Risk Managing "Meaningful" Consent

Page 1: Risk Managing "Meaningful" Consent

Risk Managing “Meaningful” Consent

October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA

Timothy Kelly, MS, MBA

Director, Standard Register Healthcare

Fay A. Rozovsky, JD, MPH

President, The Rozovsky Group, Inc.

Atlanta, GA; Williamsburg, VA

Continuing Education Reminders

Information for the following credits may be found on a flyer in your conference bag:

• ASHRM CE Certificates (CPHRM renewal, ACHE, NAHQ, HCCA/CCB)

• CNE Credits

• Illinois CLE Credits

• CME Credits

Page 2: Risk Managing "Meaningful" Consent

Disclosure of Conflict of Interest and Commercial Support

All presenters, Faculty, Panel Members and Content Developers, unless indicated, have no significant financial interest/arrangement with any organization that could be perceived as a real or apparent conflict of interest with the subject matter of the presentation.

Objectives

Define the core elements of meaningful consent in the electronic exchange of health information. 

Analyze the legal, regulatory and clinical risk exposures associated with meaningful consent.

Describe steps to identify and mitigate risk exposures stemming from meaningful consent. 

Page 3: Risk Managing "Meaningful" Consent

Background: Release of Information in the Age of “the Cloud”

HIE – Acronym Check

Hypoxic Ischemic Encephalopathy

Health Insurance Exchange

Health Information Exchange

Page 4: Risk Managing "Meaningful" Consent

Health Information Exchange (HIE)

• System that allows for the secure, electronic transfer of a patient’s vital medical information

• Advantages include:

– Speed

– Availability of information

– Fewer errors

– Automatic integration of data into the EHR

HIE Implementation Status

[Figure: state HIE implementation status. Legend: directed and query exchanges are both available; only directed exchange is available; only query exchange is available.]

Source: HealthIT.gov http://www.healthit.gov/policy‐researchers‐implementers/state‐hie‐implementation‐status/ (accessed 9/1/14)

Page 5: Risk Managing "Meaningful" Consent

Meaningful Consent in Context

• 2011:  A federal advisory committee, the Health Information Technology Policy Committee (HITPC), recommends to the Office of the National Coordinator for Health Information Technology (ONC), that patients be given a “meaningful choice” as to whether their health information is exchanged through certain types of HIEs.

• March 2013:  ONC completes an eConsent Pilot Project in Western New York using tablet computers to inform patients about available options when deciding whether or not to engage in the electronic sharing of their health information via an HIE.

Why All the Fuss?

• Isn’t a regular consent authorization sufficient?

• Why do we need yet another layer of complexity?

TRUST

Page 6: Risk Managing "Meaningful" Consent

The Press is on IT

• 40 million customers with compromised credit and debit card information

• 70 million with compromised email and mailing address information

Harris EA, Perlroth N. Target missed signs of a data breach. The New York Times.  March 13, 2014.

The Press is on IT

• 56 million customers compromised

Vinton K. With 56 million cards compromised, Home Depot's breach is bigger than Target's. Forbes. September 18, 2014.

Page 7: Risk Managing "Meaningful" Consent

And in Healthcare

“Hackers recently broke into [the for‐profit hospital chain’s] computers and stole data on 4.5 million patients.

Hackers have gained access to their names, Social Security numbers, physical addresses, birthdays and telephone numbers.” 

http://money.cnn.com/2014/08/18/technology/security/hospital‐chs‐hack/

And Patients Know IT

A psychiatric nursing assistant monitoring patients was seen taking information from the unit where the patients resided. A folder with 47 pages of PHI was found in a public trash bin located off the premises of the hospital.

“I feel like I can’t trust the hospital anymore, not with anything personal….I don’t even know where the records have been,” said a patient.

“Texas Psych Hospitals Deal with Privacy Breaches,” Modern Healthcare, January 28, 2014.

Page 8: Risk Managing "Meaningful" Consent

The Core Elements of Meaningful Consent in the Electronic Exchange of Health Information

Definition Anyone?

“Consent should not be a ‘check‐the‐box’ exercise. Meaningful consent occurs when the patient makes an informed decision and the choice is properly recorded and maintained.”

