Comments by Irene Koch, Posted on February 1, 2008
The Brooklyn Health Information Exchange (BHIX) appreciates being a stakeholder in the process of developing a State-wide policy on patient consent as it relates to health information exchange. BHIX believes the recommendations in this HISPC White Paper will help ensure State-wide interoperability and standardization, earn patient trust and clarify existing patient consent laws. BHIX believes the proposed policies are the most appropriate, achievable and scalable means of ensuring that consumers have a clear and consistent understanding of – and an effective manner of controlling – who is able to access their health information through health information exchange.
| Page # | Line # | Comments/Criticisms | Suggested Alternatives |
|---|---|---|---|
| 20 | 29 | While the appropriate locus for patient consent to access his/her personal health information through a RHIO appropriately lies with his/her provider and/or payer, more guidance is needed as to how to specifically define a "provider organization" and "payer organization." In providing this guidance, cognizance should be given to the fact that some independently-licensed provider organizations already share electronic health record systems so that certain related, but legally distinct, provider organizations already have access to health information of the other. Similarly, guidance is needed as to how to clearly communicate that a patient's consent to a provider or payer organization will apply to all individuals authorized to use the RHIO by such provider/payer organization. | |
| 20 | 31… | The words "consumer" and "patient" are used somewhat interchangeably in the White Paper, but these terms are imprecise when applied to rules for patient consent. In particular, the use of the word "consumer" in this sentence (indeed throughout this section on Affirmative Consent and the entire White Paper) should be clarified. Similarly, the use of the word "patient" should also be clarified to ensure that consent may be obtained from the patient or his/her legally authorized representative. | The concept that consent may be obtained from the patient, or his/her legally authorized representative should be incorporated throughout the White Paper. |
| 20 | 31… | Related to the point raised above (need for more precision in use of words "patient" and "consumer") is the complicated issue of how RHIOs are expected to handle consent for exchange of information relating to services for which minors have legal authority to consent (e.g. prenatal care, STDs). There are certainly circumstances where the parent of a minor does not have legal authority to gain access to information related to services for which his/her minor child consented to treatment. However it is not at all clear whether such parent may still, nonetheless, have authority to provide consent for a provider or payer organization to access all of his/her minor's health information through a RHIO. Since many RHIOs do not have capacity to separate information based on who provided consent for the underlying services, it is important to understand who may provide overall consent for health information exchange in these complex cases. A related issue will be determining when a parent is entitled to access his/her child's health information from a RHIO (See Page 25, Line 36). | A concrete recommendation of how to handle RHIO consents for minor patients who have consented to services from which data in the RHIO is derived would help RHIOs address this complicated matter. |
| 20 | 37 | The use of the words "Once a provider obtains patient consent, it may access the information of all other participating providers ..." in this sentence is too narrow. The consent envisioned in this Paper must allow access to information originating from other types of data sources (e.g. payers/Medicaid, outside data sources). Also, to the extent this sentence suggests that only providers will gain access to the patient's health information, it lends itself to being interpreted too narrowly. | Replace the words with: "Once a provider or payer organization obtains patient consent, it may access the information of all other participating providers, payers and/or data sources..." |
| 20 | 32 | The use of the words "prior to accessing his/her personal health information" in this recommendation may not clearly reflect that the consent will allow access to information of all other participating providers, payers and/or data sources. (See also comment above re Page 20, Line 37). | Add the words "of other participating providers, payers and/or other data sources" to the end of the sentence. |
| 21 | 12 | Use of the word "withheld" may be semantically misleading and/or inaccurate in this sentence in that it does not allow for a patient's consent status to be undecided. Clearly, there will be those patients who wish to affirmatively deny consent for a provider to access his/her information through the SHIN-NY. However, it is entirely possible that a patient is undecided as to whether to provide affirmative consent for RHIO access. In the case of an undecided patient, it may be said that he/she has withheld affirmative consent for a provider to access the RHIO without having affirmatively denied consent. In such cases where a patient's consent status is undecided (or, similarly, if patient's consent status is yet unknown), "break the glass" access in an emergency situation should still be available. (See also Page 22, Line 2). | Replace the word "withheld" with "denied" (or "affirmatively denied"). |
| 23 | 1 to 3 | Including all "Research" (other than research using exclusively "de-identified" health information, as per Page 20, Line 17) as a Level 2 Use is too restricitve and may stifle certain types of research that would more appropriately be considered Level 1 and/or be handled in an alternative manner. Retrospective chart review research generally receives an IRB waiver of HIPAA authorization for disclsoure of information and of informed consent from the patient. Similar waiver provisions should be available for research using a RHIO. Alternatively, such research could be described as a Level 1 Use. Such an approach may require loosening of the Level 1 requirement that the entity accessing the information must have had a relationship with the individual who is subject of the information (Page 22, Line 36). Notably, certain HIPAA accounting of disclosure rules also apply to such HIPAA-waivered reserach. Guidance about which IRB(s) is/are authorized to review research using data from a RHIO is needed. | Modify the description of Level 2 uses of patient data to decouple research from marketing. Permit research conducted pursuant to a IRB waiver of HIPAA authorization to be treated differently from research requiring informed consent and HIPAA authorization for disclosure of information. Seek harmonization of the RHIO consent rules with the HIPAA standards as they relate to waivers of authorization for disclosure in research and accounting of disclosures related to disclosures for research. |
| 23 | 36 | The use of the words "clinicians must have the discretion, in consultation with their patients, to withhold information …" may be too narrow and/or misleading as used in this sentence. First, the discretion of whether to withhold data should lie with the patient, not the provider. Second, while a RHIO must have ability to accommodate those who do not want their information shared via the SHIN-NY, the method of accommodating this is stated too narrowly here. A RHIO will likely not have the ability to filter certain data (versus other data in the RHIO) from being exchanged the SHIN-NY. (See also, Page 28, Line 23.) The language should be clarified to suggest that a RHIO need not accommodate a provider's desire to filter which of his/her patients' health information is uploaded to the RHIO on an element-by-element basis. | It should be made clear that a RHIO need not accommodate an element-by-element request to withhold data. Rather, it should be made clear than an appropriate method for accommodating a patient making this type of request is to give the provider who uploads such a patient's data the ability to indicate whether this patient's data (as a whole) may be exchanged (or not) in the RHIO and/or give such provider the option of not uploading any given patient's data at all. |
| 26 | 17 | Periodic audits are required no less than annually by this sentence, however the type and scope of audit required is not specified. | More detail is needed as to appropriate scope of audits. |
