Wednesday, August 25, 2010

Consent Recommendations from the Privacy Tiger Team

I've written several blog posts about the need for consent policy and technology.

For 2011, the Meaningful Use Stage 1 data exchanges are a "push" of data from provider to public health, quality registries, and other providers. Consent is obtained by the provider when the patient is present during an episode of care. The consent process will be driven by Federal/State policy and workflow rather than technology.

For 2013, the data exchanges are likely to be "pull" based on patient controlled consent for release of information from institutions. The consent process will be a marriage of policy and technology.

On August 19, the Privacy and Security Tiger Team released its recommendations for the consent policy to support Stage 1 data exchanges.


Key points include:

When the decision to disclose or exchange the patient’s identifiable health information from the provider’s record is not in the control of the provider or that provider’s organized health care arrangement (“OHCA”), patients should be able to exercise meaningful consent to their participation.

where meaningful consent is defined by

Advanced knowledge/time
Not compelled, or used for discriminatory purposes
Full transparency and education.
Commensurate with Circumstances
Consistent with Patient Expectations
Revocable

Although granular consent is a desirable future goal (i.e. line item redaction of medications depending on the recipient of the data), technology has not yet evolved to the point where this is widely implementable. It is important that ONC find evidence (such as through pilots) for successful models and not rely on theoretical possibilities. In the interim, patient education is paramount. Realistic expectations about privacy need to be established.

State Health Information Exchanges are busy defining their own policies and technologies to support Meaningful Use Stage 1 Data Exchanges:

Core Set
1. Provide patients an electronic copy of their ambulatory, ED or inpatient summary of care record record
2. Transmit prescriptions
3. Capability to exchange key clinical information among care providers and patient authorized entities
4. Report clinical quality measures

Menu Set (must include at least one public health reporting transaction)
5. Incorporate clinical lab tests results into EHRs as structured data
6. Provide summary of care record for patients referred or transition to another provider or setting
7. Capability to submit data to immunization registries, provide syndromic surveillance and lab data to public health agencies

The guidance from Privacy and Security Tiger Team provides a valuable framework to inform state activities. In Massachusetts, we have Chapter 305, which requires opt-in consent for data sharing.

By adopting a national policy that ensures providers educate their patients about Meaningful Use data exchanges and obtain consent before sharing information with outside organizations, we will ensure that patient privacy is protected.

6 comments:

Anonymous said...

"By adopting a national policy that ensures providers educate their patients about Meaningful Use data exchanges and obtain consent before sharing information with outside organizations, we will ensure that patient privacy is protected."

This seems unrealistic. How are doctors supposed to develop and maintain a level of understanding of all of the nuances and possible consequences of all of the consent choices a patient might face? And where will the time come from for this hypothetical conversation between the doctor and every patient?

John Halamka said...

Here's an example of the consent educational materials we've used in our communities.

alexp said...

Pull by 2013... I know it's a goal, but it doesn't seem likely to me.

I'm curious to know what you think the chances are of widespread pull exchanges being a reality by 2013? More than 50% chance? Less than 50%?

Unknown said...

You mentioned on the HIMSS conference call that the NIST Public Health Surveillance Test was wrong. That they would not be using the Case Notification Message Mapping guide from the CDC. I have "scowered" the internet for some type of clarification here, however I can't find anything on the NIST or ONC sites. Did I miss hear you or is this to be announced later by NIST and ONC? Any clarification would be greatly appreciated

John Halamka said...

Doug Fridsma will provide the details at the August 30 HIT Standards Committee meeting/call.

John H. Smith said...

John, can you provide any insights as to how the State of Massachusetts was able to achieved a state level authorization for the consent / exchange of Health Information. What was the process used and can you share any details on the consent authorization workflow?