Looks like a statement about a normal treatment consent, right?

http://www.healthit.gov/providers‐professionals/patient‐consent‐electronic‐health‐information‐exchange/meaningful‐consent‐overview

Page 9: Risk Managing "Meaningful" Consent

Core Elements: Meaningful Consent

Six aspects of “meaningful” consent:

1. The decision is made after the patient has had sufficient time to review educational material,

2. The choice is commensurate with circumstances for why health information is exchanged (i.e., the further the information‐sharing strays from a reasonable patient expectation, the more time and education is required for the patient before he or she makes a decision),

http://www.healthit.gov/providers‐professionals/patient‐consent‐electronic‐health‐information‐exchange/meaningful‐consent‐overview

Core Elements: Meaningful Consent

3. The patient’s choice is not used for discriminatory purposes or as a condition for receiving medical treatment,

4. The decision is commensurate with circumstances for why individually identifiable health information is exchanged,

5. The choice is consistent with patient expectations, 

6. The choice is revocable at any time.

http://www.healthit.gov/providers‐professionals/patient‐consent‐electronic‐health‐information‐exchange/meaningful‐consent‐overview

Page 10: Risk Managing "Meaningful" Consent

HIE Participation Models

No Consent is Obtained

Opt Out Model

Opt In Model

Opt In with Restrictions

Opt Out with Restrictions

Popular Versions: Meaningful Consent

Opt‐in – Default is that patient health information is not shared. Patients must actively express their consent to share.

Opt‐out – Default is for patient health information to automatically be available for sharing. Patients must actively express their desire to not have information shared if they wish to prevent sharing.

Bear a higher burden of proving that patient was educated on options

Page 11: Risk Managing "Meaningful" Consent

Patient Choice

“Patients may choose to give providers and HIEs full access to their information, limited access, or no access at all.”

http://www.healthit.gov/providers‐professionals/patient‐consent‐electronic‐health‐information‐exchange/meaningful‐consent‐overview

Patient Consent for HIE

The three pillars of Meaningful Consent

Meaningful Consent for Health Information Exchange:

• Technology

• Patient Education and Engagement

• Law and Policy

http://www.healthit.gov/providers‐professionals/patient‐consent‐electronic‐health‐information‐exchange/meaningful‐consent‐overview

Page 12: Risk Managing "Meaningful" Consent

Meaningful Consent Explained

“1. Patient Education and Engagement – including educating patients about their consent options, who may release their information and how, and the significance of the consent choice.

2. Technology – using technology to capture and maintain patient consent decisions, identify which sensitive portions of patient information are restricted from access, and communicate these restrictions electronically with others.

3. Law and Policy – ensuring alignment with federal and state law and other legal and policy requirements pertaining to consent, individual choice, and confidentiality.”

http://www.healthit.gov/providers‐professionals/patient‐consent‐electronic‐health‐information‐exchange/meaningful‐consent‐overview

Relationship to “Meaningful Use”

The CMS Medicare and Medicaid EHR Incentive Programs provide financial incentives for the “meaningful use” of certified EHR technology.

To receive an EHR incentive payment, providers have to show that they are “meaningfully using” their certified EHR technology by meeting certain measurement thresholds (Stage 1 requirements, Stage 2 requirements, etc.). CMS has established these thresholds for eligible professionals, eligible hospitals, and critical access hospitals (CAHs).

http://www.healthit.gov/policy‐researchers‐implementers/meaningful‐use‐regulations

Page 13: Risk Managing "Meaningful" Consent

Meaningful Use Stage 3 Discussion

“Some federal and state health information privacy and confidentiality laws, including but not limited to 42 CFR Part 2 (for substance abuse), establish detailed requirements for obtaining patient consent for sharing certain sensitive health information, including restricting the recipient’s further disclosure of such information.

How can MU help improve the capacity of EHR infrastructure to record consent, limit the disclosure of this information to those providers and organizations specified on a consent form, manage consent expiration and consent revocation, and communicate the limitations on use and restrictions on redisclosure to receiving providers?”

Request for commentary from the HITPC: http://www.healthit.gov/sites/default/files/hitpc_stage3_rfc_final.pdf

Relationship to Shared Decision-Making

• Leveling the playing field – the two‐way conversation between the patient and care provider(s)

• Using comparative effectiveness data to inform the patient

• Use of decision aids

• Patient preferences

SEC. 3506. PROGRAM TO FACILITATE SHARED DECISIONMAKING (Part D of title IX of the Public Health Service Act, as amended by section 3503, is further amended by adding at the end the following: “SEC. 936. PROGRAM TO FACILITATE SHARED DECISIONMAKING.”)

