The healthcare industry has seen the effects of the digital age in the advent of electronic health records (EHRs), which allow patient Protected Health Information (PHI) to be stored in a versatile, transferrable electronic format. Through the use of health information exchange (HIE), the transmission of clinical data amongst healthcare facilities, health information organizations (HIOs) and government agencies, doctors now have the ability to share EHRs to analyze health patterns of the general population. As such, efforts are underway at the state, regional and national level to expand the use of HIE as a means to quicker and more accurate diagnoses of patients with similar symptoms and histories, thereby facilitating more effective treatment and continuity of care.

The 2009 Health Information and Technology for Economic and Clinical Health Act (HITECH)  included grants to help foster the development of exchanges and address privacy concerns surrounding EHRs and HIE by extending the privacy and security provisions in the Health Insurance Portability and Accountability Act (HIPAA) from only covered entities to include their business associates. HITECH also requires covered entities to report data to the media and to the Department of Health and Human Services on any breach affecting 500 or more individuals. Balancing the substantial patient benefits and broader societal benefits of HIE with the privacy concerns raised requires in-house counsel to work with HIE providers to develop standards for obtaining consent from patients to use their PHI, and requires providers to be aware of the current status of these standards.

Consent models

Several models exist for obtaining patient consent, and each model has its pros and cons.

  1. Simply not obtaining consent from any patients to disclose PHI. However, this is essentially unacceptable from both a philosophical and a legal standpoint. Philosophically, not obtaining consent diminishes patient buy-in of HIE. Legally, in-house counsel and health care providers could open themselves up to lawsuits from patients for disclosure of PHI. Particularly in the event of a breach, the new HIPAA requirements would result in patients discovering that the privacy of their PHI was compromised at the same time they found out that it was being used in an exchange. Nevertheless, some advocacy groups have made a push to eliminate requirements for consent altogether.
  2. Opt-in. Patients are provided with information about EHRs and HIE, and must specifically consent to have their EHRs used as a part of HIE. This model can be implemented through general opt-in, where the patient gives consent for all future use of their EHR in HIE, or per-visit opt-in, where the patient consents to use only the PHI provided during that visit. This model can also be further refined to include a granular option, which allows patients to select the types of information they wish to make available. The opt-in method ensures these patients are willing participants. Unfortunately, opt-in also generally leads to a lower participation rate for patients, because the provider is responsible for convincing the patient to consent. The per-visit or granular approach, while more flexible, adds a great deal of complexity to the process of obtaining consent.
  3. Opt-out. Requires patients to affirmatively choose to be excluded from HIE. Similar to the opt-in model, the opt-out model can take a granular approach, allowing patients to opt-out of disclosing only certain types of information. Generally, this model increases participation because patients may not be as likely to make the effort to affirmatively opt-out of HIE. However, it also raises the question of how to effectively provide this option to patients. If the choice is given without much indication of its purpose, this model may be effectively the same as no consent at all. If the option is too strongly promoted, however, it may have similar participation problems as the opt-in model.

Current state of the law

There have been some recent law developments on the national and state levels that influence the easier adoption of HIE. Nationally, the HITECH Act charged the Office of the National Coordinator for Health Information Technology (ONC) with the responsibility of promoting HIE. Currently, the ONC is developing a Nationwide Health Information Network (NHIN), which will help interconnect the individual HIEs and facilitate the flow of information. In the future this may involve standardizing consent, but for now that delicate issue has been left for the states to decide.

For instance, the Illinois Health Information Exchange and Technology Act created the Illinois HIE. While still in its formative stages, the Illinois HIE Strategic Operating Plan, published at the end of 2010, anticipates a consent model that mixes an opt-out structure for general health information and an opt-in structure for more highly sensitive personal health information. Though most state exchanges are still developing, several well-established exchanges exist, such as the Delaware Health Information Network and the Chesapeake (VA) Regional Information System for our Patients. Both states have adopted an opt-out patient consent model. However, many states have yet to develop their exchanges, so it remains to be seen how the consent models will differ nationwide.

Provider considerations

Considering the potential issues connected with obtaining patient consent for EHRs and HIE, internal counsel must work closely with their provider clients and make decisions with an eye towards the future. In moving forward with EHRs and HIE, it would seem beneficial for counsel to err on the side of overcompliance in obtaining patient consent, and to at least adopt a model which allows patients to identify sensitive information to keep out of exchanges. This allows providers to inoculate themselves against uncertainty, ensuring that policies comply with the exchange requirements of NHIN and any state or regional exchanges which might use EHRs as part of the NHIN. Finally, by having a policy structure that values patient input, counsel will help providers increase patient buy-in to a system that has the potential to improve provision of health care to the individual and to the population as a whole.