Section 4.13 Implement Managing Patient Consent Prepare to manage your clients’ consent for participating in health information exchange (HIE). Time needed: 2 hours Suggested other tools: NA How to Use 1. Gain an appreciation of the need for managing patient consent and access in HIE. 2. Adopt tools to obtain, manage, and supply consent when submitting and/or requesting a given person’s health information via a health information exchange organization (HIO) or other HIE process. Patient Consent for eHIE – Electronic Health Information Exchange As health information exchange through electronic systems increases, patients’ trust in HIE must be ensured – and patients may be more often asked to make an “informed” consent decisions. This consent decision concerns the sharing and accessing of the patients’ health information through an eHIE for treatment, payment and healthcare operations purposes. To achieve this, many states have adopted consent requirements for their HIO/HIE/HDIs or have otherwise modified their state statutes on health information privacy. Federal Resources – Meaningful Consent Support Through the ONC (Office of the National Coordinator) of Health Information Technology federal HHS resources support the concept of “meaningful consent” strategies and tools which can be used by health care providers to engage and educate patients, provide background information, videos, customizable tools, and provide practical implementation tips in fostering trust in new technologies and greater understanding of options for participating in meaningful informed consent decisions: Resource Name Patient Consent for Electronic Health Information Exchange – eConsent Toolkit Meaningful Consent Overview Patient Education and Engagement Technology Aspects of Capturing and Maintaining Consent Decisions Health Information Privacy Law & Policy Recommendations to Health IT Policy Committee: Family, Friends & Personal Representative Access – Intersection of VDT for MU2 Section 4 Implement—Managing Person Consent - 1 URL http://www.healthit.gov/providers-professionals/patient-consentelectronic-health-information-exchange http://www.healthit.gov/providers-professionals/patient-consentelectronic-health-information-exchange/meaningful-consentoverview http://www.healthit.gov/providers-professionals/patient-consentelectronic-health-information-exchange/patient-education-andengagement http://www.healthit.gov/providers-professionals/patient-consentelectronic-health-information-exchange/patient-education-andengagement http://www.healthit.gov/providers-professionals/patient-consentelectronic-health-information-exchange/health-informationprivacy-law-policy http://www.healthit.gov/FACAS/sites/faca/files/HITPC_Personal RepresentativeUpdate_2014-04-08.pdf State and Local Patient Consent Requirements Although the federal government provides excellent tools to assist HIOs and the participants who use them, consent is unique to each state. In some cases, it is even unique to a certain HIO or provider organization that may choose to enforce more stringent requirements than its state or the federal government requires. Minnesota provides an example of tools it uses to manage consent below. For more information on Federal, State and Organizational Resources about Consent, Personal Choice, and Confidentiality visit Quick Links under the Health Information Privacy Law and Policy URL above. Minnesota Consent Resources Minnesota Privacy Resources Minnesota Health Records Act Minnesota Standard Consent Form and Instructions for Completing Q&A: Standard Consent Form to Release Health Information (MN) Upper Midwest Health Information Exchange Consortium to advance Interstate Exchange of PHR (UM HIE) Minnesota Privacy & Security Resources MN Laws & Mandates (Index) MN State Response to HITECH ACT MN Health Records Access Study (2013) URL http://www.health.state.mn.us/e-health/privacy/index.html https://www.revisor.mn.gov/statutes/?id=144.291 http://www.health.state.mn.us/divs/hpsc/dap/consent.pdf http://www.health.state.mn.us/e-health/privacy/standconsentqa.pdf http://www.health.state.mn.us/divs/hpsc/ohit/umhie.html including Consent Matrix, Common Consent Form, Request for HIE http://www.health.state.mn.us/e-health/privacy/index.html http://www.health.state.mn.us/e-health/lawsmn.html including EHR, eRX, HIE Oversight, Health Record Act Fact Sheet, Healthcare Administrative Simplification http://www.health.state.mn.us/e-health/lawsmn.html http://www.health.state.mn.us/e-health/hras/hras2012.html Managing Patient Consent for Your Facility Use the following checklist to make sure you have appropriately addressed patient consent as you begin to use HIE: Know the HIPAA requirements surrounding consent. HIPAA permits, but does not require, providers to obtain consent for use of protected health information for treatment, payment, and health care operations. Know the requirements for obtaining consent in your state and care setting —which may be more stringent than HIPAA. Be sure that both HIPAA and state consent and authorization requirements are applied in a manner consistent with the Confidentiality of Alcohol and Drug Abuse Patient Records regulations (45 CFR Part 2). The following are useful references pertaining to electronic health record (EHR) and HIE: o The Confidentiality of Alcohol and Drug abuse Patient Record Regulation and the HIPAA Privacy Rule: Implications for Alcohol and Substance Abuse Programs, June 2004, Substance Abuse and Mental Health Services Administration, http://www.samhsa.gov/healthprivacy/docs/samhsapart2-hipaacomparison2004.pdf o HIPAA Crosswalk with 42 CFR Part 2, prepared by the Texas Department of State Health Services, http://www.dshs.state.tx.us/hipaa/privacynoticessa.shtm o Frequently Asked Questions: Applying the Substance Abuse Confidentiality Regulations to Health Information Exchange (HIE), Prepared by the Legal Action Center for the Substance Abuse and Mental Health Services Administration, http://www.samhsa.gov/healthprivacy/docs/ehr-faqs.pdf Section 4 Implement—Managing Person Consent - 2 Learn about the requirements for obtaining consent to participate in the HIO in your state or region in which you plan to participate. o Opt in: requires action or affirmation by an individual for inclusion; default is exclusion o Opt out: requires action or affirmation for exclusion; default is inclusion Collaborate with your EHR vendor to learn how you may be able to manage the person consent requirements of your HIO within your EHR. Remember when using the Direct protocol for exchanging health information in secured email, there is no monitoring of person consent as there is within an HIO. This does not absolve you from obtaining consent, but may not require you to obtain consent as specific as would be required when participating in an HIO. Refer to Federal Meaningful Consent resources for additional information. Because an HIO is considered an intermediary—and a HIPAA business associate of the participating covered entities—the relationship between a behavioral health provider and the HIO is somewhat different than when using Direct email only between two behavioral health providers or the provider and patient. Furthermore, most HIOs collect and store at least some health information. This may be used to aggregate data or simply to make it easier to facilitate the exchange of data. This intermediary data storage increases concerns about potential misuse of the data—hence the stricter requirements for consent in an HIO. Note: the requirements for managing your client’s consent should be reviewed with your legal council. Copyright © 2014 Stratis Health. Section 4 Implement—Managing Person Consent - 3 Updated 04-17-14