Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Risk Managing "Meaningful" Consent

1,279 views

Published on

This presentation from the 2014 ASHRM Conference analyzes the legal, regulatory and clinical risks related to meaningful consent and offers ways to mitigate them.

Published in: Health & Medicine
  • Be the first to comment

  • Be the first to like this

Risk Managing "Meaningful" Consent

  1. 1. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 1 A personal membership group of Risk Managing “Meaningful” Consent Timothy Kelly, MS, MBA Director Standard Register Healthcare Fay A. Rozovsky, JD, MPH President The Rozovsky Group, Inc. Atlanta, GA Williamsburg, VA A personal membership group of Information for the following credits may be  found on a flyer in your conference bag: • ASHRM CE Certificates (CPHRM renewal,  ACHE, NAHQ, HCCA/CCB) • CNE Credits • Illinois CLE Credits • CME Credits Continuing Education Reminders
  2. 2. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 2 A personal membership group of All presenters, Faculty, Panel Members and Content  Developers, unless indicated, have no significant  financial interest/arrangement with any organization  that could be perceived as a real or apparent conflict of  interest with the subject matter of the presentation.  Disclosure of Conflict of Interest and Commercial Support A personal membership group of Objectives Define the core elements of meaningful consent in  the electronic exchange of health information.  Analyze the legal, regulatory and clinical risk  exposures associated with meaningful consent. Describe steps to identify and mitigate risk  exposures stemming from meaningful consent. 
  3. 3. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 3 A personal membership group of Background: Release of Information in the Age of “the Cloud” A personal membership group of Hypoxic Ischemic Encephalopathy Health Insurance Exchange Health Information Exchange HIE – Acronym Check
  4. 4. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 4 A personal membership group of • System that allows for the  secure, electronic transfer  of a patient’s vital medical  information • Advantages include: – Speed – Availability of information – Fewer errors – Automatic integration of  data into the EHR Health Information Exchange (HIE) A personal membership group of HIE Implementation Status Directed and query exchanges are both available Only directed exchange is available Only query exchange is available Source:  HealthIT.gov  http://www.healthit.gov/policy‐researchers‐ implementers/state‐hie‐implementation‐status/ (accessed 9/1/14)
  5. 5. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 5 A personal membership group of Meaningful Consent in Context • 2011:  A federal advisory committee, the Health  Information Technology Policy Committee (HITPC),  recommends to the Office of the National Coordinator for  Health Information Technology (ONC), that patients be  given a “meaningful choice” as to whether their health  information is exchanged through certain types of HIEs. • March 2013:  ONC completes an eConsent Pilot Project in  Western New York using tablet computers to inform  patients about available options when deciding whether  or not to engage in the electronic sharing of their health  information via an HIE. A personal membership group of Why All the Fuss? • Isn’t a regular consent  authorization sufficient? • Why do we need yet  another layer of  complexity? T R U S T
  6. 6. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 6 A personal membership group of The Press is on IT • 40 million customers with  compromised credit and  debit card information • 70 million with  compromised email and  mailing address  information Harris EA, Perlroth N. Target missed signs of a data breach. The New York Times.  March 13, 2014. A personal membership group of The Press is on IT • 56 million  customers  compromised Vinton K. With 56 million cards  compromised, Home Depot's  breach is bigger than Target's.  Forbes. September 18, 2014.
  7. 7. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 7 A personal membership group of And in Healthcare “Hackers recently broke into  [the for‐profit hospital  chain’s] computers and stole  data on 4.5 million patients. Hackers have gained access to  their names, Social Security  numbers, physical addresses,  birthdays and telephone  numbers.”  http://money.cnn.com/2014/08/18/   technology/security/hospital‐chs‐hack/ A personal membership group of And Patients Know IT A psychiatric nursing  assistant monitoring  patients was seen taking  information from the unit  where the patients resided.   A folder with 47 pages of  PHI was found in a public  trash bin located off the  premises of the hospital. “I feel like I can’t trust  the hospital anymore,  not with anything  personal….I don’t  even know where the  records have been,”  said a patient. “Texas Psych Hospitals Deal with Privacy Breaches,” Modern Healthcare, January 28, 2014.
