Interoperability in Healthcare enables health information exchange between patient, provider and payer to deliver transparent and equitable patient care. However, to enable seamless and secure data exchange across multiple connected systems, it is imperative to have patient consent.
Consent management and patient data privacy should be the major design considerations while enabling patient data access via healthcare APIs in order to ensure that the patient protected health information is not being exploited by any unknown system.
Consent management refers to the process and system of collecting and managing patient’s affirmation for using and sharing of Patient Protected Health Information (PHI). It also empowers Patients to set up privacy preferences to control who, under what conditions, and for what purpose will have access to their protected health information (PHI). It facilitates the dynamic creation, management and enforcement of consumer, organizational and jurisdictional privacy directives.
Thus, a comprehensive consent management system defines the success of the true interoperable solution and compliance to CMS Interoperability & Patient Access Rule requirements.
The process to enable consent management may appear simple, however it has some challenges while creating one such comprehensive solution.
Key Challenges in building a comprehensive Consent Management System
- Data Aggregation & Identity Management – As the data is often collected through various channels like website, mobile app, etc., mapping the information to respective member is not easy.
- Data Transparency – Members are often not aware about how their information is being operated. They should have the visibility and should be able to modify the data preferences.
- Evolving Privacy Rules – It must comply with the ever-evolving regulatory environment. While it is vital for all healthcare organizations to adhere to the privacy regulations and data security requirements stipulated by HIPAA, GDPR and CCPA, the compliance and privacy requirements around sensitive healthcare data are expected to change at breakneck speed. Hence, the consent management system should be flexible enough to adapt to the future requirements.
CitiusTech’s Consent Management System
CitiusTech’s Consent Management system offers a comprehensive consent management system working on AWS and featuring the CMS compliant requirements along with consent tracking and security labeling.
Below workflow illustrates a typical consent signing and data retrieval process by a third-party application:
Consent Workflow
Diagram showing workflow of consent
1a, 1b, 1c. Member, Admin or Related Person (User) will request to create a new consent, update, revoke, deactivate or verify an existing consent using Consent Management portal (Sample). User can also use Member Portal or Mobile application for the same.
2. Upon receiving the request to create, update, revoke, deactivate or retrieve a Consent, Consent FHIR API will be executed to store, update the FHIR Consent resource in the database. Created/Updated consent is stored in Consent Management database.
3. Consent API can be used to retrieve the Consent from the Consent Management database.
4. Authorized External applications, systems, devices etc. (Trusted Actor) requests payer management module for patient related information like patient, encounter data etc. through FHIR API server using relevant FHIR resources.
5. Upon receiving the request from authorized external applications/systems, consent management module will validate whether consent is provided by member of a specific domain or organization (tenant) to share the requested information with requesting system in Consent management database.
6. If the member has not provided consent to share requested information with requesting organization/system/application then Consent API requests for online consent from member. Based on member’s action requested information is either share data/reject the request of provider system.
7. If an active consent is available in Consent management system for the requesting organization/system/application then FHIR API allows the member information to be shared with them.
Different healthcare organizations may have different needs when it comes to a Consent Management System. However, there are a few features that are crucial to today’s healthcare organizations.
- Cloud-Based Deployment
Cloud-based consent management has gained more traction substantially, as it allows information to be accessed wherever and whenever needed. The Consent Management System developed by CitiusTech also leverages cloud storage and works on AWS. This gives it the flexibility to permit members & payers to access/manage records without any geographical constraints. - Flexible and Scalable
The Consent Management System should be flexible enough to support various requirements of healthcare organizations. It’s great if it facilitates an option for both on-site storage and hybrid storage (AWS cloud-based storage options & on-site), so organizations can choose a suitable option.
The Consent Management should be modular enough with a plug-and-play feature that allows consent management system to work seamlessly with third-party applications & web portals. Amazon API Gateway services facilitates in creating, publishing, maintaining, monitoring, and securing APIs at any scale. - Data Security
Security Labeling is yet another crucial feature. To ensure the members’ information and the consent records are accessed and stored securely, a consent management system must configure security policies, state-level policies and patron regulations. It needs to be compliant to the latest healthcare rules and regulations. AWS Cloud Security helps elevate the consent management security needs on cloud. - Accessibility- The Consent Management should support both offline consents and consents on-the-go to enhance accessibility and easiness.
a. Offline consent:- In this scenario, it captures one-time member consent over a given period of time for a list of data attributes and choice of applications.
- To provide offline consent, member needs to login to the payer consent management system.
- Member can update/revoke the consent as per their requirement.
- This is when members download a new third-party health application to access their health data. However, the application does not have an existing consent from member in the consent management system.
- The application will prompt for the consent by redirecting the member to the Consent Management System.
- Once approved, the requisite health data is accessed.
AWS Identity and Access Management (IAM) will provide fine-grained access control to help establish permissions that determine who can access which resources under which conditions.
