The key policy question is when should consent be required before patient data is disclosed, shared, or transferred. In many cases (most notably for treatment) there is no legal requirement and arguably no policy interest in requiring consent, but if a given entity decides that they would prefer to solicit patient preferences and honor consent directives, they are free to do so (presumably except in cases where they are legally required to disclose information regardless of patient preferences).With respect to treatment, the Tiger Team members have to date suggested that current legal requirements that mandate consent in advance of health data disclosure are sufficient, at least if they can be enforced, so their attention has sensibly been focused on a set of foreseeable circumstances or situations outside of core or routine purposes for use (such as treatment, payment, and health care operations) under which health information might be exchanged that should, as a matter of policy (and eventually, regulation) trigger the need for the health care entity to obtain patient consent before the data exchange takes place. Among the recommendations presented today was a representative list of factors that should trigger the need for health care entities to obtain consent from patients before sharing personal health data via health information exchange:
- Patient’s health information is no longer under control of either the patient or the patient’s provider
- Patient’s health information is retained for future use by a third party/ intermediary
- Patient’s health information is exposed to persons or entities for reasons not related to ongoing treatment (or payment for care)
- Patient’s information is aggregated outside of a provider’s record or record of integrated delivery system/accountable care organization with information about the patient from other, external medical records
- The exchange is used to transmit information that is often perceived to be more sensitive than other types of information (e.g. behavioral health, substance abuse, and other areas defined by NCVHS)
- Significant change in the circumstances supporting an original patient consent
There are broader level conflicts between some of the key outcomes sought through health IT adoption and strong consumer controls over data sharing, most notably that an opt-in by default model might severely limit the amount of data available for sharing, which would reduce the effectiveness of the programs or initiatives or activities that depend on widely available health data. Still, providing consent is still routinely cited as a prerequisite for engendering public trust in the use of EHR's and other health information technology, and despite the challenges with implementing consent management capabilities, focusing on privacy and consent is likely to pay greater dividends than emphasizing security controls.If the current security and privacy controls used with health IT were sufficient to give people the level of confidence they would need to obviate the concerns they have now about the protection of their personal data, then we might be at a point where the data should be shared by default. But, until we are at that point (and we're not there now), people don't have that level of confidence, so they must be offered the control (through opting in). This implicitly recognizes that not everyone has the same views, concerns, confidence, or perceptions of trustworthiness of the system. With differing levels of trust, it's unrealistic to impose a single standard approach that will satisfy everyone (a warning that the developers of the NHIN trust framework might do well to heed). Accepting the view that risk must be present for trust to come into play, this also means that if security and privacy measures could be made so effective as to eliminate the risk of misuse or unauthorized disclosure of information, there would be no need for individuals to have trust in the system. Any situation short of information surety will mean that some risk remains, and to encourage people to act (agree to share their data) despite that risk, there must be mechanisms in place that either increase trust or that compensate for the lack of trust, and therefore facilitate decisions to act on whatever level of trust exists.
It is somewhat refreshing to see the explicit statement from the Tiger Team that the central focus of trust in health IT is the relationship between the patient and the provider, specifically, that "Providers 'hold the trust' and are ultimately responsible for maintaining the privacy and security of their patients' records," including making decisions about exchanging or disclosing patient data. This relationship illustrates the three-part instantiation of trust — the truster (patient), the trustee (provider), and the context (doctor-patient relationship for health care). The characterization of trust in this context also fits the conception of trust as "encapsulated interest" where, in this case, the patient's evaluation of the trustworthiness of the provider stems from the provider's incorporation of the patient's interests as his or her own. Having said that, and with no disrespect intended to the members or intentions of the privacy and security Tiger Team, there is a fundamental limitation as to the validity of policy statements purporting to represent patient perspectives unless and until some effort is made (other than opening sessions for public comment) to solicit and reflect actual consumer opinions about these issues.