Patients’ trust in how their health information is managed is essential to the success of emerging models for electronically sharing patient health information. Patients may be unfamiliar with, and therefore may not trust, exchanging health information through certain types of third parties such as health information exchange organizations (HIEs). Recognizing this, the Health Information Technology Policy Committee (HITPC), a federal advisory committee of the Office of the National Coordinator for Health Information Technology (ONC), recommended that patients be given a “meaningful choice” as to whether their health information is exchanged through certain types of HIEs.

In furtherance of this recommendation, ONC sponsored a project to identify the factors that patients would want to know when making a decision whether to participate in this type of electronic health information exchange (eHIE). Based on this analysis, ONC sponsored a project to develop educational and informational materials as an example of how health care providers and HIEs may educate patients about their model of eHIE and their choices pertaining to the confidentiality and sharing of their health information.

Patient Consent for Electronic Health Information Exchange

The success of eHIE is heavily dependent upon patients trusting that their health information will be managed in a private and secure manner.

Several models of eHIE exist or are in the planning stages, involving varying levels of technical complexity. eHIE services are sometimes built into a health care organization’s systems; sometimes the services are provided by a third-party organization called an HIE. An HIE serves as a network, intermediary, or service organization that helps route information among various participating providers and allows them to share and access patient health information for purposes of treatment, payment, and health care operations (TPO); TPO includes functions such as business management and general administrative activities; legal services; and quality assessment and improvement activities, including case management and care coordination.

In some HIEs, a provider can submit an electronic query, search for, and retrieve information about a specific patient, often without the health care provider who created or is holding the record being aware that another provider requested and received information. This method of a health care provider asking for patient information is not in the control of the provider that created or is holding the information, or that provider’s organized health care arrangement (OHCA); therefore, it is different from a provider directly contacting another to request a patient’s information. Uses and disclosures that go beyond the provider’s own use, such as aggregation of data between providers, may surprise patients and undermine the provider-patient treatment relationship built on trust.

Patients often are concerned about the confidentiality of their health information, particularly information that is related to health conditions considered “sensitive” by most people, including information related to substance abuse treatment, mental health, and HIV/AIDS status. This concern keeps some patients from participating in a local, regional, or statewide HIE. The viability, sustainability, and widespread adoption of electronic health information exchange largely depend upon the level of trust and desire of both health care providers and patients to participate in eHIE.

As electronic health information exchange expands among different health care providers and other entities that exchange electronic health information, patients must be able to trust the provider and the HIE that information will be handled in accordance with their wishes. Meaningful, informed patient choice (“patient consent”) is one way to ensure patient trust. This “consent decision” concerns the sharing and accessing of the patient’s health information through an HIE for TPO.

Privacy and Confidentiality Law & Policy

Health care providers and HIEs adopt different approaches to obtain consent from patients for sharing or limiting access to their health information.

Providers may choose to offer one or a combination of the following general types of consent models or policies to patients:

  • Opt-in – By default, patient health information is not shared. Patients must actively express their desire to allow sharing of their health information.
  • Opt-out – By default, patient health information is automatically available for sharing.  To prevent sharing, patients must actively express their desire not to have information shared.

The ultimate implementation of a consent model may be dictated by state law or regulation.

While the information may be part of the provider’s medical record, the decision for the exchange of the information to another provider lies with the patient. Therefore, consent decisions may allow patients to decide:

  • if their health information will be released,
  • under what circumstances the release will take place (e.g., any time or emergencies only?), and
  • by whom (e.g., health care providers? HIEs?).

Some federal and state privacy laws and regulations (e.g., 42 CFR Part 2 – Confidentiality of Alcohol and Drug Abuse Patient Records, Title X of the Public Health Service Act – 42 CFR 59.11 – Confidentiality) exist that require health care providers to obtain patients’ written consent before providers disclose patient health information to other people and organizations, even for treatment.  Many of these privacy laws protect information that is related to sensitive health conditions.

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule generally permits, but does not require, covered health care providers to give patients the choice as to whether their health information may be disclosed to others for TPO. HIPAA leaves in effect other laws that are more privacy-protective. Under this legal framework, health care providers and HIEs must continue to follow other applicable federal and state laws that require patients’ consent before disclosing or exchanging their health information.

In addition to these laws, some organizations have their own internal policies requiring patient consent to share particularly sensitive information.

When patients are asked to make consent decisions, regardless of the consent model used, in furtherance of the HITPC recommendation, ONC encourages providers, HIEs, and other health IT implementers to help patients make a meaningful choice. Meaningful consent occurs when the patient makes an informed decision and the choice is properly recorded and maintained.  Specifically, a meaningful consent decision has six aspects. The decision is:

  • made with full transparency and education,
  • made only after the patient has had sufficient time to review educational material,
  • commensurate with circumstances for why health information is exchanged (i.e., the further the information-sharing strays from a reasonable patient expectation, the more time and education is required for the patient before he or she makes a decision),
  • not used for discriminatory purposes or as a condition for receiving medical treatment,
  • consistent with patient expectations, and
  • revocable at any time.

