WEDI Webinar Q&A: Consent Management in the Age of Interoperability

In our recent webinar “Consent in the Age of Interoperability”, presented by the Workgroup on Electronic Data Interchange (WEDI), we explored key challenges of adapting to the recent FHIR interoperability mandates, discussed new solutions that simplify and automate obtaining member consent, and shared key considerations for evaluating new tools.

We received a lot of great questions from our audience and unfortunately ran out of time before we could address all of them—but don’t worry, we cover them here. Read on for our answers to your most burning questions!

Q: Does CMS-9115 or CMS-0057-F require a member to have granular control on consent and sharing data or just high-level consent?

A: To some degree, yes. Access via the Patient Access API (as required in CMS-9115-F) is expected to support authorized users (AU) access to a member/patient longitudinal record.

The Payer-to-Payer API Opt-In requirements of CMS-0057-F enable the member to choose between sharing non-sensitive data or all data. For Provider Access Opt-Out requirements, however, it is an all-or-nothing proposition; i.e., there is no requirement to name specific providers.

Q: What is the difference between a personal representative and an authorized representative?

A: There is an important distinction between a personal representative and an authorized representative. The personal representative typically has the same rights as the member/patient. The authorized representative is an individual that is granted either implicit or explicit consent by the patient.

Q: Is a member portal required to manage consents for Payer-to-Payer data exchange?

A: No, the Payer-to-Payer provision does not require a member to have a member portal account to request data sharing between their new health plan and their old health plan. As a result, payers will need to consider how to best support their members in managing their consent preferences while also capturing and storing consent for audit purposes.

Q: CMS-9115-F had a requirement for the patient or authorized user to have access to the Patient Access API, right?

A: That’s correct! All provisions from 9115F are still in place. The 57F mandate simply expanded upon those provisions by issuing new ones for prior authorization, provider access, and payer-to-payer data exchange.

Q: If the consent data is in the FHIR storage or repository, what will be the best way for other systems to get the consent information? Directly through FHIR interactions? Or will an abstraction layer (e.g., an API) be needed?

A: The current v4 consent resource does not have the necessary attributes to exchange consent information directly through FHIR interactions. For now, the preferred workaround is to pull in the consent resource attributes from v5 into the v4 consent resource; however, streamlining consent information exchange is a key focus of the HL7/FAST Consent Management Workgroup.