Section 4.12 Implement

Managing Person ConsentPrepare to manage your local public health (LPH) department clients’ consent for participating in a health information exchange (HIE).

Time needed: 2 hoursSuggested other tools: NA

How to Use 1. Gain an appreciation of the need for person consent in HIE.

2. Adopt tools to obtain, manage, and supply consent when submitting and/or requesting a given person’s health information via a health information exchange organization (HIO) or other HIE process.

Person Consent for HIEAs information exchange through electronic systems increases, client trust in HIE must be ensured. To do so, many states have adopted consent requirements for their HIOs or otherwise have modified their state statutes on health information privacy. In addition, the federal government is promoting the concept of “meaningful consent,” which its Web site (www.healthit.gov/providers-professionals/person-consent-electronic-health-information-exchange) describes as:

Made with full transparency and education

Made only after the person has had sufficient time to review educational material

Commensurate with circumstances for why health information is exchanged (i.e., the further the information sharing strays from a reasonable client expectation, the more time and education is required for the person to make a decision)

Not used for discriminatory purposes or as a condition of receiving medical treatment

Consistent with client expectations

Revocable at any time

The HealthIT.gov Web site cited above provides a wide range of tools on:

Client education and engagement, including a video of a pilot test of a person obtaining education and signing consent directives on a tablet computer.

Technology to support person consent transmission to an HIO, including: sending a consent form with the information submitted to the HIO; tagging a client’s data with the person’s choice of who may access it and under what circumstances; or managing consent through a central database that can be queried about how each individual’s information may be accessed.

Law and privacy information to ensure alignment with federal and state law and other legal and policy requirements pertaining to consent, personal choice, and confidentiality.

State and Local Person Consent Requirements

Section 4 Implement—Managing Person Consent - 1

Although the federal government provides excellent tools to assist HIOs and the participants who use them, consent is unique to each state. In some cases, it is even unique to a given HIO or provider organization that may choose to enforce more stringent requirements than its state or the federal government requires.

Minnesota provides an example of the tools it uses to manage consent at: www.health.state.mn.us/divs/hpsc/ohit/umhie.html. Included are tools for exchanging person health information across state boarders, such as:

Consent matrix that a provider would use to determine if person consent is required to release health information.

Sample consent form that a person would complete and sign.

Request for HIE that the provider completes to identify the specific health information being requested.

Manage Person Consent for Your FacilityUse the following checklist to make sure you have appropriately addressed person consent as you begin to use HIE:

Know the HIPAA requirements surrounding consent. HIPAA permits, but does not require, providers to obtain consent for use of protected health information for treatment, payment, and health care operations.

Know the requirements for obtaining consent in your state—which may be more stringent than HIPAA.

Be sure that both HIPAA and state consent and authorization requirements are applied in a manner consistent with the Confidentiality of Alcohol and Drug Abuse Patient Records regulations (45 CFR Part 2); the Family Educational Rights and Privacy Act Regulations (FERPA) (34 CFR Part 99) applicable to students; and any other applicable regulations. The following are useful references in light of electronic health records (EHR) and HIE:

The Confidentiality of Alcohol and Drug abuse Patient Record Regulation and the HIPAA Privacy Rule: Implications for Alcohol and Substance Abuse Programs, June 2004, Substance

Abuse and Mental Health Services Administration, http://www.samhsa.gov/healthprivacy/docs/samhsapart2-hipaacomparison2004.pdf

HIPAA Crosswalk with 42 CFR Part 2, prepared by the Texas Department of State Health Services, http://www.dshs.state.tx.us/hipaa/privacynoticessa.shtm

Frequently Asked Questions: Applying the Substance Abuse Confidentiality Regulations to Health Information Exchange (HIE), Prepared by the Legal Action Center for the Substance Abuse and Mental Health Services Administration, http://www.samhsa.gov/healthprivacy/docs/ehr-faqs.pdf

Family Educational Rights and Privacy Act Regulations (FERPA) (34 CFR Part 99) http://www2.ed.gov/policy/gen/reg/ferpa/index.html

Joint Guidance on the Application of the Family Educational Rights and Privacy Act FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

To Student Health Records http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pd f

Learn about the requirements for obtaining consent to participate in the HIO in your state or region in which you plan to participate. Some HIOs require a specific action or affirmation by an

Section 4 Implement—Managing Person Consent - 1

individual for inclusion in the HIE process. Other HIOs require action or affirmation for exclusion from the HIE process. Increasingly, HIOs are adopting a hybrid approach depending on the nature of the information or participants in the exchange. Some HIOs are using a consent matrix, where the person makes specific choices about each type of health information that can be exchanged.

o Opt in: requires action or affirmation by an individual for inclusion; default is exclusion

o Opt out: requires action or affirmation for exclusion; default is inclusion

Collaborate with your EHR vendor to learn how you may be able to manage the person consent requirements of your HIO within your EHR.

Remember that in using the Direct protocol for exchanging health information in secured email, there is no monitoring of person consent as there is within an HIO. This does not absolve you from obtaining appropriate authorization or consent, but may not require you to obtain consent as specific as would be required when participating in an HIO.

Because an HIO is considered an intermediary—and a HIPAA business associate of the participating covered entities—the relationship between an LPH department and the HIO is somewhat different than when using Direct email between two health providers or the provider and patient or client. Furthermore, most HIOs collect and store at least some health information. This may be used to aggregate or facilitate the exchange of data. This intermediary data storage increases concerns about potential misuse of data—hence the stricter requirements for consent in an HIO.

Copyright © 2014 Stratis Health. Updated 03-12-14

Section 4 Implement—Managing Person Consent - 1