  8. 8. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 8 A personal membership group of The Core Elements of Meaningful Consent in the Electronic Exchange of Health Information A personal membership group of Definition Anyone? “Consent should not be a  ‘check‐the‐box’ exercise.  Meaningful consent occurs  when the patient makes an  informed decision and the  choice is properly recorded  and maintained.” Looks like a  statement about  a normal  treatment  consent, right? http://www.healthit.gov/providers‐professionals/patient‐consent‐electronic‐ health‐information‐exchange/meaningful‐consent‐overview
  9. 9. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 9 A personal membership group of 1. The decision is made after the patient has had  sufficient time to review educational material, 2. The choice is commensurate with circumstances  for why health information is exchanged (i.e., the  further the information‐sharing strays from a  reasonable patient expectation, the more time and  education is required for the patient before he or  she makes a decision), Six aspects of “meaningful” consent: http://www.healthit.gov/providers‐professionals/patient‐consent‐ electronic‐health‐information‐exchange/meaningful‐consent‐overview Core Elements Meaningful Consent A personal membership group of Core Elements Meaningful Consent 3. The patient’s choice is not used for discriminatory  purposes or as condition for receiving medical  treatment 4. The decision is commensurate with circumstances  for why individually identifiable health information  is exchanged, 5. The choice is consistent with patient expectations,  6. The choice is revocable at any time. http://www.healthit.gov/providers‐professionals/patient‐consent‐ electronic‐health‐information‐exchange/meaningful‐consent‐overview
  10. 10. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 10 A personal membership group of HIE Participation Models No Consent  is Obtained Opt Out  Model Opt In  Model Opt In with  Restrictions Opt Out  with  Restrictions A personal membership group of Popular Versions Meaningful Consent Opt‐in – Default is that patient health information  is not shared. Patients must actively express  their consent to share. Opt‐out – Default is for patient health  information to automatically be  available for sharing. Patients must  actively express their desire to not  have information shared if they  wish to prevent sharing. Bear a higher burden of proving that patient was educated on options
  11. 11. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 11 A personal membership group of Patient Choice “Patients may choose to  give providers and HIEs  full access to their  information, limited  access, or no access at all.” http://www.healthit.gov/providers‐professionals/patient‐consent‐ electronic‐health‐information‐exchange/meaningful‐consent‐overview A personal membership group of Patient Consent for HIE The three pillars of  Meaningful Consent http://www.healthit.gov/providers‐professionals/patient‐consent‐ electronic‐health‐information‐exchange/meaningful‐consent‐overview Technology Patient  Education and  Engagement Law and  Policy Meaningful  Consent for  Health  Information  Exchange
  12. 12. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 12 A personal membership group of Meaningful Consent Explained 1. Patient Education and Engagement – including educating patients  about their consent options, who may release their information and,  how, and the significance of the consent choice. 2. Technology – using technology to capture and maintain patient consent  decisions, identify which sensitive portions of patient information are  restricted from access, and communicate these restrictions  electronically with others. 3. Law and Policy – ensuring alignment with federal and state law and  other legal and policy requirements pertaining to consent, individual  choice, and confidentiality.” http://www.healthit.gov/providers‐professionals/patient‐consent‐ electronic‐health‐information‐exchange/meaningful‐consent‐overview A personal membership group of Relationship to “Meaningful Use” The CMS Medicare and Medicaid EHR Incentive  Programs provide financial incentives for the  “meaningful use” of certified EHR technology. To receive an EHR incentive payment, providers have to show that they are “meaningfully using” their certified EHR  technology by meeting certain measurement thresholds Stage 1  requirements, Stage 2 requirements, etc. CMS has established  these thresholds for eligible professionals, eligible hospitals, and  critical access hospitals (CAHs). http://www.healthit.gov/policy‐researchers‐ implementers/meaningful‐use‐regulations
  13. 13. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 13 A personal membership group of Meaningful Use Stage 3 Discussion “Some federal and state health information privacy and  confidentiality laws, including but not limited to 42 CFR Part 2  (for substance abuse), establish detailed requirements for  obtaining patient consent for sharing certain sensitive health  information, including restricting the recipient’s further  disclosure of such information. How can MU help improve the capacity of EHR infrastructure  to record consent, limit the disclosure of this information to  those providers and organizations specified on a consent  form, manage consent expiration and consent revocation,  and communicate the limitations on use and restrictions on  redisclosure to receiving providers?” Request for commentary from the HITPC http://www.healthit.gov/sites/default/files/hitpc_stage3_rfc_final.pdf A personal membership group of Relationship to Shared Decision-Making • Leveling the playing field – the  two‐way conversation between  the patient and care provider(s) • Using comparative effectiveness  data  to inform the patient • Use of decision aids • Patient preferences SEC. 3506. PROGRAM TO FACILITATE SHARED DECISIONMAKING (Part D of title IX  of the Public Health Service Act, as amended  by section 3503, is further amended  by adding at the end the  following: ‘‘SEC. 936. PROGRAM TO FACILITATE SHARED  DECISIONMAKING.) Could it be used in meaningful consent?
