Upload
engagingpatients
View
890
Download
2
Embed Size (px)
Citation preview
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 1
A personalmembership group of
Risk Managing “Meaningful” Consent
Timothy Kelly, MS, MBA
DirectorStandard Register Healthcare
Fay A. Rozovsky, JD, MPH
PresidentThe Rozovsky Group, Inc.
Atlanta, GA Williamsburg, VA
A personalmembership group of
Information for the following credits may be found on a flyer in your conference bag:
• ASHRM CE Certificates (CPHRM renewal, ACHE, NAHQ, HCCA/CCB)
• CNE Credits
• Illinois CLE Credits
• CME Credits
ContinuingEducation Reminders
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 2
A personalmembership group of
All presenters, Faculty, Panel Members and Content Developers, unless indicated, have no significant financial interest/arrangement with any organization that could be perceived as a real or apparent conflict of interest with the subject matter of the presentation.
Disclosure of Conflict of Interest and Commercial Support
A personalmembership group of
Objectives
Define the core elements of meaningful consent in the electronic exchange of health information.
Analyze the legal, regulatory and clinical risk exposures associated with meaningful consent.
Describe steps to identify and mitigate risk exposures stemming from meaningful consent.
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 3
A personalmembership group of
Background:Release of Information in the Age of “the Cloud”
A personalmembership group of
Hypoxic Ischemic Encephalopathy
Health Insurance Exchange
Health Information Exchange
HIE –Acronym Check
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 4
A personalmembership group of
• System that allows for the secure, electronic transfer of a patient’s vital medical information
• Advantages include:– Speed– Availability of information– Fewer errors– Automatic integration of data into the EHR
Health Information Exchange (HIE)
A personalmembership group of
HIEImplementation Status
Directed and query exchanges are both available
Only directed exchange is available
Only query exchange is available
Source: HealthIT.gov http://www.healthit.gov/policy‐researchers‐implementers/state‐hie‐implementation‐status/(accessed 9/1/14)
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 5
A personalmembership group of
Meaningful Consent in Context
• 2011: A federal advisory committee, the Health Information Technology Policy Committee (HITPC), recommends to the Office of the National Coordinator for Health Information Technology (ONC), that patients be given a “meaningful choice” as to whether their health information is exchanged through certain types of HIEs.
• March 2013: ONC completes an eConsent Pilot Project in Western New York using tablet computers to inform patients about available options when deciding whether or not to engage in the electronic sharing of their health information via an HIE.
A personalmembership group of
Why All the Fuss?
• Isn’t a regular consent authorization sufficient?
• Why do we need yet another layer of complexity?
TRUST
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 6
A personalmembership group of
The Press is on IT
• 40 million customers with compromised credit and debit card information
• 70 million with compromised email and mailing address information
Harris EA, Perlroth N. Target missed signs of a data breach. The New York Times. March 13, 2014.
A personalmembership group of
The Press is on IT
• 56 million customers compromised
Vinton K. With 56 million cards compromised, Home Depot's breach is bigger than Target's. Forbes. September 18, 2014.
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 7
A personalmembership group of
And in Healthcare
“Hackers recently broke into [the for‐profit hospital chain’s] computers and stole data on 4.5 million patients.
Hackers have gained access to their names, Social Security numbers, physical addresses, birthdays and telephone numbers.”
http://money.cnn.com/2014/08/18/ technology/security/hospital‐chs‐hack/
A personalmembership group of
And Patients Know IT
A psychiatric nursing assistant monitoring
patients was seen taking information from the unit where the patients resided. A folder with 47 pages of PHI was found in a public trash bin located off the premises of the hospital.
“I feel like I can’t trust the hospital anymore, not with anything personal….I don’t even know where the records have been,” said a patient.
“Texas Psych Hospitals Deal with Privacy Breaches,” Modern Healthcare, January 28, 2014.
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 8
A personalmembership group of
The Core Elements of Meaningful Consent in the Electronic Exchange of Health Information
A personalmembership group of
Definition Anyone?
“Consent should not be a ‘check‐the‐box’ exercise. Meaningful consent occurs when the patient makes an informed decision and the choice is properly recorded and maintained.”
