Healthcare Consent Management Demands Newfound Respect for the Checkbox

We are all familiar with the endless and repetitive paperwork required at each doctor’s office visit. We complete the forms as quickly as possible and check the boxes, often with just a brief scan. However, those little check boxes on the forms are about to play a much bigger role in how payer and provider organizations, along with commercial businesses, interact with our healthcare data. The Centers for Medicare and Medicaid Services (CMS) and Office of the National Coordinator for Health Information Technology (ONC) have published final rules for interoperability that unequivocally say the patient is in control of their healthcare data. So that little check box asking for a patient’s consent to use and share their data with others—along with new ways for patients to give their consent for data sharing—takes center stage in the final rule.

Consent management done well can be the catalyst for unleashing the potential of member, patient, and consumer data. Traditionally, consent has been managed at a high level (e.g., “I give permission to use my data for billing”), and the use of data has been largely dictated by regulations such as HIPAA. Such high-level consent meant that data could be used only for very specific purposes, like providing and paying for care. Responsible organizations took a conservative view of consent and were reticent to use data for things like high-value operational activities related to care coordination with third parties or advanced analytics.

But the new CMS and ONC interoperability rules mean the individual consumer, patient, or member can consent to far broader and more valuable uses of their data for artificial intelligence, machine learning, consumer health applications, and the like.  When patients, on a large scale, consent to share diet and exercise data, for example, with providers and research institutions, what impact might that have on population health analytics and medical research in general?  What that may look like to consumers could ultimately be better, more informed and more personalized decisions about their care. 

Savvy healthcare organizations will leverage the new rules to their advantage. What do you think it means to a payer organization to get access to a member’s entire claims history, from all previous policies, from all previous payers? Then add to that picture data from MyFitnessPal, Jenny Craig, Fitbit, and all the other wearable devices and smart phone apps streaming data about a member’s every move? Impossible?  The patient has only to check the right box. Advantage can be gained only if organizations are able to capture and manage the consent so they can use the patient’s or member’s data with confidence that all appropriate permissions have been granted.

Expanding Data Sharing to Third Parties

Managing member and patient consent for the use of their data has always been important. But in the past this consent has been limited by HIPAA, and the use of the data has largely been internal to an organization. The new interoperability rules expand the sharing of data to include third parties designated by the patient or member. This external sharing of data creates far greater risk for the payer if their tracking and managing of consent is inaccurate. The new need to manage consent for sharing ePHI (electronic protected health information) with third parties comes on top of the already growing importance of consent management, which many payers have largely left unaddressed.

The proliferation of data volume, data sources, and data types has made consent management much more challenging—and much more integral to the data management architecture for providers and payer organizations. Add in the complexity created when data is used for the secondary purposes of analytics and artificial intelligence, and consent management becomes critical to enabling exciting new product features while reducing organizational exposure and risk. The end result is a far more demanding consent management landscape than ever before—one whose implications extend beyond compliance and privacy, and one that can also significantly enable and accelerate business objectives.

I am working on a white paper that explores the complex requirements of consent management. Consent management requires assembling many of the core capabilities of a robust data management platform into seamless end-to-end processes that can be orchestrated with member, patient, or consumer consent as a mission-critical business process. As I work on that white paper, it is clear that consent management is a complex data management challenge:

  • We must know, accurately and unequivocally, who the consumer is
  • We must capture and document their consent for use of their data for specific purposes, in whatever form and wherever that consent may be collected
  • We must have automated, scalable, reliable processes that allow that consent to be reviewed, verified, and updated

Consent management is definitely a data management—and data governance—challenge, but like most things related to data management, consent management should include IT, but not be owned by IT. Its potential impact on the business is far too great. Today we see consent management often falling under data privacy—part of a broader compliance picture. Tomorrow, I suggest that it will be owned by the executive responsible for data governance or, in the case of healthcare payer organizations, it could fall under the purview of the Chief Actuary Officer, where most of the key data science and analytics work is done today. Regardless, healthcare organizations need to start preparing themselves for consent management operations with people, budget, and a newfound respect for that little checkbox.

Next Steps

View more info at www.informatica.com/healthcare