Health Information Technology

Currently, patient consent decisions about sharing health information are often obtained on a paper form.  As more providers and Health Information Exchange Organizations (HIEs) move to the use of electronic health records (EHRs) and other health IT, technology will play an increasing role in electronically capturing and maintaining patient consent. 

Technology will also play an important role in identifying and communicating a patient’s consent decision related to sharing health information.  Health IT systems will need the ability to honor patient consent decisions.

This web page touches on the technology aspects of capturing and maintaining consent decisions as well as the handling of sensitive health information. 

E-consent technology
How Can Consent Decisions be Captured and Maintained Electronically?

A number of different models for electronically capturing and managing patient consent exist, including:

  • Consent Bundled with Information – collecting patient consent at the place where health care is delivered and then transmitting the consent and corresponding health information when it is requested by others. For example, in some models, a consent document (such as a PDF of a paper consent form) is sent along with the patient’s health information.
  • Metadata Tagging – adding a code to the health information to “tag” it with details related to the patient’s consent choice. When this tagged information is sent from one health IT system to another, the sending and receiving organizations’ health IT system needs to be able to read and understand what the tag means. The tag may also be a reference to a separate consent document that is stored locally or in a centralized database, showing the health IT system where to look for the most up-to-date consent choice for that piece of information.
  • Centralized Approach – managing patient consent through a central database or repository that can be queried to decide how information may be accessed based on the patient’s choice.

No one operating model has emerged as the best practice.

Why is Technology Particularly Needed for Protecting Sensitive Health Information?

The following quick background on sensitive health information may be helpful in showing why technology is important in this area. Sensitive health information is defined here as specific types of health information or health information generated by a specific type of provider.

Some of the categories of sensitive health information that may receive increased protection include:

  • subject of information (e.g., HIV-related information, mental health information),
  • provider type (e.g., substance abuse treatment provider), and
  • type of information (e.g., psychotherapy notes).

Under the HIPAA Privacy Rule, patient consent is not required for the sharing of most health information for treatment, payment, and health care operations. However, some federal and state laws require patient consent for the sharing of sensitive health information.

Some laws require that when sensitive health information is disclosed, the receiving organization be notified that it cannot further disclose the information without obtaining the patient’s consent to do so. This restriction is often called a prohibition on re-disclosure. One federal law that has this requirement is 42 CFR Part 2, which protects the confidentiality of information related to substance abuse treatment received at federally funded treatment centers.

In addition to these laws, some organizations have their own internal policies requiring patient consent in order to share particularly sensitive information.

Some providers or HIEs may be constrained by their technology’s limitations. Some technologies offer patients only the choice to share all or none of their health information, including information that may be considered by many to be sensitive. See the Meaningful Consent page for more information about patient consent options.

What is ONC Doing to Encourage the Use of Technology in Patient Consent?

The Office of the National Coordinator for Health Information Technology (ONC) encourages providers and organizations involved in electronic health information exchange (eHIE) to develop policies and technical approaches [PDF - 258 KB] that offer patients more consent choices than simply having all or none of their information shared. ONC has supported various projects focused on developing and adopting consent technology.

Pilot projects conducted under the ONC’s Data Segmentation for Privacy Initiative (DS4P) have showed some ways that the 42 CFR Part 2 prohibition on re-disclosure notice can be transmitted, along with health information, when a patient has consented to its disclosure. For an example, you can view a 5-minute video or 14-minute video of the U.S. Department of Veterans Affairs (VA)/Substance Abuse and Mental Health Services Administration (SAMHSA) demonstration project.

ONC-Supported Technology Efforts to Enable Patient Consent

Content last reviewed on September 19, 2018
Was this page helpful?