  14. 14. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 14 A personal membership group of The Legal, Regulatory and Clinical Risk Exposures Associated with Meaningful Consent A personal membership group of The Legal Component Legislation in the 50 states HIPAA The Privacy Act of  1974 ARRA 2009 Affordable Care Act  2010
  15. 15. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 15 A personal membership group of • Requires “Opt In” for HIE participation  (currently limited to HIE demonstration  projects) • Requires faster breach notification – CA = 5 days, Federal = 60 days • Elevated restrictions on use of “routine” PHI for the  purpose of treatment, payment and health care  operations – CA requires prior written authorization for sensitive PHI  disclosures (e.g. psychotherapy notes, drug and alcohol  treatment records, HIV status and test results) State Law (California as an Example) A personal membership group of Federal Regulation HIPAA Privacy HIPAA Security GINA HITECH Shared Savings  Program ACOs FERPA Privacy Regs Clinical Research Regs …………………… The MU Incentive Rules CMPs
  16. 16. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 16 A personal membership group of HIPAA Highlights: Privacy Rule Limits use and disclosure of  PHI for  marketing and fundraising purposes,  and prohibits the sale of PHI without  individual authorization. Individual can receive electronic  copies of their health information via  regular (unencrypted) email. Individuals may restrict disclosures to  a health plan (and Medicare)  concerning treatment for which the  individual has paid out of pocket in  full. HIPAA Privacy creates its own flavor of the “Opt Out” and adds to Restriction complexity [Omnibus Final Rule, Effective September 23, 2013] A personal membership group of • Restrictions on disclosure of PHI to others (e.g.  spouse, parent, family) – Provider is not obligated to agree to request – If reasonable and agreed to, request must be honored • Restrictions on means of communication (e.g. bills  sent to work address instead of home address,  follow‐up calls to cell phone instead of home phone) Common Restrictions
  17. 17. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 17 A personal membership group of ACOs (The Medicare Shared Savings Program Final Rule) “Beneficiaries will be given the opportunity to decline this  data sharing as part of this notification. After a period of  30 days from the date the ACO provides such  notification, ACOs will be able to request beneficiary  identifiable data from us absent an opt‐out request from the beneficiary.  Although we would expect providers/suppliers to still  actively engage beneficiaries in conversation about the  Shared Savings Program and their ability to decline to  share their own health data at the beneficiaries’ first  primary care visit.” Fed Reg. 76(212): 67851, November 2, 2011. A personal membership group of ACOs (The Medicare Shared Savings Program Final Rule) “Upon signing participation agreements and a DUA, ACOs  will be provided with a list of preliminary prospectively  assigned set of beneficiaries… who are likely to be  assigned to the ACO…  ACOs may utilize this initial preliminary prospectively  assigned list along with the quarterly lists to provide  beneficiaries with advance notification prior to a  primary care service visit of their participation in the  shared savings program and their intention to request  their beneficiary identifiable data.” Fed Reg. 76(212): 67851, November 2, 2011.
  18. 18. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 18 A personal membership group of Top Reasons for HIPAA Breaches Under  the HITECH Act  Theft Loss Unauthorized Access/Disclosure Incorrect Mailing Hacking/IT Incident Improper Disposal Hourihan C, Cline B. A Look Back: U.S. Healthcare Data Breach Trends. Health  Information Trust Alliance (HITRUST).  December 2012. T R U S T The Risk Exposures A personal membership group of The Risk Exposures T R U S T Other Risks Inaccurate information – “I am not a drug  addict, but that is what is in the HIE about me!” Medical errors from incomplete data in the HIE. Untimely uploading and/or updating of HIE  information.
