This presentation from the 2014 ASHRM Conference analyzes the legal, regulatory and clinical risks related to meaningful consent and offers ways to mitigate them.
1. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 1
A personal
membership group of
Risk Managing
“Meaningful” Consent
Timothy Kelly, MS, MBA
Director
Standard Register Healthcare
Fay A. Rozovsky, JD, MPH
President
The Rozovsky Group, Inc.
Atlanta, GA Williamsburg, VA
A personal
membership group of
Information for the following credits may be
found on a flyer in your conference bag:
• ASHRM CE Certificates (CPHRM renewal,
ACHE, NAHQ, HCCA/CCB)
• CNE Credits
• Illinois CLE Credits
• CME Credits
Continuing
Education Reminders
2. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 2
A personal
membership group of
All presenters, Faculty, Panel Members and Content
Developers, unless indicated, have no significant
financial interest/arrangement with any organization
that could be perceived as a real or apparent conflict of
interest with the subject matter of the presentation.
Disclosure of Conflict of Interest
and Commercial Support
A personal
membership group of
Objectives
Define the core elements of meaningful consent in
the electronic exchange of health information.
Analyze the legal, regulatory and clinical risk
exposures associated with meaningful consent.
Describe steps to identify and mitigate risk
exposures stemming from meaningful consent.
3. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 3
A personal
membership group of
Background:
Release of Information in
the Age of “the Cloud”
A personal
membership group of
Hypoxic Ischemic Encephalopathy
Health Insurance Exchange
Health Information Exchange
HIE –
Acronym Check
4. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 4
A personal
membership group of
• System that allows for the
secure, electronic transfer
of a patient’s vital medical
information
• Advantages include:
– Speed
– Availability of information
– Fewer errors
– Automatic integration of
data into the EHR
Health Information
Exchange (HIE)
A personal
membership group of
HIE
Implementation Status
Directed and query exchanges are both available
Only directed exchange is available
Only query exchange is available
Source: HealthIT.gov
http://www.healthit.gov/policy‐researchers‐
implementers/state‐hie‐implementation‐status/
(accessed 9/1/14)
5. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 5
A personal
membership group of
Meaningful Consent
in Context
• 2011: A federal advisory committee, the Health
Information Technology Policy Committee (HITPC),
recommends to the Office of the National Coordinator for
Health Information Technology (ONC), that patients be
given a “meaningful choice” as to whether their health
information is exchanged through certain types of HIEs.
• March 2013: ONC completes an eConsent Pilot Project in
Western New York using tablet computers to inform
patients about available options when deciding whether
or not to engage in the electronic sharing of their health
information via an HIE.
A personal
membership group of
Why All the Fuss?
• Isn’t a regular consent
authorization sufficient?
• Why do we need yet
another layer of
complexity?
T
R
U
S
T
6. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 6
A personal
membership group of
The Press is on IT
• 40 million customers with
compromised credit and
debit card information
• 70 million with
compromised email and
mailing address
information
Harris EA, Perlroth N. Target missed signs of a data breach. The New York Times. March 13, 2014.
A personal
membership group of
The Press is on IT
• 56 million
customers
compromised
Vinton K. With 56 million cards
compromised, Home Depot's
breach is bigger than Target's.
Forbes. September 18, 2014.
7. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 7
A personal
membership group of
And in Healthcare
“Hackers recently broke into
[the for‐profit hospital
chain’s] computers and stole
data on 4.5 million patients.
Hackers have gained access to
their names, Social Security
numbers, physical addresses,
birthdays and telephone
numbers.”
http://money.cnn.com/2014/08/18/
technology/security/hospital‐chs‐hack/
A personal
membership group of
And Patients Know IT
A psychiatric nursing
assistant monitoring
patients was seen taking
information from the unit
where the patients resided.
A folder with 47 pages of
PHI was found in a public
trash bin located off the
premises of the hospital.
“I feel like I can’t trust
the hospital anymore,
not with anything
personal….I don’t
even know where the
records have been,”
said a patient.
“Texas Psych Hospitals Deal with Privacy Breaches,” Modern Healthcare, January 28, 2014.
8. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 8
A personal
membership group of
The Core Elements of
Meaningful Consent in the
Electronic Exchange of
Health Information
A personal
membership group of
Definition Anyone?
“Consent should not be a
‘check‐the‐box’ exercise.
Meaningful consent occurs
when the patient makes an
informed decision and the
choice is properly recorded
and maintained.”