Looks like a statement about
a normal treatment
consent, right?
http://www.healthit.gov/providers‐professionals/patient‐consent‐electronic‐health‐information‐exchange/meaningful‐consent‐overview
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 9
A personalmembership group of
1. The decision is made after the patient has had sufficient time to review educational material,
2. The choice is commensurate with circumstances for why health information is exchanged (i.e., the further the information‐sharing strays from a reasonable patient expectation, the more time and education is required for the patient before he or she makes a decision),
Six aspects of “meaningful” consent:
http://www.healthit.gov/providers‐professionals/patient‐consent‐electronic‐health‐information‐exchange/meaningful‐consent‐overview
Core ElementsMeaningful Consent
A personalmembership group of
Core ElementsMeaningful Consent
3. The patient’s choice is not used for discriminatory purposes or as condition for receiving medical treatment
4. The decision is commensurate with circumstances for why individually identifiable health information is exchanged,
5. The choice is consistent with patient expectations,
6. The choice is revocable at any time.
http://www.healthit.gov/providers‐professionals/patient‐consent‐electronic‐health‐information‐exchange/meaningful‐consent‐overview
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 10
A personalmembership group of
HIEParticipation Models
No Consent is Obtained
Opt Out Model
Opt In Model
Opt In with Restrictions
Opt Out with
Restrictions
A personalmembership group of
Popular VersionsMeaningful Consent
Opt‐in – Default is that patient health information is not shared. Patients must actively express their consent to share.
Opt‐out – Default is for patient health information to automatically be available for sharing. Patients must actively express their desire to not have information shared if they wish to prevent sharing.
Bear a higher burden of proving that patient was educated on options
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 11
A personalmembership group of
Patient Choice
“Patients may choose to give providers and HIEs full access to their information, limited access, or no access at all.”
http://www.healthit.gov/providers‐professionals/patient‐consent‐electronic‐health‐information‐exchange/meaningful‐consent‐overview
A personalmembership group of
Patient Consent for HIE
The three pillars of Meaningful Consent
http://www.healthit.gov/providers‐professionals/patient‐consent‐electronic‐health‐information‐exchange/meaningful‐consent‐overview
Technology
Patient Education and Engagement
Law and Policy
Meaningful Consent for Health
Information Exchange
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 12
A personalmembership group of
Meaningful Consent Explained
1. Patient Education and Engagement – including educating patients about their consent options, who may release their information and, how, and the significance of the consent choice.
2. Technology – using technology to capture and maintain patient consent decisions, identify which sensitive portions of patient information are restricted from access, and communicate these restrictions electronically with others.
3. Law and Policy – ensuring alignment with federal and state law and other legal and policy requirements pertaining to consent, individual choice, and confidentiality.”
http://www.healthit.gov/providers‐professionals/patient‐consent‐electronic‐health‐information‐exchange/meaningful‐consent‐overview
A personalmembership group of
Relationship to“Meaningful Use”
The CMS Medicare and Medicaid EHR Incentive Programs provide financial incentives for the “meaningful use” of certified EHR technology.
To receive an EHR incentive payment, providershave to show that they are “meaningfully using” their certified EHR technology by meeting certain measurement thresholds Stage 1 requirements, Stage 2 requirements, etc. CMS has established these thresholds for eligible professionals, eligible hospitals, and critical access hospitals (CAHs).
http://www.healthit.gov/policy‐researchers‐implementers/meaningful‐use‐regulations
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 13
A personalmembership group of
Meaningful UseStage 3 Discussion
“Some federal and state health information privacy and confidentiality laws, including but not limited to 42 CFR Part 2 (for substance abuse), establish detailed requirements for obtaining patient consent for sharing certain sensitive health information, including restricting the recipient’s further disclosure of such information.
How can MU help improve the capacity of EHR infrastructure to record consent, limit the disclosure of this information to those providers and organizations specified on a consent form, manage consent expiration and consent revocation, and communicate the limitations on use and restrictions on redisclosure to receiving providers?”
Request for commentary from the HITPChttp://www.healthit.gov/sites/default/files/hitpc_stage3_rfc_final.pdf
A personalmembership group of
Relationship toShared Decision-Making
• Leveling the playing field – the two‐way conversation between the patient and care provider(s)
• Using comparative effectiveness data to inform the patient
• Use of decision aids
• Patient preferences
SEC. 3506. PROGRAM TO FACILITATE SHARED DECISIONMAKING (Part D of title IX of the Public Health Service Act, as amended by section 3503, is further amended by adding at the end the following: ‘‘SEC. 936. PROGRAM TO FACILITATE SHARED DECISIONMAKING.)
