The document states: "By requiring a simple access consent on a State approved form that covers all types of health information, the recommended policies adopt a straightforward and easily implementable solution for provider organizations that mirrors the process already in place."

THINC RHIO's Comment: THINC RHIO is concerned about the practicality of the proposed solution because it does not mirror a key element of the patient-provider relationship that is currently in place.

As noted in the White Paper on page 14, line 10, consent to share a patients' health information in New York "may be verbal or even implied for most types of health information." It is our experience that the majority of physicians currently rely on consent that is implied in order to disclose common types of health information. In order to comply with the proposed consent approach, providers and their staff will have to change existing procedures and commit additional resources beyond their current practice of obtaining implied consent and acknowledgement of patients' review of the HIPAA privacy practices.

Some providers may decide that the additional administrative overhead for participating in a RHIO is not commensurate with the potential benefits. If this holds true, many physicians (especially those in small and medium sized practices) may choose not to participate in RHIOs and instead rely on their current data exchange mechanisms (e.g., via mail, phone, fax, or electronically through other one-to-one mechanisms).

1. Assess and Document the Applicability/Effectiveness of Alternative Consent Approaches. In Massachusetts, for example, the Massachusetts eHealth Collaborative (MAeHC) has adopted an opt-in process in which patient consent is required before data disclosed to the network. First, when a patient visits a health facility for care, he/she is provided the opportunity to "opt-in" and agree to have all his/her clinical data published to the network. The patient then identifies the health facilities he/she agrees to make available to the network. Those who consent are agreeing to have specific information shared with other authorized physicians, hospitals, and additional service providers. Based on data provided by MAeHC, over 90% of patients have chosen to opt-in to their community exchanges.
2. Conduct Pilot Demonstrations. THINC RHIO recommends that the NYSDOH develop a pilot program that would allow selected RHIOs to pilot varying State-approved opt-in consent approaches. Supported by a rigorous evaluation, the demonstrations could assess the practicality and level of participation among providers and patients for each approach. Through a comparative analysis of the demonstrations, lessons learned from the pilots would inform the development of the most practical and effective statewide consent approach. We also recommend that Pilot Projects explore the nature, timing, and sequence of components of the consent process that contribute to a patient being "informed and knowing."

THINC RHIO agrees that the success of health information exchange will depend upon the extent to which patients trust the proposed health information exchange. A number of surveys demonstrate that consumers are concerned about the privacy of their health information in the context of it being available via health information exchange. According to results of a study conducted for AARP in February 2006, Americans are concerned about the risks introduced by the use of electronic health information systems. In 2005, a Harris survey showed that 70 percent of Americans are concerned that an electronic medical record system could lead to sensitive medical information being exposed because of weak security, and 69 percent are concerned that such a system would lead to more personal health information being shared without patients' knowledge.

These studies suggest that consumers are primarily concerned about the risks of weak security mechanisms and controls of the systems that maintain their data. Based on these data and the collective experience of THINC RHIO's Privacy and Consumer Committee, we believe that "consent," while important, may not be the most critical element to building consumer trust.

1. potential remedies for those that are harmed by breaches or unauthorized disclosure of their health information
2. consequences and penalties for entities that breach and entities that fail to protect patient data
3. RHIOs' obligation to make publicly available the details of their data security mechanisms and procedures

The document states: "RHIOs and participants must make available to the consumer upon request an audit trail of the consumer's health information accessed through the RHIO."

THINC RHIO's Comment: THINC RHIO believes that the availability of access logs will be an important element to consumers' trust of health information exchange in New York. We believe that additional information regarding what constitutes an audit trail and its availability would serve to augment this important component.