Looks like a
statement about
a normal
treatment
consent, right?
http://www.healthit.gov/providers‐professionals/patient‐consent‐electronic‐
health‐information‐exchange/meaningful‐consent‐overview
9. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 9
A personal
membership group of
1. The decision is made after the patient has had
sufficient time to review educational material,
2. The choice is commensurate with circumstances
for why health information is exchanged (i.e., the
further the information‐sharing strays from a
reasonable patient expectation, the more time and
education is required for the patient before he or
she makes a decision),
Six aspects of “meaningful” consent:
http://www.healthit.gov/providers‐professionals/patient‐consent‐
electronic‐health‐information‐exchange/meaningful‐consent‐overview
Core Elements
Meaningful Consent
A personal
membership group of
Core Elements
Meaningful Consent
3. The patient’s choice is not used for discriminatory
purposes or as condition for receiving medical
treatment
4. The decision is commensurate with circumstances
for why individually identifiable health information
is exchanged,
5. The choice is consistent with patient expectations,
6. The choice is revocable at any time.
http://www.healthit.gov/providers‐professionals/patient‐consent‐
electronic‐health‐information‐exchange/meaningful‐consent‐overview
10. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 10
A personal
membership group of
HIE
Participation Models
No Consent
is Obtained
Opt Out
Model
Opt In
Model
Opt In with
Restrictions
Opt Out
with
Restrictions
A personal
membership group of
Popular Versions
Meaningful Consent
Opt‐in – Default is that patient health information
is not shared. Patients must actively express
their consent to share.
Opt‐out – Default is for patient health
information to automatically be
available for sharing. Patients must
actively express their desire to not
have information shared if they
wish to prevent sharing.
Bear a higher
burden of
proving that
patient was
educated on
options
11. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 11
A personal
membership group of
Patient Choice
“Patients may choose to
give providers and HIEs
full access to their
information, limited
access, or no access at all.”
http://www.healthit.gov/providers‐professionals/patient‐consent‐
electronic‐health‐information‐exchange/meaningful‐consent‐overview
A personal
membership group of
Patient Consent
for HIE
The three pillars of
Meaningful Consent
http://www.healthit.gov/providers‐professionals/patient‐consent‐
electronic‐health‐information‐exchange/meaningful‐consent‐overview
Technology
Patient
Education and
Engagement
Law and
Policy
Meaningful
Consent for
Health
Information
Exchange
12. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 12
A personal
membership group of
Meaningful
Consent Explained
1. Patient Education and Engagement – including educating patients
about their consent options, who may release their information and,
how, and the significance of the consent choice.
2. Technology – using technology to capture and maintain patient consent
decisions, identify which sensitive portions of patient information are
restricted from access, and communicate these restrictions
electronically with others.
3. Law and Policy – ensuring alignment with federal and state law and
other legal and policy requirements pertaining to consent, individual
choice, and confidentiality.”
http://www.healthit.gov/providers‐professionals/patient‐consent‐
electronic‐health‐information‐exchange/meaningful‐consent‐overview
A personal
membership group of
Relationship to
“Meaningful Use”
The CMS Medicare and Medicaid EHR Incentive
Programs provide financial incentives for the
“meaningful use” of certified EHR technology.
To receive an EHR incentive payment, providers
have to show that they are “meaningfully using” their certified EHR
technology by meeting certain measurement thresholds Stage 1
requirements, Stage 2 requirements, etc. CMS has established
these thresholds for eligible professionals, eligible hospitals, and
critical access hospitals (CAHs).
http://www.healthit.gov/policy‐researchers‐
implementers/meaningful‐use‐regulations
13. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 13
A personal
membership group of
Meaningful Use
Stage 3 Discussion
“Some federal and state health information privacy and
confidentiality laws, including but not limited to 42 CFR Part 2
(for substance abuse), establish detailed requirements for
obtaining patient consent for sharing certain sensitive health
information, including restricting the recipient’s further
disclosure of such information.
How can MU help improve the capacity of EHR infrastructure
to record consent, limit the disclosure of this information to
those providers and organizations specified on a consent
form, manage consent expiration and consent revocation,
and communicate the limitations on use and restrictions on
redisclosure to receiving providers?”
Request for commentary from the HITPC
http://www.healthit.gov/sites/default/files/hitpc_stage3_rfc_final.pdf
A personal
membership group of
Relationship to
Shared Decision-Making
• Leveling the playing field – the
two‐way conversation between
the patient and care provider(s)
• Using comparative effectiveness
data to inform the patient
• Use of decision aids
• Patient preferences
SEC. 3506. PROGRAM TO FACILITATE SHARED DECISIONMAKING (Part D of title IX
of the Public Health Service Act, as amended by section 3503, is further amended
by adding at the end the following: ‘‘SEC. 936. PROGRAM TO FACILITATE SHARED
DECISIONMAKING.)
