Patient Consent: The Great Debate

Weighing Options for Records Exchange Authorizations
Patient Consent: The Great Debate
Should patients be required to "opt in" to give consent for their records to be exchanged among organizations? Or should consent be considered automatic unless patients "opt out?"

Those important questions provoked a lively debate at the HIT Policy Committee meeting July 21. The committee drafts policy recommendations that often find their way into federal healthcare regulations.

At the meeting, the leaders of the Privacy & Security Tiger Team, which is advising the committee on health information exchange issues, acknowledged the team had not reached a consensus on the consent issue. And the debate continued during the committee's session, which concluded with the panel acknowledging the consent issue required further discussion before any policy is recommended.

Under the Health Information Technology for Economic and Clinical Health Act, states are receiving federal grants to help develop and promote health information exchanges. Dozens of local, regional and statewide HIEs, using a wide variety of models and policies, are in the formative stages across the nation.

Administrative Burden?

In arguing for the opt-out approach, committee member Neil Calman, M.D., president and CEO of the Institute for Family Health, a family practice organization serving Harlem, expressed concerns about the "administrative burden" that would be imposed by asking every patient to sign a consent form. "How many years would it take to get the 100,000 patients in my network to opt in?" he asked.

"This would be incredibly time-consuming," he added. "It would take years for everyone to make appropriate connections with the healthcare system and sign a consent form."

Taking the opt-out approach is far more practical, he argued. But he acknowledged that such an approach must be paired with very strict guidelines on how exchanged data can be stored and used.

Constitutional Right

In arguing for the opt-in approach, consumer advocate Gayle Harrell, a former Florida state legislator, noted: "We have a very distinct right to privacy that's not only guaranteed in our Constitution, but has been upheld in our courts. And there's nothing more private than your healthcare information ... Once it's been divulged, there's no way to retrieve it."

Harrell called for a "full public debate" on the patient consent issue before any regulations are drafted.

"The public is very concerned" about the privacy of their health information, she stressed, pointing to the official federal list of more than 110 major breaches reported since last September.

When Is Consent Needed?

Although the policy committee postponed any decisions on the patient consent issue, committee members told the tiger team that it was moving in the right direction in pinpointing some circumstances under which obtaining patient consent, using a yet-to-be-determined method, should be required. A few of the many examples of those circumstances are:

  • The patient's health information is no longer under the control of either the patient or their physician;
  • The information is retained for future use by a third party;
  • The information deals with behavioral health, substance abuse or other sensitive issues.

One guiding principal for handling patient consent is "Patients should not be surprised to learn what happens to their data," said Paul Egerman, a software entrepreneur who co-chairs the tiger team.

Meaningful Choice

The committee also said the tiger team was on the right track in how it defined the elements of what it called a "meaningful choice" system for patient consent. For example, the team said such a consent approach would:

  • Give patients adequate time to make a choice about consent outside of the urgent need for care;
  • Provide patients with education on the consent options;
  • Enforce policies consistent with patient expectations for privacy, health and safety.

The tiger team's recommendations presented July 21 can be found at the ONC website.

The team plans to present the committee with a broader package of security recommendations for information exchange on Aug. 19. The effort is designed to help guide further development of the National Health Information Network. NHIN is a group of standards for secure data exchange at the local, regional, state and national level.

The team will recommend that organizations that run health information exchanges follow "fair information practices," said Deven McGraw, team co-chair and director of the health privacy project at the Center for Democracy & Technology. These include such factors as limitations on the use of data as well as security safeguards.

Last month, the committee endorsed the tiger teams' recommendations for some preliminary guidelines for limited exchange of patient information between two organizations. At the July 21 committee meeting, team members noted that obtaining formal patient consent for such exchanges is not necessary because the patient is already involved in approving such decisions as a referral to a specialist.

On the Horizon

The policy committee advises the Office of the National Coordinator for Health Information Technology within the Department of Health and Human Services. Ultimately, HHS approves all policies.

In August, ONC will issue a "request for information" seeking ideas for creating NHIN "governance" policies to help build trust in various networking efforts, Mary Jo Deering, an ONC staff member, said at the July 21 committee meeting.

A proposed rule on NHIN governance will be issued in early 2011, she said. The rule will address a wide variety of interoperability issues, including how to handle patient consent and identity verification, she explained.

Regulators ultimately must also determine whether to mandate that all health information exchanges use the NHIN standards, she added.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.