By Brett Kinsler, Strategic Interests, Partner, Clinical Services & Informatics
and
By Ken Kleinberg, Point-of-Care Partners, Practice Lead, Innovative Technologies
In our previous post, we discussed the importance and some of the challenges of a consent management program. Now, let’s look at some other areas that require examination and decisions in the consent management process:
Major Consent Considerations
Here are some of the most important issues that organizations need to consider for robust implementation in support of meaningful patient consent management:
Authorization Models: range from opt-in or opt-out (may be at the organization or the state level, and may have huge implications for adoption/success with opt-out being the preferred approach), and hybrids that require opt-in for sensitive information, such as HIV or controlled substances or other specific PHI (personal health information) or demographics related to age or guardianship.
Initiating Party: consent initiation may be performed by the provider, the patient, or either, in addition to a parent/guardian or healthcare proxy (how this consent is verified and passed from stakeholder to stakeholder is a key challenge in consent management).
Initiation Domain: may be at the point of care, online, or a mixture of options. COVID-19 has led to waiver programs that temporarily change these policies. Such changes may become permanent. Areas subject to natural disasters (e.g., hurricanes, tornados, flooding, wildfires) may want to specifically plan for such occurrences.
Data Sharing: basic choice to share all data or can be more granular to select certain types of data by sensitivity level (a key challenge here is that omission of data, such as a diagnosis for mental illness, may still be discerned if other information that is shared, such a medication used to treat mental illness, is included for medication reconciliation safety purposes).
Provider Data Access: may be granted to a particular provider, organization, or multiple providers (community consent) based on the model deployed. Some models permit emergency access or may blanket restrict all access regardless of an emergency event occurrence. Use of audit trails can be key here to track unwarranted access.
Patient Data Access: models may provide ability to access and/or suggest changes – this access can be more complex based on age (restrictions for teenagers, for example, which can differ by state or organization), family member access (divorced/separated, step-parent), etc. As there can by high complexity here and no easy answers, this can be a major impediment to more sophisticated consent implementation.
Alteration and Revocation: patient changes to consent may be retrospective, prospective, or contain options of either. For example, revoking consent may or may not remove access to some or all historic data. Changes to consent may be entered by the patient, provider, or either and may occur at the local or statewide level – timing may also be an issue (e.g., batch vs. real-time).
Alignment with Federal Policies: HIPAA, TEFCA, Part II regulations, etc., does not necessarily reconcile fundamental policy differences across regions or states.
Data Types: Can include both HIPAA-covered and non-HIPAA-covered data such as advance directives, MOLST (Medical Orders for Life-Sustaining Treatment) data, genetic information, patient generated health data from wearables and home devices, AI/ML generated data, etc.
Additional Technical and Organization Considerations
Among the technical issues of implementing consent management are:
Integration Technologies – leveraging FHIR APIs when feasible and including approaches to integrate with other consent requirements, EHRs, advanced directives, etc.
Authentication and Tracking – Identity management, OAuth/UMA, audit capabilities
Promulgating Consent to Other Entities– Differences in terminology and lack of adequate mapping may contribute to lowest common denominator filtering where granularity of consent is lost
Workflow – including the ability to support authorized queries, and allow patients the ability to view and manage consent preferences online
Organizational considerations include:
Consent Strategy – who in the organization decides what approach the organization should take to consent management – should it be based on what others have done (e.g., identification of best practices) – how should it mesh with state or federal policy – could the organization’s consent approach be a competitive differentiator?
Governance – who has the authority to change, interpret or enforce policies
Changing Landscapes – Keeping up with potential legislative changes, such as concerning the management of sensitive substance use, mental health, and HIV data as well as overall consent models.
Advocacy – what approaches and levers do organizations have to influence policy
Outreach approaches – including provider and patient communication, education, training and activation/engagement.