Could it be used in meaningful consent?
14. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 14
A personal
membership group of
The Legal, Regulatory and
Clinical Risk Exposures
Associated with Meaningful
Consent
A personal
membership group of
The Legal
Component
Legislation in the 50 states
HIPAA
The Privacy Act of
1974
ARRA 2009
Affordable Care Act
2010
15. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 15
A personal
membership group of
• Requires “Opt In” for HIE participation
(currently limited to HIE demonstration
projects)
• Requires faster breach notification
– CA = 5 days, Federal = 60 days
• Elevated restrictions on use of “routine” PHI for the
purpose of treatment, payment and health care
operations
– CA requires prior written authorization for sensitive PHI
disclosures (e.g. psychotherapy notes, drug and alcohol
treatment records, HIV status and test results)
State Law
(California as an Example)
A personal
membership group of
Federal Regulation
HIPAA
Privacy
HIPAA
Security
GINA
HITECH
Shared Savings
Program ACOs
FERPA
Privacy Regs
Clinical Research Regs
……………………
The MU Incentive Rules
CMPs
16. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 16
A personal
membership group of
HIPAA Highlights:
Privacy Rule
Limits use and disclosure of PHI for
marketing and fundraising purposes,
and prohibits the sale of PHI without
individual authorization.
Individual can receive electronic
copies of their health information via
regular (unencrypted) email.
Individuals may restrict disclosures to
a health plan (and Medicare)
concerning treatment for which the
individual has paid out of pocket in
full.
HIPAA Privacy
creates its own
flavor of the “Opt
Out” and adds to
Restriction
complexity
[Omnibus Final Rule,
Effective September 23,
2013]
A personal
membership group of
• Restrictions on disclosure of PHI to others (e.g.
spouse, parent, family)
– Provider is not obligated to agree to request
– If reasonable and agreed to, request must be honored
• Restrictions on means of communication (e.g. bills
sent to work address instead of home address,
follow‐up calls to cell phone instead of home phone)
Common Restrictions
17. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 17
A personal
membership group of
ACOs (The Medicare Shared
Savings Program Final Rule)
“Beneficiaries will be given the opportunity to decline this
data sharing as part of this notification. After a period of
30 days from the date the ACO provides such
notification, ACOs will be able to request beneficiary
identifiable data from us absent an opt‐out request
from the beneficiary.
Although we would expect providers/suppliers to still
actively engage beneficiaries in conversation about the
Shared Savings Program and their ability to decline to
share their own health data at the beneficiaries’ first
primary care visit.”
Fed Reg. 76(212): 67851, November 2, 2011.
A personal
membership group of
ACOs (The Medicare Shared
Savings Program Final Rule)
“Upon signing participation agreements and a DUA, ACOs
will be provided with a list of preliminary prospectively
assigned set of beneficiaries… who are likely to be
assigned to the ACO…
ACOs may utilize this initial preliminary prospectively
assigned list along with the quarterly lists to provide
beneficiaries with advance notification prior to a
primary care service visit of their participation in the
shared savings program and their intention to request
their beneficiary identifiable data.”
Fed Reg. 76(212): 67851, November 2, 2011.
18. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 18
A personal
membership group of
Top Reasons for HIPAA Breaches Under
the HITECH Act
Theft
Loss
Unauthorized Access/Disclosure
Incorrect Mailing
Hacking/IT Incident
Improper Disposal
Hourihan C, Cline B. A Look Back: U.S. Healthcare Data Breach Trends. Health
Information Trust Alliance (HITRUST). December 2012.
T
R
U
S
T
The Risk Exposures
A personal
membership group of
The Risk Exposures
T
R
U
S
T
Other Risks
Inaccurate information – “I am not a drug
addict, but that is what is in the HIE about me!”
Medical errors from incomplete data in the HIE.
Untimely uploading and/or updating of HIE
information.
19. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 19
A personal
membership group of
Liability Risks
• Breach of a Standard of Care – “But I thought I followed
the requirements for informed consent under state law.
Ah, wait a minute, no, I followed that federal ‘meaningful
consent’ stuff.”
• Unauthorized Disclosure to the HIE – “June, I thought
you consented Thad Roft to sharing his EHR information
on the HIE. He is furious. He said he never agreed to it.”
• Permission Creep – “Our compliance team is concerned
that the Opt‐In for Meaningful Consent does not address
the use of HIE data for population health studies.”
A personal
membership group of
Say Goodbye to
Shared Savings
§ 425.710 Data use agreement.
(a)(1)….the ACO must comply with the limitations on use
and disclosure that are imposed by HIPAA.
