Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Presentation on ONC’s Electronic Consent Management (ECM) Landscape Assessment Joint Meeting of the HITSC TSSWG with the HITSC ASA WG, HITPC PSWG, Interoperability.

Published byPeregrine Hoover Modified over 8 years ago

Similar presentations

Presentation on theme: "A Presentation on ONC’s Electronic Consent Management (ECM) Landscape Assessment Joint Meeting of the HITSC TSSWG with the HITSC ASA WG, HITPC PSWG, Interoperability."— Presentation transcript:

1 A Presentation on ONC’s Electronic Consent Management (ECM) Landscape Assessment Joint Meeting of the HITSC TSSWG with the HITSC ASA WG, HITPC PSWG, Interoperability WG and Consumer WG December 17, 2014 Lucia Savage, ONC Chief Privacy Officer DRAFT: Not for distribution

2 Outline ONC Timeline Snapshot: History of Electronic Patient Consent
Electronic Management of Individual Permissions Environment HIPAA: Permitted Uses and Disclosures Interoperability Roadmap: Framing Consent/Patient Choice Strategy Consent Terminology Why is Computational Privacy Important? ONC’s Electronic Consent Management (ECM) Landscape Assessment (conducted by MITRE) Q&A and Open Discussion

3 ONC TIMELINE SNAPSHOT: History of Electronic Consent Management
September 2010: HITPC issues recommendations to ONC on Consent: March 2012: ONC Program Instruction Notice (PIN), Privacy and Security Framework Requirements and Guidance for the State Health Information Exchange Cooperative Agreement Program: October 2013: HITPC recommends that the HITSC should further consider technical methods for giving providers the capacity to comply with applicable patient authorization: May October 2014: October 2013 recommendations led to ONC’s ECM landscape assessment conducted by MITRE TODAY

4 Electronic Management of Individual Permissions Environment
Laws, regulations, and policies for patient consent Laws, regulations, and policies for sensitive information Consent models (opt-in, opt-out, with restrictions, etc.) HIO Architecture EHR system interoperability Consent directive (paper or electronic) or Patient provides consent to share sensitive health information and HIPAA Permitted Uses and Disclosures

5 HIPAA: Permitted Uses and Disclosures
HIPAA remains the constant: Remember, HIPAA permits exchange of data among Covered Entities without a written permission from the individual for Treatment, Payment, and Healthcare Operations (TPO), unless a more restrictive law applies. HIPAA supplies a “background rule” that operates if the individual never takes action to state a choice.

6 Interoperability Roadmap: Framing Consent/Patient Choice Strategy
Variation in rules about permission to access, use or disclose makes it difficult to build software systems that accurately capture, maintain, and persist this data. But we need software systems to capture and persist both written individual directions and what is permitted without a written individual direction. Consent Management Computable Privacy Evolving to

7 Consent Terminology Definitions used in Assessment
Patient Consent A patient’s decision to permit his/her health information to be accessed and shared for treatment purposes; specifically, authorization (1) to participate in electronic health information exchange (Big Choice) and (2) to share sensitive health information (Granular Choice). Alternate terminology: patient preferences, authorization, meaningful choice, release of information (ROI) Privacy Consent Directive An expression of a patient’s consent decision regarding how personal health information is to be accessed and shared Expressed either in paper form or electronically as a technically implementable specification This is the new framing OCPO would like to message for consent – Big Choice vs. Granular Choice

8 Consent Terminology Definitions used in Assessment
Consent Management (CM) A system, process, or set of policies that enables patients to choose what health information they are willing to permit their healthcare providers to access and share. It enables patients to participate in e-health initiatives and to establish privacy preferences to determine who can access protected health information (PHI), for what purpose, and under what circumstances. CM involves the dynamic creation, management, and enforcement of patient, organizational, and jurisdictional privacy directives. Electronic consent management (ECM) CM done in a fully electronic manner, whereby patient consent decisions are handled in an automated way by health information technology (IT) systems. Consent is able to control access to and sharing of health information.

9 Why is Computational Privacy Important?
As more providers and health information organizations (HIOs) adopt electronic health records (EHRs) and other health IT, technology will play an increasing role in electronically capturing and maintaining patient permissions Health IT systems will need the ability to identify and persist patient decisions Technology will play an important role in communicating a patient’s decision related to sharing health information as well as handling sensitive health information NOTE: Assessment was commissioned under name of “electronic consent management” but we know that’s too narrow of a view.

