Different states require exchanges and providers to deal with data and consent in a number of different ways.
Health information exchanges (HIEs) allow doctors and hospitals to quickly see patients’ health information so they can diagnose medical issues and recommend treatment more efficiently.
HIEs can also help doctors avoid repeating costly and time-consuming diagnostic tests or imaging, since they can see the results of tests patients may have had recently. To share a patient’s medical history, healthcare providers need consent from the patient. But not all states have the same rules about collecting consent. Different states use different consent models, and each has pros and cons that can affect both patients and providers. Some models require more effort from providers and patients but provide greater privacy protection for patients and better information access for providers.
The Different Types of Consent
HIEs use different types of consent in different states. All consent models let healthcare providers look at a patient’s medical history. If you are a patient, different types of consent offer varying degrees of protection for your medical information. They also differ in how you control who can access your medical records. If you are a doctor or a provider, different types of consent impact your day-to-day workflow and how you obtain consent and what you see in your patients’ medical history.
- The opt-out consent used in many states gives HIEs the right to legally share a patient’s medical information without their express consent. Instead, patients who do not want their information shared have to actively opt out. They can do this by submitting an online form, calling the HIE, or mailing an opt-out form to rescind their consent. When patients opt out in some states, such as California, HIEs can continue to collect their medical information so they can share it whenever they are legally required to do so. When patients do not opt-out, some states allow HIEs to share their medical information in any way not prohibited by the federal Health Insurance Portability and Accountability Act (HIPAA) laws. The HIPAA laws govern what healthcare information providers can share about patients, whom they can share it with, and when they can share it.
- Community-wide consent lets patients give permission to an HIE to share their health information with every participant in their community—which can be statewide. In states that use community-wide consent, patients only need to give consent once. Patients do not have to sign a consent form every time they see a new healthcare provider. Providers are required to have a treatment relationship with a patient in order to access their medical records. However, because community-wide consent covers all participants in the system, there is a greater potential for unauthorized access to medical records. This risk requires more auditing and oversight to ensure that no unauthorized access occurs.
In addition, the community-wide consent model can have limitations to certain data, like Part II data. Part II data is covered under confidentiality guidelines established by the federal Substance Abuse and Mental Health Services Administration (SAMHSA). Those regulations require that people who have been treated for substance abuse and mental health issues sign a separate consent that covers access to that information.
- Consent to share requires that the HIE get a patient’s consent to collect his or her health information and share it with providers who participate in that information exchange. The consent to share model gives the patient more control over who can see their health information.
- Consent to access. Unlike the consent to share model, this model requires that patients sign a separate consent form for every provider they want to be able to view their health information. When patients sign a consent form, only clinicians who are actively involved in their care can have access to their records. The consent to access model is used in New York and other states. Of all the models, this provides patients with the most control over who can see their medical records. Patients can decide which of their providers have been granted consent to view their medical records and health information.
Understanding which model is used in your state allows you to exercise better control over health information, whether you’re a patient or a provider. When you understand how to manage consent in your state, you can find the best balance between protecting patient privacy and ensuring secure, easy sharing of health information through HIEs.