Friday, August 26, 2016

Consent Basis in Controlling Big-Data Feeding frenzy

In the last article I wrote about all the Vectors through the healthcare data access control space that are commonly needed by Patient Privacy Consent Authorizations. In this article I will describe the residual policy rules and Obligations.

When a Patient says YES to authorize access to their data, they are saying it within some context. This authorization comes with metaphoric strings.

Overall Policy context

A Consent Policy is a multi-layered thing. Let me illustrate this by looking at the simplest and most common Privacy Consent in healthcare:

  • The Patient says YES to authorize use of their data for Treatment, Payment, and normal hospital Operations.

One might think that this is a very simple Consent. Simply "YES". Others might notice that there are some restrictions to "Treatment/Payment/Operations". Both are very important attributes of the consent, and would be seen clearly in the consent. 

The Consent that would be on file will likely just say these simple truths. You have all seen a Consent form; they are not very all-encompassing.

What is implied is:
  • This consent is only for the one organization. Likely implied by the author of the consent.
  • This consent has a start date, of today. 
  • This consent names the patient
  • This consent names the purpose-of-use of Treatment, Payment, and normal hospital Operations
What is unclear is:
  • This consent doesn't appear to have an end date. 
    • So we need to look into the Organizations policies to see what their data retention policy is. Do they retain beyond receiving payment for services? Do they retain until death? Can I ask that they discard?
    • What control is there if the Organization is merged with another organization? Or goes out of business?
  • This consent relies on an agreed definition of "Treatment"
    • Does treatment mean all at the Organization can access the data regardless of treatment relationship?
    • Is there a formal treatment relationship system at this Organization?
    • Who is allowed to declare they are treating?
    • What actions are considered treatment, vs payment, vs operations?
    • One can imagine Treatment is restricted to licensed clinicians; but who is checking that?
    • Are any third parties used for any Treatment actions?
    • Are dietitians involved as part of Treatment, or Operations?
  • This consent relies on agreement of definition of "Payment"
    • Can I pay with cash and thus not expose this episode to any insurance?
    • Who are the people involved in Payment?
    • Are these accesses part of the access report?
    • Are third parties used for any of these Payment activities?
    • is involved?
  • This consent relies on agreement of definition of "Operations"
    • What is operations?
    • Who is authorized to do operations?
    • Who authorizes those that are authorized?
    • Are these operations actions also included in an audit?
    • Does this include government reporting?
    • Is there any way I can control what operations is?
    • Are third parties used for any of these Operations?
  • This consent doesn't say anything about things that are not mentioned. Does this mean that these other things are forbidden?
    • Often there is a statement hidden somewhere that indicates that there are times when Marketing may happen. Often this is considered part of normal Operations.
    • Often the organization is under government mandate to participate in quality reporting, immunization reporting, drug-abuse reporting, physical-abuse reporting, etc.
    • Often the organization is required to assist with law enforcement. Does this require a court order? 
    • Often the organization has a clinical-research function. Are the data used in clinical research? Are the data de-identified? If de-identified, what assurances that the de-identification is sufficient? What remedy is available if the de-identification is not sufficient?
    • Are third parties used for these unsaid things?
Further away and 
  • How do I get an accounting of access?
  • How do I dispute that someone got access that should not have?
  • How do I request a correction?
  • If I terminate the Consent, then what is still allowed to be done with my data?
  • What remedy is available?
Within HIPAA there is a requirement that the Notice of Privacy Practices be posted. Although HIPAA is a very minimalist regulation and specific to the USA, similar practices are found elsewhere in the world. Some of the above questions might be answered by that document. However, I am sure some of the above is not stated in that document.

An important point is that the details needed are not found in any Regulation, they are specific to the Organization. The Organization must look at regulations and their goals and come up with their specific Policy. This concept of Layers of Policy was first introduced in my Healthcare Privacy & Security Bloginar, based on the IHE presentation.

This preparation is also the first step in my discussion on the overall Consent Process. Shown in this infographic.

So a Consent record will indicate who the Patient is, what the start date is, what organization it is with, etc. The Consent record also needs to be very clear about what rules apply at that organization. This is what I am referring to as Base Policy: the basis of the Consent, that upon which this specific Patient's Consent is built.

That Base Policy is defined to be a set of definitions and rules intended to meet some Goals and Regulations. Shown in blue in the following figure. That Base Policy informs and controls a bunch of IT Systems including a User Directory, Patient Directory, Role assignment, etc. That Base Policy fulfills a set of regulations. So the Base Policy is fulfilling the Organization's responsibility to Regulations (like HIPAA), and to the Goals of the Organization.
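To make the layering concrete, here is a small access-decision evaluator written for this article; it is an added example, not code from the blog, from IHE, or from any real consent system, and every field name, role name and sample value in it is a hypothetical assumption. It models the simple "YES to Treatment, Payment and Operations" consent as a record that carries only what the form states (patient, organization, start date, purposes, a reference to the Base Policy), and models the Base Policy as the organization-specific definitions the form leaves implicit: which roles count as Treatment, Payment or Operations, whether a treatment relationship is required, and the retention period that stands in for the missing end date. The evaluator cannot reach a decision without the Base Policy, which is the point of the section.

```python
"""Consent evaluated against an organization's Base Policy (added, hypothetical example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Optional

PURPOSES = ("TREATMENT", "PAYMENT", "OPERATIONS")


@dataclass(frozen=True)
class Consent:
    """What the signed form actually records (hypothetical field names)."""
    patient_id: str
    organization: str
    start: date
    purposes: FrozenSet[str]
    base_policy_id: str            # the Base Policy this consent is built upon
    end: Optional[date] = None     # usually absent on the form


@dataclass(frozen=True)
class BasePolicy:
    """The organization's own definitions that give the consent its meaning."""
    policy_id: str
    organization: str
    roles_by_purpose: Dict[str, FrozenSet[str]]   # who may act under each purpose
    retention_years: int                          # stands in for the missing end date
    treatment_requires_relationship: bool


@dataclass(frozen=True)
class AccessRequest:
    patient_id: str
    organization: str
    user_id: str
    role: str
    purpose: str
    when: date
    has_treatment_relationship: bool = False


@dataclass
class Decision:
    outcome: str                                  # "PERMIT", "DENY" or "INDETERMINATE"
    reason: str
    obligations: List[str] = field(default_factory=list)


def effective_end(consent: Consent, policy: BasePolicy) -> date:
    """A consent with no end date inherits the organization's retention rule."""
    if consent.end is not None:
        return consent.end
    try:
        return consent.start.replace(year=consent.start.year + policy.retention_years)
    except ValueError:  # start date was 29 February; fall back to 28 February
        return consent.start.replace(year=consent.start.year + policy.retention_years, day=28)


def evaluate(consent: Consent, policy: Optional[BasePolicy], request: AccessRequest) -> Decision:
    """Decide a request from the consent plus the Base Policy it references."""
    if policy is None or policy.policy_id != consent.base_policy_id:
        return Decision("INDETERMINATE", "base policy referenced by the consent is not available")
    if request.patient_id != consent.patient_id:
        return Decision("DENY", "consent is for a different patient")
    if not (consent.organization == policy.organization == request.organization):
        return Decision("DENY", "consent and base policy apply only to the organization holding them")
    if request.when < consent.start or request.when > effective_end(consent, policy):
        return Decision("DENY", "request falls outside the consent's effective period")
    if request.purpose not in consent.purposes:
        return Decision("DENY", f"purpose {request.purpose} is not authorized by the consent")
    if request.role not in policy.roles_by_purpose.get(request.purpose, frozenset()):
        return Decision("DENY", f"role {request.role} is not part of {request.purpose} under the base policy")
    if (request.purpose == "TREATMENT" and policy.treatment_requires_relationship
            and not request.has_treatment_relationship):
        return Decision("DENY", "base policy requires a treatment relationship for TREATMENT access")
    # Permit, with the obligations the article asks about: accounting of access and audit.
    return Decision("PERMIT", "authorized by the consent under the base policy",
                    obligations=["record in accounting of access", "write audit log entry"])


# Constructed sample data (hypothetical organization, roles and dates).
POLICY = BasePolicy(
    policy_id="org-a-base-2016", organization="Org A",
    roles_by_purpose={"TREATMENT": frozenset({"physician", "nurse"}),
                      "PAYMENT": frozenset({"billing"}),
                      "OPERATIONS": frozenset({"quality", "compliance"})},
    retention_years=7, treatment_requires_relationship=True)

CONSENT = Consent(patient_id="patient-123", organization="Org A", start=date(2016, 8, 26),
                  purposes=frozenset(PURPOSES), base_policy_id="org-a-base-2016")


def demo() -> Dict[str, str]:
    """Run a set of constructed requests and return outcome by scenario name."""
    base = dict(patient_id="patient-123", organization="Org A", when=date(2017, 1, 10))
    scenarios = {
        "treating physician": AccessRequest(user_id="dr1", role="physician", purpose="TREATMENT",
                                            has_treatment_relationship=True, **base),
        "physician, no relationship": AccessRequest(user_id="dr2", role="physician",
                                                    purpose="TREATMENT", **base),
        "nurse doing payment": AccessRequest(user_id="rn1", role="nurse", purpose="PAYMENT", **base),
        "marketing (unsaid purpose)": AccessRequest(user_id="mk1", role="billing",
                                                    purpose="MARKETING", **base),
        "after retention period": AccessRequest(patient_id="patient-123", organization="Org A",
                                                user_id="billing1", role="billing", purpose="PAYMENT",
                                                when=date(2030, 1, 1)),
    }
    results = {name: evaluate(CONSENT, POLICY, req).outcome for name, req in scenarios.items()}
    results["no base policy available"] = evaluate(CONSENT, None, scenarios["treating physician"]).outcome
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:32} -> {outcome}")
```

Note how the "nurse doing payment" and "marketing" requests are refused for different reasons: the first purpose is on the form but the Base Policy does not count that role as Payment; the second purpose is simply not on the form. Neither decision could be made from the consent alone.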

Conclusion

The Base Policy of a Consent is just as important as the Consent. The Base Policy is not the regulations; regulations are the basis of the Base Policy. The Base Policy includes a huge amount of rules and commitments that are specific to that organization. The Consent is the proverbial tip-of-the-iceberg.

Other articles on Privacy Controls and Privacy Enforcement