1. Data Reuse Agreements: A Patient Centered Approach To Clinical Data Consent Management
Title: Data Reuse Agreements: Patient Consent To Share Clinical Data
Date of Release: 4/19/2011
Case Number: 11-1601
Problem
All health care providers, payers, and institutional users of health records (including DoD, VA, CMS, NIH,
SSA,etc.) must comply with HIPAA, ARRA, and no doubt future laws to protect patient privacy. Currently,
datacan be shared for purposes predefined by law, but the patient has no effective way to restrict
thesereleases (e.g., to exclude certain recipients, or control access to especially sensitive data such as
mental health or reproductive information). Beyond this, the patient must signan explicit paper consent
form, typically agreeing to the provider’s data sharing policy terms without modification. Thereis no way
to pass written restrictions to an automated data release system, to authenticate a faxedform, to let a
patient reuse a well thought-out set of conditions, to change preferences withoutchanging the paper
copy at each provider, to indicate willingness to share their data with anyreputable researchers, to
establish a family member or trusted physician as a proxy, or to review allrequests for one’s records. As
a result, delays and denials occur, inhibiting emergency care, referrals,and research.
Objectives
• Create a template-driven user interface to capture complex patient preferences, organized by
purpose (e.g., research, emergency access), by provider type and by relationship (e.g., referral).
• Testthe user interface with MITRE staff outside the project.
• Demonstrate use of potential data sources(e.g., a registry of physicians’ credentials and on-call
substitutes, or of institutions that routinely doemergency care).
• Identify and solve thorny technical problems such as mixing patient andgovernment preferences, or
restrictions where enforcement (e.g., on free text) cannot be guaranteed.
Activities
MITRE is pioneering a mechanism (called Kairon) by which each patient has a consent ruleset, available
in one placethat describes what data may be released in what situations. The user interface for creating
the rule set encourages general, reusableconstructs, (e.g., “doctors with whom I have a treatment
relationship”). Our architecture works both intoday’s largely manual system, and with gradually
increasing automation, and permits consent management servicesproviders (perhaps the payers, major
integrated providers such as the VA, or PHR vendors) to compete for patients. We have created a
prototypeand written several papers describing the requirements and conops, a solution architecture,
anddrilling down on specific problems. We hope to transition our work to multiple sponsors (VA, DoD,
CMS,ONC, SAMHSA) and are integrating our work with other projects in the MITRE health care
ecosystem (HealthLab,MedCafe, and ESP). Our code is posted in an open-source repository.
Impact
2. Our work has potential application to all of MITRE's sponsors and customers involved in the collection
and release of protected health information.
This includes: the Office of the National Coordinator for Health Information Technology, the Department
of Veterans Affairs, the DoDMilitary Health System and Tricare program, the Centers for Medicare and
Medicaid Services, the Food and DrugAdministration, the National Institutes of Health, the Indian Health
System, etc.