Health Information Technology
Currently, patient consent decisions about sharing health information are often obtained on a paper form. As more providers and health information exchange organizations (HIEs) move to the use of electronic health records (EHRs) and other health IT, technology will play an increasing role in electronically capturing and maintaining patient consent.
Technology will also play an important role in identifying and communicating a patient’s consent decision related to sharing health information. Health IT systems will need the ability to honor patient consent decisions.
This web page touches on the technology aspects of capturing and maintaining consent decisions as well as the handling of sensitive health information.
A number of different models for electronically capturing and managing patient consent exist, including:
- Consent Bundled with Information – collecting patient consent at the place where health care is delivered and then transmitting the consent and corresponding health information when it is requested by others. For example, in some models, a consent document (such as a PDF of a paper consent form) is sent along with the patient’s health information.
- Metadata Tagging – adding a code to the health information to “tag” it with details related to the patient’s consent choice. When this tagged information is sent from one health IT system to another, both the sending and the receiving organizations’ health IT systems need to be able to read and understand what the tag means. The tag may also be a reference to a separate consent document that is stored locally or in a centralized database, showing the health IT system where to look for the most up-to-date consent choice for that piece of information.
- Centralized Approach – managing patient consent through a central database or repository that can be queried to decide how information may be accessed based on the patient’s choice.
No one operating model has emerged as the best practice.
The following quick background on sensitive health information may be helpful in showing why technology is important in this area. Sensitive health information is defined here as specific types of health information or health information generated by a specific type of provider.
Some of the categories of sensitive health information that may receive increased protection include:
- subject of information (e.g., HIV-related information, mental health information),
- provider type (e.g., substance abuse treatment provider), and
- type of information (e.g., psychotherapy notes).
Under the HIPAA Privacy Rule, patient consent is not required for the sharing of most health information for treatment, payment, and health care operations. However, some federal and state laws require patient consent for the sharing of sensitive health information.
Some laws require that when sensitive health information is disclosed, the receiving organization be notified that it cannot further disclose the information without obtaining the patient’s consent to do so. This restriction is often called a prohibition on re-disclosure. One federal law that has this requirement is 42 CFR Part 2, which protects the confidentiality of information related to substance abuse treatment received at federally funded treatment centers.
In addition to these laws, some organizations have their own internal policies requiring patient consent in order to share particularly sensitive information.
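The metadata tagging and centralized models, together with the re-disclosure notice described above, can be combined in a single release check. The sketch below is an added example, not code from ONC or any project named on this page. The tag names, the registry layout, the notice text and the choice to withhold any segment whose tag is not recognized are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed tag vocabulary (assumption): sender and receiver must share one.
NO_CONSENT_NEEDED = {"GENERAL"}
CONSENT_REQUIRED = {"HIV", "MENTAL_HEALTH", "SUBSTANCE_ABUSE_TREATMENT"}
# Tags whose release must carry a prohibition on re-disclosure notice (assumption).
REDISCLOSURE_NOTICE_TAGS = {"SUBSTANCE_ABUSE_TREATMENT"}
NOTICE = "Further disclosure requires the patient's consent."

@dataclass(frozen=True)
class Segment:
    segment_id: str
    tag: str    # sensitivity tag attached by the sending system
    body: str

def release(segments, registry, patient_id, recipient):
    """Split a tagged record into (released, withheld) for one recipient.

    registry is a stand-in for the central consent store:
    {patient_id: {tag: set of recipients the patient consented to}}.
    """
    consents = registry.get(patient_id, {})
    released, withheld = [], []
    for seg in segments:
        if seg.tag in NO_CONSENT_NEEDED:
            released.append({"id": seg.segment_id, "tag": seg.tag, "body": seg.body})
        elif seg.tag not in CONSENT_REQUIRED:
            # Fail closed: a tag this system cannot interpret is never released.
            withheld.append((seg.segment_id, "unrecognized tag"))
        elif recipient not in consents.get(seg.tag, set()):
            withheld.append((seg.segment_id, "no consent on file"))
        else:
            item = {"id": seg.segment_id, "tag": seg.tag, "body": seg.body}
            if seg.tag in REDISCLOSURE_NOTICE_TAGS:
                item["notice"] = NOTICE
            released.append(item)
    return released, withheld

# Constructed sample data, not real patient information.
RECORD = [
    Segment("s1", "GENERAL", "allergy list"),
    Segment("s2", "SUBSTANCE_ABUSE_TREATMENT", "treatment summary"),
    Segment("s3", "MENTAL_HEALTH", "counseling referral"),
    Segment("s4", "X-LOCAL-17", "locally coded entry"),
]
REGISTRY = {"patient-001": {"SUBSTANCE_ABUSE_TREATMENT": {"clinic-b"}}}

if __name__ == "__main__":
    for who in ("clinic-b", "clinic-c"):
        print(who, release(RECORD, REGISTRY, "patient-001", who))
```

Returning the withheld list with a reason for each segment gives the sending system something to audit when a recipient reports missing data.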
Some providers or HIEs may be constrained by their technology’s limitations. Some technologies offer patients only the choice to share all or none of their health information, including information that may be considered by many to be sensitive. Review the Meaningful Consent Overview page for more information about patient consent options.
The Office of the National Coordinator for Health Information Technology (ONC) encourages providers and organizations involved in electronic health information exchange (eHIE) to develop policies and technical approaches that offer patients more consent choices than simply having all or none of their information shared. ONC has supported various projects focused on developing and adopting consent technology:
- Data Segmentation for Privacy (DS4P) – The DS4P Standards & Interoperability Initiative strives to enable an HIE’s varying disclosure policies to be implemented and managed interoperably. DS4P showed a way for providers to share certain portions of an EHR, while not sharing others, such as information related to substance abuse treatment. Pilot projects conducted under DS4P implemented the developed standard and showed ways that the 42 CFR Part 2 prohibition on re-disclosure notice can be transmitted, along with health information, when a patient has consented to its disclosure. For an example, view a 5-minute video or 14-minute video of the U.S. Department of Veterans Affairs (VA)/Substance Abuse and Mental Health Services Administration (SAMHSA) demonstration project. Visit the DS4P Wiki for detailed initiative information.
- Aspiring to Awesome (A2A) Pilot (Health Information Exchange Challenge Program) [PDF - 143 KB] – The A2A pilot focuses on offering patients specific access control choices. A2A involves normalizing EHR patient information, conducting a needs analysis to understand patient preferences on health information exchange, creating an ethics framework, and designing a browser-based interface to allow patients to specify their privacy preferences.
- Strategic Healthcare IT Advanced Research Projects on Security (SHARPS) – SHARPS is a consortium of 12 universities with a blend of expertise in medicine and health care. Learn about SHARPS’ consent-related projects — HIPAA as a Logic Program, as well as Policy Authoring & Reasoning (PATRN) Toolkit — by visiting the SHARPS resources page.
- eConsent Trial Project – The eConsent Trial Project developed and implemented electronic and innovative ways to 1) educate patients about choice options and 2) capture and record their consent choices.
- Data Provenance [PDF - 940 KB] – ONC explored how the provenance or origin of clinical information is currently documented in a variety of system types, including EHRs, personal health records (PHRs), and HIEs. The Data Provenance (DPROV) Standards and Interoperability Initiative will address the “source data” challenge so that trust in the authenticity of the data can help inform decision making.
- Behavioral Health Data Exchange Consortium [PDF - 3.8 MB] – The Consortium was created to pilot the interstate exchange of behavioral health treatment records among treating health care providers using the Nationwide Health Information Direct protocols. Read more about consent and the final report of the Behavioral Health Data Exchange Consortium pilots.
- Research and Policy White Papers on Consent – These documents helped inform the eConsent and Data Segmentation efforts:
  - Consumer Consent Options for Electronic Health Information Exchange: Policy Considerations and Analysis [PDF - 733 KB]
  - Data Segmentation in Electronic Health Information Exchange: Policy Considerations and Analysis [PDF - 483 KB]
  - The Implementation of E-consent Mechanism in Three Countries: Canada, England, and the Netherlands [PDF - 877 KB]
- Electronic Consent Management: Landscape Assessment, Challenges, and Technology – The Consent Management Technology Landscape Assessment documents the information collected during informal discussions with various stakeholders, including health information organizations (HIOs), healthcare providers, and health IT developers. The report documents whether there are significant technical barriers to widespread electronic consent management, based on how some HIOs, providers, and developers manage patient consent when they share health information via health information exchange as of 2014. See Electronic Consent Management: Landscape Assessment, Challenges, and Technology [PDF - 1.7 MB].