When a Patient says YES to authorize access to their data, they are saying it within some context. This authorization comes with metaphorical strings attached.

Overall Policy context

A Consent Policy is a multi-layered thing. Let me illuminate this by looking at the simplest and most common Privacy Consent in healthcare:
- The Patient says YES to authorize use of their data for Treatment, Payment, and normal hospital Operations.
- This consent is only for the one organization. This is likely implied by the author of the consent rather than stated.
- This consent has a start date, of today.
- This consent names the patient.
- This consent names the purpose-of-use of Treatment, Payment, and normal hospital Operations.
- This consent doesn't appear to have an end date.
  - So we need to look into the Organization's policies to see what their data retention policy is. Do they retain beyond receiving payment for services? Do they retain until death? Can I ask that they discard?
  - What control is there if the Organization is merged with another organization? Or goes out of business?
- This consent relies on an agreed definition of "Treatment".
  - Does treatment mean that everyone at the Organization can access the data, regardless of treatment relationship?
  - Is there a formal treatment relationship system at this Organization?
  - Who is allowed to declare they are treating?
  - What actions are considered treatment, vs payment, vs operations?
  - One can imagine Treatment is restricted to licensed clinicians; but who is checking that?
  - Are any third parties used for any Treatment actions?
  - Are dietitians involved as part of Treatment, or Operations?
- This consent relies on an agreed definition of "Payment".
  - Can I pay with cash and thus not expose this episode to any insurance?
  - Who are the people involved in Payment?
  - Are these accesses part of the access report?
  - Are third parties used for any of these Payment activities?
  - is involved?
- This consent relies on an agreed definition of "Operations".
  - What is operations?
  - Who is authorized to do operations?
  - Who authorizes those that are authorized?
  - Are these operations actions also included in an audit?
  - Does this include government reporting?
  - Is there any way I can control what operations is?
  - Are third parties used for any of these Operations?
- This consent doesn't say anything about things that are not mentioned. Does this mean that these other things are forbidden?
  - Often there is a statement hidden somewhere that indicates that there are times when Marketing may happen. Often this is considered part of normal Operations.
  - Often the organization is under government mandate to participate in quality reporting, immunization reporting, drug-abuse reporting, physical-abuse reporting, etc.
  - Often the organization is required to assist with law enforcement. Does this require a court order?
  - Often the organization has a clinical-research function. Are the data used in clinical research? Are the data de-identified? If de-identified, what assurances are there that the de-identification is sufficient? What remedy is available if the de-identification is not sufficient?
  - Are third parties used for these unsaid things?
- How do I get an accounting of access?
- How do I dispute that someone got access who should not have?
- How do I request a correction?
- If I terminate the Consent, then what is still allowed to be done with my data?
- What remedy is available?
That Base Policy is defined to be a set of definitions and rules intended to meet some Goals and Regulations. It is shown in blue in the following figure. That Base Policy informs and controls a number of IT Systems, including a User Directory, Patient Directory, Role assignment, etc. That Base Policy fulfills a set of regulations. So the Base Policy is fulfilling the Organization's responsibility to Regulations (like HIPAA), and to the Goals of the Organization.
Other articles on Privacy Controls and Privacy Enforcement