Tuesday, February 21, 2012

HIE Consent Policy

I was recently asked how consent policy can evolve in Massachusetts to balance patient privacy preferences and the need to coordinate care/optimize population health.    Here's the letter I wrote to stakeholders about it:

"My name is John D. Halamka MD and I serve as chief information officer of Beth Israel Deaconess Medical Center, co-chair of the Massachusetts HIT/HIE Advisory Committee, and co-chair of the  HIT Standards Committee.

In my role as a CIO and clinician, I have been passionate about the need to electronically coordinate care to improve quality, safety, and efficiency.

My wife was recently diagnosed with Breast Cancer and her treatment has relied on the secure exchange of healthcare records with her consent.

The consent model that has worked best throughout the Commonwealth is 'Opt in consent to disclose at each institution'.    This means that no data is exchanged between organizations until the patient consents to the release of information from the sending institution (the place where the data was generated).   This consent stays in force until a patient revokes it.  

A separate consent to view the data at the receiving institution is not needed.   There is no need to re-consent the patient at each episode of care.

We've implemented this model in the New England Healthcare Exchange Network (NEHEN), in the Department of Public Health immunization registry, and in the design of the statewide healthcare data exchange that the MassHealth is building.

Opt in to disclose is straightforward to implement and support.  It's easy to enforce and audit.

The one complexity to this approach is the data sharing of records containing HIV information.    Current and proposed Massachusetts regulations require opt in consent to view at each episode of care in addition to opt in consent to disclose.

Consenting the patient at each release of information is challenging to implement, difficult to audit, and likely impossible to enforce.   Security experts agree that easy to implement, easy to audit, enforceable approaches are much more secure than complex, challenging and cumbersome approaches.

I believe that Massachusetts stakeholders will support opt in consent to disclose at each institution as the single best approach for the release of all healthcare data.   Implementing this uniformly across the Commonwealth will ensure respect for patient privacy is maintained, care delivery organizations can support healthcare data exchange processes, and IT departments can implement the necessary applications.

As a CIO, physician, and husband of a cancer patient, I highly recommend we consider this simplification of current regulation and legislation.


John D. Halamka MD"

Privacy protection will always be a journey, but we need to start somewhere and I hope my comments above seem reasonable.

No comments:

Post a Comment