Patients have long advocated for greater, easier access to their medical records while maintaining privacy. As health data-sharing increases, all of those who work across the healthcare industry have a responsibility to create a better and more interoperable healthcare system.

In a recent conversation on the Changing Healthcare podcast, we talked about the challenges of consent and data segmentation, how technology can help solve some of these problems, and  the work our industry is doing to create standardized ways to segment sensitive data.

Great progress, more work ahead

The healthcare industry took a big step forward with the 21^st Century Cures Act, which went into effect in 2021.The Office of the National Coordinator (ONC) and Centers for Medicaid and Medicare (CMS) rules implementing the Cures Act require healthcare systems, select payers, and health IT vendors to provide patients with access to their data, primarily through FHIR (fast healthcare interoperability resources) APIs.  This is a significant advancement from the early Meaningful Use requirements to enable patient access using an app of their choice.

Of course, mandates are one thing; meeting these mandates is another thing all together. The ease of patient access with FHIR APIs has introduced a pressing question: How can the industry best implement appropriate healthcare privacy policies through patient consent and data segmentation to enable secure patient and caregiver access?

Collaboration is key to success

The need to define frameworks for consent and segmentation, and the technology behind them, was a key driver for many industry players, including Change Healthcare. Change Healthcare participates in HL7, supporting the development of FHIR profiles, including those that can be used to communicate consent. Additionally, Change Healthcare participates in the SHIFT workgroup (formerly known as Protecting Privacy to Promote Interoperability (PP2PI) which is working to address sensitive data segmentation to protect patient privacy and promote interoperability.  The group’s work is focused on the development of nationally accepted use cases, standards revision of a national terminology value set, and collaboration with ONC on policy drivers to spur widespread adoption.

The problem with consent

Consent from patients for data access and use is key to establishing and maintaining patient privacy. But privacy covers multiple data exchange use cases, including: between the patient and various medical practices, mental health services, substance abuse histories, dental needs, pharmacy and medical device history, laboratory tests, payers, and caregivers.

There are number of complications to add to the mix when you incorporate proxy access: parents needing access to children’s information (and then the child coming of age, starting to manage their own privacy), and guardians with permission to manage consent for patients unable to do so themselves. To add to that, we are also collecting and storing all this information in silos, leading to patient frustration.

The core issue is this: how does a patient, or their representative, give consent in some cases and not in other cases? And what can be passed between data exchange partners to communicate consent choices?

Building APIs and consent access systems

Patients need a way to manage the use or purpose for sharing information. There are obvious clinical and payment applications, with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) guardrails. But consent is also needed for state laws, such as the California Consumer Privacy Act (CCPA) requirements, or for medical studies and clinical trials.

The first step is building and managing libraries of APIs that can be used by the patient as a vehicle of consent.

The goal is to allow the patient to give consent via a Web or mobile application that may house or access health records data. Significant work is being done in HL7 to build out these capabilities in FHIR. The FHIR consent resource has been available, but is being built out to allow for more granular consent options.  Additionally, OAuth 2.0, which is a key component of SMART on FHIR, enables an individual to be authenticated to the system to ensure consent is obtained from the right individual and data release is restricted to those with appropriate consent.

Data segmentation and challenges

Let’s say now we have appropriate consent, how do we tackle granularly segmenting the data we have access to? Data segmentation helps choose the kind of information that can be shared. The need here is ensuring patient privacy and patient safety.

We need to be better at how we identify, tag, protect, and share sensitive data. It’s critical to protect patient privacy when electronically exchanging sensitive information pertaining to behavioral health, substance use, reproductive health, HIV, and other medical issues. This is a challenge because we have many different stakeholders, different flows of data, data ownership, and complex implementation of standards.

Many are also concerned that data segmentation can exacerbate inequities in the healthcare system when it comes to tricky privacy problems such as when patients are being treated for addiction or mental health conditions. Both HIPAA and 42 CFR Part 2 (Part 2), two of the federal laws that govern the privacy of substance use disorders, may end up preventing a provider from knowing about other key conditions which can affect the quality of patient care.

Establishing standards segmentation

We need to approach this problem by having terminology standards in place where we are all speaking the same language, looking at implementation guidance and working with experts across the country so everyone is on the same page.  While data segmentation may seem uncomplicated at first blush, it is incredibly complex to determine which pieces of clinical data (particular medications, particular lab results, particular problems) that can be sensitive in nature.  Additionally, a single medication in a patient list may not communicate anything sensitive, but multiple medications together could indicate an HIV diagnosis, inadvertently releasing sensitive health information.  The industry must agree on the code sets that are deemed sensitive based on state and federal rules as well as patient preference so that automated rules engines can then appropriately withhold sensitive data.  NIH has done some of this early work that can be expanded to include the full breath of data sets for the industry to adopt.

In the future, artificial intelligence (AI) and machine learning tools may be embedded in consent and segmentation engines to provide patients and their advocates with the control they need. Such tools have the potential to point out to patients what type of content can be made available -- and to whom.

Technology can help lower cost and transform patient experience

Now that patients have easier electronic access to their data, the industry will need to ad0pt products and services to embrace privacy consent and choice. Change Healthcare along with many other companies have been supporting standards development for consent and data segmentation work for the last few years, and we are excited to see the advancements that will be made in the next few years.

All players in the healthcare ecosystem will need to work together to define and incorporate standards in solutions that will allow patients access to their clinical data.  Through a combination of FHIR, standardized data vocabularies, and standardized data tags, the industry will be able to build products that give patients greater control over their health information.