Consent Management in Health Care Privacy


The Personal Information Protection and Electronic Documents Act

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations. It sets out the ground rules for how businesses must handle personal information in the course of commercial activity. Under PIPEDA, knowledge and consent are not required for certain purposes when information meets the definition of “publicly available.” However, “publicly available information” should not be confused with “information that is accessible to the public.” In fact, the definition of “publicly available” under PIPEDA is very restrictive.

PIPEDA regulations define “publicly available” information as information appearing in telephone directories, professional or business directories, government registry information, and records of quasi-judicial bodies that are available to the public. Generally speaking, no consent is required as long as the collection, use, and disclosure of such information relates directly to the purposes for which it was made publicly available.

“Publicly available” information also includes information published in a magazine, book, or newspaper that is available to the public and where the individual has provided the information.

All personal information that is not “publicly available” as defined above, or which is not covered by the other exceptions, requires consent.

Business and Architecture Considerations for Interoperable Consent Solutions[3]

The express consent of the individual is generally not required for the collection of personal health information (PHI) to provide care and treatment. In fact, the collection of this information is required to provide care. The legislative frameworks in most jurisdictions, however, permit individuals to express their wishes to limit the use and/or disclosure of their personal health information for some purposes. These wishes must be documented, communicated and respected throughout the individual’s interaction with the health system, in both paper and electronic systems. The exercise of these wishes, however, is constrained by jurisdictional and organizational rules.

Consent directives, a term used to refer to the expression of an individual’s wishes, may include direction to permit, withhold, withdraw, change or revoke consent to collect, use or disclose personal health information. While relatively few consent directives are in place at this time, consent management functionality is a legislated requirement and must be part of electronic health record (EHR) systems.

Three basic deployment models for consent management exist:

1. Central consent management
  • This model features a centralized consent repository
  • It has a centralized CMS functionality within the Health Information Access Layer (HIAL) operating within a Services Oriented Architecture (SOA)
  • A CMS web interface supports the capture and management of directives
2. Consent management as part of a clinical domain repository
  • Currently, this is the most common deployment model reported across jurisdictions in Canada 
  • Each domain has a consent management solution - consent management is integrated within the clinical domain solution.
  • Capture, storage and enforcement of consent directives take place within the clinical domain solutions.
3. Federated consent management
  • CMS components may reside in a number of locations and can work together in various ways -- multiple instances of the same CMS may be distributed across various locations or the various functions of a comprehensive solution may be dispersed.
  • If consent transactions take place in a number of Consent Repositories dispersed across the jurisdiction, the repositories synchronize consent directives and consent management rules. Enforcement may be provided by a single common HIAL or synchronized multiple regional HIALs.
  • If domain-specific CMSs are federated into an overall jurisdictional solution, the enforcement and management of directives may occur within the clinical domain CMS. 

The constant and accelerating pace of technological change is having a profound impact on privacy protection. It is critical for organizations to consider privacy issues before launching new products or services that involve the collection of personal information. Individuals should also consider privacy issues before using new technologies. When devising solutions to consent management, it is equally important to consider the role that technology plays in managing virtual health information.[5]

Privacy as a Competitive Advantage

Openness about privacy practices and easier user access to that information will lead to greater consumer trust, which is good for business. Privacy is, more than ever, a material consideration in consumers’ decisions to purchase or use products and services. Organizations that win and maintain trust in this area will realize a competitive advantage. If people are confident about putting their personal information online, they can more fully participate in the digital economy, which will spur innovation and create economic benefits for local and global health care economies.[2]

Key Takeaways

Consent management enables patients and consumers to affirm their participation in e-health initiatives and to establish consent directives to determine who will have access to their protected health information (PHI), for what purpose and under what circumstances. Consent management supports the dynamic creation, management and enforcement of consumer, organizational and jurisdictional privacy policies. It is a crucial touchstone of virtual health care privacy.

We came across some useful information from Privacy Horizon and supplementary sources and have combined it into the summary below on the topic of consent management in healthcare. Please refer to the original sources below for more detailed information.

Consent management refers to the system of practices that governs how consumers and patients decide which personal health information they are willing to let their health providers access. In today’s society, personal information is collected and used extensively by individuals and organizations for a variety of reasons. Advances in technology have a particularly significant impact on the ease with which personal information can be collected, used, shared and combined, introducing new challenges for the protection of personal information.

Consent is a key element of the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law. Under PIPEDA, organizations are required to obtain meaningful consent for the collection, use and disclosure of personal information. Consent is considered meaningful when individuals are provided with clear information explaining what organizations are doing with their information.[1]
