“Consent is going from theoretical to the implementation phase and adjustments are having to be made,” Ree Sailors, program director of health IT for the National Governors Association, told me for a story earlier this year. Some states that started with Medicaid as the lead agency began with opt-out as the default and have had to adjust as the public learns more about health data exchange, she added. Other state HIEs determined that not enough people would sign up in an opt-in format.
On Nov. 14, I listened to a lively webinar panel discussion on patient consent hosted by the National eHealth Collaborative. That discussion reinforced Sailors’ observation that consent seems to be moving from opt-out to hybrid models. For instance, Holt Anderson, executive director of the North Carolina Healthcare Information and Communications Alliance, described an HIE in his state involving 16 hospitals that had an opt-out model. But it has since linked up with a Veterans Administration hospital in Asheville with an opt-in policy. Queries to the VA are not acted upon unless the veteran has opted in. “It is a hybrid model and the mixture seems to be working,” Anderson said. Devore Culver, executive director and CEO of Maine’s HealthInfoNet, said its opt-out consent model, arrived at in 2007 after extended debate, is now becoming something of a hybrid, too, as it deals with restrictions around behavioral health and HIV information. Legislation passed in the state’s last legislative session allows that that data to be released as long as it is sequestered until a patient consents. Instead of blocking that information, the HIE system is being redesigned to treat it in a different manor. “All the risk has moved upstream to the exchange,” Culver said, “and that has me a little bit nervous.”
Many state health IT executives have expressed a desire for the federal government to weigh in, but progress has been slow. Although the Health IT Policy Committee sent recommendations to the Office of the National Coordinator in September 2010, no policy decisions have been made yet. Joy Pritts, chief privacy officer for ONC, said her office is reviewing those recommendations with a Health and Human Services interdivision work group and with other federal agency partners. ONC is also running a pilot project focused on identifying elements of consent that individuals need to make “meaningful” decisions about it and to measure the burdens to providers in having lengthy conversations about privacy and consent with patients.
Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology and a member of the Health IT Policy Committee, described a few of those recommendations. She said the committee made a distinction between different types of architecture. If all you are doing is peer-to-peer exchange and basically digitizing what has been done previously via paper and fax, she said, the committee suggested there isn’t need to offer patients consent beyond what they have today. But if you are setting up an exchange architecture in which providers can “pull” data from other providers or from a central source, patients should be given some options as to whether their data is part of this or not. A lot of states are struggling with whether to have several consent models based on architecture or have one size fit all. “It’s an interesting debate,” McGraw said, “and it is tying people up in knots.”
More important than opt in or opt out, she added, is transparency about what you are doing. Patients need to understand that there is HIE infrastructure being built, and that they have an opportunity to make a choice in advance of that data being accessible.
It still remains to be seen which model will prevail: the opt-out model that many states have chosen (because it’s easier) or the more challenging option the Policy Committee recommends that involves more upfront choices for consumers. Stay tuned.
