The Security Scrutinizer with Howard Anderson

Patient Consent: A Difficult HIE Issue

Patient Consent: A Difficult HIE Issue

Those advising the federal government on the issue are struggling to reach a consensus. It comes down to a choice between the "opt in" and "opt out" approaches.

Under the "opt-in" approach, patients must give formal consent before any of their records are shared via a health information exchange.

I'm betting that regulators will settle on some sort of middle-of-the-road approach, such as requiring opt-in only for the most sensitive data. 

Under the "opt-out" approach, information is automatically included unless patients choose to withdraw some or all of their records.

Many hybrid approaches also are conceivable. For example, an HIE could require patients to "opt in" for only certain exchanges, such as for mental health records.

At a recent meeting of the HIT Policy Committee, which is advising regulators on this and other issues, proponents of both sides made their case in a lively debate. The committee delayed making a recommendation on the issue, pending further study.

In arguing for the opt-out approach, committee member Neil Calman, M.D., president and CEO of the Institute for Family Health, expressed concerns about the "administrative burden" that would be imposed by asking every patient to sign a consent form. "How many years would it take to get the 100,000 patients in my network to opt in?" he asked.

In advocating the opt-in approach, consumer advocate Gayle Harrell noted: "We have a very distinct right to privacy that's not only guaranteed in our Constitution, but has been upheld in our courts. And there's nothing more private than your healthcare information....Once it's been divulged, there's no way to retrieve it."

Meanwhile, the nation already has 73 operational HIEs and a total of 234 in the works, according to eHealth Initiative, an advocacy group.

The group's new survey of HIEs found that only 18 percent, whether operational or in the planning stages, confirmed that they have a policy requiring patients to "opt in" and give formal consent before any of their records are shared.

Another 41 percent reported they have an opt-out policy, where patients' data is automatically included but they can choose to withdraw. The other HIEs surveyed didn't provide information on the consent issue.

The opt-out approach now dominates the HIE environment because "it's the easiest to do initially," says Jennifer Covich Bordenick, CEO of the eHealth Initiative. But she expects more HIEs may shift to the opt-in approach as they learn of other exchanges that have had success with that model.

Some say that building public trust in HIEs requires giving patients control over who can view their data, and the opt-in model fits best.

Others says asking millions of consumers to take the step of opting in is impractical and unrealistic.

I'm betting that regulators will settle on some sort of middle-of-the-road approach, such as requiring opt-in only for the most sensitive data.

Do you think such an approach is a good idea?

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.