Conclusion
Effective and meaningful consent that supports information sharing and action requires a balance between a patient’s willingness to provide access to their private information, the need for providers and other stakeholders to access patient data to impact clinical outcomes, population health, the patient experience, and the patient’s willingness and ability to play a larger role in their own health and health information. Better use of technology and processes for consent can enhance the effectiveness and efficiency for stakeholders across regions, states, and the nation. Leveraging the expertise of a team who understands stakeholder alignment, consent management strategy, and is skilled in development and deployment will ensure the success of your organization’s consent program.
By Brett Kinsler, Strategic Interests, Partner, Clinical Services & Informatics
and
By Ken Kleinberg, Point-of-Care Partners, Practice Lead, Innovative Technologies
Sign here. On the surface, patient consent is such a simple principle. Patients communicate their desire to share their health information or accept (or deny) a treatment. The most common broad consent is often the only option given to patients, and generally includes the concept of informed consent, emphasizing the patient’s role in the decision-making process and a section to address common patient questions. More granular approaches to consent offer a myriad of options that may specifically assess patient desires and choices to protect privacy and security.
All (Regulated) Stakeholders Take Note
Stakeholders that need to manage consent effectively include health systems, providers, EHR (Enterprise Health Record) vendors, health information exchanges (HIEs), health information networks (HINS), labs, pharmacies, and payers/health plans. Organizations do not necessarily have to have direct patient interaction to be concerned with consent, as is the case with many HIEs that are not patient facing. Patient portals and the newer world of consumer apps are clearly access vehicles where consent may come also into play. The recently finalized rules from CMS and ONC have a lot to say about information exchange and patient access – and while they have yet to be tested, they clearly put a greater responsibility on the patient for managing consent in the permissions they agree to. In many cases, these decisions have implications outside the protections of HIPAA (consumer beware).
The Office of the National Coordinator for health IT (ONC) feels patients need to understand their role and options so that they make meaningful and informed consent decisions – they refer to this as meaningful consent. If patients fail to participate in the process, they risk having too much or too little information shared, leading to potentially dire consequences to their health and private lives. But even once consent is granted, accounting for the responsibility organizations undertake in caring for patients (and their data), leaves much to consider and balance.
Pitfalls of Getting it Wrong
Organizations implementing an effective consent process, including appropriate sharing among multiple stakeholders and regions, face an incredibly complex task. Those who do not have the needed policy/regulatory knowledge, systems, technology, processes, and workflow to properly enable meaningful patient consent may suffer serious repercussions including lawsuits, fines, loss of accreditation, reduction in public trust, or worse. They may also experience loss of revenue, patients, value-based care payments and other incentives.
Poor consent management by industry players may influence the establishment of even greater future barriers and regulations to the exchange of information that truly needs to be shared. We will face the implications of our failure to act responsibly and strategically. Patient advocacy and privacy groups already have a great deal of ammunition regarding lack of patient protections either through mistakes or more purposeful intent, such as sharing information for commercial gain or other purposes beyond what is legal or ethical.
Consent at the State Level
Variations in regulation, approach and methodology to consent within and across states pose challenges to the interoperable exchange of health information. This influences the approaches taken by HIEs that operate in those states or a region that spans states (in addition, cross-state HIE partnerships are not uncommon). Some areas use an opt-in model, requiring patients to consent to the sharing of their data. These systems provide much less information than areas with an opt-out model, whereby default participation and sharing is assumed unless specifically revoked. Certain approaches have been shown to actually increase barriers to health information exchange, placing a greater administrative burden on less technologically advanced organizations. Some providers within and across states may find themselves having to interact with multiple entities to share and access clinical information and, thus, require multiple complex interfaces and workflows to serve their geography well.
Several states have taken a statewide approach to consent, which, while challenging to implement and maintain, provides marked benefits to patients and users. To successfully define and deploy statewide consent capability, a state needs to evaluate and incorporate stakeholder requirements, design solutions (which may include a consent registry) and create an approach to address these requirements that meets the needs of everyone. To ensure successful deployment and sustainability, states need to embrace a funding and program management approach that allows stakeholders to migrate from their current approaches, and solve workflow issues related to the collection and management of consent. This is a complex undertaking that benefits from outside experts to manage the alignment of stakeholders and develop effective and efficient approaches.
