Data Control vs Data Access, with Purpose
No one argues that collaboration and communication are keys to effective and efficient healthcare.
These concepts require data sharing across the fragmented healthcare ecosystem — with controls. Necessary controls on ethical and fluid data sharing are stressed when more players collaborate more often. Individuals have the responsibility to protect their privacy in the face of massive power and informational asymmetries between patients and the medical ecosystem serving as their service providers.
In general, consumers are in favor of electronic data sharing, but three elements of transparency are important: individual control, who has access, and the purpose for use of the data.
This process of giving up control is always in a context that can blur what is actually happening to a consumer. When answering consent questions, a consumer is attempting to do something else (e.g., enroll, get to an appointment, and be admitted to a hospital). An analogy can be made when signing up to a new app or service as one is engaged in a process of use rather than reflectively considering the implications of consent.
Legally, to be compliant with the CMS interoperability and patient access final rule, all CMS-regulated payers need to implement and maintain a standard-based application programming interface (API) to share member health data. The API should allow members to access their health data through third party applications of their choice and give physicians access to member information, if required, with an approval/consent from the member.
Concurrently, under the “payer-to-payer data exchange” policy, current payers are required to send member clinical data to new payers. Payers are liable to share this data till five years post the end of a member’s coverage or disenrollment. Payers are at the receiving end of this need to store member information in their data systems to ensure uniformity of the data.
Interoperability Drives Increased Need for Granular Privacy & Consent
Payers and members will quickly find that privacy and, its sister concept, consent have much more importance than in the past as data flies around the healthcare ecosystem. In response, consent technology will be reinvented over the next 18 months to provide payers and members with confidence that “their data” is not used inappropriately.
As we said in “Health Data Sharing Consent — What It Is and Why Payers Should Start Afresh” (IDC #US47671021, May 2021), this effort will use technology to capture and maintain patient consent preferences, identify which sensitive portions of member information are restricted from access, and communicate these restrictions electronically with others.
Current consent management solutions are limited to the opt-in/opt-out models of dedicated consent, either allowing or denying all of the content within the healthcare application only, and the purpose of the consent record is to be used locally for the application only. Conversely, patients do not have a mechanism to grant or restrict access to their information at their own discretion or even be aware of how their information is being accessed.
Simply put, a payer needs to build/buy a new agile consent infrastructure for compliance, trust, and control.
Advice for the Technology Buyer
- Identity and access management
- Data ingestion, curation, and cleansing of data via ETL or advanced engines
- EMPI, an “enterprise” master patient index (a centralized, cross-platform solution designed to link/match and reconcile records in real time from diverse systems to assign records to a unique “person” correctly)
- Longitudinal health records in an EHR, data warehouse, data lake, and/or FHIR server
- Business rules engines
- Data encryption
- API management
- Data use logging and audit
Consider that these technologies have evolved in a passive way over many years to meet low level requirements only around egregious use of personal health information (PHI) within the enterprise. Time to rethink in the context of interoperability.