Predicamenton Predicament

As featured in For The Record

The healthcare industry is in the midst of a debate about how best to handle consumer consent concerns in a health information exchange setting.

Despite increasingly stringent privacy and security regulations, the Indiana Health Information Exchange (IHIE), launched in 2004, now includes more than 60 participating hospitals, the nation’s largest health insurer, and nearly 16,000 physicians—and it shows no signs of slowing down.

How do HIEs like the one in Indiana balance competing interests and still experience exponential growth during a time when expanded HIPAA regulations can become a major obstacle?

It all goes back to consumer consent, says IHIE President and CEO J. Marc Overhage, MD, PhD. “We established trust early on by working with the hospitals, labs, and others to ensure that our standards, particularly in the areas of privacy and security, met stringent requirements,” he says. “Our data sources adhere to consent requirements under Indiana law, which has helped support the growth and participation in our exchange.”

Although Indiana law doesn’t require consumer consent for the electronic exchange of most types of health information, the IHIE’s data sources (eg, hospitals) do inform patients in their notice of privacy practices that information may be used or disclosed for multiple purposes, says Overhage.

“IHIE data sources have mutually agreed that certain information will not be included in the HIE, like behavioral and mental health. Providers have agreed through contractual arrangements to suppress data if a patient informs the provider in writing that he or she doesn’t wish to have any information shared for treatment purposes,” he says.

Importance of Consumer Consent

Giving patients control over who can access information may be one way HIEs can obtain much-needed consent. It may also reflect patients’ continued fear of data breaches and mistrust of nonphysician recipients. According to a HealthDay/Harris Interactive survey, 78% of U.S. adults said physicians should have access to information included in their EHRs while only 30% said insurers should have access. The poll results are based on an online survey of 2,035 U.S. adults conducted from June 8 to 10.

Obtaining consumer consent continues to challenge HIEs nationwide, yet it’s a crucial part of long-term sustainability, says Melissa M. Goldstein, JD, who serves as an associate professor in the health policy department in the School of Public Health and Health Services at the George Washington University Medical Center in Washington, D.C. As part of a contract with the Office of the National Coordinator to explore issues of privacy and security in electronic data exchange, Goldstein coauthored “Consumer Consent Options for Electronic Health Information Exchange: Policy Considerations and Analysis.”

The white paper, which explores the advantages and disadvantages of five different consent models for HIEs, should help policymakers and others involved in creating HIEs move forward, says Goldstein. The five models are as follows:

  • No consent: Patients’ health information is automatically included, and they cannot opt out.
  • Opt out: Patients’ health information is automatically included, but they can opt out completely.
  • Opt out with exceptions: Patients’ information is automatically included, but they can opt out completely or allow only select data to be included.
  • Opt in: No patient health information is included, and patients must actively express consent to be included; however, if they do so, their information must be all in or all out.
  • Opt in with restrictions: No patient health information is included; however, patients may allow a subset of select data to be included.

HIEs are also using multiple variations of these five consent models, says Goldstein, adding that the variety is an important part of determining which model(s) will ultimately be successful. “I think it’s a reality of the way we decide things—trying to figure out what works and what doesn’t,” she says. “I think it will likely be disappointing for the organizations that don’t succeed, but some designs will be more successful than others.”

An important part of ensuring success is recognizing that each primary stakeholder (ie, patients, physicians, insurers) has valid concerns an HIE must address in order to survive and thrive, says Goldstein. “We [as consumers] have the right to decide what procedures we want and what types of medical interventions we’re going to pursue. Those decisions are based on autonomy and individualistic preferences,” she says. “A lot of people feel very strongly that health information exchange shouldn’t be any different.”

On the other hand, many physicians believe they can’t make informed decisions without having access to all patient information. “The important point to remember is that we’re not balancing patients against providers; it’s not an adversarial relationship or an argument. Both sides have real concerns,” Goldstein says.

Lee Barrett, executive director of the Electronic Healthcare Network Accreditation Commission (EHNAC), agrees: “Payers want to reduce costs, providers want to improve the quality of care and have easy access to information, and patients still want some control over who is accessing the information. We need to be aware that all of these stakeholders have different objectives, and we need to be able to manage those objectives.”

Consumer consent and trust have become such touchstone issues that the EHNAC has developed an HIE accreditation model, a large component of which pertains to privacy, confidentiality, and security. In August, the commission announced that the Utah Health Information Network had become the first exchange to gain its stamp of approval. Accredited status lasts for two years, after which an HIE may be evaluated for reaccreditation.

Establishing this type of third-party oversight will not only help raise the bar in terms of privacy and security but also help enhance patients’ level of confidence and ease perceived concerns about exchanging information in an electronic environment, says Barrett.

The accreditation process will become increasingly important as HIEs continue to grow nationwide. The HITECH Act, which provides $564 million through its State Health Information Exchange grant programs, has awarded cooperative agreements to 56 states, eligible territories, and qualified state-designated entities to promote HIEs and achieve widespread and sustainable exchange of electronic health information.

As HITECH has spurred an increased interest in state initiatives, more HIEs are starting to pay closer attention to data encryption and audit trails, says David Finn, CISA, CISM, HIT officer for Symantec. “It’s helpful that meaningful use requires that all that data be exchanged securely. It has shifted the focus, and I think people are starting to understand that you have to address those issues up front,” he says.

More emphasis on privacy and security will only help enhance patient trust and increase the likelihood that patients will consent to having their information shared, Finn says.

Symantec, which partners with state and private HIEs, offers various storage management, encryption, and Internet authentication applications that exchanges can customize to meet their specific policies. Finn says the HIEs with which the company currently works use various consent models depending on their unique needs.

