The Patient as Steward of Healthcare Data Managing Consent Preferences John D. Halamka MD Louis Sullivan Lecture

Post on 31-Dec-2015

The Patient as Steward of Healthcare Data

Managing Consent Preferences

John D. Halamka MD

Louis Sullivan Lecture

Privacy is the Final Frontier

How do we record patient preferences about information sharing?

How do we transfer consent preferences among payers, providers, labs, pharmacies, personal health record vendors and other stakeholders?

How do we manage continually changing privacy preferences, situations and use cases?

1998 – Payer/Provider data exchange

Health Insurance Portability and Accountability Act (HIPAA)

2004 – Provider/Provider data exchange

Regional Health Information network Organizations (RHInOs)

2008 – The Patient as Data Steward

Consent Assertion Markup Language (CAML)

How it might work?

A Consent Wizard, available as an open source web application, codifies all the consent options inventoried by HISPC

The output of the Consent Wizard is a transportable XML representation of patient preferences that can be hosted by a payer, a PHR, or a RHIO and used to guide all information exchange

Flavors of Consent

Opt-Out = data is exchanged by default unless restricted by the patient

Opt-In = data is not exchanged by default until the patient consents

Quilted = a subset of data is exchanged with patient consent based on institution, data user, data producer, and situation

Scope of Consent

Institution

– Opt Out = I do not wish the information at this institution to be shared

– Opt In = I agree to share all information from this institution

– Quilted = I agree to share my medications and labs but not my problem list and notes from this institution

Scope of Consent

Data User

– Opt Out = I do not want to participate in this research study

– Opt In = I want my data used by all stakeholders with audit protections, to optimize my health

– Quilted = I want all my data shared with emergency providers, primary care physicians, payers and public health agencies, but not with pharmaceutical firms

Scope of Consent

Data Producer

– Opt Out = I do not want my laboratory records shared

– Opt In = I want my data from labs, pharmacies and payers shared with providers

– Quilted = I want my pharmacy records shared except medications used for mental health, HIV, and substance abuse treatment

Scope of Consent

Situation

– Opt Out = I do not want my data shared for simple office visits with one-time providers i.e. out of town visit to an urgent care for a small laceration repair

– Opt In = I want my data shared for all care situations

– Quilted = I want my data shared for all emergency visits but not for routine care

How it might appear

<consent>
  <scope="Institution">
    <code code="311570" displayName="Beth Israel Deaconess Medical Center"/>
    <statusCode code="opt-in"/>
    <time value='20041001132534-0500'/>
  </scope>
  <scope="DataUser">
    <code code="12345678" displayName="Harvard Clinical Research Institute"/>
    <statusCode code="opt-out"/>
    <time value='20060923153527-0500'/>
  </scope>
</consent>

How it might appear

<consent>
  <scope="DataProducer">
    <code code="987654321" displayName="Walgreens Pharmacy"/>
    <statusCode code="quilted"/>
    <time value='20051103161524-0500'/>
    <exclusion code="34343434" displayName="Mental Health"/>
  </scope>
  <scope="Situation">
    <code code="111111" displayName="Emergency Department Care"/>
    <statusCode code="opt-in"/>
    <time value='20060201113715-0500'/>
  </scope>
</consent>

What this means

I opt-in to share all my data from Beth Israel Deaconess Medical Center

I opt-out of participating in a clinical trial at Harvard Clinical Research Institute

I opt-in to sharing my Walgreens prescription data except mental health medications

I opt-in to sharing all data (including mental health medications) for emergency care

The devil is in the details

The Consent Wizard would need to enforce integrity of consent options to avoid conflicting preferences i.e. patients cannot both opt-out and opt-in for data sharing with the same data user and situation

A hierarchy must be created to ensure consistent interpretation of complex consent, such as situation > institution > data user > data producer, i.e. an opt-in for emergency department data sharing overrides data producer opt-outs
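A sketch of the integrity check and the precedence hierarchy described on this slide, as an added example that is not part of the original presentation. It assumes a `type` attribute on `<scope>` (the slides write `<scope="...">`, which is not well-formed XML), a default of no sharing when no scope matches, and hypothetical function names `load` and `decide`.

```python
import xml.etree.ElementTree as ET

# Precedence from the slide: situation > institution > data user > data producer
PRECEDENCE = ["Situation", "Institution", "DataUser", "DataProducer"]

# Constructed sample based on the slides' records. The attribute name "type"
# is an assumption made so the document parses as XML.
SAMPLE = """<consent>
  <scope type="DataProducer">
    <code code="987654321" displayName="Walgreens Pharmacy"/>
    <statusCode code="quilted"/>
    <exclusion code="34343434" displayName="Mental Health"/>
  </scope>
  <scope type="Situation">
    <code code="111111" displayName="Emergency Department Care"/>
    <statusCode code="opt-in"/>
  </scope>
</consent>"""

def load(xml_text):
    """Parse scopes into {(type, code): (status, exclusions)}; reject conflicts."""
    rules = {}
    for s in ET.fromstring(xml_text).findall("scope"):
        key = (s.get("type"), s.find("code").get("code"))
        status = s.find("statusCode").get("code")
        if key[0] not in PRECEDENCE or status not in ("opt-in", "opt-out", "quilted"):
            raise ValueError(f"unknown scope or status: {key} {status}")
        prev = rules.get(key)
        if prev and prev[0] != status:  # e.g. opt-in and opt-out for the same data user
            raise ValueError(f"conflicting preferences for {key}")
        excl = {e.get("code") for e in s.findall("exclusion")}
        rules[key] = (status, excl | (prev[1] if prev else set()))
    return rules

def decide(rules, request, category):
    """request maps scope type -> code for this exchange. The highest-precedence
    matching scope decides; no match means no sharing (assumed default)."""
    for scope_type in PRECEDENCE:
        rule = rules.get((scope_type, request.get(scope_type)))
        if rule is None:
            continue
        status, exclusions = rule
        if status == "quilted":  # share everything except excluded categories
            return category not in exclusions
        return status == "opt-in"
    return False
```

Evaluating a mental health medication request against the Walgreens scope alone is denied, while the same request made in the Emergency Department Care situation is allowed because the situation scope is consulted first.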

How could this be implemented?

A Payer implements a patient portal which hosts the Consent Wizard and authenticates the patient. When a provider does a 270/271 transaction, the CAML data is returned with the 271 response or is available as a 275 claims attachment

How could this be implemented?

A Personal Health Record vendor provides the Consent Wizard to patients but does not need to verifiably authenticate the patient. When the patient 'authenticates' with the provider during the care registration process, the patient provides the PHR vendor name and account information needed to access their CAML data

How could this be implemented?

A RHIO, on behalf of the community, hosts the Consent Wizard and provides access to the CAML records of the community

Next steps

Consideration by the AHIC Security and Privacy Working Group

If AHIC proposes a use case, then SDOs would need to work on CAML or adapt XACML (existing standard for access control) to support CAML principles

Pilot projects for Consent Wizard development