add further costs for training staff or hiring outside consultants for assistance.
Another challenge faced by small independent clinicians is compliance with the data security regulations set forth by OHCA as part of their HIE mandate requirements. These regulations require all participating organizations to strictly adhere to HIPAA guidelines when handling patient data and to ensure that proper authentication protocols are followed when accessing records stored within an approved HIE system.
Smaller clinics may not have the technical expertise or personnel needed to ensure compliance with these regulations, which could lead them into legal trouble if they fail to manage their data security protocols properly.
Finally, the risk of “privacy creep” comes in when using an approved HIE system due to its ability to store large amounts of sensitive patient information across multiple organizations without proper oversight or control over who has access to it. This could potentially lead to unauthorized individuals gaining access to sensitive medical records without consent from either patients or healthcare providers, which could result in serious legal repercussions if discovered.
Fortunately, for those clinicians and clinics that can afford it, there are steps that small independent clinics can take to protect themselves from potential privacy violations while still taking advantage of benefits offered through use of an approved Health Information Exchange.
First, it would be important to ensure all staff members receive proper training on how to handle sensitive medical information according to HIPAA guidelines. Additionally, clinics would need to consider investing in secure authentication methods such as two-factor authentication to help prevent unauthorized individuals from gaining access to confidential records stored within an approved exchange.
Finally, regular audits would need to be conducted to ensure all data security protocols are followed correctly in order to maintain compliance with OHCA's regulations regarding use of Health Information Exchanges.
In conclusion, Oklahoma’s mandated use of Health Information Exchanges has had a significant impact on small independent clinicians due to the limited resources available to them to implement such systems properly while still adhering to the strict data security regulations set forth by OHCA in order to protect patients’ confidential information. While taking steps such as providing proper training for staff members, investing in secure authentication methods, and conducting regular audits to help mitigate risks associated with “privacy creep” will allow some clinicians and clinics to relatively safely access the benefits of improved quality care offered through use of an exchange, many will not be able to afford the necessary costs. For those who cannot, look into Oklahoma’s Hardship Exemption for the Statewide Health Information Exchange.
Hello and welcome to Securing Sexuality, the podcast where we discuss the intersection of intimacy and information security.
I'm Wolf Goerlich.
He's a hacker and I'm Stefani Goerlich.
She's a sex therapist and together we're going to discuss what safe sex looks like in a digital age.
But today we're asking, what the actual fuck, Oklahoma?
Well, speaking of the intersection of sexuality and technology, I know your world has been rocked by some new rules coming out of Oklahoma, specifically mandating the use of Oklahoma's technology.
Yeah, so I mean, to say my world is a little complicated because I am not licensed in Oklahoma. So this isn't a rule that applies to me right now. But it is a rule that was passed as an emergency rule last year and now they're going through the process of final board approval and making it a permanent rule.
And what they're doing is they're creating something called a health information exchange for every health care provider in the state of Oklahoma. And mental health providers are qualified health providers, so we are included in that. And what it is requiring is that every single medical provider in the state opt into a common system. They're calling it the HIE, the health information exchange. And they have to contribute their clients' data.
They have to upload progress notes and diagnostic assessments and a whole bunch of things that we traditionally think about as being protected under HIPAA and therefore only between the provider and the patient. In Oklahoma, they're saying, well, in order to improve continuity of care, in order to make things easier for patients between providers, we're just going to centralize everything and make it all one happy location.
Which, you know, as somebody that is not a fan of giant piles of personal information about people, I suspect you understand why I have a problem with it.
And this isn't necessarily unique to Oklahoma, right?
Health information exchanges have been around for a while. There's one to the federal government. There's one in some other states like Arkansas, Arizona. There's ones in regions. Like I'm thinking about the New England Health Exchange. So the concept has been out for a while. But one of the things that Oklahoma is doing is mandating it.
And there's a lot of rules and regulations around it that are specifically hitting the sex therapy world. So talk to me about that.
Why are you so upset about this?
Why did you want to wake me up last night and podcast in the middle of the night?
So I think it's bigger than just sex therapy, because not every state has a robust population of sex therapists. A lot of general mental health providers do similar work. They work with clients who are questioning their gender. They work with clients who are dealing with trauma. They work with all sorts of people without necessarily having a sex therapy certification.
And one of the things that is really freaking people out about this is the fact that diagnostic codes and progress notes will be mandated to be uploaded and shared. So what that effectively does is that creates a database of everybody in the state who is seeking gender affirming care, who perhaps has a sexual health diagnosis or a paraphilia diagnosis.
If clinicians are not judicious and ethical in how they write their notes, might expose people to a lot of personal information being made available to literally any other Oklahoma health care provider. And this is incredibly troublesome because we are seeing such targeted attacks on women seeking abortion care. We're seeing targeted attacks on people who are gender nonconforming. We are seeing states passing laws allowing discrimination against LGBTQI folks.
