Data Reuse Agreements: A Patient Centered Approach To Clinical Data Consent Management

Title: Data Reuse Agreements: Patient Consent To Share Clinical Data

Date of Release: 4/19/2011

Case Number: 11-1601

ProblemAll health care providers, payers, and institutional users of health records (including DoD, VA, CMS, NIH, SSA, etc.) must comply with HIPAA, ARRA, and no doubt future laws to protect patient privacy. Currently, data can be shared for purposes predefined by law, but the patient has no effective way to restrict these releases (e.g., to exclude certain recipients, or control access to especially sensitive data such as mental health or reproductive information). Beyond this, the patient must sign an explicit paper consent form, typically agreeing to the provider’s data sharing policy terms without modification. There is no way to pass written restrictions to an automated data release system, to authenticate a faxed form, to let a patient reuse a well thought-out set of conditions, to change preferences without changing the paper copy at each provider, to indicate willingness to share their data with any reputable researchers, to establish a family member or trusted physician as a proxy, or to review all requests for one’s records. As a result, delays and denials occur, inhibiting emergency care, referrals, and research.

Objectives• Create a template-driven user interface to capture complex patient preferences, organized bypurpose (e.g., research, emergency access), by provider type and by relationship (e.g., referral). • Test the user interface with MITRE staff outside the project. • Demonstrate use of potential data sources (e.g., a registry of physicians’ credentials and on-call substitutes, or of institutions that routinely do emergency care). • Identify and solve thorny technical problems such as mixing patient and government preferences, or restrictions where enforcement (e.g., on free text) cannot be guaranteed.

ActivitiesMITRE is pioneering a mechanism (called Kairon) by which each patient has a consent rule set, available in one place that describes what data may be released in what situations. The user interface for creating the rule set encourages general, reusable constructs, (e.g., “doctors with whom I have a treatment relationship”). Our architecture works both in today’s largely manual system, and with gradually increasing automation, and permits consent management services providers (perhaps the payers, major integrated providers such as the VA, or PHR vendors) to compete for patients. We have created a prototype and written several papers describing the requirements and conops, a solution architecture, and drilling down on specific problems. We hope to transition our work to multiple sponsors (VA, DoD, CMS, ONC, SAMHSA) and are integrating our work with other projects in the MITRE health care ecosystem (HealthLab, MedCafe, and ESP). Our code is posted in an open-source repository.

Impact

Our work has potential application to all of MITRE's sponsors and customers involved in the collection and release of protected health information.

This includes: the Office of the National Coordinator for Health Information Technology, the Department of Veterans Affairs, the DoD Military Health System and Tricare program, the Centers for Medicare and Medicaid Services, the Food and Drug Administration, the National Institutes of Health, the Indian Health System, etc.