Opt-In Policy Best For HIE Patient Privacy

8 Health Information Exchanges Lead The Way

Healthcare providers have yet to agree on the best way to protect the privacy of personal health information (PHI) in health information exchanges (HIEs), but John Halamka, MD, has an opinion.

As CIO at Beth Israel Deaconess Medical Center (BIDMC) in Boston, Halamka recently announced in a blog post that BIDMC will have all of its 1,800 affiliated ambulatory care providers ask their patients to "opt in for data sharing among the clinicians coordinating their care." This would allow data exchange, not only within BIDMC, but also with outside clinicians who provide care for those patients. The patients who opt in now will still be able to opt out later.

The blog entry noted that the statewide HIE is moving in the same direction; while BIDMC will document the patient consent itself, the state will start recording all consents in 2014.

Massachusetts law already requires opt-in consent for information exchange, Halamka told InformationWeek Healthcare, but BIDMC has selected a particular variety that he calls "opt-in to disclose." The other major type of opt-in consent, he said, is "opt-in to view," which would require patients to consent every time their information is viewed by a clinician other than their personal doctor.

State privacy laws, he added, override the HIPAA consent forms that patients are asked to sign. And there's no uniform national policy on how HIE privacy should be handled. So providers are trying various approaches in different states.

[Most of the largest healthcare data security and privacy breaches have involved lost or stolen mobile computing devices. For possible solutions, see 7 Tools To Tighten Healthcare Data Security.]

For example, California healthcare organizations are using an opt-out approach that allows any patient's data to be exchanged unless the patient requests that it not be. Mark Savage, an attorney with Consumers Union, told FierceHealthIT recently that the California solution has been "to limit the use of HIE to treatment by trusted doctors, with strong security protocols. In that context, opt-out has been an OK solution for us, because the structure built around the consent mechanism is strong enough to protect consumer privacy."

But that wouldn't work in Massachusetts, Halamka said. "In Massachusetts, consumers believe that the data shouldn't be exchanged about them until they give permission for that to occur. Because of our state laws and our culture, the notion of opting in makes more sense for us."

Due to limitations in current technology and processes, Halamka said, BIDMC can only implement the initial phase of what he calls "meaningful consent," which allows patients to control which data their treating physicians can view. In the first phase, patients can choose whether to disclose their data to BIDMC, but they can't control what kinds of data may be exchanged. The only exception is what Halamka calls "lock-box data," which includes information about mental-health treatment and is normally sequestered even within BIDMC. That data won't be available to non-BIDMC providers. Otherwise, if patients opt in, all of their data will be available to treating practitioners who request it from BIDMC.

With current electronic health records, Halamka noted, it's difficult to give patients more granular control. Even if the program specifies that a particular patient's HIV diagnosis and medications should not be exchanged, he notes, the diagnosis might be revealed or alluded to in free text. Moreover, if certain medications were not disclosed, doctors could not rely on the medication list when prescribing new drugs.

"So a patient needs to understand that if he or she chose not to consent, there are consequences, like drug-drug interactions or incomplete treatment," Halamka said.

Indications are that most patients will opt in. Several years ago, Halamka noted, the Massachusetts eHealth Collaborative asked all of the adults in North Adams, Mass., to opt in as part of an experimental health information exchange. "We achieved a 98% consent to opt in to everything," he recalled, as a result of educating patients "about the benefits of good, safe, quality care."

Will BIDMC providers go along with the policy, despite the extra work it will impose on them? Halamka believes they will. Aside from the fact that it requires only a one-time conversation with each patient, he noted, "The providers recognize that opt in to consent for disclosure is something that plays well in the media and with consumer groups. It sounds very patient-centric, and it's something that's going to be easy to have a conversation with the patient about."

Get the new, all-digital Healthcare CIO 25 issue of InformationWeek Healthcare. It's our second annual honor roll of the health IT leaders driving healthcare's transformation. (Free registration required.)