Patient Consent Guidelines EndorsedRecommendations Cover Exchange of Records
But the recommendations stop short of endorsing an opt-in or opt-out approach to consent. Instead, they spell out what constitutes meaningful consent, using either approach, including a requirement that patients are educated about their options.
In the opt-in model, patients have to explicitly give their consent for data to be exchanged. In the opt-out model, patients are assumed to have granted their consent unless they opt out.
A recent study found that only 18 percent of health information exchanges in operation or under development have a formal policy requiring patients to opt-in and give formal consent before any of their records are shared.
Tiger Team RecommendationsOn Aug. 19, the Health IT Policy Committee approved a final, revised set of recommendations from a privacy and security tiger team that has been meeting all summer to address issues related to the exchange of records. Their recommendations were included in a 19-page letter to the committee.
David Blumenthal, the Department of Health and Human Services' national coordinator for health information technology, will determine whether to use the recommendations in proposed federal policies, which HHS ultimately would have to approve.
The tiger team's recommendations only apply to a narrow set of transactions required to achieve stage one "meaningful use" of electronic records to qualify for Medicare or Medicaid EHR incentive payments under the HITECH Act. These transactions include the exchange of information for treatment and care coordination, certain quality reports to federal regulators and certain public health reports.
The recommendations state that obtaining patient consent for the direct exchange of information between two provider organizations, such as when ordering a radiology exam, is not necessary "beyond what is required in current law or what has been customary practice." But, in many cases, patient consent would be required for the exchange of data that involves a third party, such as a health information exchange or an e-prescribing gateway.
Consent RequirementsUnder the recommendations, obtaining patient consent would be required if:
- Data is exchanged using a health information organization -- the body that runs an HIE or similar exchange -- that uses a centralized model, which retains identifiable patient data and makes that information available to other parties.
- Data is exchanged using a health information organization that uses a federated model, where it doesn't store data but has links to where the information is located and can make it available to others.
- Data is aggregated outside the control of the provider organization, such as when an e-prescribing gateway reformats prescription data and creates a medication profile on the patient.
Meaningful ConsentKey components of meaningful consent, whether using the opt-in or opt-out model, include, among others:
- Giving patients enough time to make a decision about consent. "Ideally it should be outside of an urgent need for care," says Deven McGraw, co-chair of the tiger team and director of the health privacy project at the Center for Democracy & Technology.
- Providing a clear explanation of the consent choices and all their consequences.
- Refraining from making the granting of consent for data exchange a condition of receiving necessary medical services.
- Enabling patients to revoke consent at any time.
The responsibility for educating patients about consent rests with the hospital or clinic providing treatment, although the provider can delegate administrative functions to a third party, according to the recommendations.
Addressing concerns about the administrative burden of hospitals and clinics managing consent, the tiger team urges that federal regulators, health information organizations and regional extension centers for the EHR incentive program all offer consumers education about the consent issue, says Paul Egerman, a software entrepreneur who co-chairs the tiger team. These agencies also should offer providers model consent language and educational materials to share with patients, according to the tiger team recommendations.
Granular ConsentOn the issue of whether to give patients the opportunity to consent to sharing some, but not all, of their health information, the tiger team called for more study.
Because the technology available for granting this kind of "granular consent," such as to exclude the exchange of mental health records, is relatively new and untested, the tiger team recommends that HHS conduct pilot tests to confirm what technologies and strategies work best, Egerman says.
Until those pilots can be conducted and policies enacted, organizations attempting to offer granular consent must ensure that "patients understand the implications of their decisions and the extent to which their requests can be honored, and we encourage setting realistic expectations," the tiger team stressed in its letter.
What's Next?After a summer of meeting twice most weeks, the tiger team is awaiting direction from Blumenthal's office on what issues, if any, to tackle next. It notes in its letter that issues it has yet to address include rules for exchanging data with patients and sharing information for research.
The Office of the National Coordinator for Health IT expects to soon issue a request for information seeking ideas for creating National Health Information Network governance policies. NHIN is an emerging group of standards for secure data exchange at the local, regional, state and, ultimately, the national level.
A proposed rule on NHIN governance will be issued in early 2010, Mary Jo Deering, an Office of the National Coordinator staff member, said at the July 21 HIT Policy Committee meeting. The rule will address a wide variety of interoperability issues, including how to handle patient consent, she explained. Regulators ultimately must also determine whether to mandate that all HIEs use the NHIN standards, she added.