Could it be used in meaningful consent?

Page 14: Risk Managing "Meaningful" Consent

The Legal, Regulatory and Clinical Risk Exposures Associated with Meaningful Consent

The Legal Component

Legislation in the 50 states

HIPAA

The Privacy Act of 1974

ARRA 2009

Affordable Care Act 2010

Page 15: Risk Managing "Meaningful" Consent

State Law (California as an Example)

• Requires “Opt In” for HIE participation (currently limited to HIE demonstration projects)

• Requires faster breach notification

– CA = 5 days, Federal = 60 days

• Elevated restrictions on use of “routine” PHI for the purpose of treatment, payment and health care operations

– CA requires prior written authorization for sensitive PHI disclosures (e.g. psychotherapy notes, drug and alcohol treatment records, HIV status and test results)

Federal Regulation

HIPAA Privacy

HIPAA Security

GINA

HITECH

Shared Savings Program ACOs

FERPA

Privacy Regs

Clinical Research Regs

The MU Incentive Rules

CMPs

Page 16: Risk Managing "Meaningful" Consent

HIPAA Highlights: Privacy Rule

Limits use and disclosure of PHI for marketing and fundraising purposes, and prohibits the sale of PHI without individual authorization.

Individual can receive electronic copies of their health information via regular (unencrypted) email.

Individuals may restrict disclosures to a health plan (and Medicare) concerning treatment for which the individual has paid out of pocket in full.

HIPAA Privacy creates its own flavor of the “Opt Out” and adds to Restriction complexity

[Omnibus Final Rule, Effective September 23, 2013]

Common Restrictions

• Restrictions on disclosure of PHI to others (e.g. spouse, parent, family)

– Provider is not obligated to agree to request

– If reasonable and agreed to, request must be honored

• Restrictions on means of communication (e.g. bills sent to work address instead of home address, follow‐up calls to cell phone instead of home phone)

Page 17: Risk Managing "Meaningful" Consent

ACOs (The Medicare Shared Savings Program Final Rule)

“Beneficiaries will be given the opportunity to decline this data sharing as part of this notification. After a period of 30 days from the date the ACO provides such notification, ACOs will be able to request beneficiary identifiable data from us absent an opt‐out request from the beneficiary.

Although we would expect providers/suppliers to still actively engage beneficiaries in conversation about the Shared Savings Program and their ability to decline to share their own health data at the beneficiaries’ first primary care visit.”

Fed Reg. 76(212): 67851, November 2, 2011.

ACOs (The Medicare Shared Savings Program Final Rule)

“Upon signing participation agreements and a DUA, ACOs will be provided with a list of preliminary prospectively assigned set of beneficiaries… who are likely to be assigned to the ACO… 

ACOs may utilize this initial preliminary prospectively assigned list along with the quarterly lists to provide beneficiaries with advance notification prior to a primary care service visit of their participation in the shared savings program and their intention to request their beneficiary identifiable data.”

Fed Reg. 76(212): 67851, November 2, 2011.

Page 18: Risk Managing "Meaningful" Consent

The Risk Exposures

Top Reasons for HIPAA Breaches Under the HITECH Act

Theft

Loss

Unauthorized Access/Disclosure

Incorrect Mailing

Hacking/IT Incident

Improper Disposal

TRUST

Hourihan C, Cline B. A Look Back: U.S. Healthcare Data Breach Trends. Health Information Trust Alliance (HITRUST). December 2012.

The Risk Exposures

TRUST

Other Risks

Inaccurate information – “I am not a drug addict, but that is what is in the HIE about me!”

Medical errors from incomplete data in the HIE.

Untimely uploading and/or updating of HIE information.

Page 19: Risk Managing "Meaningful" Consent

Liability Risks

• Breach of a Standard of Care – “But I thought I followed the requirements for informed consent under state law.  Ah, wait a minute, no, I followed that federal ‘meaningful consent’ stuff.”

• Unauthorized Disclosure to the HIE – “June, I thought you consented Thad Roft to sharing his EHR information on the HIE.  He is furious.  He said he never agreed to it.”

• Permission Creep – “Our compliance team is concerned that the Opt‐In for Meaningful Consent does not address the use of HIE data for population health studies.”

Say Goodbye to Shared Savings

§ 425.710 Data use agreement. 