And so what this is doing is creating a database of deeply personal information that is not intended to be a weapon against those communities, but absolutely could be.
If somebody is seeing a sex therapist in Norman, Oklahoma, because they aren't sure if they feel comfortable in the body that they were born into, and they need to go to an orthopedic surgeon in Tulsa, that orthopedic surgeon theoretically could see their gender dysphoria diagnosis and either decline to treat them or just treat them poorly. If there are any number of things that could happen.
The fact that they're aggregating such personal information from people's mental health care is really, really troubling. And I want to come back to just a minute, some of the ways that this could go wrong that we've already seen in other HIEs, again, health information exchanges. But before I do that, back up a bit, because you've talked to me in the past about progress versus process notes.
And I've sat in on your classes where you stress the difference between these. And I understand like one is generally subpoenaable and another one is protected. And I've gotten that off of things you told me about your witness work. So explain to me, the rest of us, what the difference is between those two and why inclusion of both of those increases risk.
I don't know on what I've read whether or not process notes are included. I don't know. The language isn't specific. It doesn't say. The proposed rule language, which we're going to put in the show notes, is only about five pages. And that includes sections that have been struck out of the final draft. In therapy, there are two different kinds of notes that clinicians take.
There are our progress notes, which should be sort of a subjective and objective assessment of the client's progress towards the goals that they have set. And then there are our process notes, which are our personal reflections on our treatment strategies, our thoughts and leanings.
If I want to remind myself to revisit a topic a client brought up in one session next time I see them, I might jot a note to myself in the process notes. If I am thinking that maybe I need to reevaluate their diagnosis, I might note that in my process notes. I might say, you know, rule out, I don't know, bipolar disorder.
The process notes are the clinicians' personal records of our process of therapy. The progress notes are the client's records of effectively their medical progress in their treatment.
Now, if you had asked me two months ago if process notes were ever publicly available, I would have told you no, because I was trained in Michigan. I did all of my education in Michigan. And in Michigan, progress notes can be requested by insurance companies. They can be subpoenaed by attorneys. But process notes are considered the work product of the therapist, and they are absolutely confidential.
I was doing a workshop for a group of fellow therapists all around the country, and somebody actually told me that in her state that wasn't the case. In her state, process notes were not given that same sort of higher degree of protection. So I don't know yet what Oklahoma will require the participants to upload.
And we don't know if what's legal here is what's legal there, or whether or not laws can change to make things that were once protected slightly less protected. But what we can say is that even the most surface level of things, the diagnostic code that we have to give a client who is using their insurance to pay for their care, or in my world, I'm private practice. I don't bill insurance.
But if my clients want to seek reimbursement for their therapy from their insurance company, I still have to diagnose them. There has to be a diagnostic code attached to the receipt that they submit to their insurance companies.
So if somebody is struggling with gender dysphoria, if somebody is struggling with a fetishistic disorder, if somebody is struggling with who knows, let's go female arousal disorder, anything that they don't want to be shared with others, and that frankly, they shouldn't have to share because it's not relevant to the rest of their medical care, that is being mandated in the state of Oklahoma to be uploaded to this new centralized system, along with their progress notes, which depending upon how a therapist was taught to write them, may contain more information than they would want out and publicly available for the general health care system in their state.
Well, and I hate that this even happens. But one of the things that tends to happen is people with a little bit more resources can get a little bit better privacy, a little bit better protection. And I know that some people go to private pay therapists specifically for, I don't want a diagnostic code. I don't want notes being tracked. I don't want this information going into my medical record.
I want to have an open and honest and direct conversation with my therapist that doesn't go any further.
And so does this just mean that everyone in Oklahoma is going to switch if they have the money and the means to a private pay therapist?
You know, that actually won't help them in this case, because private pay therapists are included in the way this rule is written.
The language of the rule specifically says whether or not you accept Medicaid and Medicare, which are the government insurances, whether or not you accept private insurance or whether you are private pay and accept no insurance at all, you are still going to be legally required to join this HIE and to upload your client's notes.
From what I understand from the people in the state that I've talked to, there hopefully will be some kind of mechanism for individual clients to choose to opt out. But from what I understand, that mechanism is being made to be intentionally rather clunky.
Right now, the current proposal is that they would need to submit a hard copy signed and notarized form to the state in order to opt out of this HIE. They wouldn't be able to just, when they do their informed consent with their primary care doctor or their orthopedist or their therapist, to say, no, I don't want this. They would actually have to opt out directly to the state.
And whenever you add a layer of steps or a degree of difficulty, fewer and fewer people are going to have the time and inclination to do that. Yeah.
