Most HIPAA forms you sign have a clause that allows the provider to release your medical data to others involved in treating you. But that's all on paper. If you have an accident in Boston but live in Maine, that Boston ER needs proof from your Maine doctor that you consented to sharing your information. That usually happens by fax, which can delay treatment. (There are some exceptions for emergencies, but the burden of proof is on the provider that it was an emergency.)
There is no standard release, so many providers need to read what you signed to see if they're covered -- that's why there are very complicated, labor-intensive systems in place to validate these consents, creating a huge, avoidable burden on the health system.
In the context of EHRs and HIEs, that permission is usually represented by a check box saying you agreed to share personal health data -- but other providers don't know what you actually signed, putting them at risk. The feds are working with several nonprofits to come up with standard permissions that can be reduced to check boxes that would be shared across EHRs, so no one has to fax and read the actual signed permissions. However, that's years away. Meanwhile, some EHRs keep a scan of the signed consent, so it can be faxed when needed.
Then there's the mental health issue: HIPAA and HITech give special protections to mental health conditions, requiring they not be shared even within a provider's organization unless extra permission is obtained. The stigma around mental health is one reason for this extra protection, but that separation is technically difficult to enforce: An EHR can automatically mask out mental health treatments based on their treatment codes, but it can't scrub the doctor's free-form notes related to mental health, for example.
Such separation is also unhealthy: Mental health conditions and treatments interact with physical health conditions and treatments, putting patients and providers alike at risk when this information is obscured. Now that the Affordable Care Act (aka Obamacare) puts mental health on parity with physical health in terms of insurance coverage, maybe we can stop perpetuating the stigma of mental health and treat the patient holistically -- and share that critical information among providers without fear. If need be, regulations could be put in place to penalize those who discriminate against patients with such conditions.
Another issue is that the privacy rules could inhibit medical research based on all that electronic patient data. Even when anonymized, it doesn't take much context to identify who an actual patient was based on a few factors such as age, treatment location, and medical conditions. Right now, that's a potential privacy breach under HIPAA and HITech. But should it be?
Privacy is important, but the health care system envisioned by those Clinton-era policies is supposed to be a collaborative one where patients are treated as part of the process and providers can't "own" patients by withholding information from other (competing) providers. That expanded-network notion requires privacy be relaxed within that network, while maintained so that employers, salespeople, and the rest can't abuse it.
Thus, the HIPAA and HITech laws need to be reformed to allow any provider to obtain a patient's records to treat that person. The Affordable Care Act forbids the kinds of patient-removal schemes practiced by insurance companies in the past; there are now protections in place that should permit a relaxation of the privacy components of HIPAA, at least for data exchange among licensed health care providers. That'll make the technology easier to implement as well.