Maine Bill Would Require HIE Opt-In
Patients Would Have to Opt In to Allow Data Access
The legislation, introduced by Sen. Roger Katz, R-Augusta, would require that healthcare providers give patients an opt-in form that they could use to indicate whether they want their information shared over HealthInfoNet, the statewide HIE. The bill also would:
- Mandate the HIE notify patients in case of a breach;
- Mandate that patients be able to review their records that are accessible via the HIE;
- Prohibit disclosure of records for marketing or sales without patient authorization;
- Prohibit denial of treatment or payment on the basis of non-participation in HealthInfoNet.
In voicing support for the bill, Shenna Bellows, executive director of the Maine Civil Liberties Union, said, "Patients should have a choice as to whether they want their private medical records to be shared in a statewide database. Patient privacy and consent need not be barriers to improving coordinated care."
Central Data Repository
HealthInfoNet uses a central data repository to store certain patient records, explained Devore Culver, the HIE's executive director and CEO. Authorized clinical users can access information in the database using a secure virtual private network portal, he said. "Any authorized clinician accessing the exchange must 'break the glass' and associate themselves with a patient in a specific role before access to personal health information is granted," Culver said.
Healthcare providers in Maine that participate in the statewide HIE give patients a Notice of Privacy Practices, as required under HIPAA, that also states that their data may be shared via the HIE, Culver said. The notice describes how a patient may opt out of having their information shared via the HIE. Patients can opt out via the web, over the phone or by filling out a paper form. "Once a patient opts out, their health information is deleted from the HIE," Culver said.
HealthInfoNet designed its patient consent strategy in 2007. A majority of stakeholders, including representatives of patients, providers, payers, business and government, "felt an opt-out strategy best balanced the interests of patients, providers and all those involved, as well as ensured the exchange would be effective, valuable and viable," Culver said. "All agreed that an opt-in policy was impractical and would not lead to enough participation to be of value."
The Privacy and Security Tiger Team, which advises federal regulators, has endorsed a "meaningful consent" approach that HIEs should take; it accommodates either the opt-in or opt-out approach. (See: Patient Consent Guidelines Endorsed). The team's recommendations have not yet been incorporated into a federal rule or regulation.
An HIE survey last year found that only 18 percent of health information exchanges had a policy requiring patients to "opt-in" and give formal consent before any of their records are shared via the networks (See: Survey: 'Opt-In' for HIE Consent is Rare).