Tuesday, February 21, 2012

HIE Consent Policy

I was recently asked how consent policy can evolve in Massachusetts to balance patient privacy preferences and the need to coordinate care/optimize population health. Here's the letter I wrote to stakeholders about it:

"My name is John D. Halamka MD and I serve as chief information officer of Beth Israel Deaconess Medical Center, co-chair of the Massachusetts HIT/HIE Advisory Committee, and co-chair of the HIT Standards Committee.

In my role as a CIO and clinician, I have been passionate about the need to electronically coordinate care to improve quality, safety, and efficiency.

My wife was recently diagnosed with Breast Cancer and her treatment has relied on the secure exchange of healthcare records with her consent.

The consent model that has worked best throughout the Commonwealth is 'Opt in consent to disclose at each institution'. This means that no data is exchanged between organizations until the patient consents to the release of information from the sending institution (the place where the data was generated). This consent stays in force until a patient revokes it.

A separate consent to view the data at the receiving institution is not needed. There is no need to re-consent the patient at each episode of care.

We've implemented this model in the New England Healthcare Exchange Network (NEHEN), in the Department of Public Health immunization registry, and in the design of the statewide healthcare data exchange that MassHealth is building.

Opt in to disclose is straightforward to implement and support. It's easy to enforce and audit.

The one complexity to this approach is the data sharing of records containing HIV information. Current and proposed Massachusetts regulations require opt in consent to view at each episode of care in addition to opt in consent to disclose.

Consenting the patient at each release of information is challenging to implement, difficult to audit, and likely impossible to enforce. Security experts agree that easy to implement, easy to audit, enforceable approaches are much more secure than complex, challenging and cumbersome approaches.

I believe that Massachusetts stakeholders will support opt in consent to disclose at each institution as the single best approach for the release of all healthcare data. Implementing this uniformly across the Commonwealth will ensure respect for patient privacy is maintained, care delivery organizations can support healthcare data exchange processes, and IT departments can implement the necessary applications.

As a CIO, physician, and husband of a cancer patient, I highly recommend we consider this simplification of current regulation and legislation.


John D. Halamka MD"

Privacy protection will always be a journey, but we need to start somewhere and I hope my comments above seem reasonable.


John Moehrke said...


I agree that Opt-IN is a reasonable approach and one that would leave the patient the least surprised. What I am not clear on is exactly what you mean by 'Opt in consent to disclose at each institution'.

Is this:
a) at the custodian institution. That is they get an Opt-IN to share with anyone that asks. Classic where the paperwork is captured at the publishing organization on their own paper.
b) at each requesting institution. That is each institution that wants access gets an Opt-IN to request data. So the paperwork is done at the requesting organization on the requesting organization paper.
c) the Opt-IN authorizes one requesting institution as recorded at the custodian institution. (Key-HIE does this) The paperwork is done at the requesting organization on the custodian's paper.
d) other

I ask because each of these is doable, but some are far more easy than others. In the (a) case there is no need to communicate consent information at all, whereas (c) requires multiple rounds of communication and a whole new legal landscape.

John Halamka said...

To clarify what I mean by "Opt in consent to disclose at each institution" - the patient opts in to disclose data at the institution where the data was generated. The requestor does not obtain consent to view, it just accepts the consent to disclose from the institution that is sending the data.

Anne Kelly said...

Does Opt-IN include Behavioral Health & substance abuse/addiction data?

John Moehrke said...

Thanks. So I understand you are talking about (a).

Yes, this is the most easy to enforce. It needs only be enforced by data holders. Thus there is no need to even communicate the consent to the data requester. The data requester either gets data, because there is a consent on file; or they don't. Not needing to communicate the consent or the rules of the consent greatly simplifies.

This is the model used in the NwHIN-Exchange today.

The data requester should then use their own rules for governing the data once they get their hands on it.

Typically it is best to have an overall governance policy that prohibits re-disclosure in original form. Meaning that you don't republish the original document that you didn't originally author; but are allowed to author new documents that might contain and reference the original document.

joebeone said...

We're doing some qualitative research under the HHS SHARPS grant with HIV and privacy perceptions as EMRs go from paper to electronic. I'd love to see a pointer to the current and proposed MA law that requires frequent opt-in consent.

Jean Stanford said...

We have created an open source patient consent policy management tool in the cloud that is available for your use now.

Essentially it allows the patient to designate who they want to share data with (e.g., by name, institution, referral relationship to PCP, etc.) and what data they wish to share (e.g. allergies) and for what purposes (treatment, research, etc.).

When a request for data is received, there is a policy reasoner that examines the request and presents the record holder with the relevant patient policies for that request (e.g., "The request is from an allowed physician but only allergy data is allowed to be communicated").

Clearly this is just the beginning of national-scale consent management tool development, but it is a reasonable platform for initial capabilities and can be scaled for your own institutional use if you like.

Full details here: http://sourceforge.net/projects/kaironconsents/

Jean Stanford

Vanessa Sarmiento said...

I agree with the opt-in model for many reasons, especially for safety and privacy rights.

My questions are:

1. How does the consumer opt-in (What is the process)?

2. Must all hospitals and providers require consumer consent?

3. Are all providers in Massachusetts committed to this process? I recently had my mammogram done and I do not remember being educated about an opt-in consent.

Thank you,
Vanessa Sarmiento