Search the KHIT Blog

Tuesday, July 26, 2011

What does "obtain consent" mean with respect to HIT?

Some assume that in Nevada "consent" axiomatically connotes a requirement of express (written) affirmative "opt-in" to override a comprehensive default circumstance of one having passively opted out.

Interesting. Really?
Well, consider...

Nevada does not provide a single, consistent approach to the privacy and security of health information. [pg 2]...

...Nevada does not have a comprehensive statutory framework in place to address health information and HIT issues. Instead, the existing statutes concerning these issues are scattered throughout NRS, and have often been adopted and amended independently of each other. In addition, these statutes, for the most part, do not specifically address issues involving electronic health information... [pg 14]

An interesting 98 page read traversing the gamut of Nevada statutes pertaining to PHI. It was the precursor to the May 23rd, 2011 Nevada HIE Strategic and Operational Plan I discussed my in prior post. Nothing I can find materially changed in the interim with respect to ePHI "consent." Let me add this to the Ops Plan excerpts I cited in my prior post:
The objectives related to these overarching [HIE] goals are to:

...Employ Nevada Open Meeting Law to ensure transparency and openness about policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information, including how that individually identifiable health information is collected, used, and disclosed and whether and how [emphasis mine] they can exercise choice over such collections, uses, and disclosures, in compliance with federal and state laws... [4.2 NV HIE Goals and Objectives, pp. 6-7]

The minimal regulatory/procedural mechanics of State HIE ePHI "consent" remain to be determined, IMHO. That, however, does not constrain the HealthInsight HIE from promulgating consent policies, with the knowledge that they may at some point(s) be in need of revision to conform to subsequent NAC and/or NRS requirements.


In a prior post I cited recent publishing and discussion regarding some of the heuristic liabilities that afflict "reasoning." A common one is that of "confirmation bias" -- i.e., most of us, even "experts," tend to stop shopping for evidence once we find enough that fits with what we already assume to be the case.

In my prior post I cited some details from the Nevada SB 43 pertaining to patient options with respect to ePHI disclosure consent for purposes of health information exchange.

To recap:
Sec. 7. 1. The Director shall by regulation prescribe standards:

(a) To ensure that electronic health records and the statewide health information exchange system are secure;

(b) To maintain the confidentiality of electronic health records and health-related information, including, without limitation, standards to maintain the confidentiality of electronic health records relating to a child who has received health care services without the consent of a parent or guardian and which ensure that a child’s right to access such health care services is not impaired;

(c) To ensure the privacy of individually identifiable health information, including, without limitation, standards to ensure the privacy of information relating to a child who has received health care services without the consent of a parent or guardian;

(d) For obtaining consent from a patient before transmitting the patient’s health records to the health information exchange system, including, without limitation, standards for obtaining such consent from a child who has received health care services without the consent of a parent or guardian...
Sec. 15. NRS 439.538 is hereby amended to read as follows:

439.538 1. If a covered entity transmits electronically individually identifiable health information in compliance with the provisions of [the]:

(a) The Health Insurance Portability and Accountability Act of 1996, Public Law 104-191; and

(b) Sections 2 to 12, inclusive, of this act and the regulations adopted pursuant thereto, which govern the electronic transmission of such information, the covered entity is, for purposes of the electronic transmission, exempt from any state law that contains more stringent requirements or provisions concerning the privacy or confidentiality of individually identifiable health information.

2. A covered entity that makes individually identifiable health information available electronically pursuant to subsection 1 shall allow any person to opt out of having his or her individually identifiable health information disclosed electronically to other covered entities, except:

(a) As required by the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.

(b) As otherwise required by a state law.

(c) That a person who is a recipient of Medicaid or insurance pursuant to the Children’s Health Insurance Program may not opt out of having his or her individually identifiable health information disclosed electronically...

Well, seems from all of those provisions that the precise legal/regulatory parameters of ePHI/HIE disclosure "consent" remain TBA in the wake of final passage of SB 43, no?

But, then, there's this contrary little wrinkle I'd missed:
Sec. 11. 1. Except as otherwise provided in subsection 2 of NRS 439.538, a patient must not be required to participate in a health information exchange. Before a patient’s health care records may be transmitted electronically or included in a health information exchange, the patient must be fully informed and consent, in the manner prescribed by the Director, to the transmittal or inclusion.

