Comments by John Hatchett and Michelle Lopez Posted on February 1, 2008

We appreciate the opportunity to provide comments on the recommendations contained in the document Standardized Consumer Consent Policies and Procedures for RHIOs in New York State, issued by the Office of Health Information Technology Transformation of the New York State Department of Health.

Signees to this letter are members of the HIV consumer community. We are very interested in the evolving area of electronic health records (EHR) and health information exchange (HIE), and have participated in discussions convened by the AIDS Institute to learn more about this topic and provide input and recommendations to increase the potential for the system to be used and trusted by members of the HIV community, to improve quality of care and contribute to better outcomes. Two consumer members of the HIV community as well as AIDS Institute representatives participated in the HISPC process. We look forward to continued representation in the ongoing statewide collaboration process described in the document. These comments reflect the opinions of consumers in the HIV community whose names are listed below, and the sentiments expressed by the overwhelming majority of 100 consumers who participated in the aforementioned discussion groups.

We commend the Department's Office of Health Information Technology Transformation on the document in terms of presenting complex information in a clear and understandable format that reflects the stated priority: "establishment of public trust with respect to the privacy and security of health information as the single most important goal of New York's health IT investment program."

We offer the following comments on recommendations and supporting information contained in the document:

Consent Process

We strongly support the key recommendation to employ a statewide uniform policy for an affirmative consent process that allows patients the opportunity to decide whether and which providers can access the patient's personal health information electronically. For consumers within the HIV community, the ability to make this decision is consistent with current practice under existing law, and helps engender trust in a new system by granting consumers the right to decide which providers, if any, can access their electronic health record.

We recommend and support written affirmative consent to protect all parties involved. The key recommendation to "obtain affirmative consent from the consumer that references the RHIO prior to accessing her/his personal information" does not specify that consent is written. That is implied by the later recommendation which requires RHIOs to use a State-approved consent form – although the word "written" is not included in the section describing the form. This may be intentional to allow for electronic forms and signatures but we recommend that the requirement be specific as to how such consent is documented and stored for future reference and for liability purposes.

Providers will need to make arrangements to ensure meaningful informed written consent for persons who under 18 years old, do not speak and/or read English and those with special needs, such as persons who are deaf/hard of hearing, blind or mentally disabled. State level policies on consent must explicitly address the needs of special populations and provide guidance. For example, when discussing consent, providers may need to arrange for an American Sign Language interpreter for a patient who is deaf. Addressing the needs of special populations should be part of the deliberations of the ongoing statewide collaboration process.

It is very important that patients be presented with options relating to written affirmative consent and understand the process. In a world where discrimination and stigma relating to HIV status and other medical conditions are sadly still a reality, it is essential to ensure patients have the option to grant consent on a provider-specific basis, to decline participation in electronic HIE without repercussions, and to revoke consent at any time. A standardized consent process of this nature will help gain consumer buy-in and build the trust necessary to realize the potential of improving care through use of health information technology.

Ensuring voluntary written affirmative consent is essential. A key component of the affirmative consent process presented in the document is the clear statement prohibiting care providers and payers from conditioning treatment or payment on execution of the consent. This prohibition must be part of the regulatory framework, subject to enforcement and sanctions.

We also support the stated discretionary option for RHIOs and their participating providers to seek consent prior to disclosure of sensitive personal health information since it would give patients the option to withhold such information from electronic HIE. The decision to withhold such information made jointly by the patient and his/her clinician(s) must of course be balanced with the need to make complete information available to another treating provider to ensure optimal care. Consumers and providers must be made aware of this option through the statewide education process.

Regarding payer access to information, we assume that the information required to pay insurance claims is not within the scope of this discussion. The document recommends that payers be permitted to access RHIO information only if the payer has obtained its own consent from the patient that specifically references the RHIO. It further states that such consent should permit use of the information only for care management and quality improvement intended to benefit the patient, not medical underwriting and similar practices. The prohibition should also clearly state that the information cannot be used regarding payment decisions of any kind. Practically speaking, we do not believe most consumers would sign a consent for payers to access name identified personal health information available through the RHIO. If this option becomes a reality, consumers must be educated about it and assurances given that enrollment into any insurance plan and plan benefits are not conditioned on willingness of the insured to sign such a consent.

