Edifecs

Matt Spielman

Posted on March 17, 2025 | 6 min read

Navigating the Patient Consent Management Landscape

Categories:

Consumer Experience

Healthcare Data

Regulatory Compliance


When CMS released the Interoperability and Prior Authorization Final Rule (CMS-0057-F) in January 2024, most of the headlines focused on the requirement to implement several new APIs for provider access, payer-to-payer data exchange, and prior authorization. But another key provision of 0057-F went largely undiscussed: the requirement for payers to capture and honor patient consent (an opt-in for payer-to-payer exchange, and an opportunity to opt out of provider access) before sharing medical information with other healthcare organizations.

Healthcare consumers’ concerns about how their data is being used (and by whom) are mounting. In a recent AMA survey of 1,000 patients, the prevailing sentiment was one of uncertainty: respondents aren’t sure how their health data is being used, by whom, or for what purpose. In fact, 25% of respondents said they weren’t fully comfortable with their own physicians having access to their health data. The 57F ruling is an important first step towards giving members greater control over their health data—but it’s just the tip of the iceberg.

The State of Consent Management

Within the healthcare system, data sharing between HIPAA covered entities (CEs) is governed by a clear set of rules. Protected health information (PHI) can be shared without member authorization for the purposes of "TPO": treatment, payment, and health care operations. Certain categories of information cannot be shared without the member's explicit permission even for those purposes: psychotherapy notes (under HIPAA itself), substance use disorder treatment records (under 42 CFR Part 2), and HIV status (under many state laws). Written authorization is likewise required before PHI is sold or used for marketing.

The most basic consent models are opt-in and opt-out. In an opt-in model, PHI cannot be shared until the member affirmatively grants permission. In an opt-out model, the member is presumed to consent to the permitted collection and use of their PHI unless they explicitly withdraw that consent; the default, in other words, is to share.
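As an added illustration (not code from the original post, and not an Edifecs product), the following Python models the rules just described as a consent-aware disclosure check: TPO disclosures of regular PHI follow the organization's opt-in or opt-out default, the sensitive categories named above always need an explicit grant, sale and marketing always need an explicit authorization, and a member restriction or a revoked grant is honored as of its timestamp. Every decision is appended to an audit trail so the member or a Privacy Officer can later see who asked for what. The category names, organizations, dates and the `treatment_exception` switch are constructed for the example; whether a treatment request should override a member's opt-out is a precedence question the post leaves open, and this code treats the restriction as winning.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class Purpose(Enum):
    TREATMENT = "treatment"
    PAYMENT = "payment"
    OPERATIONS = "operations"
    MARKETING = "marketing"
    SALE = "sale"


TPO = frozenset({Purpose.TREATMENT, Purpose.PAYMENT, Purpose.OPERATIONS})
# Categories that need explicit consent even for TPO (constructed labels for the example).
SENSITIVE = frozenset({"psychotherapy_notes", "hiv_status", "substance_use"})


@dataclass(frozen=True)
class Preference:
    """One member statement: a grant (opt-in) or a restriction (opt-out)."""
    kind: str                    # "grant" or "restriction"
    recipient: str               # organization name, or "*" for any recipient
    categories: frozenset        # data categories, or {"*"} for all
    purposes: frozenset          # Purpose members the statement covers
    effective: datetime
    revoked: Optional[datetime] = None   # revocation is a timestamp, not a deletion

    def applies(self, recipient, category, purpose, at):
        if at < self.effective or (self.revoked is not None and at >= self.revoked):
            return False
        if self.recipient not in ("*", recipient):
            return False
        if "*" not in self.categories and category not in self.categories:
            return False
        return purpose in self.purposes


@dataclass(frozen=True)
class Policy:
    model: str                        # "opt-in" or "opt-out" default for regular PHI under TPO
    treatment_exception: bool = True  # hypothetical switch: may treatment bypass an opt-in default?


@dataclass(frozen=True)
class DisclosureRequest:
    member_id: str
    requester: str
    purpose: Purpose
    categories: tuple
    at: datetime


def _on_file(prefs, kind, recipient, category, purpose, at):
    return any(p.kind == kind and p.applies(recipient, category, purpose, at) for p in prefs)


def decide(category, purpose, recipient, policy, prefs, at):
    """Return (permitted, reason) for releasing one data category to one recipient."""
    if purpose not in TPO:  # sale or marketing: no default ever covers it
        if _on_file(prefs, "grant", recipient, category, purpose, at):
            return True, "explicit authorization for non-TPO purpose"
        return False, "sale/marketing requires explicit authorization"
    if category in SENSITIVE:  # sensitive data: explicit consent even for TPO
        if _on_file(prefs, "grant", recipient, category, purpose, at):
            return True, "explicit consent for sensitive category"
        return False, "sensitive category requires explicit consent"
    if _on_file(prefs, "restriction", recipient, category, purpose, at):
        return False, "member restriction in force"  # design choice: restriction beats treatment
    if purpose is Purpose.TREATMENT and policy.treatment_exception:
        return True, "treatment exception"
    if policy.model == "opt-out":
        return True, "opt-out default, no restriction on file"
    if _on_file(prefs, "grant", recipient, category, purpose, at):
        return True, "opt-in grant on file"
    return False, "opt-in model, no grant on file"


def evaluate(req, policy, prefs, audit):
    """Decide each requested category and record who asked for what, and why it was answered."""
    decisions = {}
    for category in req.categories:
        permitted, reason = decide(category, req.purpose, req.requester, policy, prefs, req.at)
        decisions[category] = permitted
        audit.append({"member": req.member_id, "requester": req.requester, "purpose": req.purpose.value,
                      "category": category, "at": req.at.isoformat(), "permitted": permitted, "reason": reason})
    return decisions


def run_scenarios():
    """Constructed sample: a member with one time-limited grant and one standing restriction."""
    jan, feb, mar, apr = (datetime(2025, m, d, tzinfo=timezone.utc) for m, d in ((1, 1), (2, 10), (3, 1), (4, 5)))
    prefs = [
        Preference("grant", "mercy_hospital", frozenset({"substance_use"}), frozenset({Purpose.TREATMENT}), jan, mar),
        Preference("restriction", "acme_analytics", frozenset({"*"}), frozenset({Purpose.OPERATIONS}), jan),
    ]
    opt_out_state = Policy("opt-out")                             # opt-out for regular PHI, sensitive needs a grant
    opt_in_state = Policy("opt-in", treatment_exception=False)    # each new provider needs a fresh opt-in
    audit, out = [], {}
    out["ed_visit_feb"] = evaluate(DisclosureRequest("M-1001", "mercy_hospital", Purpose.TREATMENT, ("encounters", "substance_use"), feb), opt_out_state, prefs, audit)
    out["ed_visit_apr"] = evaluate(DisclosureRequest("M-1001", "mercy_hospital", Purpose.TREATMENT, ("encounters", "substance_use"), apr), opt_out_state, prefs, audit)
    out["marketing"] = evaluate(DisclosureRequest("M-1001", "wellness_marketing", Purpose.MARKETING, ("encounters",), feb), opt_out_state, prefs, audit)
    out["analytics_ops"] = evaluate(DisclosureRequest("M-1001", "acme_analytics", Purpose.OPERATIONS, ("claims",), feb), opt_out_state, prefs, audit)
    out["opt_in_new_provider"] = evaluate(DisclosureRequest("M-1001", "new_provider", Purpose.TREATMENT, ("encounters",), feb), opt_in_state, prefs, audit)
    return out, audit


if __name__ == "__main__":
    results, trail = run_scenarios()
    for name, decision in results.items():
        print(name, decision)
    for entry in trail:
        print(entry["requester"], entry["category"], entry["permitted"], "-", entry["reason"])
```

Two things in the design are worth noting. Revocation is a timestamp on the existing record rather than a deletion, so a decision can be reproduced for any past date and a changed preference never requires redoing the paperwork. And the audit entry carries the reason string, which is what lets a member see not just who received their data but under which rule it was released.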

Today, consent is managed through a chain of manual steps. Members document their preferences on paper forms, which customer service representatives (CSRs) scan and forward to Privacy Officers for verification and approval. Once approved, the member's preferences are keyed by hand into each application-specific database.

Not only does this require extensive manual work to document each member’s consent preferences in each database, but the databases themselves are siloed. Any change to the member’s consent preferences—even something as simple as naming a different personal representative—means the existing preferences and relevant paperwork need to be deleted and the entire process redone from scratch.

By making health plans responsible for capturing their members’ data-sharing preferences, the 57F ruling will force payers to invest in a more robust consent management infrastructure that should facilitate more free-flowing bi-directional data exchange. From a policy standpoint, this is a good thing; however, the ruling fails to address some of the more urgent challenges of consent management.

Challenge #1: Inconsistent State Policies

Each state has its own consent management policies. For healthcare entities operating solely in that state, adherence to those policies is straightforward, but many entities operate in multiple states, and the lack of consistency between each state’s consent policies can muddy the waters.

Take New York, for example. The state has a very successful group of health information exchanges (HIEs) with a statewide data-sharing bus that lets different regions share data with one another. But what if the member splits their time between New York (which has an opt-out policy) and Florida, where opt-in consent is required from the member each time a new provider wants to access their PHI?

What if the member works in New York City and sees a specialist near their office, but is a resident of Connecticut (which has an opt-out policy for “regular” PHI and an opt-in policy for sensitive PHI)? Which policy takes precedence: the state where the member’s plan is based, or the state where they receive care? More importantly, how can payers ensure the member’s consent preferences carry over across different geographical locations?

Challenge #2: Who Can Access PHI (and Why)?

One of the biggest challenges of consent management is the opacity surrounding what PHI is being shared and for what purpose. Members often have no idea who can access their private health data—and even if they did, updating or revoking their consent would require them to contact each entity individually.

Let's say our Connecticut-dwelling member slips and breaks their wrist while on vacation in Pennsylvania. Per the treatment exception, the ED clinician can request relevant records without the patient's consent for the purposes of providing treatment. But "treatment" is broadly defined, and HIPAA's minimum-necessary standard does not apply to disclosures made to a provider for treatment, so the hospital could receive the patient's full medical history without the patient's knowledge.

Once the treatment is complete, there is little reason for the hospital to hold on to that information. But Pennsylvania’s consent policy allows the hospital’s system (and the HIE to which the hospital is connected) to hold on to the member’s PHI indefinitely, unless the member formally opts out. Since there is no way for our hypothetical member to monitor and update their consent preferences, they will likely assume that the hospital only has records relating to their broken wrist—and not, as it turns out, their full medical history. (For our member’s sake, let’s hope that hospital doesn’t experience a data breach.)

Challenge #3: Protecting PHI or Information Blocking?

The inefficiencies of consent management don’t just affect members, but payers as well. In order to access their members’ medical records, payers frequently have to engage in inefficient and costly chart chases—and the parties from whom they’re requesting that information aren’t always willing to hand it over.

Making patient data portable and easily accessible is a prerequisite for a truly interoperable healthcare system, but some healthcare companies are reluctant to share, as we've seen in a recent legal dispute between a health data exchange and a large EMR vendor. The dispute underscores a larger problem that directly impacts consent management: the difficulty of ensuring patient data is portable and available between competing entities.

The data exchange contends that the EMR vendor is engaging in information blocking by monopolizing patient data and using it to build new solutions without fear of competition. The EMR vendor, on the other hand, has argued that it is merely protecting patient data, and that the data exchange was improperly accessing patient records within its system.

Which brings us to the next challenge.

Challenge #4: Liability Concerns

Since HIPAA became law in 1996, healthcare organizations have largely taken a conservative approach to sharing patient data. The only way to run afoul of the law was by sharing too much data, never too little, so most organizations erred on the side of caution, and that attitude is still evident in many organizations' consent management practices.

The 21st Century Cures Act, passed in 2016, prohibits information blocking and was an attempt to get organizations to loosen their grip on PHI and encourage more free-flowing data exchange between healthcare stakeholders. While well-intentioned, the Cures Act doesn't seem to have had the desired effect, and it's easy to see why: the penalties for information blocking are a slap on the wrist compared to what a provider could incur for violating HIPAA. Moreover, under HIPAA, liability for an unauthorized PHI disclosure falls almost exclusively on the disclosing organization, with only limited circumstances in which the requesting organization may be held partially responsible.

Shifting the liability burden to the requestor (rather than the provider) would spur more robust data exchange and support greater interoperability while still safeguarding PHI. But until that happens, organizations will continue to approach data exchange and consent as an exercise in risk mitigation, rather than an opportunity to do what’s best for the member.

Challenge #5: Consent Management = Patient Management

Consent preferences are difficult to manage across organizations and geographical locations because patients are difficult to manage across those same boundaries. Effective and comprehensive consent management can only be built on a foundation of strong patient management, and our healthcare system hasn’t achieved that yet.

The average person moves nearly 12 times and has 12 jobs in their lifetime, which could potentially mean having 12 different health plans and seeing 12 different providers in 12 different areas. Without a universal health record, there is no way to keep track of consent preferences or ensure one consistent, unified set of patient health data.

Many organizations rely on patient-matching algorithms to link PHI from disparate sources into a single record, but these algorithms aren't always accurate. And even if the shards of data held at different organizations could be pulled together into a unified patient record, the organizations themselves are sometimes loath to part with what they see as proprietary information.

When it comes down to it, patient consent preferences are no different from lab results or claims. They're all data points. The difficulties of consent management are a microcosm of healthcare's larger struggle to integrate, apply, and share data more effectively and to deliver a comprehensive, consistent, and more portable member/patient experience.

The consent requirements of CMS-0057-F can certainly serve as part of a more robust regulatory framework for consent; however, just as a few APIs won’t solve all our data exchange problems, it’s going to take more than a single provision to address the challenges of consent management. And as we’ll discuss in the coming weeks, recent legal and technological developments have made the need to solve these problems even more pressing.