Could it be used in meaningful consent?
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 14
A personalmembership group of
The Legal, Regulatory and Clinical Risk Exposures Associated with Meaningful Consent
A personalmembership group of
The Legal Component
Legislation in the 50 states
HIPAAThe Privacy Act of
1974
ARRA 2009Affordable Care Act
2010
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 15
A personalmembership group of
• Requires “Opt In” for HIE participation (currently limited to HIE demonstration projects)
• Requires faster breach notification– CA = 5 days, Federal = 60 days
• Elevated restrictions on use of “routine” PHI for the purpose of treatment, payment and health care operations– CA requires prior written authorization for sensitive PHI disclosures (e.g. psychotherapy notes, drug and alcohol treatment records, HIV status and test results)
State Law(California as an Example)
A personalmembership group of
Federal Regulation
HIPAAPrivacy
HIPAASecurity
GINA
HITECH
Shared Savings Program ACOs
FERPA
Privacy Regs
Clinical Research Regs
……………………
The MU Incentive RulesCMPs
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 16
A personalmembership group of
HIPAA Highlights: Privacy Rule
Limits use and disclosure of PHI for marketing and fundraising purposes, and prohibits the sale of PHI without individual authorization.
Individual can receive electronic copies of their health information via regular (unencrypted) email.
Individuals may restrict disclosures to a health plan (and Medicare) concerning treatment for which the individual has paid out of pocket in full.
HIPAA Privacy creates its own
flavor of the “Opt Out” and adds to
Restriction complexity
[Omnibus Final Rule, Effective September 23,
2013]
A personalmembership group of
• Restrictions on disclosure of PHI to others (e.g. spouse, parent, family)– Provider is not obligated to agree to request
– If reasonable and agreed to, request must be honored
• Restrictions on means of communication (e.g. bills sent to work address instead of home address, follow‐up calls to cell phone instead of home phone)
Common Restrictions
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 17
A personalmembership group of
ACOs (The Medicare Shared Savings Program Final Rule)
“Beneficiaries will be given the opportunity to decline this data sharing as part of this notification. After a period of 30 days from the date the ACO provides such notification, ACOs will be able to request beneficiary identifiable data from us absent an opt‐out requestfrom the beneficiary.
Although we would expect providers/suppliers to still actively engage beneficiaries in conversation about the Shared Savings Program and their ability to decline to share their own health data at the beneficiaries’ first primary care visit.”
Fed Reg. 76(212): 67851, November 2, 2011.
A personalmembership group of
ACOs (The Medicare Shared Savings Program Final Rule)
“Upon signing participation agreements and a DUA, ACOs will be provided with a list of preliminary prospectively assigned set of beneficiaries… who are likely to be assigned to the ACO…
ACOs may utilize this initial preliminary prospectively assigned list along with the quarterly lists to provide beneficiaries with advance notification prior to a primary care service visit of their participation in the shared savings program and their intention to request their beneficiary identifiable data.”
Fed Reg. 76(212): 67851, November 2, 2011.
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 18
A personalmembership group of
Top Reasons for HIPAA Breaches Under the HITECH Act
Theft
Loss
Unauthorized Access/Disclosure
Incorrect Mailing
Hacking/IT Incident
Improper Disposal
Hourihan C, Cline B. A Look Back: U.S. Healthcare Data Breach Trends. Health Information Trust Alliance (HITRUST). December 2012.
TRUST
The Risk Exposures
A personalmembership group of
The Risk Exposures
TRUST
Other Risks
Inaccurate information – “I am not a drug addict, but that is what is in the HIE about me!”
Medical errors from incomplete data in the HIE.
Untimely uploading and/or updating of HIE information.
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 19
A personalmembership group of
Liability Risks
• Breach of a Standard of Care – “But I thought I followed the requirements for informed consent under state law. Ah, wait a minute, no, I followed that federal ‘meaningful consent’ stuff.”
• Unauthorized Disclosure to the HIE – “June, I thought you consented Thad Roft to sharing his EHR information on the HIE. He is furious. He said he never agreed to it.”
• Permission Creep – “Our compliance team is concerned that the Opt‐In for Meaningful Consent does not address the use of HIE data for population health studies.”
A personalmembership group of
Say Goodbye to Shared Savings
§ 425.710 Data use agreement.
(a)(1)….the ACO must comply with the limitations on use and disclosure that are imposed by HIPAA.
