The Sequoia Project is seeking public feedback by Feb. 21 on a white paper titled Moving Toward Computable Consent: A Landscape Review. Healthcare Innovation recently spoke with Deven McGraw, J.D., M.P.H., and Steven Lane, M.D., M.P.H., who co-chaired the work group that developed the paper.
McGraw is the chief regulatory and privacy officer for Ciitizen, a platform for patients to gather and manage their health information. Lane is the chief medical officer of interoperability company Health Gorilla. The white paper scans the landscape of challenges around patient-controlled granular consent to the sharing of sensitive data and identifies existing solutions and approaches. The plan is for the work group to evolve into a community of practice to work on implementation.
Healthcare Innovation: Could you start by explaining why it is so important that individuals have flexible privacy and consent tools that allow them to control what information is shared and how?
McGraw: We start with a baseline that we already have laws on the books at the federal level, with respect to substance abuse treatment as well as psychotherapy notes, and then also at the state level with respect to particularly sensitive data that give patients rights to consent or to restrict or opt out of sharing their information in certain circumstances, including even for treatment purposes. But in our movement to electronic medical records, we didn’t necessarily have the capacity to enable patients to exercise those choices and to be able to have them honored in the system. What that meant was that patients were often forced to say, ‘Well, don’t exchange any of my information vs. it’s just this sensitive information that I don’t want to have shared.
HCI: I saw your paper mentions the State of Maryland enacting a law requiring HIEs to block interstate exchange of procedure codes related to certain types of sensitive information. And I remember talking to Nichole Sweeney, the chief privacy officer at CRISP Shared Services in Maryland, about this. In cases where they might be required by law to offer patients granular consent, for instance about reproductive health information, have some healthcare organizations or HIEs figured out how to segment it or if they’re sharing CCDs, is it not possible to segment it at all? And what are they doing in that case?
Lane: The problem is, if you don’t have tools to do granular segmentation, the only option you have to meet the requirements of these sorts of regulations is to not share their data at all. So those people who have sensitive information end up not being able to participate in interoperability, writ large; they end up not being able to benefit from the advantages of data exchange and potentially having worse outcomes. Because, of course, everyone is now dependent on the electronic means of data exchange. The idea of calling up the hospital and asking them for a copy of their records is really a thing of the past at this point. So the absence of these granular controls actually worsens health equity for people with particularly sensitive data.
HCI: But does that potentially leave you vulnerable to being labeled an information blocker — if you say that your solution to this problem is just to not share any data about the person?
McGraw: No, because if you don’t have the technical capabilities to do the segmentation, that is an exception from information blocking.
HCI: There are also issues about patient identity and matching across data holders. Does this argue for the role of a health data utility that crosses organizational boundaries, or the QHINs under TEFCA to play a role in this? Could that be a possible solution?
Lane: There’s no question that identity management is a key part of this whole discussion. You have to know whom you’re talking about and whose data you’re sharing in order to meet the requirements, both in order to avoid inappropriate access or exchange and to assure that you are doing it appropriately. So there are lots of solutions to doing identity management accurately. It can be done at a regional level through a health data utility. It can be done at a national level based on whom you’re connecting through, like a QHIN, as you mentioned. There are a number of ways to approach that, most of which are being discussed. I think the idea of linking identity management with consent management is a really good one, and I think that if we can do those in a way that they are coordinated, it will be more efficient and we’ll have better outcomes, but it’s not clear that that’s the direction that the industry is going.
McGraw: I think you’ll see in the paper that there was a lot of work done by the work group to surface what solutions are currently being utilized at different levels in the interoperability ecosystem. What are HIEs like CRISP doing? What are medical providers doing? What are certified EHR systems doing? Where’s the state of the technology? Where do we need to go to improve it and have it work better and maybe have some degree of coherence, if not consistency, across these different levels and throughout the ecosystem?
Lane: It’s a really important point to acknowledge that the technology exists to do this at scale. We just have not had widespread implementation of that technology. So the technical standards, the groups at HL7, have been working hard on this for a number of years, both for CDA exchange and for FHIR-based exchange. There are fairly mature systems for data tagging, but as this has been considered through ASTP/ONC rule-making processes — the HTI1 and HTI2, there has been discussion about specifying the technical standards and they have shied away from that. So what we have is existing technical standards which are not required to be implemented.
One of the main purposes of the white paper and the work group and what will be a community of practice was to sort of level set: where do we stand now? And then to try to move forward in a new administrative context, where we don’t necessarily anticipate even the degree of rule-making and federal guidance that we’ve had over the past four years. How can we as an industry move forward to try to address this? Because there are rules being put on the books, and there will probably be more state laws being put on the books in the coming years that entities will need to deal with.