10 ONC’s Electronic Consent Management (ECM) Landscape Assessment (Conducted by MITRE)

11 Landscape Assessment Objectives
Scope Patient consent to participate in HIE and to share sensitive health information for treatment purposes Objectives Conduct a landscape assessment of current CM practices Determine how sensitive data is defined and maintained Identify gaps in current technology and other challenges that may be hindering the adoption of ECM Provide a description of technologies and standards that can identify, capture, track, manage, and transmit patient consent Inform ONC and Federal Advisory Committee Act (FACA) Work Importance: ECM can also be helpful for identifying authorized secondary uses (e.g., quickly querying patients who have consented to share health information for research purposes) [Note – research is not a focus of the report]

12 Landscape Assessment Methodology
1 hour unstructured conversations with 25 diverse contributors Health information organizations (HIOs) Health IT developers/vendors Healthcare Providers Subject matter experts (SMEs) – patient advocacy organizations, attorneys representing HIOs, and federal IT experts

13 Landscape Assessment Phases of CM Maturity
Phase I – Not Electronic Phase II – Partially Electronic Phase III – ECM Future State Electronic consent form Structured data Health IT interprets electronic consent directives, applicable laws, regulations, & policies Granular choice Current Growth Paper and electronic consent forms Some structured data: digital flags No granularity; share all or share none Current State Paper consent form No structured data Human must review consent form No granularity Phase I – Current State Paper consent form No structured data in consent form. Consent is collected on a paper form. Paper form is scanned into a patient EHR (usually as a PDF image file). Consent form does not contain structured data. Consent form travels with patient information, but it must be read and analyzed by a human being to comply with patient consent choices. Consent decisions are not applied with granularity. Phase II – Current Growth Paper and electronic consent forms Some structured data. Electronic consent may contain digital flags or markers that are machine-readable. Consent is collected on a paper form and then a human enters data into an electronic form, or consent is recorded electronically by a patient (either via a tablet or web portal). An electronic server is able to make basic share/do not share decisions based on a digital flag or marker that reflects the patient’s consent decision. Consent decisions are not applied with granularity. Usually the share/do not share decision applies to all patient health information, not discrete portions of the patient’s health record. III – Future State Electronic consent form Structured data in consent form Consent is collected in an electronic form that contains structured data. Structured data is used to create consent directives. Health IT systems can interpret and process patient consent decisions from structured data and consent directives. Health IT systems can interpret and process federal, state, regional, and organizational laws, regulations, and policies about consent and sensitive information. Consent can be as granular as the applicable laws, regulations, and policies provide. All patients fully educated and making fully informed decisions Today Future

14 Landscape Assessment Findings: Current State Key Issues
Paper consent forms/PDFs do not facilitate ECM Need for structured data in consent forms No existing best practice or model for electronically collecting or sharing consent information No consensus regarding the definition of sensitive information Sensitive information defined by federal and state laws HIPAA provides a legal floor and states can, and do, enact more restrictive rules Both states and HIOs have different consent models

15 Landscape Assessment Key Findings: Gaps and Challenges
No gaps; no need for new technologies or standards Challenges: (1) lack of structured data in consent forms and (2) interoperability Technology Federal, state, local laws, regulations, & policies may conflict Conflicting consent models (opt-in, opt-out, or more granular consent options) Compliance Complexity Concerns regarding patient-facing software to register and update consent Perceived as expensive and technically difficult Identity and Access Management Significant financial investment to deploy and maintain health IT Smaller practices at resource disadvantage Cost ECM requires providers to alter traditional workflows Both patients and providers may benefit from education to build trust Workflow, Trust, and Education Concerns regarding 42 C.F.R. Part 2 Many HIOs do not process Part 2 data State laws re: sensitive information Policy Challenges

16 Potential Approach to Moving from Current State to Ideal Future State (Phase III - ECM)
Ability of electronic consent directives (both patient-directed and “background rules”) to be applied to existing health IT Fully automated ECM requires the use of numerous technology standards for transport, messaging, and vocabulary (already exists and in use) Leverage lessons learned from pilots that have demonstrated that existing technology standards can support ECM Track or identify some software solutions that already offer ECM capabilities CDA header body Consent Directive ADT XACML

17 Landscape Assessment Technology Standards Identified*
Transport Standards XDR XDM XDS.b Messaging and Language Standards XML HL7 v2 and v3 HL7 CDA HL7 C-CDA HL7 CCD C32 XACML SAML Vocabulary Standards LOINC SNOMED CT RxNorm ICD-9 / ICD-10 Technology Standards that Support ECM Identified During Discussions *NOTE: These are the technology standards identified during the landscape assessment

18 Landscape Assessment Contributor Suggestions
Federal Consent Management Framework or Model (ONC, CMS, SAMHSA) Consent: collection method, data elements, vocabularies, messaging standards, provenance Standard Sensitive Information Consent Form Centralized Services to store and manage consent Master patient index; master provider index Education Informative videos and other media directed at patients and providers; dispel myths and confusion Standard Identity and Access Management Solutions Multi-factor authentication, personal appearance, more sophisticated authentication solutions More Financial Incentives Extend CMS EHR Incentive Program eligibility to clinical counselors and treatment facilities. 42 C.F.R. Part 2 Reform Alter “to whom” requirements; align 42 C.F.R. Part 2 with HIPAA

19 Landscape Assessment Summary
ECM is an important capability as patient health information becomes increasingly digitized ECM applies automated computer processing that interprets the patient’s electronic consent directive Although ECM faces challenges, pilots have demonstrated that existing technology standards can support ECM Software developers are acknowledging the need for ECM capabilities A federally defined policy and technical model framework for collecting and sharing patient consent for sensitive information in healthcare may be helpful

20 Q&A and Open Discussion

Download ppt "A Presentation on ONC’s Electronic Consent Management (ECM) Landscape Assessment Joint Meeting of the HITSC TSSWG with the HITSC ASA WG, HITPC PSWG, Interoperability."

