In recent weeks, I've had the opportunity to interview executives from three health information exchanges about their patient consent policies.
Advice on consent
All three have some form of patient consent model. Granted, three out of three doesn't make the case for patient consent, but it sure weakens the argument that consent is ruinous to health information exchange.
One of my interviewees was Devore Culver of HealthInfoNet, the statewide health information exchange based in Portland, Maine. HealthInfoNet uses the opt-out model, where the default position is that patient records move through the exchange unless patients take affirmative action to not participate.
Out of more than 1 million patient participants thus far, fewer than 1% have opted out, Culver said.
Jim Younkin, leader of the Keystone Health Information Exchange, also serves as director of IT at Geisinger Health System in Danville, Pa. Keystone uses an opt-in consent model and restricts access to exchange members whom patients have authorized to view their information. The participation rate for Geisinger patients is between 80% to 85%, according to Younkin; at some non-Geisinger facilities the opt-in rate is closer to 90%.
"The worst performers were organizations that had a confusing message for patients, trying to describe details of (health information exchange)," Younkin said. "We found the simplest message is to explain that it gives us permission to share their healthcare information with other members of their care team, and not go into details about how that sharing would occur."
Rich Lang is vice president and chief information officer of 247-bed Doylestown Hospital, which has had sponsored a community-based HIE since 2007. I met Lang at the College of Healthcare Information Management Executives' Fall CIO forum last week in San Antonio, Texas. Doyleston goes the extra mile, using an opt-in model, which obliges providers to obtain patients' consent before the patients' records can be shared through in the exchange. The consent constraint is stored both within a provider's EHR and with the HIE.
Even with opt-in, fewer than 1% of Doylestown HIE patients choose not to participate, Lang said.
Lang points out—correctly—that providers are no longer required under the Health Insurance Portability and Accountability Act of 1996 to obtain patient consent for moving their records for most common purposes. That's a shame, but the obligation was removed by HHS rule writers under the Bush administration in 2002.
It was replaced with "regulatory permission" to use and disclose a patient's medical records without his or her permission for treatment, payment and "other healthcare operations." "Other healthcare operations" is a category so broadly defined that the Bush rule rewriters, in an act of regulatory jujitsu, flipped the privacy rule on its head. They converted a fairly stringent privacy protection rule into a sieve.
I've heard all the excuses—that affording patients some say over the sharing of their medical records is technological infeasible, cumbersome, inimical to good patient care and would muck up the compilation of statistically valid data sets for health research and data mining. All three of these health information exchanges provide examples that effecting patient control is not the horror its antagonists make it out to be. In fact, I like what Lang said about the issue: Even though providers are not legally obliged to seek a patient's permission or tell them where their records are being sent, they should do it anyway.
"If you're not transparent about what you're doing with that data, even if you don't have to under HIPAA, then I think you're remiss in a fundamental responsibility," he said.
What a concept. Think it will catch on?
Follow Joseph Conn on Twitter: @MHJConn.
Send us a letter
Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.