Consent Management Controls in the Age of Interoperability
Information
The requirement to secure and control access to personal health information (PHI) byvarious parties (patients, payers, personal representatives, authorized users, etc.) requiring differing levels of granular access controls is a major challenge facing the healthcare industry – and it is increasing in complexity. The rise of FHIR interoperability across major healthcare entities, an expanding ecosystem of data trading partners (some who may not be initially subject to HIPAA), and the sharing and combining of new and varied types of data (e.g., WIC, SNAP) that may have different consent requirements are some of the drivers contributing to these challenges. Additionally, federal and state regulatory provisions with complex and, at times, overlapping consent mandates must be considered when designing solutions governing patient data. Finally, we are in a new age of surveillance and AI that is raising many new questions about transparency and limitations on data reuse and associated authorizations/consents. The next generation of consent controls must ensure the sharing of PHI conforms to these evolving complex regulatory and patient demands.
Presenters will discuss the:
· Basics of healthcare data access consent controls
· Emerging complexities and designs around exchanging whole person data to support Medicaid populations
· Challenges and designs required to ensure regulatory compliance across parties accessing PHI based on rules repositories and enforcement engines
· Effect increases in FHIR-based interoperability adoption is having on the healthcare ecosystem and how it can be capitalized on through the adoption of a new set of consent management controls supporting regulatory and business polices, as well as technical requirements
· Dynamics of key consent-related aspects evolving over time and how organizations will need to utilize flexible consent management controls to support interoperability regulations and individual business requirements while continuously conforming to federal and state data-sharing regulations in a scalable and enterprise-accessible manner
· Key industry drivers that need to be considered, such as HL7 FAST Consent Management and HL7 Da Vinci Implementation Guides (e.g. PDEX), and how those drivers work together to capture, utilize, share, and manage a federated set of consent FHIR resources
Presenters will also provide overviews of two different projects designed to explore consent management:
1. An overview of a consumer identity access management program for a commercial payer by a healthcare technology company and how that project has been successfully implemented as an enterprise person identity solution, in conjunction with a consent management program, to address federal and state data access control provisions through flexible and scalable architecture. The presenter will discuss the challenges faced during the project and the solutions implemented to overcome them.
2. An overview of a pilot for a universal consent management form designed to be securely stored and managed by a contracted nonprofit information exchange for Medi- Cal (Medicaid) enrollees. The presenter will discuss outcomes of the pilot, lessons learned in implementation, and future consent management solutions being explored.