  19. 19. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 19 A personal membership group of Liability Risks • Breach of a Standard of Care – “But I thought I followed  the requirements for informed consent under state law.   Ah, wait a minute, no, I followed that federal ‘meaningful  consent’ stuff.” • Unauthorized Disclosure to the HIE – “June, I thought  you consented Thad Roft to sharing his EHR information  on the HIE.  He is furious.  He said he never agreed to it.” • Permission Creep – “Our compliance team is concerned  that the Opt‐In for Meaningful Consent does not address  the use of HIE data for population health studies.” A personal membership group of Say Goodbye to Shared Savings § 425.710 Data use agreement.  (a)(1)….the ACO must comply with the limitations on use  and disclosure that are imposed by HIPAA. (2) If the ACO misuses or discloses data in a manner  that violates any applicable statutory or regulatory  requirements or that is otherwise non‐compliant with  the provisions of the DUA, it will no longer be eligible  to receive data under subpart H of this part, may be  terminated from the Shared Savings Program under  §425.218, and may be subject to additional sanctions  and penalties available under the law. Medicare Program; Medicare Shared Savings Program:  Accountable Care Organizations; Final Rule, Fed Reg.76(212):   67802‐67990, 67989, November 2, 2011.  
  20. 20. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 20 A personal membership group of Identifying and Mitigating Meaningful Consent Risk Exposures A personal membership group of • Membership: HIM, IT, clinical leadership, legal  counsel, patient relations and “typical” patients • Design procedures from the patient’s perspective • Address any applicable state statutes • Review other consent scenarios as appropriate (e.g. consent for treatments and procedures, consent  for participation in clinical trials) Form a Review Group
  21. 21. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 21 A personal membership group of Consent Time Out Learn the best way to communicate  with this patient and the right  educational tools to use for him or her. Look for such issues as:  Cognitive ability  Hearing  Visual impairment  Language   The need for interpreters  Culture  Health literacy Rozovsky FA. Consent Time Out. Dialogues in Healthcare 2008;2(7):1‐11. A personal membership group of It is a Two-Way Conversation • Understandable explanation • Probable benefits and risks in consent  to participation in the HIE • Explanation of alternatives, including  restrictions on use • Consequences of declining  participation in the HIE • Employ teach‐back to confirm  understanding Reasonable expectations No coercion – no intimidation
  22. 22. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 22 A personal membership group of Make it an “INFORMED” Refusal • Does “no” mean NO? • Complete an informed  refusal process. • Try to identify any basis  for misunderstanding  that could lead to a  refusal. A personal membership group of Data Partitioning  Restrictive permission from  “meaningful” consent  Withdrawal at anytime of consent  to inclusion of data in the HIE  IT needs to be part of the picture  Office and clinic IT folks need to  be in the loop  Systems analytics for monitoring  Test the system  Log permissions for HIE  Log partial permissions/partial  exclusions for HIE  Log withdrawal of consent
  23. 23. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 23 A personal membership group of Documenting Meaningful Consent The consent The partial  consent The refusal  consent The decision  reversal  Who consented the patient?  Ability of the individual to make a  decision.  Who was present?  Record a summary of the consent  process.  Record the agreed upon course of action  regarding HIE.  Document the use of language  interpreters and the language used.  Record the titles of decision aids used in  the process.  Date and Time. A personal membership group of Conclusion A clearer public policy is  needed from federal and state  officials on meaningful consent. At the operations level, much  can be done by healthcare risk  management professionals to  mitigate the risks of this new  approach to consent and HIE.
  24. 24. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 24 A personal membership group of Questions? Fay Rozovsky, JD, MPH fay@therozovskygroup.com Tim Kelly, MS, MBA timothy.kelly@standardregister.com A personal membership group of • Rozovsky FA, CONSENT TO TREATMENT:  A PRACTICAL GUIDE, 4TH EDITION.  New York:  Wolters Kluwer, 2007 with annual  supplements. • HIPAA Privacy Rule, Final Rule, Federal Register, 78: 5687,et seq.,  Jan. 25, 2013. http://www.gpo.gov/fdsys/pkg/FR‐2013‐01‐ 25/pdf/2013‐01073.pdf • Shared Savings Program for Medicare Accountable Care  Organizations, Federal Register, 76: 67802, et seq., November 2  2011. • Patient Consent for HIE, http://www.healthit.gov/providers‐ professionals/patient‐consent‐electronic‐health‐information‐ exchange/meaningful‐consent‐overview, last updated on March 24,  2014. Reference List
  25. 25. Risk Managing Meaningful Consent October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 25 A personal membership group of • EHR Incentives & Certification, http://www.healthit.gov/providers‐ professionals/meaningful‐use‐definition‐objectives, last updated on  March 18, 2014. • Rozovsky FA. Consent Time Out. Dialogues in Healthcare  2008;2(7):1‐11. www.therozovskygroup.com • Rozovsky F, Kelly T. Mitigating the risks of 'meaningful consent' for  HIE participation. Healthcare IT News. April 3, 2014.  http://www.healthcareitnews.com/blog/mitigating‐risks‐ meaningful‐consent‐hie‐participation Reference List

×