By Ken Kleinberg, Point-of-Care Partners, Practice Lead, Innovative Technologies
By Brett Kinsler, Strategic Interests, Partner, Clinical Services & Informatics
Sign here. On the surface, patient consent is such a simple principle. Patients communicate their desire to share their health information or accept (or deny) a treatment. The most common broad consent is often the only option given to patients, and generally includes the concept of informed consent, emphasizing the patient’s role in the decision-making process and a section to address common patient questions. More granular approaches to consent offer a myriad of options that may specifically assess patient desires and choices to protect privacy and security.
All (Regulated) Stakeholders Take Note
Stakeholders that need to manage consent effectively include health systems, providers, EHR (Enterprise Health Record) vendors, health information exchanges (HIEs), health information networks (HINS), labs, pharmacies, and payers/health plans. Organizations do not necessarily have to have direct patient interaction to be concerned with consent, as is the case with many HIEs that are not patient facing. Patient portals and the newer world of consumer apps are clearly access vehicles where consent may come also into play. The recently finalized rules from CMS and ONC have a lot to say about information exchange and patient access – and while they have yet to be tested, they clearly put a greater responsibility on the patient for managing consent in the permissions they agree to. In many cases, these decisions have implications outside the protections of HIPAA (consumer beware).
The Office of the National Coordinator for health IT (ONC) feels patients need to understand their role and options so that they make meaningful and informed consent decisions – they refer to this as meaningful consent. If patients fail to participate in the process, they risk having too much or too little information shared, leading to potentially dire consequences to their health and private lives. But even once consent is granted, accounting for the responsibility organizations undertake in caring for patients (and their data), leaves much to consider and balance.
Pitfalls of Getting it Wrong
Organizations implementing an effective consent process, including appropriate sharing among multiple stakeholders and regions, face an incredibly complex task. Those who do not have the needed policy/regulatory knowledge, systems, technology, processes, and workflow to properly enable meaningful patient consent may suffer serious repercussions including lawsuits, fines, loss of accreditation, reduction in public trust, or worse. They may also experience loss of revenue, patients, value-based care payments and other incentives.
Poor consent management by industry players may influence the establishment of even greater future barriers and regulations to the exchange of information that truly needs to be shared. We will face the implications of our failure to act responsibly and strategically. Patient advocacy and privacy groups already have a great deal of ammunition regarding lack of patient protections either through mistakes or more purposeful intent, such as sharing information for commercial gain or other purposes beyond what is legal or ethical.
Consent at the State Level
Variations in regulation, approach and methodology to consent within and across states pose challenges to the interoperable exchange of health information. This influences the approaches taken by HIEs that operate in those states or a region that spans states (in addition, cross-state HIE partnerships are not uncommon). Some areas use an opt-in model, requiring patients to consent to the sharing of their data. These systems provide much less information than areas with an opt-out model, whereby default participation and sharing is assumed unless specifically revoked. Certain approaches have been shown to actually increase barriers to health information exchange, placing a greater administrative burden on less technologically advanced organizations. Some providers within and across states may find themselves having to interact with multiple entities to share and access clinical information and, thus, require multiple complex interfaces and workflows to serve their geography well.
Several states have taken a statewide approach to consent, which, while challenging to implement and maintain, provides marked benefits to patients and users. To successfully define and deploy statewide consent capability, a state needs to evaluate and incorporate stakeholder requirements, design solutions (which may include a consent registry) and create an approach to address these requirements that meets the needs of everyone. To ensure successful deployment and sustainability, states need to embrace a funding and program management approach that allows stakeholders to migrate from their current approaches, and solve workflow issues related to the collection and management of consent. This is a complex undertaking that benefits from outside experts to manage the alignment of stakeholders and develop effective and efficient approaches.
In our next post, we will look more closely at the most important issues for stakeholders to consider, especially regional and state HIEs, regarding the implementation of consent including organizational and technical considerations.