One major issue facing private and public Health Information Exchanges (HIE) is how to ensure patients privacy preferences are respected by obtaining their consent before data is shared. This Boston Globe article illustrates the complexity of the issue.
Today I met with a multi-disciplinary team of attorneys, vendor experts, and IT leaders to discuss BIDMC's approach to private HIE consent.
After two hours of discussion, here's what we agreed upon:
Patients and families should be able to control the flow of their data among institutions. The ability for the patient to chose what flows where for what purpose is "meaningful consent"
To achieve "meaningful consent" we will ask all the patients of our 1800 BIDMC associated ambulatory clinicians to opt in for data sharing among the clinicians coordinating their care.
Patients may revoke this consent at any time.
Consent for patients under 18 years old and not emancipated will be sought from their parents. Upon turning 18, the patients themselves will select their consent preferences.
The process for sharing data will function as follows
*Authorized clinicians with a need to know clinical information for treatment, payment or operations will electronically request a view of data from a community practice using our "magic button" protocol
Only patients shared in common between the two organizations can be queried.
All requests will be audited.
Data will be displayed from organizations where the patient has opted in for disclosure of their information. There will not be a "break the glass" feature to override patient privacy preferences (or lack of preferences).
We feel that asking for opt in consent to disclose is the most patient centric approach to protecting privacy and today we agreed to do it for all our community practices, both private and owned.
This practice mirrors what the Massachusetts public HIE will do as it evolves from a "push" model to a "pull" model" over the next few years. Starting this month, we'll record opt in consents at the BIDMC community level, but by 2014 all consents will be recorded at the state level.
Opt in consent to disclose with the ease of opting out at any time will work well for private and public HIEs.
State HIEs typically believe they will be able to associate patient consent with their Master Patient Index (MPI). The MPI, however is not voluntary or under patient control unless patients are allowed to voluntarily identify themselves using a Direct email address (or equivalent).
ReplyDeleteIt's good to see BIDMC adopting meaningful consent practices in your private exchange among HIPAA-Covered Entities that have a direct patient relationship. It's premature, however, to extrapolate these practices to HIEs, all payer claims databases (APCDs), MPIs and other data aggregators that are not HIPAA CEs and have no direct relationship with the patient.
Adrian