Patient Consent: A Closer Look
Deven McGraw Explains Tiger Team Recommendations
In an interview (complete transcript below), attorney Deven McGraw says the recommendations, which federal regulators are now considering for policymaking, make it clear that patient consent should be obtained before a third party, such as a health information exchange, takes over control of who can access their records. She also:
- Describes why the tiger team concluded that advanced technologies that would enable patients to specify which portions of their records could be accessed by a particular organization are not yet ready for implementation.
- Outlines why the Markle Foundation's "blue button" model for offering patients easy access to their records via secure websites holds "tremendous promise."
- Acknowledges that many healthcare security issues still need to be resolved and speculates on the role the tiger team, or a privacy/security workgroup, might play.
McGraw is director of the health privacy project at the Center for Democracy & Technology, a Washington-based, not-for-profit civil liberties organization. She focuses on developing and promoting policies that ensure the privacy of personal health information that is electronically shared.
In addition to serving as co-chair of the tiger team, she serves on the HIT Policy Committee, a federal advisory panel to the HHS Office of the National Coordinator for Health IT, and co-chairs its information exchange and privacy/security workgroups.
HOWARD ANDERSON: This summer, you served as co-chair of the privacy and security "tiger team" that developed a set of recommendations about patient consent issues for the exchange of clinical information. Those recommendations were recently approved by the Health IT Policy Committee and now are under consideration for future federal policy making. Please summarize for us what you think were the most significant recommendations of the tiger team and why.
DEVEN MCGRAW: The significant recommendations fall into three buckets. The first is the requirement for robust adoption and implementation of what are called "fair information practices" by all entities involved in health information exchange. That includes healthcare providers, health information organizations, health information exchanges or any intermediary that might be hired by providers to assist them in moving health information for treatment purposes....
Clearly, the fair information practices are the foundation for privacy and security policies in sectors other than healthcare. In fact, they are the foundation for HIPAA. But we are really looking for very clear sets of limitations on how these sort of intermediary entities, in particular, can collect, use, disclose, re-use or retain healthcare information.
The other two pieces, which are closely related, are the circumstances under which a patient's consent should be required, and whether the EHR technology that we've got in place is mature enough to put in place requirements for more granular consent than "yes, I'm in" or "no I'm not in." We looked to the foundation of the doctor/patient relationship as being the locus of trust for health information exchange, at least from a patient standpoint. And so when the provider keeps control of disclosures of a record, there isn't really a need to put additional patient consent requirements in place beyond what might already be in place in current law, which we are not disrupting because the patient really does depend on the provider to make those choices for him or her.
When you move to situations like a centralized regional health information organization, for example where the control over who discloses the data is now not in the hands of the provider but in the hands of an intermediary...(that requires patient consent). It's disruptive to that trust relationship that we talked about.
Then the third bucket is about whether we've got the technology in place for honoring a patient's consent at a more granular level than yes or no. It's a bit of a "glass half full" story there. We had a hearing on this. We definitely saw some technology that was impressive, but there just isn't widespread implementation or adoption of it yet, and so it's really too early to put some requirements for this technology to be used. But certainly, it's an area that the Office of the National Coordinator for Health IT should play a role in developing further, such as through pilots and demonstrations.
ANDERSON: And all these recommendations apply to stage one of the Medicare and Medicaid electronic health record incentive program, right?
MCGRAW: Yes that's correct. We really started with exchange for stage one of achieving "meaningful use" of EHRs for the incentive program. That involves provider-to-provider exchange for treatment purposes and data exchange for quality assurance and public health. The piece of stage one that we didn't get to, which we hope to get to in the near future, is exchange of data with patients. There are clearly some issues there with respect to patient identification, authorization and transparency that we haven't really fully flushed out.
ANDERSON: So do you see the recommendations as a starting point for dealing with patient consent issues? And if so, what work remains to be done to give patients more control over how their data is used and who accesses it?
MCGRAW: Yes this is definitely step one of what I think is the need for more recommendations in the future that give patients more control over their data than they have in the healthcare system currently. I don't think that we will reassess the recommendations that we have already made on consent, which deal with provider-to-provider exchange of data for stage one. But that universe of stage one exchange is pretty narrow. When you think about all the other purposes for which health information is exchanged today, there is a much broader universe out there, and we would use our recommendations that apply to stage one to begin thinking about how that applies to other types of health information exchange, and to ensure that patients have strong rights to access and share copies of their data according to their preferences.
ANDERSON: So what advice would you give to emerging health information exchange projects about key steps they can take now to ensure the privacy and security of data that is either stored centrally or exchanged on an as-needed basis?