One-to-one provider exchanges of information are described in the document as a request by a treating clinician to receive information from or send information to an identified source, such as delivery of lab results to the clinician who ordered the test or a discharge summary being sent by a treating hospital to the referring physician. We agree that it makes sense to not subject these types of exchanges to the new consent policies especially since this reflects current practice. This exemption must be clearly defined and be part of the patient education process.

Regarding access to health information in emergency situations, the conditions specified that would allow the treating physician to access the consumer's electronic health information through "break the glass" capability are reasonable. A lingering concern is whether this process can happen quickly enough to help save a life. Some consumers in the HIV community have expressed a desire for more deliberation regarding methods for authenticating the patient's identification (e.g., use of thumbprint identification and/or health care proxy designation linked to consent when the patient is incapacitated) to ensure quick access to electronic personal health information in a true health emergency.

Consumer Education

We strongly support this statement found in the document as we believe it is a strong foundation on which to engender trust and consumer buy-in for electronic health information exchange: "Because of the paradigm shift inherent in health information exchange, an essential cornerstone of New York State's health IT policy is to ensure the consumers are appropriately educated about how their health information can be shared and to provide consumers with the informed opportunity to decide whether or not they desire to have their information accessible via the SHIN-NY governed by RHIO.

If consumers are not informed of the new paradigm, they have no way of understanding to what they are consenting. Thus, from a consumer trust perspective, new consent policies which clearly define the role of RHIOs (and clinicians, providers and payers participating in RHIOs), coupled with significant provider and patient education programs, are crucial to ensuring that consumers are provided with the opportunity to make informed decisions with respect to with whom and for what purpose their personal health information is shared and used."

Without comprehensive and timely education, there will be resistance and fear. We strongly recommend that adequate resources and time be devoted to planning and implementing a multi-pronged approach for educating consumers about how EHRs, HIE, and RHIOs will work, security and confidentiality protections, the consent process, benefits and risks, and the need for personal responsibility in using and accessing the system. The diversity of communities and populations in New York State must be recognized and be reflected in materials and messages that are culturally competent and available in multiple languages. In addition, educational strategies must be tailored for persons with special needs – individuals who are deaf/hard of hearing, blind, or mentally disabled and others.

We also recommend that resources for this education be directed to entities known and trusted by the HIV community as they are particularly well-suited to provide this education and to engage in a dialogue to address concerns. Example of such entities include community-based organizations, peer training programs and care providers with HIV experience.

Legal Foundation for Protection of Confidentiality and Privacy

We support the premise that NYS laws reflect a desire to ensure that patients are protected from unauthorized uses of personal health information and provide both a legal and normative guidepost for developing consent policies for information exchange governed by RHIOs in New York. We would add that New York's HIV Confidentiality Law represents the "gold standard" in terms of protecting patient privacy and confidentiality, and imposing penalties for breaches. As the promise of HIT unfolds with the potential for exchanging information across State lines, federal legal protections with strong penalties for breaches are needed to ensure patient privacy and confidentiality. We would go so far as to recommend that such federal legal protections be a prerequisite for New York State's participation in the planned National Health Information Network (NHIN). The NYS HIV Confidentiality Law should serve as a model.

Regulation of RHIOs

Since RHIOs are intended to function as "trusted brokers" of personal health information in any of the three models described in the document, we support the State's intention to create a strong regulatory framework that includes laws governing the role of RHIOs regarding the use and disclosure of information, security safeguards, patient access to data, patient privacy protections and penalties for breaches.

The document states that "RHIOs must ensure…health information exchange software and services and the participants of the RHIO comply with minimum protocols, standards and services of the new consent policies and procedures. All statewide health information exchange enabled by the RHIO must comply with RHIO protocols and standards…." The RHIOs must operate within the envisioned regulatory framework and the entity responsible for oversight of RHIOs must set minimum uniform standards and have the resources, staffing and expertise to ensure compliance.