I mean, the minute you said paper, I'm like, oh, I would never be able to do that. I get distracted and not know where the stamps are. The other thing that I think is important here that's not so much about the client side, but the provider side is, you mentioned people with more resources have more options.
And one of the things that's really unfair about how this is written is that while it is being mandated for providers, they are being required to pay a fee to join.
Again, much like the opt out system, the fee is not yet settled, but from the professional organizations that are publishing information about this, the figure they're hearing is $5,000. And that would be $5,000 either per group or per provider. So if somebody has a large multi-location practice with 50 providers, all generating income for them, they're going to pay $5,000.
And if somebody is like me, a sole provider with a small caseload, they are also going to pay $5,000. And what that means is that this disproportionately impacts small independent clinicians. So this is horrific for our clients. And it's also going to drive a lot of Oklahoma small practitioners, either small groups or individuals out of business because they won't be able to afford to pay a huge fee that is mandated.
And they would also need to switch their current EMR system, electronic medical record, because part of the rule is requiring that their EMR be compliant with this HIE. I feel like I'm speaking alphabet soup right now. And right now, there's only one that is compliant with Oklahoma's HIE. And shockingly, it's built by the same people that built the HIE itself.
So there are layers upon layers of unfairnesses and potential for abuse built into this. And I predict that if this goes through as written, people in Oklahoma are going to see a lot of their therapists either dropping their licenses and rebranding themselves as life coaches to be exempt from this, or simply saying, I can't afford to keep seeing you and going and doing something else.
I was going to ask you about that because that was my next thought was, could you just become a life coach?
Yeah, you absolutely could. I've read the language of the rule, and the language of the rule specifically says all health care providers in Oklahoma. And they define health care providers as people who have health care practice licenses.
So speech-language pathology, occupational therapy, social work, marriage and family therapists, all of those. One of the big problems with life coaches or sex coaches as a discipline is that they are completely unregulated. Life is not a state in the country that mandates licensure for coaches. Anybody, Wolfgang, you, tomorrow could hang out a shingle and call yourself a life coach. And nobody in Michigan can say boo about it.
And that is true everywhere. So while historically, as a, I like to think, highly trained and relatively competent provider, I have had issues with people declaring themselves to be life coaches and operating without any sort of oversight. In Oklahoma, that's going to be one of the only options that mental health providers have if they do not want to have to participate in the system.
But again, it feels to me that it's putting a lot of pressure on folks who are already in a bad situation, right?
You mentioned the example of a person who may be trans or determining if they're trans, you know, a person who may be going through and considering her options about an abortion, the person who may be working through same sex relationships, the person, the person, the person. So here we already have small groups who are under a lot of pressure.
And now we're telling them that to make sure that your healthcare information doesn't get used against you, mental health care information doesn't get used against you, we need you to A, pay out of pocket and B, go to a group that is largely, if not wholly unregulated.
Oh, it is wholly and entirely unregulated. Yes.
Isn't this basically back alley therapy at that point?
100%. I don't like that at all. And much like other back alley procedures, the provider runs the risk of being accused of practicing without a license. Sure. But this creates innumerable ethical issues for the provider. It exposes our clients to a tremendous amount of risk.
And I realized that there is a certain demographic that is listening to this and going, what's the big deal?
The vast majority of people in this are not getting therapy. They just want to be able to coordinate their dialysis between their nephrologist and their primary care doctor. And I get that. I get that there is an argument for convenience to be made here. But the one thing that I've learned from hanging out with hackers is that convenience is one of the easiest ways to shove somebody down a slippery slope.
And we already live in a state where the governor of Texas was asking the DMV to provide him with a list of anybody that had changed their gender markers. We already live in a country where the governor of Florida is trying to create his own personal state guard that's exempt from any sort of federal oversight. We live in really weird and dangerous times right now.
Tennessee just outlawed drag queens while West Virginia just shot down a ban on child marriages. The idea of rationality has gone out the window in our country right now. And so even if this HIE is being created with the best of intentions right now, it can and almost inevitably will be exploited, especially because we're talking about a much more conservative area like Oklahoma.
Well, either used by those in power for legal reasons or abused by others for illegal reasons. Whenever there's a collection of data, that becomes a very large target. And I mentioned that Oklahoma is not the only state to have a health information exchange. There are other states, there are other regions. One of the regions is the New England HIE.
And it wasn't that long ago, just a few years ago, that a vendor, so third party individual who had access, leveraged that access, got into areas he shouldn't, and downloaded several thousand patient records. At least 4,000 patient records were downloaded and accessed. So in the New England example, yes, that was bad. No way around that.
But if we consider folks who have an ulterior motive to go after certain marginalized populations, be it transgender, be it people getting an abortion, be it any number of ways that people form romantic and sexual relationships, this idea that someone could gain access to that database and dump people who match that and then have that list is very concerning to me.
