Affirmative Consent: Contrary to the recommendation in the Policy, NYSPA recommends that individual consents be obtained from patients for both the uploading of personal health information (PHI) and the downloading of PHI from a Regional Health Information Organization (RHIO). The requirement for consent for both uploading and downloading should be included on the same consent form. We understand that in the "custodian" RHIO model, a HIPAA consent is not required for uploading PHI to the RHIO, but in the "owner RHIO" model, a HIPAA consent is required. Therefore, without affirmative consent to uploading PHI, the Policy is not technology neutral, would impose a greater burden on the owner RHIO model, and may serve to hamper inter- RHIO data exchange.

More important, patients should be afforded the opportunity to determine whether an individual provider should be permitted to upload PHI only, download PHI only or both upload and download PHI. The requirement for affirmative consent for uploading confers greater control on patients and permits them to withhold uploading authority to providers of "sensitive" medical care and treatment in their discretion, but still permit patients to permit such providers the right to download PHI from other providers. The simple act of uploading data to another entity at a remote location is not risk free. Data loss is a reality that patients and consumers currently confront. Furthermore, since uploaded PHI may be downloaded in an emergency situation to a provider without the patient's affirmative consent when the patient is incapable of giving such consent, we believe that patients should retain the right to provide consent for both uploading and downloading.

With regard to children, NYSPA recommends that when a provider is required to obtain consent from a parent or other legal guardian, such consent should expire when the minor child reaches 18 years of age. The RHIO's should adopt policies to assure that those turning 18 are informed of their former participation in the RHIO, and to be given the opportunity to give consent or withdraw from the RHIO. However, until that consent/withdrawal occurs, emergency access should remain permissable until the individual attains the age of 21. For adults who have signed a consent and then become incapable, the consent will be both durable (not affected by a period of incapacity) and should be effective until the person revokes the consent or until a person legally authorized to act for the incapable person revokes the consent.

In all cases when PHI is downloaded in an emergency situation when the patient is incapable of providing affirmative consent, the patient should be promptly notified of the downloading of PHI. The consent form should include a provision explaining the procedures permitting downloading in emergency situations if the patient is incapable and there is no one authorized to act on behalf of the incapable patient.

Uses of Data: NYSPA believes that conflating the use of PHI for both research and marketing is inappropriate. NYSPA recommends that the issue of the use of PHI maintained by RHIOs for research purposes even when the PHI is de-identified should be the subject of separate review and consideration. Patients may have legitimate concerns about use of their PHI even if de-identified based upon the goals and purposes of the proposed research.

Regarding access to PHI by payers (health plans and insurers), NYSPA is very concerned about payers coercing patients to sign consents and denying enrollment, renewal or coverage based the patient's willingness to execute a consent. NYSPA recommends that payers be required to decouple the application, renewal and claims process from the process of requesting a RHIO consent. Payers should be prohibited from including a RHIO consent from the forms required for an application, renewal or claims processing.

Sensitive Information: Although NYSPA insists on full confidentiality protection for psychiatric treatment information, NYSPA does not support requiring a separate identification and consent section on the consent form for mental health, HIV and substance abuse treatment. The Policy recommends that the consent form include a separate designated section on the form listing these three "sensitive" categories and requiring a specific "check off" to include PHI in these three categories.

NYSPA does not believe that establishing a second tier requirement for mental health, HIV or substance abuse treatment is necessary or feasible. First, such information may be included as part of the treatment record of an illness or condition unrelated to mental health, HIV or substance abuse (treatment record of surgical procedure may include a history of prior illnesses that may include sensitive information). Current computer technology does not permit the filtering out or segregating of such sensitive material from medical records.

Instead, NYSPA recommends that the consent form specifically state that this consent may include authorization for the release of PHI that may include mental health, HIV and substance abuse treatment information. Since our recommendation for consent requires consent to uploading, patients will retain the ability to decide whether to permit a particular provider to upload PHI and will consider whether such PHI includes sensitive material. Patients receiving treatment in a substance abuse clinic may decide to withhold consent to uploading PHI from this provider while authorizing their internist to upload PHI. Assuming the availability of necessary technology, providers of treatment involving sensitive information may also be able to provide summary PHI to be uploaded to address patients' privacy concerns. This flexibility enhances patients' rights and willingness to access care.