Healthcare providers may use either an opt-in or opt-out method to obtain patient consent for a directed or simple exchange of records between two health care organizations, members of the federal privacy tiger team said last week.
But an opt-out approach should be undertaken only if the provider gives its patient a reasonable opportunity to make an informed decision about that option, what the tiger team called giving the patient a "meaningful choice" in the control of their personal healthcare information.
In an opt-out method, providers assume consent is granted for sharing health records until a patient decides to opt-out.
Meaningful choice could be satisfied by giving patient sufficient advance notice to consider consent and also must be outside of the scope of the urgent need for care, according to members of the team who met last week to discuss consent policies.
Other measures of meaningful choice would involve offering the patient as much transparency as possible about the organization receiving their health information, the plan for its use and other implications of the patient's decision, policy makers said.
The concept of meaningful choice is important because its terms protect a patient's expectation of privacy, according to Deven McGraw, the chair of the tiger team and director of the Health Privacy Project at the Center for Democracy and Technology.
"Opt-out is acceptable if it meets all the criteria of meaningful choice," she said at a meeting of the tiger team Aug. 6.
The tiger team, made up of public and private sector health care privacy experts, is charged with recommending answers to vexing privacy and security problems related to health information exchange in programs funded by the Office of the National Coordinator.
The direct exchange of patient data between two providers generally does not require patient consent beyond what is already covered in the Health Insurance Portability and Accountability Act, state laws and fair information practices, unless circumstances arise to trigger a consent decision.
An example of such a circumstance would include when patient data in a provider-held record is no longer in the control of that provider, according to Paul Egerman, a software entrepreneur and co-chair of the tiger team.
"Patients must have an opportunity to provide consent before any of the patient's data is made available to a third party information organization," he said at the meeting.
This can be met with an opt-in form of consent, in which patient information goes nowhere without the patient's permission. Or, providers can offer clear disclosure statements with plenty of notice so patients have the opportunity to opt-out before making patient's data available. If the patient does not opt out, the provider can share the information.
Meaningful choice measures are meant to strengthen the opt-out form of consent, which patients often don't pay attention to, team members noted. "Opt-out has been used historically sometimes to avoid consent," said Wes Rishel, a tiger team member and vice president and an analyst for Gartner's healthcare provider research practice.
"In opt-in, my permission is never assumed until it is given," he said.