HCI: The paper includes an example of a vendor-specific solution involving Epic consent management. What are some of the pros and cons of working with an organization’s own EHR vendor on consent management? You know, we write about healthcare organizations that use Care Everywhere in lieu of their health information exchange, because it’s easy and it probably gets them 70% of the way there, because all the other hospitals in their region use Epic. But is that the solution?
Lane: It’s way more than 70%. I mean, here in California, there’s really very little need for a large health system to use an HIE. I’d say Care Everywhere gets them more than 90% of the way there. But be that as it may, I think from the standpoint of the providers, it needs to be in workflow. It needs to be supported by the EHR, or you need to have a very robust parallel supporting process in place. Epic, as usual, has been first to the trough in building a technology solution. It really is designed to support laws like we have in Maryland and California. It’s based on a lot of the same approaches, the idea of tagging sensitive data and writing rules to determine what context that data will or won’t be shared.
Because we don’t have rule-making that says certified health IT must use X, Y and Z standards, Epic has done their own thing, but it’s pretty close to what we all need. So hopefully the other EHR vendors will be developing similar toolsets that can then harmonize, through, for example, the EHR Association, where the vendors work together. I was actually just talking to someone from the EHRA today, saying that this is a real opportunity for the EHRA to play a larger role, because they’re not necessarily going to have the rules coming down from the feds, that they’re going to need to play nice together to move these initiatives forward, to support their customer bases well.
McGraw: I’m on the board of an HIE in California, so I beg to differ with Steven that there is no need for HIEs in California, because they wouldn’t exist if, in fact, there was no business, and there is business. And if Epic was taking care of it, they wouldn’t need any QHINs either, and they do.
But I am not going to disagree with the point that having Epic, which has a very large footprint in this country, have a solution that is available in the workflows of medical providers is really quite important, and it’s good that they have been forward-thinking on this, because, again, the standards have existed, and we’ve been very slow to get them incorporated.
HCI: I wanted to ask about the role of FHIR. The paper mentions an IHE Privacy Consent on FHIR specification as well as the work of the FHIR at Scale Task Force on consent management capabilities. So is FHIR a key part of the potential solution here?
Lane: I think FHIR makes the solution easier, because the thing about CDA exchange, even though we do have data segmentation for privacy standards for breaking the CDA apart and for protecting segments or even specific data elements, that technology has not been widely implemented. With FHIR, since the data is already atomized, it’s more intuitively obvious how you’re going to do this, because you’re managing the data at the granular data element level. But there is no technical reason why it couldn’t also be done in CDA. Again, today, the vast majority of data is still moving via CDA and, God forbid, fax. I think we need to have solutions that can be applied to all of these data streams, whether it’s HL7, Version 2, CDA, FHIR, etc.
HCI: What is the Shift Task Force and what is it working on?
Lane: Shift is focused on equitable interoperability. This goes to the point that I was making earlier, that individuals who have sensitive data, or feel that some of their data is particularly sensitive and are in need of protection can suffer equity loss because of these rules and the lack of ubiquitous technology. So Shift is very much focusing on particular use cases — the adolescent use case, the reproductive health use case, the adult proxy use case, in really trying to go deep into the technical standards and also the value sets and workflows that are going to be needed to implement interoperability that respects individual privacy preferences.
HCI: Earlier you mentioned a community of practice. So is that the next step in this? Will Sequoia convene something like that as the next phase of this work?
Lane: That is the plan. I think the idea of Sequoia is to serve as a convener, to be a neutral party that brings folks together. So whereas our work group was mostly limited to Sequoia members, with a few subject matter experts that were invited to participate and make presentations, the idea of the community of practice is that it will be a broader group, in the same way that Sequoia has been supporting discussions around information blocking, etc., and that over the course of this year, we’ll be trying to bring together all of the folks who are working on this, and including the people we’ve been discussing it. The EHRA has been very involved, the head of Shift has been very involved, and we really want to be sure that we have a place where we can all come together and try to drive these implementations forward.
HCI: You mentioned that you don’t think ASTP/ONC is going to be as active in making rules about things like this in the next four years. But if they were, would there be a role for more policy work and incentives, and would that make this work easier?
McGraw: Yes. As Steven said, these standards have been around for a long time. Implementation is really key. Waiting for entities to deploy this voluntarily, notwithstanding the existence of laws that one would think would compel implementation, hasn’t worked to date. When there are additional incentives put on the table, it definitely helps. I think we have testament to that, with respect to adoption of EHRs, with respect to the use of standards in information sharing. When the government puts some muscle behind it, whether that’s through incentives or through penalties, things happen more quickly.