For all state health IT coordinators, providing patients with privacy and control of their health data is a priority. For many, it's also a legal mandate, with data privacy rules differing from state to state.
"The final [state HIE strategic and operational plan] was approved in the last couple weeks, so all the funding is moving out," said Dr. Ross Martin, specialist leader at Deloitte Consulting LLP, the contractor administering the Office of the National Coordinator for Health IT's Statewide HIE Technical Assistance Program. "Every state is in some form of implementation now. They all come from different places, there's no cookie-cutter HIT coordinator designation or CTO coordinator, but they all make it work."
Oregon state HIE builds in rules for HIV, behavioral health patients
Carol Robinson, Oregon state health IT coordinator, said her team is active in promoting consumer engagement in addition to complying with state privacy rules, which happen to be more stringent than federal rules. Allowing patients the ability to opt out of HIE -- except where state and federal law prohibit it -- is a mandate. A consumer advisory panel, she added, is the most important member of a large stakeholder group that is providing feedback on how to best implement patient consents.
"All of the decisions, in terms of our policymaking, have been vetted very thoroughly through that consumer group, including our patient consent policy," Robinson said. This input seems to be paying off, she added. In responding to a recent survey, 80% of rural Oregonians favor all of their providers having access to all of their records, all of the time.
The toughest part for state HIE architects who must support partial opt-out policies may very well be giving patients the ability to shield the disclosure of conditions such as HIV/AIDS, substance abuse or behavioral health treatment. Robinson said it's one thing to make an HIV test invisible, but someone seeing a health record might be able to figure out a person has HIV in other ways -- for example, by seeing that he takes a particular medication.
Having a process that will standardize consent in our state we see as an advantage
Carol Robinson, state health IT coordinator, Oregon
The Oregon state HIE will comply with specific laws protecting patients with these conditions by making those cases "opt in." The rest of the populace will automatically participate and have the choice to opt out. If it seems like a complicated issue to medical authorities and health IT experts, she said, it was even more confusing to the members of the consumer advisory panel. Once they understood, however, they still agreed an overall "opt out" policy would help provide Oregonians with the best care.
Robinson said it falls to her office to administer the opt-in patients. The office supports the process with forms, as well as a detailed public-information campaign, led by providers and state associations, to tell patients their rights whether they are in those legally protected groups or not. As of now, before the HIE can access a patient’s data, state policy dictates that each patient (or his/her caregiver) will annually sign a form indicating they refuse to opt out.
That might seem like "turning an opt-in on its head a little bit," she said, but it seemed to planners like a good middle ground that will both build the state HIE and promote patient participation. Patients will be told specifics about what goes with an opt-out decision -- such as the fact that emergency physicians will not be able to access their data for treatment.
"We see the value in that education campaign…because, culturally, we know that consent is all over the map right now," Robinson said. This is true in the various state assistance programs for children and adults, as well as among health care providers, since policies among hospitals and physician offices vary from location to location. "Having a process that will standardize consent in our state we see as an advantage," she added.
How Rhode Island, Illinois state HIEs address patient consent
Amy Zimmerman, chief of health IT for the Rhode Island Department of Health, said her state HIE's consent model is opt-in, with no data going into the HIE unless a patient enrolls. There are three levels of access the patient can choose upon enrolling -- full but temporary access for emergency treatment, the minimum to which all enrollees consent; a "HIPAA consent" level that gives access to all providers in the course of treatment, and a third consent level that gives permissions to individual providers.
It took 18 to 24 months of discussions with community stakeholder groups to arrive at this model, she said. It was a compromise, because in those discussions Rhode Island authorities found that each group -- providers, patients, and a legal advisory board -- were divided in their feelings toward an "all-or-nothing" opt-in approach to sharing patient data.
The first core service of a state HIE en route to giving patients control of how their data flows through it is the master patient index, said Ivan Handler, CTO of Illinois' Office of Health IT. This is followed by provider, public health and payer directories -- all of which are under construction at present. A recent state law that automatically enrolls Medicaid patients in the HIE will help simplify that process -- especially since patients can't opt out if they want the state to continue to invest in their health.
Beyond that, he said, the state plans a rules-based XML architecture for managing patient consent for HIE participation. The idea is to build in flexibility for future patient privacy laws that may develop over time.
"We're hoping it doesn't start off too complicated, but these are very sensitive issues," Handler said. "We're taking a 'let's prepare for the worst' [approach]."
Let us know what you think about the story; email Don Fluckinger, Features Writer.