North Carolina Health Information Exchange Patient Consent Options for HIE NC HIE Board Education Webinar Date: July 2, 2010 Time: 8:30 am – 9:30 am Location:

Presentation transcript:

North Carolina Health Information Exchange
Patient Consent Options for HIE
NC HIE Board Education Webinar
Date: July 2, 2010
Time: 8:30 am – 9:30 am
Location: NC Hospital Association 2400 Weston Parkway, Cary, NC
Dial in: Code: Webinar Login: Webinar Password: NCHIE

Discussion Document – Not Intended for Distribution

Agenda
1. Welcome/Introduction
2. ONC Requirements
3. Role of consent in HIE
4. Consent Policy Influencers
5. Legal Framework for Consent
6. Implications of NC Law for NC Consent Policy
7. Example Statewide HIE Consent Policy: NY
8. Key Info to Inform Future Consent Policy Decisions

ONC Requirements

The ONC Statewide HIE Cooperative Agreement outlines specific requirements across five domains: Governance, Legal & Policy, Business & Technical Operations, Technical Infrastructure and Finance.

Legal & Policy Domain: “The mechanisms and structures in this domain address legal and policy barriers and enablers related to the electronic use and exchange of health information. These mechanisms and structures include but are not limited to: policy frameworks, privacy and security requirements for system development and use, data sharing agreements, laws, regulations, and multi-state policy harmonization activities. The primary purpose of the legal/policy domain is to create a common set of rules to enable inter-organizational and eventually interstate health information exchange while protecting consumer interests.”

One of the ONC program evaluation questions is, by the two-year mark: Has the governance organization developed and implemented privacy policies and procedures consistent with state and federal requirements?

The Role of Consent in HIE

Consumer consent is the tool by which consumers control the exchange of their health information through a HIE. The NC statewide HIE collaboration process is tasked with determining to what extent, and how, consumers should be able to control such exchange.

Consent is but one of many privacy and security tools. Other features that should influence NC’s consent policy decision include:
– Uses of health information available through the exchange;
– Filtering of sensitive health information through the exchange;
– Whether and to what extent consumers may control what providers are allowed to share and/or access their information;
– Ability to “break the glass” to obtain health information in emergency situations where consumer consent has not been granted;
– Nature and breadth of consumer outreach and education efforts related to the consent decision; and
– Extent of security, enforcement, and remedies in place.

Competing Influences on a State’s Consent Policy¹

Patients Want:
– Meaningful control over and protection of their health information
– Quality, well-coordinated care

Providers Want:
– To deliver quality, well-coordinated care
– Maximal quantity and quality (i.e., utility) of data
– Protection against liability
– Minimal administrative burden and cost

Payers Want:
– Maximal patient and provider participation
– Minimal burden and cost
– Access to data

Exchanges Want:
– Maximal patient and provider participation
– Maximal flexibility to sustain the exchange
– Minimal administrative / operational burden
– Maximal ability to provide value to participants

¹ Melissa Goldstein and Alison Rein. “Consumer Consent Options for Electronic Health Information Exchange: Policy Considerations and Analysis.” Prepared for the Office of the National Coordinator for Health IT. March 23, 2010

Legal Framework for Consent

Federal and state laws regulating the disclosure of patient health information provide a framework for the development of a consent policy for statewide HIE in North Carolina.

HIPAA: Permits Covered Entities to use and disclose Protected Health Information without patient authorization for treatment, payment and health care operations.

42 CFR Part 2: Prohibits federally-assisted alcohol or drug abuse treatment facilities or programs from using or disclosing any information about a patient for even treatment, payment or health care operations unless the patient has consented in writing, except in a medical emergency.

NC State Law

Restrictions on Disclosure by Certain Providers: NC law permits most health care providers to disclose medical information for treatment purposes without patient consent. HOWEVER, certain types of providers must obtain consent before disclosing for treatment purposes:
1. Certain mental health facilities and programs
2. Nursing homes
3. Adult care homes
4. Home health agencies (possibly)

Restrictions on Disclosure of Reportable Communicable Disease Information: Although there is some uncertainty about how the law is interpreted, many health care providers believe NC law prohibits the disclosure of information about reportable communicable diseases to outside entities without patient consent, even for treatment purposes. Approximately 70 communicable diseases are subject to this law.

Implications of NC Law for NC Consent Policy

Allowing exchange without affirmative consumer consent (through a pure opt-out or no consent model) appears infeasible absent a change in law.
– Existing NC law requires consent for 1) disclosure by certain types of care providers and 2) disclosure of certain types of health information.

A “mixed” opt-in and opt-out or no consent model could conceivably be implemented provided:
– Substance abuse treatment providers, mental health facilities, nursing homes and possibly home health agencies obtain affirmative consent before disclosing information through the HIE.
– Providers obtain affirmative consent before disclosing information about reportable communicable diseases or such information is filtered out of the HIE.

Example Statewide Consent Policy: New York’s SHIN-NY (Opt-in)

RHIO Participants must obtain written patient consent before accessing a patient’s health information through a RHIO
– Includes all of a patient’s information (e.g. Sensitive Health Information)
– RHIOs and their Participants must use a standard consent form provided and/or approved by the State

RHIO Participants may upload or otherwise make available through an edge server or other means information to the RHIO without consent provided that:
– The RHIO is serving as the Participant’s Business Associate; and
– The RHIO does not make the information accessible to other RHIO Participants until written consent is obtained authorizing such access.