MCGRAW: Be aware that the decisions you make about how you structure your health information exchange matter. So to the extent that we created a set of core values that set forth that the doctor/patient relationship or the patient/hospital relationship is the locus of trust for confidential information exchange -- if you were to structure your health information exchange to preserve that relationship, you would really be taking some steps to bolster the public's trust in what you are doing. Now if you choose a type of structure that does divest control over disclosure from the provider, such as aggregating data in a centralized database, you really ought to give patients the opportunity for meaningful consent before their data is included in such an arrangement.
And then, of course, with respect to the fair information practices recommendation that I set forth earlier, it is equally as important, if not more important, to make very good decisions about who is going to be able to access the data in or through your exchange and for what purposes, making sure that those purposes are narrowly defined and are appropriate for the goals that you want to achieve from a healthcare standpoint, and that you are very transparent with the public about how this takes place.
ANDERSON: The tiger team concluded that it was premature to give patients the opportunity to consent to sharing some, but not all, of their health information, because the technology for granting this kind of granular consent is relatively new and more tests are needed. Explain how you reached that conclusion, how you expect the technologies to evolve over time, and when you think the technology will be ready for prime-time.
MCGRAW: What drove us to this conclusion was a very interesting day-long hearing that took place in June in Washington, where we invited a number of innovators who are either developing or actually implementing more granular consent technology. We heard, for example, from some vendors who commonly work with substance abuse treatment facilities. Substance abuse treatment facilities that are federally funded are required to get consent to all disclosures of information from patient records under federal law. So those providers have been, for a long time, accustomed to dealing with getting more granular consent from patients, and we had that demonstration.
But what was interesting even from that vendor is that most patients, in fact, allow for usage of data across the board. The percentage is higher than 90 percent, so even with that model and that set of laws that arguably require more granularities, I don't know that the model has been fully tested, since patients don't typically ask for the technology to honor the more granular consents very often.
We also had a demonstration from the VA of a system that they've been working on, but it's not being used yet...but it is certainly showing some impressive prospects for use. So what we're worried about is that the market demand for these technologies will be relatively low if so few patients ask for them, and yet for those patients for whom it is of high value, it might not be available since the providers might not necessarily generate the demand for it. So we do think that ONC should put some money behind some pilots to test the implementation of these more promising technologies and see how well they work and how well they are used before making it a requirement. But we really do see the need to step to more rigorous technology requirements in order to be able to implement more granular consents. We just didn't think we could do it right away. The technology just wasn't in a place for it to happen for stage one.
ANDERSON: The Center for Democracy and Technology has endorsed the Markle Foundation's proposal, which they call "blue button." It is an approach that offers patients easy access to their records. By clicking a blue button on a secured website for example, patients would be able to access certain health information and download it. Why do you think this approach is a good idea, and do you think federal regulators should consider requiring those receiving incentive payments for EHRs to adopt some sort of an approach along these lines?
MCGRAW: I think it has tremendous promise to provide an easy way for patients to get copies of the data they are likely to care about the most -- lab results, medication history, discharge instructions, diagnoses, the sort of nuts and bolts of what you would need as a patient in order to help to better manage your own care. It is not the entire universe of information patients might want, but it's a decent slice. In most cases, when covered entities are asked to provide a copy of the record, if they can make it available in this way, it's both easy for them and it is easy for the patient. And we know from looking at enforcement statistics from the HHS Office for Civil Rights that the inability to access copies of their own record is one of the top five HIPAA complaints that come in their door.
So this is clearly an area where a lot of work needs to be done. And certainly regulators should consider allowing a blue button type of an approach to be an acceptable way for providers to either comply with meaningful use requirements for the EHR incentives or comply with their HIPAA obligations to provide patients with access and copies of electronic data. That kind of action by regulators could go a long way toward correcting the problem that we have today, which is the patients have too many obstacles to getting copies of their data.
ANDERSON: Finally what's next for the tiger team? Do you expect the group to remain active and tackle new specific projects or do you know yet?
MCGRAW: I don't know exactly what will happen, but the need for further work on privacy and security issues from a policy standpoint is clearly there. There were many, many times during our tiger team discussions over the summer that issues arose that we deliberately "put in the parking lot." We actually had kind of a running joke on which parking lot was it in: Was it in the "valet lot," so urgent that we needed to get to it right away? Or was it out in the "economy lot" and maybe we could take care of it later? But the list is long, and I know that the team can't keep up the grueling schedule that we set for ourselves over the summer.
There is definitely a need for a group that is already accustomed to working together, as we are, to continue to take on these issues going forward, and to pick them off one by one. So while I'm confident that there will be some more privacy and security work done by the Health IT Policy Committee, which necessitates a sub-group, whether it's the tiger team, or whether we will look to the larger workgroup that we had before is still a bit of an unknown.
But as much as I miss some of the input that we had from our larger workgroup, I do see the advantage of working with a smaller tiger team. It just gets you to closure and decisions much more quickly. If we continued that, though, we would have to come up with some more effective ways to engage the public in our discussions more....We've just got to think more creatively and do better in gathering public input.