Section 11, which rather clearly infers a requirement for express affirmative (written?) "opt-in" consent that I'd failed to read (and might rightfully be construed as dictating what the Director "shall by regulation prescribe" regarding disclosure permission), seems to be at direct odds with 15(2)(c).*
* And, the fact that HIEs are not "covered entities" with respect to HIPAA is an irrelevant technicality. It will not be HIE employees in the providers' offices collecting consents. Moreover, HIEs are bound by the requisite Business Associates Agreements in any event.
I'm left with feeling a twinge of having fallen into the trap of "confirmation bias" in all of this, perhaps in part of function of the "Anchoring Effect" of having read so much HIE consent literature from other sources pertaining to the feds and other states. The convenience of "keyword/phrase" search has its hazards here as well; you think you've found what you need without reading every word.


Lessons from the Leaders

"[The] National eHealth Collaborative (NeHC) recently conducted a study of 12 fully operational HIEs that demonstrate through their innovative strategies and business models that HIEs can benefit multiple stakeholder groups, and can, in the process, become growing, self-sustaining business enterprises."

From "Critical Success Factors" in the Executive summary:
...Consent and security policies and mechanisms must meet the requirements of various types of stakeholders and, in some cases, variations in regulations among multiple states. The HIE’s information infrastructure and operations must also ensure that patient information is accurate and reliable. Managing the framework of trust can be daunting for an HIE, as data originating from a variety of disparate locations must be verified in a way that is simple and efficient, with no margin for error. One executive interviewed calls health information exchange a “zero-defect” business...

Also from the Executive summary, numero uno in the "Barriers" piece:

Policies and procedures designed to meet complex privacy requirements tend to impede an Hie’s efforts to achieve the critical mass of patient records needed to accelerate adoption. Managing patient consent in particular is a major challenge that gains complexity as the footprint of these HIEs expands. With one exception, the HIE teams raising consent as an issue believe that requiring patients to opt-in to the HIE is a barrier to progress. In contrast, operating in an environment where opt-out consent is accepted by the community was identified as an important factor of success.

Interesting. The report goes on to discuss the "consent management" issues (where applicable) confronted by and policies of:
  • Availity
  • Big Bend RHIO
  • HealthBridge
  • HealthInfonet
  • Inland Northwest Health Services
  • MedVirginia
  • Quality Health Network
  • Rochester RHIO
  • Sandlot
  • SMRTnet
  • Taconic Health Information Network and Community
  • U.S. Department of Veterans Affairs
I'm still reviewing all of this at the moment. One example (Availity):
Patient consent. Managing patient consent is a significant challenge that will persist and become more complex as Availity’s geographic footprint and number of users expands. Tracking consents and revocations at the source of the data in a multi-state environment where laws, policies, and preferences often vary, requires significant investments in expertise, collaboration with stakeholders, and education of distributors and consumers.

One more (Rochester RHIO):
Complex patient consent requirements. The complexity of policies to protect patients’ privacy and consent procedures in New York presented significant challenges that the Rochester RHIO needed to overcome to achieve its healthcare provider adoption and consumer participation goals. To streamline the consent process while making the most information available in the shortest period, the Rochester RHIO has implemented the New York Department of Health-approved patient consent model, known as “consent to view.” All patient data available electronically from the RHIO’s data distribution partners is accessible by the HIE regardless of patients’ consent. However, a specified patient’s data cannot be viewed by a user without an informed consent from the patient on file authorizing that user to access that patient’s information. With this model, as soon as a patient grants consent, all historical information on that patient available from data suppliers via the HIE can be accessed by his or her providers. To streamline the process, patients can complete informed consents online. Leadership at the Rochester RHIO considers it vitally important to invest the resources necessary to assist physicians’ offices to operationalizing the patient consent procedures. These strategies have helped the Rochester RHIO obtain consent for more than one-third of the market’s patient population to date.

Big Bend RHIO:
Patient education. Big Bend has found that it is necessary to help patients understand and accept the policy options related to patient opt-in versus opt-out models.

Consensus on patient consent management. Achieving consensus among the community’s stakeholders for an opt- out patient consent model is considered to be an important factor in growth of clinician adoption. HealthInfoNet will remove all clinical data belonging to a patient who decides to opt-out of the HIE. As of early 2011, approximately 6,000 patients – less than 0.6 percent of patients in the database – have opted-out of the HIE. Patients are able to opt-out of the HIE via an online form available at HealthInfoNet’s website.

And, finally, the Veterans Administration:
Patient consent requirements. Sharing of veterans’ health information with private sector entities requires patients to explicitly provide consent (i.e., opt-in). Every VA region requires a different approach and outreach to veterans to invite their participation in VLER, which is a worthy but significant effort and investment.



