Providers ponder more-stringent rules on privacy
For many patients, consent is the sine qua non for medical-records privacy. When a patient can give or withhold consent, it translates into a patient’s right to allow or disallow the sharing of their medical information.
Nearly three out of four respondents to this year’s Modern Healthcare/modern Physician Survey of Executive Opinions on Key Information Technology Issues said their organizations seek a patient’s consent before releasing their records to outside entities.
Opinions varied, however, on a favored way to obtain that consent.
There were five questions about privacy in this year’s survey, including three about consent, two of which were new.
The goal was to highlight provider attitudes about privacy and consent as HHS rulemakers ponder more stringent privacy-rule revisions required under the American Recovery and Reinvestment Act of 2009. The stimulus law amended the Health Insurance Portability and Accountability Act of 1996, a key federal healthcare privacy law.
The new rules are likely to include a limited restoration of a patient’s federal right of consent that was stripped away by HHS rulemakers in 2002. The ARRA affords patients the right to have providers withhold from their insurance companies information about their care if patients pay for that care out of pocket. Also, many health information exchanges operate where patient consent is required under state privacy laws.
Noting that the 2002 HIPAA privacy rule grants “regulatory permission” for providers to disclose a patient’s medical records without their consent for treatment, payment and other healthcare operations, the survey asked: “Does your organization seek patient consent before disclosing their medical records to other providers outside your organization (including health information exchanges)?”
An overwhelming majority of survey respondents (73%) indicated they do seek patient consent; another 17% said they don’t; and 10% of respondents were unsure.
Respondents also were asked which method they believe “patients should be able to use” to manage their participation in health information exchanges or regional health information organizations.
Half of respondents indicated patients should use the “opt out” method in which consent is assumed by default and a patient must take some form of action to remove themselves from participation.
The next most popular choice, selected by 18% of survey respondents, was to afford patients “granular” consent, in which patients may choose to share some of their medical records but withhold others, which may include more sensitive information such as records of treatment for drug and alcohol abuse, mental health or sexually transmitted diseases. The choices of “opt in” and “no choice” each were chosen by 16% of survey respondents.
“I think that granular will be to too hard to manage,” says Dr. Howard Landa, who chose opt-out. Landa is chief medical information officer for 387-bed Alameda County Medical Center in Oakland, Calif., and vice chairman of the Association of Medical Directors of Information Systems, a professional association for physician informaticists. Landa says one of the expected benefits from health information exchange is its cost-containing potential by reducing duplicative tests because test results will become widely and readily available.
“My feeling is you need to make the patient aware that you’re doing this and what would happen if they don’t participate,” Landa says.
“With opt-in, it will never happen,” he says. “If everyone has to state specifically, ‘You can send that,’ it’s not going to get sent and tests will be repeated.” Landa, a veteran informaticist, is referring to the experiences of exchanges that use opt-in, which tend to have lower participation rates than those that use opt-out.
Or, Landa says, later on when the patient wants or needs their information shared, “you’ll waste a lot of time and energy” working their consent back into the system.
“I love the whole thought of granularity,” he says, “but I don’t think it’s possible without a whole lot of support that’s not going to be there.”
Steven Little, however, chose granular consent. Little is president and CEO of 167-bed Agnesian Healthcare in Fond Du Lac, Wis.
“It shouldn’t be a mass mailing,” he says. “I believe as individuals we should have a right to pick and choose where that information goes to protect our own privacy. That’s important to me on a personal basis as well as being a healthcare provider.”
Dr. Deborah Peel, founder of the Patient Privacy Rights Foundation in Austin, Texas, had a mixed reaction to the survey results. Peel was less than thrilled by even 73% of respondents saying their organizations seek patient consent before disclosing their information to outsiders.
“People are now using the word consent, but it’s not the same as informed consent,” Peel says. “It’s more a kind of blanket form that’s shoved in front of somebody and they think that counts.”
But Peel says she is encouraged by the Modern Healthcare survey data that indicated a majority of respondents were unfazed by more stringent ARRA protections (See chart).
“The people on the front lines seem to support the patient’s rights and expectations,” Peel says. “They didn’t seem to think putting into effect some of the privacy protections would have much impact.”