Analysis: HIEs and Patient Consent

Providing Patients With Control Over Who Accesses Records
Analysis: HIEs and Patient Consent
Federal regulators are grappling with the issue of obtaining patient consent for the exchange of healthcare records among organizations in a region, state or, ultimately, nationally.

Many evolving health information exchanges are relying on local hospitals and clinics to obtain patient consent. The Greater Cincinnati HealthBridge, like many other HIEs, asks local providers to inform patients that if they don't want their information exchanged, they can sign a form to "opt out."

One recent survey of health information exchanges found that only 18 percent have a policy requiring patients to "opt-in" and give formal consent before any of their records are shared via the networks.

HealthBridge, however, has asked area security officers to study whether its approach to consent needs to be fine-tuned.

Meanwhile, three state-funded pilot projects in Washington are experimenting with a health record bank model designed to give patients far more control over who accesses their records. And one consumer advocate hopes the record bank approach ultimately could be a national model for patient consent for health information exchange.

Momentum Building

The HITECH Act, which will provide billions of dollars in funding to hospitals and physicians for adopting electronic health records, is also funding state efforts to promote the exchange of data. Such exchanges, for example, could give emergency rooms access to the records of out-of-town patients in need of urgent treatment.

Federal regulators are refining standards, called the National Health Information Network, that ultimately could pave the way for national data exchange. And they're attempting to devise ways to govern the organizations using the NHIN standards to make sure they're all playing by the same rules.

But just what should be done to make sure patients have consented for their information to be exchanged among organizations both near and far?


Recently, a privacy and security tiger team came up with recommendations about when patient consent is required. Under the recommendations, obtaining patient consent for health information exchange would be required if:

  • Data is exchanged using a health information organization -- the body that runs an HIE or similar exchange -- that uses a centralized model, which retains identifiable patient data and makes that information available to other parties;
  • Data is exchanged using a health information organization that uses a federated model, where it doesn't store data but has links to where the information is located and can make it available to others;
  • Data is aggregated outside the control of the provider organization, such as when an e-prescribing gateway reformats prescription data and creates a medication profile on the patient.

Key components of meaningful consent include, according to the tiger team:

  • Giving patients enough time to make a decision about consent;
  • Providing a clear explanation of the consent choices and all their consequences;
  • Refraining from making the granting of consent for data exchange a condition of receiving necessary medical services;
  • Enabling patients to revoke consent at any time.

Regulators are now considering whether to incorporate those recommendations into new federal rules.

Current Policies

Meanwhile, a look at how one of the nation's oldest health information exchanges -- and one of the newest pilot projects - are dealing with patient consent offers insights into how complex the issue really is.

The Greater Cincinnati HealthBridge, founded in 1997, now serves 28 hospitals and about 5,500 physicians and is expanding to serve the Dayton area. The HIE primarily serves as a conduit for information. But it automatically reformats all information before it's exchanged so it's received in a standardized format, explains Trudi Matthews, director of policy.

"From the very beginning, our participants have preferred to handle the issue of patient consent," Matthews notes. Thus, the hospitals and physicians explain the HIE to patients and offer them the opportunity to opt out of having their information exchanged.

In light of tougher HIPAA privacy and security rules under the HITECH Act and other emerging regulations, however, the Cincinnati HIE has asked privacy and security officers from member organizations to take a close look at a number of issues, including patient consent, Matthews adds. That group will devise new recommendations, including how best to accommodate patient consent, how to provide patients with access to their own information and how to educate patients about the issues.

Health Record Banks

Meanwhile, the state of Washington is spending a total of $3 million to fund tests of the health record bank model in three communities. About 1,200 patients are involved in the projects, which will wrap up next summer.

This model is envisioned as a way to give patients better access to all their medical records as well as better control over who can view them, explains Juan Alaniz, project coordinator at the Washington State Health Care Authority. If the pilots prove successful, he says, the record banks eventually could evolve into a method that health information exchanges could use to handle patient consent.

In the pilots, patients ask a record bank to electronically gather their medical data from multiple sources, including physicians, hospitals, pharmacies and others. Patients can enter data into the record bank, such as information about over-the-counter medications, using personal health record software from Microsoft HealthVault or Google Health. In addition, patients can specify which organizations can view specific portions of their records.

"Patients get full control over who sees their information in the record bank," Alaniz says. "In many cases, those with chronic conditions or the elderly may designate a relative who can also view their records."

Patients receive alerts when an organization accesses their information via the record bank. In the pilots, only the organizations that provided data for the banks can access information.

Over the long haul, if many HIEs linked to record banks, patients could, theoretically, receive alerts when anyone views their record in the bank or makes a request to access information, Alaniz notes. But for now, those involved in the pilots are tackling the difficult challenge of creating a viable financial model for the record banks.

Consumer Advocate's View

Consumer advocate Deborah Peel, M.D., founder of Patient Privacy Rights, sees health records banks as the best way to give patients the right to control their records. "It's the only way that patients can control the flow of information," she contends.

She envisions a day when, if data needs to be transmitted anywhere in the nation, "You simply ask me, through the record bank, if you can use my information for a purpose and then, automatically, my pre-approved rules say 'yes' or 'no' or I'm pinged on a cell phone to agree to what you want."

Peel also argues that the record bank model would create a much more complete record than electronic health records maintained by physicians or hospitals or personal health records maintained by patients.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.