(2) If the ACO misuses or discloses data in a manner that violates any applicable statutory or regulatory requirements or that is otherwise non‐compliant with the provisions of the DUA, it will no longer be eligible to receive data under subpart H of this part, may be terminated from the Shared Savings Program under §425.218, and may be subject to additional sanctions and penalties available under the law.
Medicare Program; Medicare Shared Savings Program: Accountable Care Organizations; Final Rule, Fed Reg.76(212): 67802‐67990, 67989, November 2, 2011.
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 20
A personalmembership group of
Identifying and Mitigating Meaningful Consent Risk Exposures
A personalmembership group of
• Membership: HIM, IT, clinical leadership, legal counsel, patient relations and “typical” patients
• Design procedures fromthe patient’s perspective
• Address any applicablestate statutes
• Review other consentscenarios as appropriate(e.g. consent for treatments and procedures, consent for participation in clinical trials)
Form aReview Group
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 21
A personalmembership group of
Consent Time Out
Learn the best way to communicate with this patient and the right educational tools to use for him or her.
Look for such issues as:Cognitive abilityHearingVisual impairment Language The need for interpretersCultureHealth literacy
Rozovsky FA. Consent Time Out. Dialogues in Healthcare 2008;2(7):1‐11.
A personalmembership group of
It is a Two-Way Conversation
• Understandable explanation
• Probable benefits and risks in consent to participation in the HIE
• Explanation of alternatives, including restrictions on use
• Consequences of declining participation in the HIE
• Employ teach‐back to confirm understanding
Reasonable expectations No coercion – no intimidation
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 22
A personalmembership group of
Make it an“INFORMED” Refusal
• Does “no” mean NO?
• Complete an informed refusal process.
• Try to identify any basis for misunderstanding that could lead to a refusal.
A personalmembership group of
Data Partitioning
Restrictive permission from “meaningful” consent
Withdrawal at anytime of consent to inclusion of data in the HIE
IT needs to be part of the picture
Office and clinic IT folks need to be in the loop
Systems analytics for monitoring
Test the system
Log permissions for HIE
Log partial permissions/partial exclusions for HIE
Log withdrawal of consent
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 23
A personalmembership group of
DocumentingMeaningful Consent
Theconsent
The partial consent
The refusal consent
The decision reversal
Who consented the patient?
Ability of the individual to make a decision.
Who was present?
Record a summary of the consent process.
Record the agreed upon course of action regarding HIE.
Document the use of language interpreters and the language used.
Record the titles of decision aids used in the process.
Date and Time.
A personalmembership group of
Conclusion
A clearer public policy is needed from federal and state officials on meaningful consent.
At the operations level, much can be done by healthcare risk management professionals to mitigate the risks of this new approach to consent and HIE.
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 24
A personalmembership group of
Questions?
Fay Rozovsky, JD, [email protected]
Tim Kelly, MS, [email protected]
A personalmembership group of
• Rozovsky FA, CONSENT TO TREATMENT: A PRACTICAL GUIDE, 4TH
EDITION. New York: Wolters Kluwer, 2007 with annual supplements.
• HIPAA Privacy Rule, Final Rule, Federal Register, 78: 5687,et seq., Jan. 25, 2013. http://www.gpo.gov/fdsys/pkg/FR‐2013‐01‐25/pdf/2013‐01073.pdf
• Shared Savings Program for Medicare Accountable Care Organizations, Federal Register, 76: 67802, et seq., November 2 2011.
• Patient Consent for HIE, http://www.healthit.gov/providers‐professionals/patient‐consent‐electronic‐health‐information‐exchange/meaningful‐consent‐overview, last updated on March 24, 2014.
Reference List
Risk Managing Meaningful Consent
October 29, 2014 8:45am ASHRM Annual Conference & Exhibition Anaheim, CA Page 25
A personalmembership group of
• EHR Incentives & Certification, http://www.healthit.gov/providers‐professionals/meaningful‐use‐definition‐objectives, last updated on March 18, 2014.
• Rozovsky FA. Consent Time Out. Dialogues in Healthcare 2008;2(7):1‐11. www.therozovskygroup.com
• Rozovsky F, Kelly T. Mitigating the risks of 'meaningful consent' for HIE participation. Healthcare IT News. April 3, 2014. http://www.healthcareitnews.com/blog/mitigating‐risks‐meaningful‐consent‐hie‐participation
Reference List