Controlling the risk for meaningful use for HIE participants
The expansion of EHRs has resulted in healthcare organizations compiling more protected health information than ever before. At the same time, HIEs are facilitating access to that information from provider to provider. Consequently, release-of-information authorizations have dramatically expanded in both scope and complexity. Patients are no longer agreeing to a one-time transfer of paper records between two parties. Granting access to health information may now span many providers and potentially payers. In addition, that permission is typically framed as a perpetual agreement unless revoked by the patient. In this environment the question emerges: “Do patients really understand the significance of what they are signing?”
Recently, ONC tried to address some of these intricacies by issuing guidance about how to gain patients’ “meaningful consent” to HIE participation. In a nutshell, meaningful consent allows patients to decide: Whether their electronic information will be released; under what circumstances it will be released and to whom. It gives patients options about where, when and how providers can exchange their electronic PHI.
While an important part of patient decision-making, meaningful consent nonetheless poses significant risks for providers who must treat patients whether or not they are granted access to information available through HIE. Providers could even find themselves contributing to a suboptimal outcome caused by their inability to obtain a complete picture of the patient’s health.
In fact, meaningful consent is fraught with legal/regulatory and clinical risk exposure. Consider the example of a patient seen in a pain clinic who expressly restricts her physician from sharing electronic records detailing the use of acupuncture to treat her spinal stenosis. If the patient is referred to a surgeon, those details will not be available via HIE. If they are, the disclosure may be considered a breach of privacy under HIPAA. In this instance, the patient’s meaningful consent would limit care collaboration – in stark contrast to the goals of many care delivery models intended to coordinate care, avoid duplication of services and prevent medical errors.
To fully appreciate how to obtain meaningful consent, educate patients and honor their requests, organizations must understand the risks involved and identify solutions to mitigate them.
Solutions to Mitigate
Meaningful consent should be obtained any time an organization exchanges health information electronically. These four steps can help analyze potential risks and create practical remedies:
- Form a review group. Include representation from IT, clinical leadership, legal counsel, patient relations and several “typical” patients. This group must clearly understand the patient perspective, as well as the meaningful consent rules and regulations. Varying state laws, for example, may create specific nuances related to meaningful consent for research, shared decision-making or other situations.
- Determine the approach. Organizations typically use opt-in consent (the default is that patient information isnot shared automatically). Opt-out consent (the default is that information is shared automatically) is less advisable unless narrow in scope and fully explained to the patient. A combination of the two (information is only shared in certain conditions, such as emergencies) may also be practical. Organizations must then determine other applicable criteria such as the extent of restriction requests that an organization may support as set forth under the HIPAA Omnibus Rule. Finally, they must establish who is responsible for obtaining meaningful consent, how the approach intersects with informed consent, and how it impacts special circumstances such as shared decision-making, surrogate decision-makers, or patients involved in research.
- Set an educational standard. Educate patients about their options regarding electronic HIE, the benefits, risks and alternatives of ensuring that potential providers have access to information essential to their care. Evaluate any cultural nuances that could be a barrier to the process. Consider health literacy and language barriers among your patient populations. Then, use clear language and easy-to-read formats to communicate. A “frequently asked questions” document, for instance, can help patients understand what information is released, by whom and under what circumstances. Questions might include: “What if I change my mind about release?” “Can someone overturn my decision?” and “How are shared custody situations handled?”
- Create a documentation process. Decide how meaningful consent will be obtained for most patients, then delineate the steps for documenting the process. Keep in mind that staffs that understand meaningful consent and can answer patient questions are best suited for the job. “Teach-back” techniques can also be used to ensure appropriate consent. This would include asking patients to verbalize: what is involved in meaningful consent; what they have chosen to do; and their options should they change their decisions in the future. A consistent and well-documented process can go a long way toward protecting against complaints, grievances and litigation.
Managing Meaningful Consent
Despite the best training, education and documentation, meaningful consent is not achievable if an organization’s IT systems cannot fully support patient approvals and restrictions. If consent of this complexity is documented on paper, the organization may be at an immediate disadvantage. Likewise, poorly designed automated solutions may provide free text fields where restrictions can be entered, but patients often don’t know who or what to restrict. One option is to include granular choices for exclusion within an electronic meaningful consent form, such as a list of providers, family member categories, specific payers or other commonly identified classifications. A well-designed electronic consent approach can then “flag” information as appropriate within the EHR or other systems to mitigate the possibility of not following patient authorized use of and dissemination of health information through an HIE.
Successfully managing the risk inherent in meaningful consent requires involving and educating patients, leveraging IT and training providers to gain accurate consent documentation. In short: A proactive approach to risk analysis and mitigation offers healthcare organizations the best defense against increasingly complex HIPAA rules and HIE infrastructure.