ONC sponsored a project to explore one aspect of meaningful consent—educating patients about their choices.

What Do Patients Want to Know before Making a Choice?

Based on adult patient input collected during the ONC eConsent Trial Project conducted last year in western New York state, ONC found that patients are interested in learning more before they decide whether or not to allow health care providers to access or share their health information electronically. While we learned that patients prefer receiving educational materials directly from their health care provider in person, we knew it would be a challenge to meet this preference. Therefore, we tried to meet this need through a multi-media approach, including video recording a health care professional delivering educational material in an interactive manner for patient viewing at health care provider facilities. We also complemented this approach with a paper brochure and a handout to accommodate the preference of some patients to receive material in various formats.

This overall method of delivery is consistent with ONC’s HITPC recommendation that the person who has the treating relationship with the patient (in most cases, this is the patient’s doctor or nurse) be responsible for educating patients.

In particular, the project found that patient interest in consent centers on four key factors, the Who, What, How, and Why:

Who Factor: Who could access their health information?

  • Who has access to health information (e.g., individual practitioner or provider organization? front desk receptionist? health insurance company?)
  • Who does not have access to health information (e.g., employers)?
  • Scope of participating organizations within the HIE
  • What if a new provider joins the HIE after the consent decision?
  • Patient access to HIE health information
  • Family members accessing a patient’s HIE health information

What Factor: What type of information could be accessed or shared?

  • Type of information accessible or shared through an HIE
  • Whether sensitive health information would be shared (e.g., genetic information, HIV test results, mental health care treatment)
  • What is an HIE and the consent decision context
  • Difference between the HIE consent and HIPAA Notice of Privacy Practices     acknowledgement, and medical procedure consent
  • Overview of consent options and default consent setting

 How Factor: How is information protected and secured?

  • Information security and safeguards in place that protect health information
  • Sanctions associated with misuse or inappropriate access to health information
  • Policies and procedures associated with information protection
  • Health information privacy rights (e.g., right of access)
  • Option to change consent decision

Why Factor: Why may information be accessed or shared (i.e., purpose of use)?

  • When may health information be accessed or shared?
  • Purpose for which information will not be accessed or shared
  • Non-retaliatory nature of making a consent decision

Patient Education Material Design, Development, & Deployment

Much of the existing research on patient consent education has focused on informed consent for medical procedures, research, or treatment and does not pertain to electronic health information exchange. Therefore, we used the informed consent process for a medical/surgical procedure as a comparable model. Traditional informed consent assumptions expect patients to read and understand the consent form; participate in a discussion with a provider; and make a decision based upon what often is a large volume of information. However, in practice, patients often do not read the entire consent form or fully understand it. Similarly, individuals often do not read documentation associated with online privacy policies.

Using this research and patient input gathered as part of our project, we developed and implemented sample, interactive educational materials to meet this need and implemented a technology-centric approach with patients in health care provider settings. With a goal to develop succinct, plain language patient educational material, while balancing readability and technical terms, we developed videos and media-rich materials to accompany text for viewing on tablet computers at participating health care facilities. Because research has shown that an educational video is a successful channel for significantly improving an audience’s understanding of concepts, we structured the multi-media educational materials to provide a balanced and flexible learning experience. To the extent practicable, we used neutral language in the text development, reducing any bias toward a specific opt-in or opt-out consent model. The key factors (Who, What, How, and Why) served as the cornerstone of the development.

The overview educational material consisted of a three-minute video that provided high-level information about the key factors.  Seven additional videos, varying in length, provided patients with a more detailed explanation of key factors and introduced other optional exploration non-key factors (e.g., benefits of sharing health information). Patients had the option to review any educational material (organized by topic areas) and do a “deep-dive” into information for a given area.

What Can Others Leverage from the eConsent Project?

As patients become more engaged in their health care, communication to and education of patients become even more important. Patients want to understand more about various aspects of their choices regarding the electronic sharing of their health information, particularly as it relates to third parties, including HIEs. Adequately informing patients of these new models for exchange and giving patients the choice whether to participate is one means of ensuring that patients trust these technologies.

When health care providers give patients a choice, they should provide clear, comprehensive, concise, and easily understood education to patients about their choice. During the eConsent Trial project, while patient experiences varied receiving educational material on a tablet at health care settings, they most frequently reviewed the overview educational material (Who, What, How, and Why), and some patients spent time reviewing some of the additional “deep dive” topic areas.

The results from the project show that health care providers and HIEs should consider the key factors when engaging and educating their patients about the need for their consent. ONC’s sample materials and resources should help providers and HIEs implement meaningful consent for their patients. Use of multimedia is an efficient means of designing, developing, and delivering patient educational material to ensure any choice patients make with respect to sharing their health information is indeed meaningful.