Interoperability in Healthcare enables health information exchange between patient, provider and payer to deliver transparent and equitable patient care. However, to enable seamless and secure data exchange across multiple connected systems, it is imperative to have patient consent.
Consent management and patient data privacy should be the major design considerations while enabling patient data access via healthcare APIs in order to ensure that the patient protected health information is not being exploited by any unknown system.
Consent management refers to the process and system of collecting and managing a patient's affirmation for the use and sharing of Protected Health Information (PHI). It also empowers patients to set up privacy preferences that control who may access their PHI, under what conditions, and for what purpose. It facilitates the dynamic creation, management and enforcement of consumer, organizational and jurisdictional privacy directives.
Thus, a comprehensive consent management system determines the success of a truly interoperable solution and its compliance with the CMS Interoperability & Patient Access Rule requirements.
The process of enabling consent management may appear simple; however, building one such comprehensive solution presents several challenges.
Key Challenges in building a comprehensive Consent Management System
CitiusTech’s Consent Management System
CitiusTech's Consent Management System is a comprehensive consent management system built on AWS that addresses the CMS compliance requirements along with consent tracking and security labeling.
The workflow below illustrates a typical consent signing and data retrieval process by a third-party application:
Consent Workflow (diagram showing the consent workflow)
1a, 1b, 1c. A Member, Admin or Related Person (User) requests to create a new consent, or to update, revoke, deactivate or verify an existing consent, using the Consent Management portal (Sample). The User can also use the Member Portal or Mobile application for the same purpose.
2. Upon receiving the request to create, update, revoke, deactivate or retrieve a Consent, the Consent FHIR API is executed to store or update the FHIR Consent resource. The created or updated consent is stored in the Consent Management database.
3. The Consent API can be used to retrieve the Consent from the Consent Management database.
4. Authorized external applications, systems, devices, etc. (Trusted Actors) request patient-related information (such as Patient and Encounter data) from the payer management module through the FHIR API server, using the relevant FHIR resources.
5. Upon receiving the request from an authorized external application or system, the consent management module checks the Consent Management database to validate whether the member of the specific domain or organization (tenant) has provided consent to share the requested information with the requesting system.
6. If the member has not provided consent to share the requested information with the requesting organization, system or application, the Consent API requests online consent from the member. Based on the member's action, the requested information is either shared or the provider system's request is rejected.
7. If an active consent for the requesting organization, system or application is available in the Consent Management System, the FHIR API allows the member's information to be shared with it.
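As an added example (not CitiusTech's code), the consent check of steps 5 to 7 written against a constructed FHIR R4 Consent resource; the tenant, requester and resource names are assumed, and the default decision is deny.

```python
from datetime import date

# Constructed sample FHIR R4 Consent resource (not taken from the page): the member
# permits "app-vendor-x" to receive Patient and Encounter data within tenant "payer-tenant-a".
SAMPLE_CONSENT = {
    "resourceType": "Consent",
    "status": "active",
    "patient": {"reference": "Patient/example-member"},
    "organization": [{"reference": "Organization/payer-tenant-a"}],
    "provision": {
        "type": "permit",
        "period": {"start": "2024-01-01", "end": "2025-12-31"},
        # IRCP = information recipient (HL7 v3 ParticipationType role code)
        "actor": [{"role": {"coding": [{"code": "IRCP"}]},
                   "reference": {"reference": "Organization/app-vendor-x"}}],
        "class": [{"code": "Patient"}, {"code": "Encounter"}],
    },
}

def _in_period(period, on):
    """True when date `on` lies inside the provision's (possibly open-ended) period."""
    start, end = period.get("start"), period.get("end")
    if start and on < date.fromisoformat(start[:10]):
        return False
    if end and on > date.fromisoformat(end[:10]):
        return False
    return True

def evaluate_consent(consent, tenant, requester, resource_type, on=None):
    """Return (decision, reason) for a Trusted Actor's data request (steps 5-7).
    "permit" only when an active consent of this tenant names the requester as an
    actor, covers the resource type and is in effect on ISO date `on` (default today);
    any "deny" is where step 6 would ask the member for online consent."""
    on_date = date.fromisoformat(on) if on else date.today()
    if consent.get("resourceType") != "Consent" or consent.get("status") != "active":
        return "deny", "no active consent"
    if tenant not in [o.get("reference") for o in consent.get("organization", [])]:
        return "deny", "consent belongs to a different tenant"
    prov = consent.get("provision", {})
    if prov.get("type") != "permit":
        return "deny", "root provision is a deny"
    if not _in_period(prov.get("period", {}), on_date):
        return "deny", "consent period not in effect"
    actors = [a.get("reference", {}).get("reference") for a in prov.get("actor", [])]
    if requester not in actors:
        return "deny", "requester not named as an authorized actor"
    if prov.get("class") and resource_type not in [c.get("code") for c in prov["class"]]:
        return "deny", f"{resource_type} not covered by consent"
    return "permit", "active consent covers request"
```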
Different healthcare organizations may have different needs when it comes to a Consent Management System. However, a few features are crucial to today's healthcare organizations.
AWS Identity and Access Management (IAM) provides fine-grained access control, helping to establish permissions that determine who can access which resources under which conditions.