(2) If the ACO misuses or discloses data in a manner
that violates any applicable statutory or regulatory
requirements or that is otherwise non‐compliant with
the provisions of the DUA, it will no longer be eligible
to receive data under subpart H of this part, may be
terminated from the Shared Savings Program under
§425.218, and may be subject to additional sanctions
and penalties available under the law.
Medicare Program; Medicare Shared Savings Program:
Accountable Care Organizations; Final Rule, Fed Reg.76(212):
67802‐67990, 67989, November 2, 2011.
20. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 20
A personal
membership group of
Identifying and
Mitigating Meaningful
Consent Risk Exposures
A personal
membership group of
• Membership: HIM, IT, clinical leadership, legal
counsel, patient relations and “typical” patients
• Design procedures from
the patient’s perspective
• Address any applicable
state statutes
• Review other consent
scenarios as appropriate
(e.g. consent for treatments and procedures, consent
for participation in clinical trials)
Form a
Review Group
21. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 21
A personal
membership group of
Consent Time Out
Learn the best way to communicate
with this patient and the right
educational tools to use for him or her.
Look for such issues as:
Cognitive ability
Hearing
Visual impairment
Language
The need for interpreters
Culture
Health literacy
Rozovsky FA. Consent Time Out. Dialogues in Healthcare 2008;2(7):1‐11.
A personal
membership group of
It is a Two-Way
Conversation
• Understandable explanation
• Probable benefits and risks in consent
to participation in the HIE
• Explanation of alternatives, including
restrictions on use
• Consequences of declining
participation in the HIE
• Employ teach‐back to confirm
understanding
Reasonable expectations No coercion – no intimidation
22. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 22
A personal
membership group of
Make it an
“INFORMED” Refusal
• Does “no” mean NO?
• Complete an informed
refusal process.
• Try to identify any basis
for misunderstanding
that could lead to a
refusal.
A personal
membership group of
Data Partitioning
Restrictive permission from
“meaningful” consent
Withdrawal at anytime of consent
to inclusion of data in the HIE
IT needs to be part of the picture
Office and clinic IT folks need to
be in the loop
Systems analytics for monitoring
Test the system
Log permissions for HIE
Log partial permissions/partial
exclusions for HIE
Log withdrawal of consent
23. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 23
A personal
membership group of
Documenting
Meaningful Consent
The
consent
The partial
consent
The refusal
consent
The decision
reversal
Who consented the patient?
Ability of the individual to make a
decision.
Who was present?
Record a summary of the consent
process.
Record the agreed upon course of action
regarding HIE.
Document the use of language
interpreters and the language used.
Record the titles of decision aids used in
the process.
Date and Time.
A personal
membership group of
Conclusion
A clearer public policy is
needed from federal and state
officials on meaningful consent.
At the operations level, much
can be done by healthcare risk
management professionals to
mitigate the risks of this new
approach to consent and HIE.
24. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 24
A personal
membership group of
Questions?
Fay Rozovsky, JD, MPH
fay@therozovskygroup.com
Tim Kelly, MS, MBA
timothy.kelly@standardregister.com
A personal
membership group of
• Rozovsky FA, CONSENT TO TREATMENT: A PRACTICAL GUIDE, 4TH
EDITION. New York: Wolters Kluwer, 2007 with annual
supplements.
• HIPAA Privacy Rule, Final Rule, Federal Register, 78: 5687,et seq.,
Jan. 25, 2013. http://www.gpo.gov/fdsys/pkg/FR‐2013‐01‐
25/pdf/2013‐01073.pdf
• Shared Savings Program for Medicare Accountable Care
Organizations, Federal Register, 76: 67802, et seq., November 2
2011.
• Patient Consent for HIE, http://www.healthit.gov/providers‐
professionals/patient‐consent‐electronic‐health‐information‐
exchange/meaningful‐consent‐overview, last updated on March 24,
2014.
Reference List
25. Risk Managing Meaningful Consent
October 29, 2014 8:45am
ASHRM Annual Conference & Exhibition Anaheim, CA Page 25
A personal
membership group of
• EHR Incentives & Certification, http://www.healthit.gov/providers‐
professionals/meaningful‐use‐definition‐objectives, last updated on
March 18, 2014.
• Rozovsky FA. Consent Time Out. Dialogues in Healthcare
2008;2(7):1‐11. www.therozovskygroup.com
• Rozovsky F, Kelly T. Mitigating the risks of 'meaningful consent' for
HIE participation. Healthcare IT News. April 3, 2014.
http://www.healthcareitnews.com/blog/mitigating‐risks‐
meaningful‐consent‐hie‐participation
Reference List