(a)(1)….the ACO must comply with the limitations on use and disclosure that are imposed by HIPAA.

(2) If the ACO misuses or discloses data in a manner that violates any applicable statutory or regulatory requirements or that is otherwise non‐compliant with the provisions of the DUA, it will no longer be eligible to receive data under subpart H of this part, may be terminated from the Shared Savings Program under §425.218, and may be subject to additional sanctions and penalties available under the law.

Medicare Program; Medicare Shared Savings Program: Accountable Care Organizations; Final Rule, Fed Reg. 76(212): 67802‐67990, 67989, November 2, 2011.

Page 20: Risk Managing "Meaningful" Consent

Identifying and Mitigating Meaningful Consent Risk Exposures

Form a Review Group

• Membership: HIM, IT, clinical leadership, legal counsel, patient relations and “typical” patients

• Design procedures from the patient’s perspective

• Address any applicable state statutes

• Review other consent scenarios as appropriate (e.g. consent for treatments and procedures, consent for participation in clinical trials)

Page 21: Risk Managing "Meaningful" Consent

Consent Time Out

Learn the best way to communicate with this patient and the right educational tools to use for him or her.

Look for such issues as:

• Cognitive ability

• Hearing

• Visual impairment

• Language

• The need for interpreters

• Culture

• Health literacy

Rozovsky FA. Consent Time Out. Dialogues in Healthcare 2008;2(7):1‐11.

It is a Two-Way Conversation

• Understandable explanation

• Probable benefits and risks in consent to participation in the HIE

• Explanation of alternatives, including restrictions on use

• Consequences of declining participation in the HIE

• Employ teach‐back to confirm understanding

Reasonable expectations

No coercion – no intimidation

Page 22: Risk Managing "Meaningful" Consent

Make it an “INFORMED” Refusal

• Does “no” mean NO?

• Complete an informed refusal process.

• Try to identify any basis for misunderstanding that could lead to a refusal.

Data Partitioning

Restrictive permission from “meaningful” consent

Withdrawal at any time of consent to inclusion of data in the HIE

IT needs to be part of the picture

Office and clinic IT folks need to be in the loop

Systems analytics for monitoring

Test the system

Log permissions for HIE

Log partial permissions/partial exclusions for HIE

Log withdrawal of consent

Page 23: Risk Managing "Meaningful" Consent

Documenting Meaningful Consent

The consent

The partial consent

The refusal consent

The decision reversal

Who consented the patient?

Ability of the individual to make a decision.

Who was present?

Record a summary of the consent process.

Record the agreed upon course of action regarding HIE.

Document the use of language interpreters and the language used.

Record the titles of decision aids used in the process.

Date and Time.

Conclusion

A clearer public policy is needed from federal and state officials on meaningful consent.

At the operations level, much can be done by healthcare risk management professionals to mitigate the risks of this new approach to consent and HIE.

Page 24: Risk Managing "Meaningful" Consent

Questions?

Fay Rozovsky, JD, [email protected]

Tim Kelly, MS, [email protected]

Reference List

• Rozovsky FA, CONSENT TO TREATMENT: A PRACTICAL GUIDE, 4TH EDITION. New York: Wolters Kluwer, 2007 with annual supplements.

• HIPAA Privacy Rule, Final Rule, Federal Register, 78: 5687, et seq., Jan. 25, 2013. http://www.gpo.gov/fdsys/pkg/FR‐2013‐01‐25/pdf/2013‐01073.pdf

• Shared Savings Program for Medicare Accountable Care Organizations, Federal Register, 76: 67802, et seq., November 2, 2011.

• Patient Consent for HIE, http://www.healthit.gov/providers‐professionals/patient‐consent‐electronic‐health‐information‐exchange/meaningful‐consent‐overview, last updated on March 24, 2014.

Page 25: Risk Managing "Meaningful" Consent

• EHR Incentives & Certification, http://www.healthit.gov/providers‐professionals/meaningful‐use‐definition‐objectives, last updated on March 18, 2014.

• Rozovsky FA. Consent Time Out. Dialogues in Healthcare 2008;2(7):1‐11. www.therozovskygroup.com

• Rozovsky F, Kelly T. Mitigating the risks of 'meaningful consent' for HIE participation. Healthcare IT News. April 3, 2014. http://www.healthcareitnews.com/blog/mitigating‐risks‐meaningful‐consent‐hie‐participation