Example Statewide Consent Policy: Maine’s HealthInfoNet (Opt-out)

The health information of Maine residents is included in HealthInfoNet unless the consumer opts out using the form pictured here.

Under Maine law, no consent was required for health care providers and facilities to disclose information for TPO. 2 Maine amended the law to explicitly allow disclosure to a HIE for TPO but statutorily required that consumers be allowed to opt-out MRSA 1711-C. 3 SP 570, LD ME PL Chapter 387. June 12, 2009.

Status of Legal/Policy Workgroup Deliberations to Date

– The Legal Subcommittee has conducted an initial scan of NC state laws that address consent to disclose patient information for treatment purposes to provide input to policy subcommittee, which is studying and discussing consent policy models.
– Review of state laws suggests that existing NC law points toward a consent policy that would require patient consent to disclose via a HIE for treatment purposes, as existing NC law requires consent for 1) disclosure by certain types of care providers and 2) disclosure of certain types of health information.
– The Policy Subcommittee has recommended a two-pathway approach to developing a consent policy: one that assumes existing NC law remains as is, and, if desirable, a second pathway that would provide a different consent policy for the HIE but might require changes to NC law.
– The full Legal/Policy Workgroup will be reviewing the Policy Subcommittee’s recommendation on a consent model under existing law on July 2, The Legal/Policy Workgroup will submit its recommendation for approach under existing law to the NC HIE Board at the July 13, 2010 board meeting.

Key Information to Inform Future Consent Policy Decisions

– Both patient and provider participation are necessary to facilitate better care delivery and advance other societal goals (e.g., improved public health), as well as to ensure the viability of HIE.
– Evidence shows that both opt-in and opt-out consent models can generate sufficient patient and provider participation to achieve the critical mass necessary for system function and the realization of key goals.⁴
– Adoption of an appropriate consent model, coupled with responsible policies dictating the types of information included in the exchange, the nature and number of entities granted access to the information, the purposes for which the information can be used, the durability and revocability of consumer consent, and the extent of security, enforcement, and remedies in place, will help to build trust in North Carolina’s statewide HIE network while meeting clinical goals.

⁴ Melissa Goldstein and Alison Rein. “Consumer Consent Options for Electronic Health Information Exchange: Policy Considerations and Analysis.” Prepared for the Office of the National Coordinator for Health IT. March 23, 2010

ATTACHMENTS

Common Consent Models

Consumer consent models for HIE include:
– Opt-in: Typically requires affirmative authorization from the consumer, often through signing a standardized consent form, before a consumer’s health information may be exchanged through the network.
– Opt-out: Typically requires that the consumer is given notice (through mailings, brochures, posted notices or other means) and allows a consumer’s health information to be exchanged through the network unless and until the consumer formally requests that it not be.
– No-consent²: Consumers’ health information is automatically included in an exchange and the consumer is not given the express opportunity to opt out.

A mixed model can be created as well.

² The no consent model does not relieve covered entities from complying with provisions under HIPAA governing patient rights, including the patient’s right to make a request to restrict the disclosure of their PHI for TPO. HIPAA also outlines other situations in which PHI may not be disclosed without express consent.

Consent Model Options

Option Name: Mixed Model
Key Elements:
– Exchange only a summary record of structured data that does not include medical record notes
– Filter communicable disease data
– Opt out consent for most providers
– Opt in consent for substance abuse treatment providers, mental health facilities, nursing homes and possibly home health agencies
Advantages:
– Significant amount of data available for treatment and care management from outset
– Higher level of patient control over sensitive data may enhance consumer trust
– Low administrative burden on most providers
– No need to change law
Disadvantages:
– Data about all patients incomplete
– High administrative burden on some providers
– Technical obstacles to effectively filter, with related risk of legal liability

Option Name: Opt In
Key Elements:
– Potential exchange of full medical record without data filtering
– Opt in consent for all providers
Advantages:
– Highest level of patient control likely to lower risk of consumer mistrust and privacy concerns
– Fuller record set available for patients who do consent
– Limited technical obstacles
– No risk of ineffective filtering
– No need to change law
Disadvantages:
– Limited amount of data available for treatment and care management at outset
– Level of patient participation over time unclear; HIE’s utility may be undermined
– High administrative burden on all providers

Option Name: Opt Out
Key Elements:
– Change NC law to permit exchange of all medical information through statewide HIE without patient consent as long as HIPAA standards are followed and patients have opt out right
– Potential exchange of full medical record without data filtering
– Opt out consent for all providers except substance abuse facilities
Advantages:
– Full record set available for vast majority of patients for treatment and care management from outset
– Low administrative burden on all providers except substance abuse facilities
– Limited technical obstacles
– No risk of ineffective filtering
Disadvantages:
– Lowest level of patient control may generate consumer mistrust and privacy concerns
– Requires change in law

Option Name: No Consent
Key Elements:
– Change NC law to permit exchange of all medical information through statewide HIE without patient consent as long as HIPAA standards are followed
– Potential exchange of full medical record without data filtering
– No opt out right for patients, except opt in consent for substance abuse facilities
Advantages:
– Full record set available for all patients for treatment and care management from outset
– Low administrative burden on all providers except substance abuse facilities
– Limited technical obstacles
– No risk of ineffective filtering
Disadvantages:
– Lowest level of patient control may generate consumer mistrust and privacy concerns
– Requires change in law
– May raise questions about compliance with HIPAA’s “request for restrictions” requirement