Patient trust is a necessary component for the healthcare system to work and that is true both for the health system that exists today and the one that we’re trying to create for the future. So as the industry begins moving toward a patient-centric health system, we need to make sure that the patient is comfortable.
This from Deven McGraw of the Health Privacy Project and healthcare law expert Gerry Hinckley in their session at HIMSS 2011 – New Patient Privacy and Consent Standards for a Connected World.
HIPAA addressed consents at the most general level. Essentially it requires patient consent for uses the majority would agree should not be permitted, such as selling the data to marketers or secondary research projects.
There are a large number of disclosures that don’t require any permission from the patient, however. Some of this has been corrected under the HITECH provisions of ARRA, for example, patients can prevent disclosure to insurance companies when they pay out of pocket. But in the great scheme of things, patients have little control.
As McGraw and Hinckley content, changes in technology often bring about the need to reassess the legal structures in place and that is precisely what’s happening with the question of patient consents. As the industry jumps into the practice of sharing patient data through Health Information Exchanges (HIEs), we risk patient data being more widely available than ever before.
The best work on these issues is being done at the federal level by groups such as the ONC Policy committee’s Privacy and Security Tiger Team and the PCast report. The challenge is that, for all of these issues, States have the opportunity to set many of these rules. Some have an opt-in rule, others an opt-out and many have a complex hybrid approach with different rules for different scenarios. Certainly this complicates the delivery of quality, repeatable solutions from the vendor community, but also causes a great deal of trouble for any organization serving a border community or with a multi-state footprint.
When approaching the question from a policy standpoint, the interests of individual control and effectiveness of HIEs need to be balanced. Requiring numerous consents from each patient desensitizes patients, and very few then consider the merits of individual requests thoughtfully. An opt-in process may leave the HIE with too little data and physicians stop viewing it as a valuable tool. Complex schemes, such as the ability to opt-out except in the case of emergencies, can be problematic to enforce in practice.
The best solutions will use consistency and simplicity on a national level. A consistent framework is important to facilitating understanding and adoption by healthcare organizations. Simplicity will serve the needs of the majority of patients while reasonably allowing them to be educated about their decision and be thoughtful of the choices that they make.
Personally, I’m not convinced these goals are 100 percent achievable, but they are the right goals to strive for and hopefully can serve as a step in the right direction