A Presentation on ONC’s Electronic Consent Management (ECM) Landscape Assessment Joint Meeting of the HITSC TSSWG with the HITSC ASA WG, HITPC PSWG, Interoperability.

Presentation transcript:

A Presentation on ONC’s Electronic Consent Management (ECM) Landscape Assessment
Joint Meeting of the HITSC TSSWG with the HITSC ASA WG, HITPC PSWG, Interoperability WG and Consumer WG
December 17, 2014
Lucia Savage, ONC Chief Privacy Officer
DRAFT: Not for distribution

Outline
- ONC Timeline Snapshot: History of Electronic Patient Consent
- Electronic Management of Individual Permissions Environment
- HIPAA: Permitted Uses and Disclosures
- Interoperability Roadmap: Framing Consent/Patient Choice Strategy
- Consent Terminology
- Why is Computational Privacy Important?
- ONC’s Electronic Consent Management (ECM) Landscape Assessment (conducted by MITRE)
- Q&A and Open Discussion

ONC TIMELINE SNAPSHOT: History of Electronic Consent Management
- September 2010: HITPC issues recommendations to ONC on Consent: http://www.healthit.gov/facas/sites/faca/files/hitpc_transmittal_p_s_tt_9_1_10_0.pdf
- March 2012: ONC Program Instruction Notice (PIN), Privacy and Security Framework Requirements and Guidance for the State Health Information Exchange Cooperative Agreement Program: http://www.healthit.gov/sites/default/files/hie-interoperability/onc-hie-pin-003-final.pdf
- October 2013: HITPC recommends that the HITSC should further consider technical methods for giving providers the capacity to comply with applicable patient authorization: http://www.healthit.gov/FACAS/sites/faca/files/HITPC_Transmittal_08212013.pdf
- May 2014 - October 2014: October 2013 recommendations led to ONC’s ECM landscape assessment conducted by MITRE
- TODAY

Electronic Management of Individual Permissions Environment
- Laws, regulations, and policies for patient consent
- Laws, regulations, and policies for sensitive information
- Consent models (opt-in, opt-out, with restrictions, etc.)
- HIO Architecture
- EHR system interoperability
- Consent directive (paper or electronic) or Patient provides consent to share sensitive health information and HIPAA Permitted Uses and Disclosures

HIPAA: Permitted Uses and Disclosures
- HIPAA remains the constant: Remember, HIPAA permits exchange of data among Covered Entities without a written permission from the individual for Treatment, Payment, and Healthcare Operations (TPO), unless a more restrictive law applies.
- HIPAA supplies a “background rule” that operates if the individual never takes action to state a choice.

Interoperability Roadmap: Framing Consent/Patient Choice Strategy
- Variation in rules about permission to access, use or disclose makes it difficult to build software systems that accurately capture, maintain, and persist this data.
- But we need software systems to capture and persist both written individual directions and what is permitted without a written individual direction.
- Consent Management, evolving to Computable Privacy

Consent Terminology
Definitions used in Assessment

Patient Consent
- A patient’s decision to permit his/her health information to be accessed and shared for treatment purposes; specifically, authorization (1) to participate in electronic health information exchange (Big Choice) and (2) to share sensitive health information (Granular Choice).
- Alternate terminology: patient preferences, authorization, meaningful choice, release of information (ROI)

Privacy Consent Directive
- An expression of a patient’s consent decision regarding how personal health information is to be accessed and shared
- Expressed either in paper form or electronically as a technically implementable specification

This is the new framing OCPO would like to message for consent – Big Choice vs. Granular Choice

Consent Terminology
Definitions used in Assessment

Consent Management (CM)
- A system, process, or set of policies that enables patients to choose what health information they are willing to permit their healthcare providers to access and share.
- It enables patients to participate in e-health initiatives and to establish privacy preferences to determine who can access protected health information (PHI), for what purpose, and under what circumstances.
- CM involves the dynamic creation, management, and enforcement of patient, organizational, and jurisdictional privacy directives.

Electronic consent management (ECM)
- CM done in a fully electronic manner, whereby patient consent decisions are handled in an automated way by health information technology (IT) systems.
- Consent is able to control access to and sharing of health information.

Why is Computational Privacy Important?
- As more providers and health information organizations (HIOs) adopt electronic health records (EHRs) and other health IT, technology will play an increasing role in electronically capturing and maintaining patient permissions
- Health IT systems will need the ability to identify and persist patient decisions
- Technology will play an important role in communicating a patient’s decision related to sharing health information as well as handling sensitive health information

NOTE: Assessment was commissioned under name of “electronic consent management” but we know that’s too narrow of a view.

ONC’s Electronic Consent Management (ECM) Landscape Assessment (Conducted by MITRE)

Landscape Assessment Objectives

Scope
- Patient consent to participate in HIE and to share sensitive health information for treatment purposes

Objectives
- Conduct a landscape assessment of current CM practices
- Determine how sensitive data is defined and maintained
- Identify gaps in current technology and other challenges that may be hindering the adoption of ECM
- Provide a description of technologies and standards that can identify, capture, track, manage, and transmit patient consent
- Inform ONC and Federal Advisory Committee Act (FACA) Work

Importance: ECM can also be helpful for identifying authorized secondary uses (e.g., quickly querying patients who have consented to share health information for research purposes) [Note – research is not a focus of the report]

Landscape Assessment Methodology
1 hour unstructured conversations with 25 diverse contributors
- Health information organizations (HIOs)
- Health IT developers/vendors
- Healthcare Providers
- Subject matter experts (SMEs) – patient advocacy organizations, attorneys representing HIOs, and federal IT experts

Landscape Assessment Phases of CM Maturity

Summary
- Phase I – Not Electronic (Current State): Paper consent form. No structured data. Human must review consent form. No granularity.
- Phase II – Partially Electronic (Current Growth): Paper and electronic consent forms. Some structured data: digital flags. No granularity; share all or share none.
- Phase III – ECM (Future State): Electronic consent form. Structured data. Health IT interprets electronic consent directives, applicable laws, regulations, & policies. Granular choice.

Phase I – Current State
- Paper consent form
- No structured data in consent form. Consent is collected on a paper form. Paper form is scanned into a patient EHR (usually as a PDF image file). Consent form does not contain structured data.
- Consent form travels with patient information, but it must be read and analyzed by a human being to comply with patient consent choices.
- Consent decisions are not applied with granularity.

Phase II – Current Growth
- Paper and electronic consent forms
- Some structured data. Electronic consent may contain digital flags or markers that are machine-readable.
- Consent is collected on a paper form and then a human enters data into an electronic form, or consent is recorded electronically by a patient (either via a tablet or web portal).
- An electronic server is able to make basic share/do not share decisions based on a digital flag or marker that reflects the patient’s consent decision.
- Consent decisions are not applied with granularity. Usually the share/do not share decision applies to all patient health information, not discrete portions of the patient’s health record.

Phase III – Future State
- Electronic consent form
- Structured data in consent form
- Consent is collected in an electronic form that contains structured data. Structured data is used to create consent directives.
- Health IT systems can interpret and process patient consent decisions from structured data and consent directives.
- Health IT systems can interpret and process federal, state, regional, and organizational laws, regulations, and policies about consent and sensitive information.
- Consent can be as granular as the applicable laws, regulations, and policies provide.
- All patients fully educated and making fully informed decisions

Timeline axis: Today to Future
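
The gap between the Phase II digital flag and a Phase III consent directive, sketched as an added example (not code from ONC, MITRE or any product the assessment covered). The category names, the `RESTRICTED` set standing in for a more restrictive law, and the record layout are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

TPO = {"treatment", "payment", "operations"}
# Assumption: categories a more restrictive law puts behind explicit consent.
RESTRICTED = {"substance_use_treatment"}


@dataclass
class Directive:
    """Structured consent directive (hypothetical layout)."""
    participate: bool                                   # Big Choice
    share_sensitive: set = field(default_factory=set)   # Granular Choice


@dataclass
class Item:
    name: str
    category: str = "general"   # "general" or a sensitive category name


def phase2_release(flag: bool, record):
    """Phase II: one digital flag, share all or share none."""
    return [i.name for i in record] if flag else []


def phase3_decide(item: Item, purpose: str, directive: Optional[Directive]):
    """Phase III: decide per item from directive, law and background rule."""
    if purpose not in TPO:
        return ("deny", "purpose outside TPO is not handled by this sketch")
    explicit = (directive is not None and directive.participate
                and item.category in directive.share_sensitive)
    if item.category in RESTRICTED:
        # The more restrictive rule overrides the background rule.
        if explicit:
            return ("permit", "explicit granular consent")
        return ("deny", "more restrictive law requires explicit consent")
    if directive is None:
        # The individual never stated a choice: the background rule operates.
        return ("permit", "background rule: TPO, no choice recorded")
    if not directive.participate:
        return ("deny", "patient declined HIE participation")
    if item.category != "general" and not explicit:
        return ("deny", "sensitive category not in granular consent")
    return ("permit", "directive allows sharing")


def phase3_release(record, purpose: str, directive: Optional[Directive]):
    """Names of the items a Phase III system would release."""
    return [i.name for i in record
            if phase3_decide(i, purpose, directive)[0] == "permit"]


# Constructed sample record, not real patient data.
RECORD = [Item("allergy list"),
          Item("psychotherapy summary", "mental_health"),
          Item("detox admission", "substance_use_treatment")]

if __name__ == "__main__":
    d = Directive(participate=True, share_sensitive={"mental_health"})
    print("Phase II, flag set :", phase2_release(True, RECORD))
    print("Phase III directive:", phase3_release(RECORD, "treatment", d))
    print("Phase III no choice:", phase3_release(RECORD, "treatment", None))
```

With the flag alone, a patient who wants the detox admission withheld can only over-share or share nothing; the directive lets the same record be released item by item.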

Landscape Assessment Findings: Current State
Key Issues
- Paper consent forms/PDFs do not facilitate ECM
- Need for structured data in consent forms
- No existing best practice or model for electronically collecting or sharing consent information
- No consensus regarding the definition of sensitive information
- Sensitive information defined by federal and state laws
- HIPAA provides a legal floor and states can, and do, enact more restrictive rules
- Both states and HIOs have different consent models

Landscape Assessment Key Findings: Gaps and Challenges

Technology
- No gaps; no need for new technologies or standards
- Challenges: (1) lack of structured data in consent forms and (2) interoperability

Compliance Complexity
- Federal, state, local laws, regulations, & policies may conflict
- Conflicting consent models (opt-in, opt-out, or more granular consent options)

Identity and Access Management
- Concerns regarding patient-facing software to register and update consent
- Perceived as expensive and technically difficult

Cost
- Significant financial investment to deploy and maintain health IT
- Smaller practices at resource disadvantage

Workflow, Trust, and Education
- ECM requires providers to alter traditional workflows
- Both patients and providers may benefit from education to build trust

Policy Challenges
- Concerns regarding 42 C.F.R. Part 2
- Many HIOs do not process Part 2 data
- State laws re: sensitive information

Potential Approach to Moving from Current State to Ideal Future State (Phase III - ECM)
- Ability of electronic consent directives (both patient-directed and “background rules”) to be applied to existing health IT
- Fully automated ECM requires the use of numerous technology standards for transport, messaging, and vocabulary (these already exist and are in use)
- Leverage lessons learned from pilots that have demonstrated that existing technology standards can support ECM
- Track or identify some software solutions that already offer ECM capabilities

Diagram labels: CDA (header, body), Consent Directive, ADT, XACML

Landscape Assessment Technology Standards Identified*
Technology Standards that Support ECM Identified During Discussions

Transport Standards
- XDR
- XDM
- XDS.b

Messaging and Language Standards
- XML
- HL7 v2 and v3
- HL7 CDA
- HL7 C-CDA
- HL7 CCD
- C32
- XACML
- SAML

Vocabulary Standards
- LOINC
- SNOMED CT
- RxNorm
- ICD-9 / ICD-10

*NOTE: These are the technology standards identified during the landscape assessment

Landscape Assessment Contributor Suggestions
- Federal Consent Management Framework or Model (ONC, CMS, SAMHSA): Consent: collection method, data elements, vocabularies, messaging standards, provenance
- Standard Sensitive Information Consent Form
- Centralized Services to store and manage consent: Master patient index; master provider index
- Education: Informative videos and other media directed at patients and providers; dispel myths and confusion
- Standard Identity and Access Management Solutions: Multi-factor authentication, personal appearance, more sophisticated authentication solutions
- More Financial Incentives: Extend CMS EHR Incentive Program eligibility to clinical counselors and treatment facilities.
- 42 C.F.R. Part 2 Reform: Alter “to whom” requirements; align 42 C.F.R. Part 2 with HIPAA

Landscape Assessment Summary
- ECM is an important capability as patient health information becomes increasingly digitized
- ECM applies automated computer processing that interprets the patient’s electronic consent directive
- Although ECM faces challenges, pilots have demonstrated that existing technology standards can support ECM
- Software developers are acknowledging the need for ECM capabilities
- A federally defined policy and technical model framework for collecting and sharing patient consent for sensitive information in healthcare may be helpful

Q&A and Open Discussion