Section 4.13 Implement
Managing Patient Consent
Prepare to manage your clients’ consent for participating in health information exchange (HIE).
Time needed: 2 hours
Suggested other tools: NA
How to Use
1. Gain an appreciation of the need for managing patient consent and access in HIE.
2. Adopt tools to obtain, manage, and supply consent when submitting and/or requesting a
given person’s health information via a health information exchange organization (HIO) or
other HIE process.
Patient Consent for eHIE – Electronic Health Information Exchange
As health information exchange through electronic systems increases, patients’ trust in HIE must be
ensured – and patients may be more often asked to make an “informed” consent decisions.
This consent decision concerns the sharing and accessing of the patients’ health information through
an eHIE for treatment, payment and healthcare operations purposes. To achieve this, many states
have adopted consent requirements for their HIO/HIE/HDIs or have otherwise modified their state
statutes on health information privacy.
Federal Resources – Meaningful Consent Support
Through the ONC (Office of the National Coordinator) of Health Information Technology federal
HHS resources support the concept of “meaningful consent” strategies and tools which can be used
by health care providers to engage and educate patients, provide background information, videos,
customizable tools, and provide practical implementation tips in fostering trust in new technologies
and greater understanding of options for participating in meaningful informed consent decisions:
Resource Name
Patient Consent for Electronic Health
Information Exchange – eConsent Toolkit
Meaningful Consent Overview
Patient Education and Engagement
Technology Aspects of Capturing and
Maintaining Consent Decisions
Health Information Privacy Law & Policy
Recommendations to Health IT Policy
Committee: Family, Friends & Personal
Representative Access – Intersection of
VDT for MU2
Section 4 Implement—Managing Person Consent - 1
URL
http://www.healthit.gov/providers-professionals/patient-consentelectronic-health-information-exchange
http://www.healthit.gov/providers-professionals/patient-consentelectronic-health-information-exchange/meaningful-consentoverview
http://www.healthit.gov/providers-professionals/patient-consentelectronic-health-information-exchange/patient-education-andengagement
http://www.healthit.gov/providers-professionals/patient-consentelectronic-health-information-exchange/patient-education-andengagement
http://www.healthit.gov/providers-professionals/patient-consentelectronic-health-information-exchange/health-informationprivacy-law-policy
http://www.healthit.gov/FACAS/sites/faca/files/HITPC_Personal
RepresentativeUpdate_2014-04-08.pdf
State and Local Patient Consent Requirements
Although the federal government provides excellent tools to assist HIOs and the participants who use
them, consent is unique to each state. In some cases, it is even unique to a certain HIO or provider
organization that may choose to enforce more stringent requirements than its state or the federal
government requires.
Minnesota provides an example of tools it uses to manage consent below. For more information on
Federal, State and Organizational Resources about Consent, Personal Choice, and Confidentiality
visit Quick Links under the Health Information Privacy Law and Policy URL above.
Minnesota Consent Resources
Minnesota Privacy Resources
Minnesota Health Records Act
Minnesota Standard Consent Form and
Instructions for Completing
Q&A: Standard Consent Form to Release
Health Information (MN)
Upper Midwest Health Information
Exchange Consortium to advance
Interstate Exchange of PHR (UM HIE)
Minnesota Privacy & Security Resources
MN Laws & Mandates (Index)
MN State Response to HITECH ACT
MN Health Records Access Study (2013)
URL
http://www.health.state.mn.us/e-health/privacy/index.html
https://www.revisor.mn.gov/statutes/?id=144.291
http://www.health.state.mn.us/divs/hpsc/dap/consent.pdf
http://www.health.state.mn.us/e-health/privacy/standconsentqa.pdf
http://www.health.state.mn.us/divs/hpsc/ohit/umhie.html including
Consent Matrix, Common Consent Form, Request for HIE
http://www.health.state.mn.us/e-health/privacy/index.html
http://www.health.state.mn.us/e-health/lawsmn.html including
EHR, eRX, HIE Oversight, Health Record Act Fact Sheet,
Healthcare Administrative Simplification
http://www.health.state.mn.us/e-health/lawsmn.html
http://www.health.state.mn.us/e-health/hras/hras2012.html
Managing Patient Consent for Your Facility
Use the following checklist to make sure you have appropriately addressed patient consent as you
begin to use HIE:
 Know the HIPAA requirements surrounding consent. HIPAA permits, but does not require,
providers to obtain consent for use of protected health information for treatment, payment,
and health care operations.
 Know the requirements for obtaining consent in your state and care setting —which may be
more stringent than HIPAA.
 Be sure that both HIPAA and state consent and authorization requirements are applied in a
manner consistent with the Confidentiality of Alcohol and Drug Abuse Patient Records
regulations (45 CFR Part 2). The following are useful references pertaining to electronic
health record (EHR) and HIE:
o The Confidentiality of Alcohol and Drug abuse Patient Record Regulation and the
HIPAA Privacy Rule: Implications for Alcohol and Substance Abuse Programs, June
2004, Substance Abuse and Mental Health Services Administration,
http://www.samhsa.gov/healthprivacy/docs/samhsapart2-hipaacomparison2004.pdf
o HIPAA Crosswalk with 42 CFR Part 2, prepared by the Texas Department of State
Health Services, http://www.dshs.state.tx.us/hipaa/privacynoticessa.shtm
o Frequently Asked Questions: Applying the Substance Abuse Confidentiality
Regulations to Health Information Exchange (HIE), Prepared by the Legal Action
Center for the Substance Abuse and Mental Health Services Administration,
http://www.samhsa.gov/healthprivacy/docs/ehr-faqs.pdf
Section 4 Implement—Managing Person Consent - 2
 Learn about the requirements for obtaining consent to participate in the HIO in your state or
region in which you plan to participate.
o Opt in: requires action or affirmation by an individual for inclusion; default is
exclusion
o Opt out: requires action or affirmation for exclusion; default is inclusion
 Collaborate with your EHR vendor to learn how you may be able to manage the person
consent requirements of your HIO within your EHR.
 Remember when using the Direct protocol for exchanging health information in secured
email, there is no monitoring of person consent as there is within an HIO. This does not
absolve you from obtaining consent, but may not require you to obtain consent as specific as
would be required when participating in an HIO. Refer to Federal Meaningful Consent
resources for additional information.
Because an HIO is considered an intermediary—and a HIPAA business associate of the
participating covered entities—the relationship between a behavioral health provider and the
HIO is somewhat different than when using Direct email only between two behavioral health
providers or the provider and patient. Furthermore, most HIOs collect and store at least some
health information. This may be used to aggregate data or simply to make it easier to
facilitate the exchange of data. This intermediary data storage increases concerns about
potential misuse of the data—hence the stricter requirements for consent in an HIO.
Note: the requirements for managing your client’s consent should be reviewed with your legal
council.
Copyright © 2014 Stratis Health.
Section 4 Implement—Managing Person Consent - 3
Updated 04-17-14