Support for "Opt-in" or "Opt-out" Approaches
Consent management is a governance decision that the HIE has to make based on state and local laws. Our system is built with the flexibility to support and implement the governance recommendations from the HIE operator. Consent management can be formally analyzed using the 4-factor approach described below.
| Factor | Description |
|---|---|
| Name of the Use Case | Name of the "course of action" |
| Default Setting | The possible set of default values that can be chosen |
| Who initiates and records the consent? | Entity that is responsible for recording the consent |
| Workflows | Transactions that together constitute the functionality required by the use case |
Here are some illustrative examples:
| Use Case | Default Setting | Who initiates and records consent | Workflows |
|---|---|---|---|
| Lab Results Delivery | Consent is implicit | Not applicable as it is covered under HIPAA treatment provision | Lab order, Lab results delivery |
| Clinical Summary to ED and hospitals | Explicit consent is required (also known as "Opt-in") | Patient provides consent at point of care to the provider | Retrieve clinical summary |
Our Implementation approach: As illustrated above, the HIE operator will make the governance decisions on the consent model that is most appropriate for its needs for each of the use cases (Groups A, B, C, and D). The HealthUnity system can be configured to implement the consent policies with relative ease. Our consent system supports such actions as: Consent Grant; Consent Deny; Consent Revoke.
Consent module for viewing, configuring, and editing consent policies, and enabling online consent management
We have one of the most comprehensive implementations of consent management in the industry.
Personal Health Record in a Health Record Bank configuration: Using this approach, patients have self-service consent options. Patients can choose the providers from whom they request clinical data and the providers to whom they permit data to be disclosed. After appropriate approvals, data will flow into a single PHR system with the source of data appropriately indicated.
Provider: For most use cases (e.g. Clinical Summary at ED, Hospital), patient consent is typically required. Out of the box, we support a very flexible system for consent management, including options for both opt-in and opt-out, which is ultimately fine-tuned to your governance policies.
As shown above, consent capture can be done using signature devices, thereby reducing paper consent forms. The digitized signature is automatically captured to the onscreen form.
Actions supported: Consent Grant; Consent Revoke; Consent Deny.
We also support very fine-grained consent policy implementations. Some HIE customers require such fine-grained consent options while others want to keep it simpler. Examples of some of the options we provide include:
- Consent to publish only (e.g. publish to PHR only)
- Consent to receive only
- Consent based on receiving party
- Consent based on type of information
Support for "break the glass" access for data on an individual patient for medical emergencies
We support "break the glass" (BTG) access control. The BTG privilege can be restricted using our role-based security system. For example, the HIE operator can designate only ED physicians to have BTG privilege. Use of the BTG feature will create audit entries that can be reviewed to ensure compliance with policy.
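The decision logic described in this section, as an added example in Python that is not HealthUnity's code: per-use-case defaults, Grant/Deny/Revoke records, and role-restricted break-the-glass access that always leaves an audit entry. The use-case keys, the role name, the `opt_out` default value, and the rule that BTG overrides missing, denied or revoked consent are assumptions; the real rule is whatever the HIE operator's governance policy says.

```python
from datetime import datetime, timezone

# Default setting per use case, following the two illustrations on this page.
DEFAULTS = {"lab_results_delivery": "implicit", "clinical_summary": "opt_in"}
BTG_ROLES = {"ed_physician"}  # assumed: operator limits BTG to ED physicians


class ConsentService:
    def __init__(self):
        self.events = []  # (patient, use_case, action), oldest first
        self.audit = []   # one dict per access decision

    def record(self, patient, use_case, action):
        if action not in ("grant", "deny", "revoke"):
            raise ValueError(f"unsupported consent action: {action}")
        self.events.append((patient, use_case, action))

    def _latest(self, patient, use_case):
        # The most recent action wins, so a revoke cancels an earlier grant.
        for p, u, a in reversed(self.events):
            if (p, u) == (patient, use_case):
                return a
        return None

    def decide(self, user, role, patient, use_case, btg_reason=None):
        default = DEFAULTS[use_case]  # unknown use case raises KeyError: fail closed
        latest = self._latest(patient, use_case)
        if default == "implicit":
            allowed, basis = True, "implicit"
        elif latest == "grant" or (latest is None and default == "opt_out"):
            allowed, basis = True, "consent"
        elif btg_reason and role in BTG_ROLES:
            # Assumption: BTG overrides missing, denied or revoked consent.
            allowed, basis = True, "break_the_glass"
        else:
            allowed, basis = False, "refused"
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(), "user": user,
            "role": role, "patient": patient, "use_case": use_case,
            "allowed": allowed, "basis": basis, "btg_reason": btg_reason,
        })
        return allowed, basis

    def btg_entries(self):
        # Entries a compliance reviewer would pull: granted BTG plus refused attempts.
        return [e for e in self.audit
                if e["basis"] == "break_the_glass" or (e["btg_reason"] and not e["allowed"])]
```

Refused BTG attempts are returned alongside granted ones because a user without the privilege repeatedly supplying a BTG reason is itself worth reviewing.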