Similar presentations

Legal Work Group Developing a Uniform EHR/HIE Patient Consent Form.

Legal Work Group Developing a Uniform EHR/HIE Patient Consent Form.
Supporting National e-Health Roadmaps WHO-ITU-WB joint effort WSIS C7 e-Health Facilitation Meeting 13 th May 2010 Hani Eskandar ICT Applications, ITU.

Supporting National e-Health Roadmaps WHO-ITU-WB joint effort WSIS C7 e-Health Facilitation Meeting 13 th May 2010 Hani Eskandar ICT Applications, ITU.
ELTSS Alignment to Nationwide Interoperability Roadmap DRAFT: For Stakeholder Consideration in response to public comment.

ELTSS Alignment to Nationwide Interoperability Roadmap DRAFT: For Stakeholder Consideration in response to public comment.
1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.

1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.
Electronic Submission of Medical Documentation (esMD) Face to Face Informational Session esMD Requirements, Priorities and Potential Workgroups – 2:00pm.

Electronic Submission of Medical Documentation (esMD) Face to Face Informational Session esMD Requirements, Priorities and Potential Workgroups – 2:00pm.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
THE FOLLOWING SLIDES EXPLAIN THE REQUIRED ELEMENTS THAT MUST BE INCLUDED FOR A HIPAA AUTHORIZATION TO BE VALID HIPAA Authorizations.

THE FOLLOWING SLIDES EXPLAIN THE REQUIRED ELEMENTS THAT MUST BE INCLUDED FOR A HIPAA AUTHORIZATION TO BE VALID HIPAA Authorizations.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
Are you ready for HIPPO??? Welcome to HIPAA

Are you ready for HIPPO??? Welcome to HIPAA
NCVHS: Privacy and Confidentiality Leslie P. Francis, Ph.D., J.D. Distinguished Professor of Law and Philosophy Alfred C. Emery Professor of Law University.

NCVHS: Privacy and Confidentiality Leslie P. Francis, Ph.D., J.D. Distinguished Professor of Law and Philosophy Alfred C. Emery Professor of Law University.
Health IT Privacy and Security Policy Jodi Daniel, J.D., M.P.H. Director, Office of Policy and Research, Office of the National Coordinator for Health.

Health IT Privacy and Security Policy Jodi Daniel, J.D., M.P.H. Director, Office of Policy and Research, Office of the National Coordinator for Health.
Beth DeLair, JD, RN DeLair Consulting, LLC. Discussion Topics Background Existing WI Requirements State Efforts to Change Law Senate Bill 487 Changes.

Beth DeLair, JD, RN DeLair Consulting, LLC. Discussion Topics Background Existing WI Requirements State Efforts to Change Law Senate Bill 487 Changes.
Your HIPAA rules Ben Burton, JD, MBA, RHIA, CHP, CHC Notice of Privacy Practices.

Your HIPAA rules Ben Burton, JD, MBA, RHIA, CHP, CHC Notice of Privacy Practices.
NHIN Direct Project Communications Work Group Message for State HIE/RECs August 30, 2010.

NHIN Direct Project Communications Work Group Message for State HIE/RECs August 30, 2010.
Overview of Longitudinal Coordination of Care (LCC) Presentation to HIT Steering Committee May 24, 2012.

Overview of Longitudinal Coordination of Care (LCC) Presentation to HIT Steering Committee May 24, 2012.
Update on Interoperability Roadmap Comments Sections E, F, and G Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.

Update on Interoperability Roadmap Comments Sections E, F, and G Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.
Interoperability and Health Information Exchange Workgroup March 10, 2015 Micky Tripathi, chair Chris Lehmann, co-chair.

Interoperability and Health Information Exchange Workgroup March 10, 2015 Micky Tripathi, chair Chris Lehmann, co-chair.
User Authentication Recommendations Transport & Security Standards Workgroup December 10, 2014.

User Authentication Recommendations Transport & Security Standards Workgroup December 10, 2014.
Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap – DRAFT Version 1.0 Joint FACA Meeting Chartese February 10, 2015.

Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap – DRAFT Version 1.0 Joint FACA Meeting Chartese February 10, 2015.

Similar presentations

Ads by Google