Comments by Anonymous Posted on January 31, 2008

Page # Line # Comments/Criticisms Suggested Alternatives
20 33

The NY HISPC white paper clearly outlines the components of patient consent needed to be addressed for health information exchange and SHIN-NY to succeed, and in general, proposes realistic and well thought out solutions. However, this response highlights concerns about the specific recommendation on Page 20, line 33 that states "Affirmative consent must be obtained by each provider and payer organization before accessing health information via the SHIN-NY governed through the RHIO." For the reasons discussed below, this recommendation could hinder HIE implementation and adoption in New York.

Due to the complexity of the topic, I would first like to clarify/define a few points.

  1. This response focuses only on the recommendation that consent be obtained before access for treatment purposes. This could also be called "consent for withdrawal". This is contrasted with an alternative which proposes that every facility would obtain affirmative written consent from a patient before making any of his or her information available to other providers through the RHIO. For ease of reference, this could be called "consent upon deposit". (Please note this is different from "consent FOR deposit" in that the clinical data would be stored in the RHIO whether or not consent is obtained.) This response does not comment on nor dispute any of the other NYHISPC recommended policies (i.e those regarding durability, revocability, audits, benefits, enforcement, intended use, sensitive health information, etc.)
  2. In the spirit of full disclosure, I am the director of a RHIO that had planned to obtain patient consent upon deposit. Much thought was put into this consent model and our technology was developed with that assumption in mind. However, my concerns extend beyond the potential need for revision of our consent model.
  3. The importance of developing a consent policy that enables cross-RHIO interoperability is clearly understood. However, the following should also hold true:
    1. The policy recommended for inter-RHIO interoperability does not necessarily have to be the same as that for intra-RHIO information exchange; and
    2. The likelihood that every participant in a NHIN will follow the NY HISPC model is remote. Rather than having a single required consent model, perhaps there should be means for accommodating the exchange of data between RHIOs with different consent models.

There are three issues with the requirement of obtaining affirmative written consent for withdrawal rather than consent upon deposit: 1) provider implementation burdens, 2) perceptions of liability, and 3) erosion of patient trust.

  1. 1) Provider Implementation Burdens:
    • The biggest difficulty presented by the NYHISPC recommendation for "consent for withdrawal" is operational. The burden on providers becomes apparent when existing hospital workflows and required workflow changes are carefully analyzed. A primary encumbrance occurs after the consent form is signed, at which time the affirmation or negation of consent needs to be conveyed to the RHIO technology. The recommendation from NYHISPC implies that, in non-emergent situations, one of two means for communicating a patient's consent would need to be utilized. A provider would need to either: A) Provide an assertion that affirmative written consent was obtained via an electronic flag (eg."clicking a button" or "checking a box") within the registration or RHIO system, or B) Send the written consent form by either fax, email, snail mail, etc. to the RHIO for verification. (or both)
    • Solution A is problematic because it would require the provider implement significant and costly technical and/or workflow changes.
      1. It necessitates that providers store, catalog, and maintain the paper consent and have it available upon authorized request.
      2. It requires large (expensive) workflow and technical changes to communicate consent to the RHIO technology and/or in real-time to the treating provider(s).
      3. It may demand the ability to rapidly query the existing consent status of a patient (to prevent redundant questioning of the patient or, in emergency "break the glass" situations, to be sure that "…the consumer has not previously withheld consent for the provider organization to access his/her information…").(page 21 ,line 11)
    • Solution B has the following practical limitations:
      1. It would be very difficult (if not impossible) for facilities to communicate a copy of the consent to the RHIO and have the appropriate flag set within the RHIO technology in real-time. Almost undoubtedly, the paper consents would be sent in batch to the RHIO and this would often result in the consent not being verified in time to allow a provider to access RHIO information for the current instance of care. (This holds especially true for ED or outpatient settings).
      2. It does not support cross-RHIO data exchange. It is not likely that a RHIO requesting information on a patient would send copies of the signed consent form to all the other RHIOs that have relevant information on that patient.
    • The limitations of Solutions A and B, employed individually, are partially related to the real-time requirements necessitated by a consent for withdrawal policy. A hybrid of the two solutions could arguably resolve these limitations; however, the complexity introduced would itself be burdensome to providers, would potentially be confusing to users and patients, and would violate a "Key Principle of New Consent Policies and Procedures" identified by NYHISPC: Minimize burdens on healthcare providers (page 16, line 10).
  2. Perceptions of Liability:
    • A second significant concern regarding the NYHISPC recommendation of consent for withdrawal involves the issue of liability. Based upon discussions with large provider organizations, many providers would have significant problems sharing patient information when they have not directly acquired the consent to share. Prevailing opinion suggests that the data providing entity is at least partially liable for the improper sharing of information without consent. While all participating organizations must accept the RHIOs policies regarding consent, some may not be comfortable with others enforcement of these policies. Organizations would have to develop a high comfort level with the specifics of the participation agreement in order to put their responsibility into the hands of future un-named entities, or they would face the burden of implementing "consent upon deposit" as well as "consent for withdrawal".
  3. Erosion of Patient Trust:
    • Obtaining and maintaining patients' trust is an important principle of the NYHISPC recommendations. Implementation of the "consent for withdrawal" recommendation would, however, result in two significant sources of erosion to patient trust.
      1. By tying consent to access, NYHISPC is effectively tying consent to the patient matching or linking process (at least at RHIOs based on the CfH or IHE models). That is, the consent will apply to records for a patient only if the RHIO's patient matching algorithm finds "exact matches" for that patient (by either an electronic or manual process). This has one of two practical implications: The RHIO must either: i) display only exact matches to a user and thereby frequently present only part of the entire available record or ii) display likely matches to the user and thereby expose records from patients who have not provided consent (perhaps only minimal demographic or visit information, but non-consented information, nonetheless). – These inadvertent disclosures could erode patient trust.
      2. By allowing for (or requiring) a "break the glass" provision, users will be able to access patient information without having received consent. This, by definition, exposes patient information to users that patients may or may not want to see their information; Security depends upon the user's conscience and auditing/policing as protection. "Break the glass" capability opens an easy avenue for malevolent abuse. While this abuse should be uncommon, it will happen and could erode trust.

In conclusion, if one does not dig deeply enough into the implications for implementation, then one could miss the extent of the burden that the NYHISPC recommendation of consent before access would place on providers (especially hospital providers) and RHIOs. The issues outlined above hopefully illustrate this burden. Given concerns with liability, worries about resources, and doubts about value, organizations may choose not to participate in HIE.

All of the issues discussed would be resolved by a policy of "consent upon deposit". With significantly increased resources, "consent for withdrawal" is a strong and viable option; however, with or without a resource influx, "consent upon deposit" should be considered as an alternate option and/or as the new recommendation.

 "Consent upon deposit" --> Every facility would obtain affirmative written consent from a patient before making any of his or her information available to other providers through the RHIO. For ease of reference, this could be called "consent upon deposit".
30 39 The relativity of the statement that begins on Page 30, Line 39, " By requiring a simple access consent on a State approved form that covers all types of health information, the recommended policies adopt a straightforward and easily implementable solution for provider organizations that mirrors the process already in place.", is questioned. "Consent on deposit" more closely mirrors what occurs today with the NPP in most hospitals in the state of New York.