Health information exchanges and the problem of consent

Will health information exchanges provide patient access portals or not?

There are 60 or so regional health information exchanges (HIEs) in the works. They are beset with issues: technology, regulations, competing stakeholders, payment reform uncertainty, sustainability and consent. The last thing they need, it seems, is citizen clients.

It turns out that HIEs have a choice of strategies, at least in the next year or two. Now that proposed Stage 2 Meaningful Use regulations are out mandating secure messaging via the direct protocols for all certified EHR vendors, HIEs can avoid patient access by not storing any information about a patient. Simply put, HIEs can either just relay encrypted messages or they can tackle the problem of consent.

The New York Civil Liberties Union (NYCLU) recently took notice of plans by the SHIN-NY to collect and store data without patient consent by arguing that patient consent will be needed for release of data. Going even further, the SHIN-NY is trying to pass all patient-facing responsibility, including getting consent and providing an accounting for disclosures, to the participating institutions – a plan that surely can’t help their sustainability problem – but I digress.

HIEs like SHIN-NY are making a mockery of HIPAA. Weak as it is, HIPAA at least requires institutions that have data about a patient to share that data with the patient. Stage 2 goes much further than that to include convenient on-line access through portals and downloadable things like Blue Button files. According to their published principles, SHIN-NY is defining itself as exempt from citizen disclosure of the information it stores.

From a legal perspective, the SHIN-NY patient-transparency-avoidance strategy might be that they should be treated like a state agency that collects private information for internal use because they don’t share the information with anyone without patient consent. This, it seems to me, is a major stretch since there’s no way for a patient to actually know specifically what information will be shared about them if they do consent.

It’s time for sunshine in HIEs and an open HIE consent discussion. The principle of “nothing about me without me” comes to mind. HIEs that want to store data about me, first and foremost, must make that data conveniently accessible to me via a Web portal. They should allow me to share that data with trusted institutions using free and simple standards that can limit access to the minimum information necessary.

HIEs are at the crossroads of patient engagement, itself a major thrust of Stage 2. I hope these new publicly funded institutions make the patient-friendly choice.

Adrian Gropper is a medical technology developer and consulting on health services strategy at

Submit a guest post and be heard on social media’s leading physician voice.

View 3 Comments >

Most Popular

✓ Join 150,000+ subscribers
✓ Get KevinMD's most popular stories