Wednesday, July 21, 2010

Health IT policy intensifies focus on consent

While there were several informative presentations and topics addressed at the monthly meeting of the Health IT Policy Committee today, the recommendations from the Privacy and Security Tiger Team on adoption of fair information practices and, especially, handling of consent generated a particularly active discussion. Managing consent and patient or consumer preferences about the use and disclosure of their personal information is garnering a lot of attention within the Office of the National Coordinator, as both its federal advisory committees have been considering the issue. Consent remains among the most significant issues in health information exchange and health IT, and in some ways represents a particularly difficult one to resolve, because it is impossible to satisfy the priorities of all the stakeholders involved. The focus of much of the debate has been on establishing consent as a key privacy protection which, if offered to patients, may help them feel more comfortable with the idea of their personal health data being stored in electronic health records and potentially shared with other entities through health information exchange.

The key policy question is when consent should be required before patient data is disclosed, shared, or transferred. In many cases (most notably for treatment) there is no legal requirement and arguably no policy interest in requiring consent, but if a given entity decides that it would prefer to solicit patient preferences and honor consent directives, it is free to do so (presumably except in cases where it is legally required to disclose information regardless of patient preferences).

With respect to treatment, the Tiger Team members have to date suggested that current legal requirements that mandate consent in advance of health data disclosure are sufficient, at least if they can be enforced. Their attention has therefore sensibly been focused on a set of foreseeable circumstances or situations outside of core or routine purposes for use (such as treatment, payment, and health care operations) under which health information might be exchanged and which should, as a matter of policy (and eventually, regulation), trigger the need for the health care entity to obtain patient consent before the data exchange takes place. Among the recommendations presented today was a representative list of factors that should trigger the need for health care entities to obtain consent from patients before sharing personal health data via health information exchange:
  • Patient’s health information is no longer under control of either the patient or the patient’s provider
  • Patient’s health information is retained for future use by a third party/intermediary
  • Patient’s health information is exposed to persons or entities for reasons not related to ongoing treatment (or payment for care)
  • Patient’s information is aggregated outside of a provider’s record or record of integrated delivery system/accountable care organization with information about the patient from other, external medical records
  • The exchange is used to transmit information that is often perceived to be more sensitive than other types of information (e.g. behavioral health, substance abuse, and other areas defined by NCVHS)
  • Significant change in the circumstances supporting an original patient consent
The Tiger Team recommended to the Health IT Policy Committee that ONC adopt the position that "Choice should be required if any of the factors in the previous slide are present, and ONC should promote this policy through all of its policy levers." The use of the term choice in this context refers to the ability of the health care consumer to assert preferences about data disclosure, including opting in or opting out of sharing data in different circumstances. One of the more energetic side debates during the meeting (and apparently reflecting a similar lack of consensus among Tiger Team members) centered on the best choice model to recommend, with opt-in and opt-out being the two primary alternatives. Patient privacy advocates tend to favor opt-in, because it maximizes patient control over the use and disclosure of their data and because it requires the consent choice to be made in advance of any actual sharing of data. A subset of the group (it's not entirely clear if this is a minority or majority of the members) advocates adopting an opt-in approach and not only recognizing a fundamental right of privacy (something which, it should be noted, does not exist in American law or jurisprudence, even in health care) but also expecting that the architecture of systems or solutions involved in health information exchange reflect protection of privacy as a core design principle.

There are broader-level conflicts between some of the key outcomes sought through health IT adoption and strong consumer controls over data sharing, most notably that an opt-in by default model might severely limit the amount of data available for sharing, which would reduce the effectiveness of the programs, initiatives, or activities that depend on widely available health data. Still, providing consent is routinely cited as a prerequisite for engendering public trust in the use of EHRs and other health information technology, and despite the challenges with implementing consent management capabilities, focusing on privacy and consent is likely to pay greater dividends than emphasizing security controls.

If the current security and privacy controls used with health IT were sufficient to give people the level of confidence they would need to obviate the concerns they have now about the protection of their personal data, then we might be at a point where the data should be shared by default. But until we are at that point (and we're not there now), people don't have that level of confidence, so they must be offered the control (through opting in). This implicitly recognizes that not everyone has the same views, concerns, confidence, or perceptions of trustworthiness of the system. With differing levels of trust, it's unrealistic to impose a single standard approach that will satisfy everyone (a warning that the developers of the NHIN trust framework might do well to heed). Accepting the view that risk must be present for trust to come into play, this also means that if security and privacy measures could be made so effective as to eliminate the risk of misuse or unauthorized disclosure of information, there would be no need for individuals to have trust in the system. Any situation short of information surety will mean that some risk remains, and to encourage people to act (agree to share their data) despite that risk, there must be mechanisms in place that either increase trust or compensate for the lack of trust, and therefore facilitate decisions to act on whatever level of trust exists.

It is somewhat refreshing to see the explicit statement from the Tiger Team that the central focus of trust in health IT is the relationship between the patient and the provider, specifically, that "Providers 'hold the trust' and are ultimately responsible for maintaining the privacy and security of their patients' records," including making decisions about exchanging or disclosing patient data. This relationship illustrates the three-part instantiation of trust — the truster (patient), the trustee (provider), and the context (doctor-patient relationship for health care). The characterization of trust in this context also fits the conception of trust as "encapsulated interest" where, in this case, the patient's evaluation of the trustworthiness of the provider stems from the provider's incorporation of the patient's interests as his or her own. Having said that, and with no disrespect intended to the members or intentions of the privacy and security Tiger Team, there is a fundamental limitation as to the validity of policy statements purporting to represent patient perspectives unless and until some effort is made (other than opening sessions for public comment) to solicit and reflect actual consumer opinions about these issues.

1 comment:

  1. Having architected and run an Opt-In consent, distributed federated HIE over the past several years (www.SAFEHealth.org), I have lived through these issues and more. I have found that while 5% of patients get their peace of mind from knowing that they have absolute control over who sees which piece of their clinical data, 95% of patients get peace of mind from knowing that all of their data are available when they show up for care in the ER or at their self-referred specialist's visit or at their new PCP's visit. Thus I think HIEs need to provide 3 levels of transport: First is for order/result transactions that the patient can't opt out of and are covered in the Notice of Privacy. The second is for the 95% of patients that want to Opt-in once, pick and choose which organizations that they definitely don't want connected (e.g. where they work or where they had a psych admission), but after that (unless revoked) the data just keeps flowing to every other place they go, regardless of whether it has Mental Health or HIV information. Then, for the 5% that want more specific control, they don't Opt-In for that second transport mechanism, but instead use a more specific one-time consent mechanism. Using this 3-tier "consent/transport" architecture, everyone gets what they want and need.
