But let's submit DeCouteau's ideas to a candid world. By the way, DeCouteau now serves as director of software development for Jericho Systems Corp., Dallas, which is developing privacy-consent management software, among other offerings.
“The tagging of the data (should) occur every time, just-in-time, based on the patients' confidentiality directives and the clinical mappings associated with those confidentiality codes,” DeCouteau said. “This allows for the patient rules to change as well as the underlying mapping of labs, radiology, meds, etc., to a specific concern like HIV. Each time the document is requested, it is re-tagged based on what the patient and clinical community now wants and knows. If I change my preference and am no longer concerned about HIV or substance abuse, every time I go to open that document, it is re-tagged by my preference, according to the most current medical knowledge, and it's re-evaluated accordingly.”
Patients can access and change their directives through a Web-based interface, DeCouteau said. He said the software controlling the tagging and the movement—or not—of a patient's information pursuant to his or her preference is located in a software layer, either at a healthcare organization, such as a hospital, with sufficient IT resources to operate and maintain it, or at the health information exchange organization level. There the HIE could provide a useful service to smaller providers, such as solo or small-group physician practices.
“If everybody is pushing their data to an HIE now, then the opportunity exists to do it right,” DeCouteau said. “If it's at the HIE layer, you have the patient-consent directive within the HIE framework.” There the consent directives can be mapped to the data, such as lab results. DeCouteau demonstrated this mapping function this year at HIMSS.
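The request-time tagging described above can be sketched as follows. This is an added example, not code from the article or from Jericho Systems; the entry codes, category labels, recipients and the `Directive`, `tag_entries` and `release` names are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed mapping of entry codes to sensitivity categories.
# Codes and category labels are placeholders, not real terminology values.
CLINICAL_MAPPING = {"LAB-0001": "HIV", "MED-0002": "HIV",
                    "MED-0003": "SUBSTANCE_ABUSE"}

# Constructed stored document; it carries no sensitivity tags at rest.
DOCUMENT = [
    {"code": "LAB-0001", "text": "lab result A"},
    {"code": "MED-0003", "text": "medication B"},
    {"code": "LAB-0009", "text": "lab result C"},
]

@dataclass
class Directive:
    """Hypothetical shape for a patient's current consent directive."""
    restricted: set = field(default_factory=set)    # categories to withhold
    exceptions: dict = field(default_factory=dict)  # category -> recipients allowed anyway

def tag_entries(document, mapping):
    """Tag copies of the entries at request time; the stored document is untouched.
    Assumption: unmapped codes are tagged NORMAL; a deployment may prefer to fail closed."""
    return [{**e, "tag": mapping.get(e["code"], "NORMAL")} for e in document]

def release(document, directive, mapping, recipient, access_log):
    """Re-tag, apply the current directive, and log every disclosure decision."""
    released = []
    for entry in tag_entries(document, mapping):
        tag = entry["tag"]
        blocked = (tag in directive.restricted and
                   recipient not in directive.exceptions.get(tag, set()))
        access_log.append((recipient, entry["code"], tag,
                           "withheld" if blocked else "released"))
        if not blocked:
            released.append(entry)
    return released

def codes(entries):
    """Helper: list the entry codes that were released."""
    return [e["code"] for e in entries]
```

Because tags are computed per request, changing either the directive or the clinical mapping changes what is released without rewriting the stored record, and the same decision point yields the access log a patient could later review.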
By the way, DeCouteau said the same technology could be used to track and provide patients the ability to view who has had access to their medical data within a healthcare organization, something the Office for Civil Rights has proposed in a separate rule for accounting on access and disclosure of patient records pursuant to the American Recovery and Reinvestment Act. That plan has met considerable resistance from providers, who say it, too, is not feasible.
What the PCAST report described, DeCouteau said, is a step even further than where his system is designed to go. Attaching metadata constraints to discrete data elements, where they would persist wherever the data goes, is akin to digital rights management techniques used in the music and movie industries. “It can be done,” DeCouteau said. “You could do it that way, you could.”
But DeCouteau said that what he's outlining is an alternative, good first step.
“Initially, we need to get away from delivering the data and saying, here you go,” he said. “Because that's where we are now; we're delivering the data with no control over it.”