At the most recent meeting of the Health Information Technology Council, the group responsible for advising the state-designated entity for health information exchange (HIE) continued its work to minimize the confusion caused by patient consent regulations in Massachusetts. The ease with which the MassHIway can proceed with offering Phase 1 services, approximating secure email without access to patient data repositories or the ability to query, depends on its ability to get patient consent effectively.
Although Massachusetts is an opt-in state (i.e., patients must consent to their information being part of an HIE), components of the Commonwealth’s Chapter 224 of the Acts of 2012 have led to a variety of interpretation.
According to the presentation materials made available by John Halamka, MD, MS, on Life as a Healthcare CIO, the state law lacks in two key areas for patient consent: It does not define “opt-in” and its implied definition of “opt-out” is not consistent with industry standards. Part of the reason for this is that the legislation contains language from earlier law enacted in 2008, which predates current understanding of HIE architecture as well as developments in the areas of HIE and patient consent over past several years.
The HIT Council is proposing a basic approach to abiding by Massachusetts law governing patient consent. Participants in the HIE will obtain formal consent from patients during their general consent for care signing processes and name specifically MassHIway as the mode of exchange. The proposal should meet the legislation’s intentions for statewide HIE and refuse to remain silent on HIE consent by clearly delineating the MassHIway.
The group still must tackle what consent processes will be required for the next phase of HIE. The HIT Council is already considering the need for a separate consent for Phase 2 considering that the services “are much more complex and will likely require wholly new consent approaches and workflows that include more assertive patient engagement.”
The challenge posed to HIE by patient consent features prominently in a recent RAND report on patient privacy within the Military Health System. The authors contend that the matter of patient consent could undermine efforts to proceed with the Department of Defense’s Virtual Lifetime Electronic Record (VLER):
Although HIPAA allows providers to share patient health information for the purposes of treatment, payment, and operations without patient authorization, we expect that many civilian providers may not be able or willing to do so, particularly those providers who reside in states with additional requirements for consent beyond the federal requirements . . . DoD also faces some unique challenges with respect to consent for HIE, such as consent for the exchange of pre-accession PHI for an active duty member who was a dependent prior to joining the military.
The care and consideration being taken by the HIT Council in Massachusetts should bode well for ensuring that patient consent, intended to safeguard patient privacy, doesn’t become a hindrance to ensuring a patient’s health and safety wherever the point of care may be.