The potential third model, as described in the document, "Owner CDR," is likely to cause confusion and concern. The document notes that "each provider would be required by federal law to obtain a HIPAA authorization from each patient …containing a statement that the RHIO is not a covered entity and therefore not required to comply with HIPAA." Since consumers generally consider New York's laws to be more stringent than HIPAA, this model and the suggested language is likely to frighten consumers and "scare them away." We recommend this model be strongly discouraged.

Consumer Representation on RHIOs

We acknowledge that the document includes a recommendation that RHIOs appoint at lease one consumer representative to its Board. As informed consumers who are frequently called upon to participate in an advisory capacity, we strongly recommend increasing that number. Ideally, we would like to see a requirement that at least 25% and ideally 30% of RHIO Board membership be composed of consumers, one of whom is from the HIV community due to familiarity with issues regarding sensitive health information and, very often, specific training on participating in public policy deliberative processes. We would hope other consumer groups would also be represented. We know from experience that the voice of one consumer can more easily be muted without corroboration of the consumer perspective. Asking one consumer to represent the voice of all consumers is unrealistic and even unfair.

Consumers' Access to their Own Health Information

We applaud references in the document to increased consumer access to their own health information – specifying that RHIOs must have policies in place related to consumers' access to their own health information through the RHIO and must inform consumers of those through their education efforts. Many of us have had negative experiences relating to bureaucratic hurdles, lack of timely responses, and costs involved when trying to get copies of our own records. The document refers to RHIOs setting policies as to the form, time period and cost for responding to such requests. Since cost should never be a barrier to consumer access to their own information, we strongly recommend that this service be free to all or available without charge upon request of the consumer. We also recommend that the issue of consumers' access to their own health information be a focus of the ongoing statewide collaboration process.

Uses of Health Information

We support the two levels of permissible uses of data described in the document, with Level 1 uses focusing on treatment, quality improvement and disease management, and Level 2 uses, such as research and marketing. We also agree that the consent process should differ based on the level. The explicit prohibition of using data for "underwriting" and "discrimination" is extremely important. We agree that the statewide collaborative process should add other explicit prohibitions to this list, such as employment-related inquiries and matters related to US citizenship and/or immigration status.

We understand the rationale for the recommended policy that RHIOs may upload data without patient consent in order to support real time data exchange. We agree that consent to disclose requirement, rather than the recommended consent to access requirement, would impose real obstacles in building a system that allows for real time data exchange. However, we also believe that more explicit determinations must be made about what, if any, access the RHIO and its members have to stored information and uses of that data, if any are allowed.

Consumer Involvement in Ongoing Statewide Collaboration Process

The document indicates further deliberation is required regarding consent policies and procedures for de-identified data exchanged through a RHIO for quality and population health measurement and reporting, clinical research and other purposes. This discussion should encompass whether or not and how data available to the RHIO, regardless of whether consent has been given, can be used for such purposes as public health reporting, and in aggregate, de-identified form for quantification of disease burden and overall quality improvement. As members of the HIV community, we look forward to having seats at the table and being represented in the statewide collaboration process focusing on this important topic and other issues regarding evolving EHR/HIE policies.

RHIO Operational Issues and Oversight

We understand that RHIOs, as noted in the document, are in the early stages of building their organizational infrastructures and that time will be needed to fully implement consent and other policies that result from this process. However, because of the stakes involved, RHIOs must be held accountable from day one on protecting personal privacy and facilitating access to potentially lifesaving information once the electronic record is available and consent given. State directives and mandated policies must be clear. In addition strong sanctions and stiff penalties for breaches by the RHIO and its participating members must be explicit as soon as RHIOs have responsibility for any personal health information. Close oversight of operations must be provided by NYS under contractual obligations, the envisioned regulatory framework, and through a transparent and comprehensive public-private accreditation process holding RHIOs to the highest operational standards.