People go to therapy to talk about things that they need a safe place to talk about. And one of the reasons why it becomes so easy for privacy violations and privacy creep to happen is because sometimes the earliest examples are examples that we don't necessarily want to have to care about, or they're not necessarily empathetic examples.
But I think about my colleagues at the Association for the Prevention of Sexual Abuse, who work with people who are dealing with an attraction to minors. And I think about how many of their clients came to them because they wanted to work through this and they wanted to remain safe members of the community. And they wanted to be able to do whatever they needed to do to not hurt anybody else.
And to have their records with perhaps a pedophilia diagnosis uploaded to a state system, you're talking about a lot of people who are struggling with feelings that they themselves find horrifying, that they themselves are actively desperately trying to rid themselves of.
And we're exposing them to blackmail, we're exposing them to discrimination, we're exposing them to vigilante, quote unquote, justice, all because of this, it'll be so convenient if your pharmacist already has your vaccination records sort of system.
You know, you bring up that particular population of folks. I know some people are going to be like, well, wait a minute, I don't know if I have a lot of empathy for that group. Maybe they should be tagged, maybe they should be identified.
What would you say to folks who think that way?
I would say even if you genuinely believe that, and I don't, I don't think the people who have not committed crimes and who are actively desperately trying to avoid committing crimes should be tagged. But even if you do think that, this is not the system to do that.
Having an arbitrary code available to anybody with a medical license in the state to do a database filter search for and find people, that's not justice, that's not innocent until proven guilty. That's not how our criminal justice system is set up.
So even if we have to start with some of the least empathetic case examples for exploitation here, we have to remember, at the risk of sounding schmaltzy, that we are Americans and that we have a sort of foundational agreement around what justice looks like in this country. And somebody cannot, should not have their therapy records weaponized against them because they might maybe someday potentially think about the idea of committing a crime.
I think that makes a lot of sense and something you said earlier was privacy creep. I oftentimes get very concerned when someone's like, it's okay if we take away privacy or security for that group because they deserve it and they're not you. It doesn't seem to take long before that exception creeps forward into other areas.
What can people do?
You mentioned the laws being discussed right now. It was passed in an emergency fashion already.
What are the options?
So the public comment period will have ended by the time this episode airs.
However, the board is scheduled to meet to discuss the final rule on, let me find it again. This is taking too long. I opened the wrong document. The board is scheduled to rule on it. Just cut this whole section out because whatever I have open doesn't have that date.
By the time this episode airs, the public comments will have closed and the board meeting happens on March 22nd, which is just a couple days after the second episode airs. So if this is of concern to you, when you're listening to this, you will have about 72 hours to reach out to the Oklahoma state health authority and to make your opinions known about this ahead of the March 22nd board meeting.
As you have said, it was already approved on an emergency basis. It is fully expected that they're going to approve it at this point. It's a rubber stamp process for it to be implemented in July. If it is approved on the 22nd, then the next best thing you can be doing is depending upon what state you live in.
If you live in Oklahoma, contact the governor, contact the state health authority, make sure they know between now and July that you do not want this rule implemented. A rule that is created is a rule that can be unwritten and replaced with other rules.
If you do not live in Oklahoma and you are a mental health provider, a counselor, a marriage and family therapist, a social worker, a psychologist, you need to be calling our professional organizations, NASW, AAMFT, all of those, reach out to your professional body and demand that they say something publicly about what is happening in Oklahoma. We have large collective voices, but sometimes these large institutions run slowly.
The more of us they hear from, the more likely they are to use their legislative policy and advocacy resources to get the message through to Oklahoma.
Then finally, if you are neither a resident of Oklahoma nor a mental health provider and you are just now asking the same question I started with, which is what the actual fuck, please don't hesitate to reach out to your own state senators, your own state legislatures, your own local elected officials and ask them to consider proposing legislation that will strengthen privacy rights for therapy clients, that will exempt process notes from being discoverable, that will prohibit therapy records from being included in state health information exchanges.
There are things you can do if you find this as appalling as we do to proactively work to protect yourself and others from what is happening in Oklahoma right now. All good tips. All good tips. I think it's always important when we do these episodes to recognize we have an international audience. Thank you for tuning in. Please pour one out for your friends in America and our friends in Oklahoma.
With that, appreciate you tuning in for Securing Sexuality, your source for information you need to protect yourself and your relationships. Securing Sexuality is brought to you by the Bound Together Foundation, a 501c3 nonprofit. From the bedroom to the cloud, we're here to help you navigate safe sex in a digital age.
Be sure to check out our website, securingsexuality.com for more information about the topics we've discussed here today, as well as our live conference in Detroit. And join us again for more fascinating conversations about the intersection of sexuality and technology. Have a great week. Thank you.