Recall back in April I'd made some observations about "Comparative Effectiveness Research" (CER, cited earlier here as well)? The potential Big Picture long-term data-mining payoff of HIE? Well, recently from the Pacific Research Institute:

...under conservative assumptions, R&D investment in new and improved pharmaceuticals and devices and equipment would be reduced by about $10 billion per year over the period 2014 through 2025, or about 10-12 percent. This reduction in the advance of medical technology would impose an expected loss of about 5 million life-years annually, with a conservative economic value of $500 billion, an amount substantially greater than the entire U.S. market for pharmaceuticals and devices and equipment. This finding suggests that an expanded CER process may be very unwise in a policy context and that a renewed emphasis upon a “bottom-up” process of experimentation by many millions of practitioners and patients would be a more fruitful approach for the acquisition of information about the comparative effectiveness of alternative clinical approaches...

...This finding suggests that an expanded CER process at the federal level—a top-down process—may be very unwise in a policy context, and that a renewed emphasis upon a “bottom up” approach of experimentation by many millions of practitioners and patients would be a more fruitful vehicle for the acquisition of information about the comparative effectiveness of alternative clinical approaches.

So many Straw Men, so Little Time. So, clinical practice advances wrought by data mining from in-the-trenches clinical results (however imperfect) will make us signifcantly worse off? "CER kills"? Basically, they're accusing the government of an inexorable cost-driven biased agenda essentially characteristic of the old "Soviet Science."

I ran this stuff by the esteemed Joe Flower and J.D. Kleinke. Have yet to hear back from J.D. but here's how Joe responded.

I haven't read the study. I don't need to, since it is so obviously true, if we just make certain assumptions, such as:

  • Every dime spent on R&D for drugs and devices is wisely spent, on advances that will save and improve lives.
  • Every dime spent on finding out whether those drugs and devices actually work as advertised, and don't actually kill people, and do it better or cheaper than other drugs and devices, is a dime wasted. CER just slows down legitimate, helpful research.
  • Experience does not show us any examples of wasteful or unnecessary drugs or devices. Those multiple peer-reviewed research papers showing that we waste hundreds of billions of dollars every year on useless complex back surgeries, the 22% of implanted defibrillators that are unnecessary, tens of millions of unnecessary scans, coronary stents put in people with stable heart disease and no heart pain, the heartburn surgeries that work no better than over-the-counter drugs—those studies are all false, wrong, some kind of mumbo-jumbo that we can safely ignore.
If we just make those few simple assumptions, the study has a valid point. If we don't accept those assumptions, we have to wonder about the mental state, motivations, and personal finances of someone who would cook up such an obvious bit of flim-flam.

See Joe's post "Comparative effectiveness research kills?"

BTW, Joe's post quickly got picked up by The Health Care Blog. My subsequent comment:
OK, I’ve been closely through the entire “study” with yellow highlighter and red pen for underlining and margin notes. It could have been done as a short Powerpoint deck of the usual [1] “ell ‘em what you’re gonna tell ‘em, [2] tell ‘em, [3] and finish by telling them what you told them” format.

In sum:
  • Government BAD;
  • unfettered for-profit markets GOOD.
Y’see we can’t trust “the government” to produce unbiased scientific CER findings owing to their imperative to cut costs — inexorably at the expense of patients’ interests and market “innovation” and profits. BUT (implicitly), no such conflict of interest biases exist in the free market.

That’s really the essence of this paper, extensive footnotes, neat-o ECON algebra, and Blinding Glimpses of the Obvious undergrad 101 psych and biz school theory assertions (“incentives,” “ROI,” “opportunity cost,” “efficiency,” etc).

Gotta love the repetitive hedging phrase “to the extent that…” too.

This kind of stuff is akin to that of the “Concern Troll.”

To The Extent That my hops improve materially, I will be hammer-dunking during pickup.

The author's closing assertion (returning to where he began, verbatim):

a “bottom up” approach of experimentation by many millions of practitioners and patients would be a more fruitful vehicle for the acquisition of information about the comparative effectiveness of alternative clinical approaches.

The final sentence in the paper. Permit me to ask: the aggregate "study designs" and scientifically administrative coordination of all these ad hoc, silo'ed n=1 experiments will be accomplished precisely how and by whom?

Simply "Let a Million Clinical Thomas Edisons and Ben Franklins Bloom"?

The author begs off that
...problems of analysis and application are not the central focus of this paper. Instead, we concentrate here on the implications of the CER process on R&D investment in new and improved medical technologies, as driven by federal policy-making in the context of the incentives of public officials...[pg 12]

"Not the central focus"? Forgive me for failing see where they're substantively addressed at all (with the exception of one briefly cited investigation -- the University of Texas ALLHAT Study).

UPDATE: I've asked the fine folks at to take a fresh whack at this topic.


More to come...

No comments:

Post a Comment