Part One: Privacy & Consent Management Landscape and Challenges to Scale

By Hans Buitendijk, Chair, EHR Association Privacy & Consent Task Force

As health data flows more widely and automatically across providers, payers, patients, public health, researchers, and others, automated tools to filter for data that is not authorized to be shared have become imperative.  

To date, relatively simple and coarse methods have been deployed where large data sets are excluded from exchange:

  • Patients can opt in or out of sharing all their data.
  • Networks only allow for the exchange of select data (e.g., patients over 18 years old).
  • HIPAA allows for the sharing of data for treatment, payment, and operations (TPO) without consent broadly across providers and with payers for services covered.

While patients can ask for their data, or subsets thereof, not to be shared, implementing this is challenging in the absence of a comprehensive set of agreed-upon standards, computable consent-to-share directives, and a federated infrastructure to manage approved consents at scale across documentation, approval, and execution. Similarly, more jurisdictions are establishing a greater variety of increasingly complex privacy rules. Because these rules are not computable and standards-based, they can conflict for the same patient and data, leaving it unclear who can share what with whom.

This blog series focuses on understanding the different aspects of privacy and consent management and the gaps that need to be addressed to enable authorized data sharing at scale without unnecessarily restricting data sharing out of an abundance of caution.

We recognize that sharing a complete patient data set is critical to enabling good clinical decision-making and that, absent certain data, patient safety could be compromised. Addressing the appropriateness of certain privacy rules with a patient’s data-sharing preferences in the context of patient safety considerations is out of scope. Rather, the focus is on properly managing privacy and patient data-sharing rules recognized by jurisdictions, providers, and patients.

Privacy and consent management involves several key components that must be considered when enabling management at scale:

  • Terminology – Agreed-upon vocabulary used in privacy and consent rules identifying sensitive data directly (e.g., conditions, test codes and values, nomenclatures codes, procedures, medications) and categorically (e.g., sensitivity flags to tag/segment data, data sets, and/or documents), notifiable events, and other relevant data.
  • Administration – The ability to record and share privacy and consent rules in a computable format that systems can unambiguously and consistently apply to their data-sharing authorization services. These rules would be expressed in an industry format, utilizing specific sensitive data codes and values directly, the presence of sensitivity flags where sensitive data codes and values cannot be used directly, as well as sensitive context rules (a combination of multiple data elements that together would yield data being flagged as sensitive, e.g., medications that on their own are not necessarily indicative of sensitive data, but in combination with other medications and/or laboratory results could be).
  • Authorization Services – Tools and capabilities used by protected health information (PHI) data holders to filter data and documents that cannot be shared with the requesting or target data source based on the privacy rules, a patient’s data sharing rules, and potential local policies.

These need to come together to enable a data holder to respond correctly to a request for information by pushing data to the target source using any format or method. The recipient will, in turn, manage access to the data received by their user community.
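As an added illustration (not code from the post or from the EHR Association), the following sketch shows how the three components could combine in an authorization service: direct sensitive codes and a sensitive context rule set sensitivity flags, and jurisdiction rules plus patient directives are then evaluated per flag for a given purpose and recipient. All codes, the rule format, and the policy that an unaddressed, denied, or conflicting flag is withheld are assumptions made for this example.

```python
# Constructed sample terminology (hypothetical codes, not from the post): direct codes
# map to a flag; the context rule flags MED-A and LAB-B only when both are present.
DIRECT_SENSITIVE = {"HIV-TEST": "HIV", "PSYCH-NOTE": "MENTAL_HEALTH"}
CONTEXT_RULES = [({"MED-A", "LAB-B"}, "SUBSTANCE_USE")]

def tag_sensitivity(codes):
    """Map each code in a record to its sensitivity flags (empty set if none)."""
    flags = {c: set() for c in codes}
    for c in codes:
        if c in DIRECT_SENSITIVE:
            flags[c].add(DIRECT_SENSITIVE[c])
        for combo, flag in CONTEXT_RULES:
            if c in combo and combo <= set(codes):
                flags[c].add(flag)
    return flags

def _applies(rule, flag, purpose, recipient):
    return (rule["flag"] == flag and rule["purpose"] in (purpose, "*")
            and rule["recipient"] in (recipient, "*"))

def authorize(record, purpose, recipient, jurisdiction_rules, patient_directives):
    """Unflagged items flow (baseline TPO sharing). A flagged item is released only if
    every flag is explicitly permitted and nothing denies it; an unaddressed, denied or
    conflicting flag is withheld (assumed most-restrictive policy)."""
    rules, released = jurisdiction_rules + patient_directives, []
    for code, flags in tag_sensitivity(record).items():
        for flag in flags:
            decisions = {r["decision"] for r in rules if _applies(r, flag, purpose, recipient)}
            if decisions != {"permit"}:
                break
        else:
            released.append(code)
    return released

# Constructed rules: the jurisdiction bars mental-health data from payers; the patient
# permits HIV and substance-use data for treatment only and mental-health data to anyone.
JURISDICTION_RULES = [{"flag": "MENTAL_HEALTH", "purpose": "*", "recipient": "payer", "decision": "deny"}]
PATIENT_DIRECTIVES = [
    {"flag": "HIV", "purpose": "treatment", "recipient": "*", "decision": "permit"},
    {"flag": "SUBSTANCE_USE", "purpose": "treatment", "recipient": "*", "decision": "permit"},
    {"flag": "MENTAL_HEALTH", "purpose": "*", "recipient": "*", "decision": "permit"}]

def released_codes(purpose, recipient):
    record = ["BP", "HIV-TEST", "MED-A", "LAB-B", "PSYCH-NOTE"]  # constructed sample record
    return authorize(record, purpose, recipient, JURISDICTION_RULES, PATIENT_DIRECTIVES)
```

For a payer requesting data for payment, only the unflagged item is released: the HIV and substance-use directives do not address that purpose, and the mental-health flag is both permitted by the patient and denied by the jurisdiction, so the conflict resolves to withhold.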

Rules Management

One of the most important questions is where the privacy and patient data sharing rules are managed, maintained, and shared with the data holders. Different approaches or combinations of approaches come to mind for the various types of rules management.

Privacy Rules

For privacy rules defined by jurisdictions, the rules should be defined by the jurisdictions owning them to ensure they consistently reflect the intent of the privacy rules. There would be an opportunity for a single national library for these, but one per jurisdiction would still be manageable. Either way, the data holders’ health IT would know exactly where to get the latest versions of the applicable rules for the jurisdictions relevant to a particular exchange (the jurisdiction of at least the data holder and, as needed, the recipient).

Patient Data Sharing Rules

Multiple approaches could be considered, including Provider Centric, Jurisdiction Centric, and Patient-Centric. Following is a non-exhaustive list that highlights some of the key challenges for each model.

  • Provider Centric – Patients maintain their consent directives with each of their providers and healthcare organizations. In a way, this mimics the current paper process where every provider requests consent from patients, who can also request additional or alternative consent directives. As patients must (or would like to) review their consent directive requests with their provider and get their approval, there is a clear need to have easy access by the provider and the patient during that process. However, the patient will need to maintain multiple consent directive repositories and keep them in sync. When they are out-of-sync it would be unclear as to which rules to consider.
  • Jurisdiction Centric – A patient’s data sharing rules directive repository is provided for each patient at the jurisdictional level. Aspects of this can be seen in Maryland’s approach, where the patient opt-out sharing directives must be managed with the state HIE. Currently, it would not manage all of a patient’s data-sharing rules when a more granular approach is necessary. It would enable fewer maintenance points, but patients receiving care across jurisdictional boundaries would need to manage multiple repositories. Additionally, patients may not be comfortable with a government entity managing this very sensitive set of data-sharing rules.
  • Patient Centric – Patients have a single repository for their consent directives, which would be held by a trusted party that would manage any rules across any providers and healthcare organizations that manage that data. The party of choice could be their most trusted provider, a jurisdiction, a personal health record (PHR) app provider, or any other party that may provide those capabilities. Patients would need to share access to that repository with all their providers, much as they share demographic data like phone numbers and addresses.

It is unclear which of these models will prevail, but a data holder would need access to one or more repositories containing a patient’s consent directives. Further, these repositories must make it possible for a patient to create and manage computable rules and to review them with their relevant providers for agreement where needed.

In the second part of this blog series, we lay out a proposed roadmap for establishing the necessary framework for privacy and consent management. 