In our next post, we will look more closely at the most important issues for stakeholders to consider, especially regional and state HIEs, regarding the implementation of consent including organizational and technical considerations.
Variations in approach to consent pose challenges to interoperable health information exchange. Each state around the US and, in many states, each individual health information exchange differs in their approach to consent processes and management. This can affect workflow and decision-making capabilities for users of the HIEs. Some state models have been shown to increase regulatory barriers to health information exchange and place a greater administrative burden on those less technologically advanced organizations. Below, we will examine some of the issues, approaches to address them, and implications on key stakeholders including providers, payers, and patients. If your organization is looking to solve HIE consent problems, Strategic Interests and our partners have the ability to assess the current state of consent in your region, compare to best practices around the nation, isolate and evaluate the impacts of making changes, and develop a practical plan to move forward.
There are several model variations around the nation with different selections across the potential options. Model variations include:
Authorization models: range from opt-in, opt-out, and hybrids that require opt-in for sensitive information or other specific PHI or demographics.
Initiating Party: consent initiation may be performed by the provider, the patient, or either, in addition to a parent/guardian or healthcare proxy.
Initiation Domain: point of care, online, or a mixture of options. COVID-19 has led to waiver programs that temporarily change these policies. Such changes may become permanent, and in the meantime have already modified the everyday behavior of clinicians and care providers in their approach to patient care.
Data Sharing: basic choice to share all data or can be more granular to select certain types of data by sensitivity level and clinical application or need.
Provider Data Access: may be granted to a particular provider, organization, or multiple providers (community consent) based on the model deployed. Some models permit emergency access or blanket restrict all access regardless of an emergent event occurrence.
Patient Data Access: models may provide ability to access and/or suggest changes
Alteration and Revocation: patient changes to consent may be retrospective, prospective, or contain options of either. For example, revoking consent may or may not remove access to historic data. Changes to consent may be entered by the patient, provider, or either and may occur at the local or statewide level.
Alignment with Federal Policies: HIPAA, TEFCA, etc. does not necessarily reconcile fundamental policy differences across regions or states.
Migration Issues:
Process for providers who have a presence in geographies served by multiple QEs with varying policies
Process for patients who travel across HIE regions for healthcare in addition to travel out of state which may entail seasonal or emergency care
Governance Structures:
Centralized consent tracking system and standard consent form
Patients are asked to repeatedly sign consents for each HIE, leading to “consent overload.” Such overload not only affects the HIE and the interconnected systems, but also creates temporal inconsistencies as to when a particular consent was in effect and when data was shared or denied.
Patients ability to query for, or change their current state of consent without contacting each individual HIE
Sensitive PHI may be treated differently in different organizations
Complications:
Organizations may be steadfast in their own approach to consent and resistant to change on a statewide level
The benefits of a well-managed consent program far outweigh the challenges. In order to successfully define and deploy such capabilities, HIEs must incorporate stakeholder requirements, design solutions and an approach to address these requirements, embrace a funding and program management approach that allows organizations, providers, and other stakeholders to migrate from current approaches, and solve workflow issues related to the collection and management of consent while conforming to regulatory requirements for the management of sensitive substance use, mental health, and persistent viral data (HIV, herpes, COVID-19, etc.). In addition, the potential of legislative changes could streamline the process but may also pose distinct privacy and workflow challenges.
A successfully deployed statewide consent management system will yield increased patient clarity in the process, lessened effort for participants in the consent process, improvements in care delivery and coordination and the maintenance of patient desires and health information privacy choices. These, and other complex healthcare workflow and strategy quandaries are situations that SI and our partners are well-positioned to address. Let us know if you need help.
Recent Comments