By Ken Kleinberg, Point-of-Care Partners, Practice Lead, Innovative Technologies
By Brett Kinsler, Strategic Interests, Partner, Clinical Services & Informatics
In our previous post, we discussed the importance and some of the challenges of a consent management program. Now, let’s look at some other areas that require examination and decisions in the consent management process.
Major Consent Considerations
Here are some of the most important issues that organizations need to consider for robust implementation in support of meaningful patient consent management:
- Authorization Models: range from opt-in or opt-out (may be at the organization or the state level, and may have huge implications for adoption/success with opt-out being the preferred approach), and hybrids that require opt-in for sensitive information, such as HIV or controlled substances or other specific PHI (personal health information) or demographics related to age or guardianship.
- Initiating Party: consent initiation may be performed by the provider, the patient, or either, in addition to a parent/guardian or healthcare proxy (how this consent is verified and passed from stakeholder to stakeholder is a key challenge in consent management).
- Initiation Domain: may be at the point of care, online, or a mixture of options. COVID-19 has led to waiver programs that temporarily change these policies. Such changes may become permanent. Areas subject to natural disasters (e.g., hurricanes, tornados, flooding, wildfires) may want to specifically plan for such occurrences.
- Data Sharing: basic choice to share all data or can be more granular to select certain types of data by sensitivity level (a key challenge here is that omission of data, such as a diagnosis for mental illness, may still be discerned if other information that is shared, such a medication used to treat mental illness, is included for medication reconciliation safety purposes).
- Provider Data Access: may be granted to a particular provider, organization, or multiple providers (community consent) based on the model deployed. Some models permit emergency access or may blanket restrict all access regardless of an emergency event occurrence. Use of audit trails can be key here to track unwarranted access.
- Patient Data Access: models may provide ability to access and/or suggest changes - this access can be more complex based on age (restrictions for teenagers, for example, which can differ by state or organization), family member access (divorced/separated, step-parent), etc. As there can by high complexity here and no easy answers, this can be a major impediment to more sophisticated consent implementation.
- Alteration and Revocation: patient changes to consent may be retrospective, prospective, or contain options of either. For example, revoking consent may or may not remove access to some or all historic data. Changes to consent may be entered by the patient, provider, or either and may occur at the local or statewide level – timing may also be an issue (e.g., batch vs. real-time).
- Alignment with Federal Policies: HIPAA, TEFCA, Part II regulations, etc., does not necessarily reconcile fundamental policy differences across regions or states.
- Data Types: Can include both HIPAA-covered and non-HIPAA-covered data such as advance directives, MOLST (Medical Orders for Life-Sustaining Treatment) data, genetic information, patient generated health data from wearables and home devices, AI/ML generated data, etc.
Additional Technical and Organization Considerations
Among the technical issues of implementing consent management are:
- Integration Technologies - leveraging FHIR APIs when feasible and including approaches to integrate with other consent requirements, EHRs, advanced directives, etc.
- Authentication and Tracking – Identity management, OAuth/UMA, audit capabilities
- Promulgating Consent to Other Entities – Differences in terminology and lack of adequate mapping may contribute to lowest common denominator filtering where granularity of consent is lost
- Workflow - including the ability to support authorized queries, and allow patients the ability to view and manage consent preferences online
Organizational considerations include:
- Consent Strategy – who in the organization decides what approach the organization should take to consent management – should it be based on what others have done (e.g., identification of best practices) – how should it mesh with state or federal policy – could the organization’s consent approach be a competitive differentiator?
- Governance – who has the authority to change, interpret or enforce policies
- Changing Landscapes - Keeping up with potential legislative changes, such as concerning the management of sensitive substance use, mental health, and HIV data as well as overall consent models.
- Advocacy – what approaches and levers do organizations have to influence policy
- Outreach approaches – including provider and patient communication, education, training and activation/engagement.
Effective and meaningful consent that supports information sharing and action requires a balance between a patient’s willingness to provide access to their private information, the need for providers and other stakeholders to access patient data to impact clinical outcomes, population health, the patient experience, and the patient’s willingness and ability to play a larger role in their own health and health information. Better use of technology and processes for consent can enhance the effectiveness and efficiency for stakeholders across regions, states, and the nation. Leveraging the expertise of a team who understands stakeholder alignment, consent management strategy, and is skilled in development and deployment will ensure the success of your organization’s consent program.