As HIEs grow on local, state, and national levels, the interplay between privacy and consumer consent has become more apparent, says Lorraine Fernandes, RHIA, vice president and healthcare industry ambassador for Initiate, which provides data management solutions to HIEs nationwide. “You build consumer trust by managing the confidentiality of the patient record according to the consent preferences while ensuring you have security procedures and technology to safeguard the privacy of the record,” she says. Being able to manage consumer preferences for consent is the foundation for building trust and participation in the HIE, according to Fernandes.

Pros and Cons of Each Model

Experts agree that choosing a consent model is an important part of establishing an HIE and that there is no one-size-fits-all solution. The following is an explanation of some of the advantages and disadvantages inherent in each model:

No Consent

Although this model includes the least administrative overhead, minimum paperwork, and maximum participation, the one drawback is that consumers don’t have the option to keep their information private should they want to do so, says Finn. Because the default is to include all patient information, patients may not receive proper education about the HIE’s purpose, which could be detrimental to its success and growth, he adds.

Opt Out

This model may be problematic in terms of achieving a national health information network because it allows patients to opt out completely, which essentially defeats the purpose of the HIE, says Finn. However, one advantage is that it gives providers an opportunity to educate patients at the time of opt out and dispel any myths or misconceptions they may have about electronic data exchange. Although this places a burden on providers located in areas where significant numbers of patients prefer to opt out, it’s an opportunity for much-needed education, he explains.

Another disadvantage when consumers choose not to include their information is that it can indirectly lead to higher mortality rates, particularly in emergency departments where physicians could otherwise benefit from easy access to patient information on which they can base important clinical decisions, says Barrett.

Opt Out With Exceptions

Although this model provides more choices for consumers, adding exceptions into the mix is difficult to put into practice, says Finn, who spent 20 years working in healthcare, 11 of which were for a large integrated healthcare delivery system, before joining Symantec. “As someone who has had to operationalize those exceptions, I don’t believe this is a workable model,” he says. “Medical records aren’t set up that way. The medical record is a document designed to be shared between providers. If you’re partially in or out, you’re also skewing data for quality and outcomes measures, so it doesn’t really add value in my opinion.”

Although today’s technology generally allows HIEs to restrict entire episodes of care or entire visits, establishing more finite parameters for restriction is problematic, says Fernandes. “A sensitive diagnosis or condition could be in the history and physical or discharge summary, noted as the reason for a lab or imaging test, documented in the progress notes or the operative report, etc,” she says. “Sensitive information won’t be called out in a specific area in a chart, it can be almost anywhere in the record. Therein [lies] the challenge with restricting disclosure in a granular approach.”

Another question this model raises is whether patients are capable of making sound decisions about who should be able to access their data, says Finn. “People will make decisions based on their values and needs, but they won’t be clinical decisions,” he notes.

Opt In

The challenge with this model is that patients must choose to participate, which means they must fundamentally understand the goal of the HIE—a point that many providers fail to convey effectively or at all, says Finn. Multiple HIEs in one geographic area make it confusing for patients, as do conflicting state HIPAA requirements and state privacy laws that may conflict with other state or federal laws. Patients whose primary language is not English may also have a difficult time understanding the HIE’s purpose and therefore may not wish to participate, Finn adds. “My concern is that you won’t get the level of participation one would hope for under HITECH or that the provider would need to make the HIE valuable for him or her,” he says.

Although certain states (eg, Massachusetts) have found success with an opt-in model, this may be due to their relatively small geographic area and fairly homogenous demographics, says Finn. “I’m not sure how opt in would work in a state like Texas where you can drive for 12 hours and still not be across the state,” he says. “We have major metropolitan areas like Houston and then you have literally hundreds of cities of four or five thousand [people]. Those are people who don’t like others knowing stuff about them. My concern is that you’d lose a lot of populations that need to be looked at and that would otherwise add valuable information.”

Opt In With Restrictions

This model provides the most flexibility and thus may be easiest for patients to buy into, says Barrett. “One of the biggest things people want is options. [With this model], people have the option to determine how the data will be used,” he says. “As long as we give people that option on how they want to use the data, that’s going to give a greater opportunity for success. People will feel comfortable having their data disseminated.”

However, this model—as well as the opt-out-with-exceptions model—raises several ethical questions, the most complex of which is who owns the record, says Barrett. “Privacy advocates say the patient owns it. Payers say it’s theirs. A provider in a hospital environment says the data is theirs. I think it’s still up for debate and is a fundamental question that has yet to be answered,” he says.

Models that focus on inclusion rather than exclusion may be more helpful in terms of achieving short-term and long-term goals, says Overhage. Without inclusion, physicians, patients, and other stakeholders won’t deem the information accurate or reliable, he notes.

Looking Ahead

Goldstein believes a variety of consent models will continue to exist even as consumers become more educated and the nation as a whole moves toward a national health information network. However, the more absolute models, such as no consent and total opt-in, may be phased out, she adds.

As patients become more educated about HIEs, consent models may become more similarly constructed and have less variation, says Finn. “I suspect we may continue to have [several models], but they may become more closely based on specific parameters. They may have a common understanding of what data can be shared, what can be exempted, and who can get access [to information]. The exceptions may be more standardized and not open to a patient’s or a provider’s whim,” he says.

Fewer eventual consent models will be helpful in terms of achieving a national health information network and improving health outcomes, adds Finn. “In talking with HIEs across the United States, my biggest fear is that we’re going to end up with 50 different ways of doing things. I think the key is going back to why we’re doing this health information exchange to start with. The issue is really to improve the quality of care and patient outcomes and metrics,” he says.