By Shobhit Saran - Asst. Vice President, Health Plans Consulting | Gati Patel – Healthcare Business Analyst, Perform+ Connect | Guninder Bhatia - Product Owner and Sr. Consultant (Enterprise Data Strategy & Interoperability)
Interoperability in Healthcare enables health information exchange between patient, provider, and payer to deliver transparent and equitable patient care. However, to enable seamless and secure data exchange across multiple connected systems, it is imperative to have patient consent.
Consent management and patient data privacy should be the major design considerations while enabling patient data access via healthcare APIs to ensure that the patient protected health information is not being exploited by any unknown system.
Consent management refers to the process and system of collecting and managing patient’s affirmation for using and sharing of Patient Protected Health Information (PHI). It also empowers patients to set up privacy preferences to control who, under what conditions, and for what purpose will have access to their protected health information (PHI). It facilitates the dynamic creation, management and enforcement of consumer, organizational and jurisdictional privacy directives.
The process to enable consent management may appear simple, however it is challenging to create one such comprehensive solution.
This blog covers the following sections:
- Key challenges in building a comprehensive consent management system
- CitiusTech’s consent management system
- Consent signing and data retrieval process workflow
- Key features of consent management system
Key challenges in building a comprehensive consent management system
- Data Aggregation & Identity Management – As the data is often collected through various channels like website, mobile app, etc., mapping the information to respective member is not easy.
- Data Transparency – Members are often not aware about how their information is being operated. They should have the visibility and should be able to modify the data preferences as and when needed.
- Evolving Privacy Rules – It must comply with the ever-evolving regulatory environment. While it is vital for all healthcare organizations to adhere to the privacy regulations and data security requirements stipulated by HIPAA, GDPR and CCPA, the compliance and privacy requirements around sensitive healthcare data are expected to change at breakneck speed. Hence, the consent management system should be flexible enough to adapt to the future requirements.
CitiusTech’s consent management system
CitiusTech’s Consent Management system offers a comprehensive consent management system working on AWS and featuring the CMS compliant requirements along with consent tracking and security labeling.
Consent signing and data retrieval process workflow
Below workflow illustrates a typical consent signing and data retrieval process by a third-party application:
Figure 1: Workflow of a typical consent signing and data retrieval process by a third-party application
- 1a, 1b, 1c. Member, Admin or Related Person (User) will request to create a new consent, update, revoke, deactivate or verify an existing consent using Consent Management portal (Sample). User can also use Member Portal or Mobile application for the same.
- Upon receiving the request to create, update, revoke, deactivate or retrieve a Consent, Consent FHIR API will be executed to store, update the FHIR Consent resource in the database.
- Consent API can be used to retrieve the Consent from the Consent Management database.
- Authorized external applications, systems, devices etc., (Trusted Actor) requests payer management module for patient related information like patient, encounter data etc., through FHIR API server using relevant FHIR resources.
- Upon receiving the request from authorized external applications/systems, consent management module will validate whether consent is provided by member of a specific domain or organization (tenant) to share the requested information with requesting system in Consent Management database.
- If the member has not provided consent to share requested information with requesting organization/system/application then Consent API requests for online consent from member. Based on member’s action, requested information is either share data/reject the request of provider system.
- If an active consent is available in Consent management system for the requesting organization/system/application then FHIR API allows the member information to be shared with them.
Key features of consent management system
Different healthcare organizations may have different needs when it comes to a Consent Management System. However, there are a few features that are crucial to today’s healthcare organizations.
1. Cloud-Based deployment
Cloud-based consent management has gained more traction substantially, as it allows information to be accessed wherever and whenever needed. The consent management system developed by CitiusTech also leverages cloud storage like GCP, AWS and Azure. This gives it the flexibility to permit members & payers to access/manage records without any geographical constraints.
2. Flexible and scalable
The Consent management system should be flexible enough to support various requirements of healthcare organizations. It’s great if it facilitates an option for both on-site storage and hybrid storage (cloud-based & on-site), so organizations can choose a suitable option.
The Consent Management should be modular enough with a plug-and-play feature that allows consent management system to work seamlessly with third-party applications & web portals.
3. Data security
Security labeling is yet another crucial feature. To ensure the members’ information and the consent records are accessed and stored securely, a consent management system must configure security policies, state-level policies, and patron regulations. It needs to be compliant to the latest healthcare rules and regulations.
The consent management should support both offline consents and consents on-the-go to enhance accessibility and easiness.
- Offline consent:
- In this scenario, it captures one-time member consent over a given period for a list of data attributes and choice of applications.
- To provide offline consent, member needs to login to the payer consent management system.
- Member can update/revoke the consent as per their requirement.
- Consent on-the-go:
- This is when members download a new third-party health application to access their health data. However, the application does not have an existing consent from member in the consent management system.
- The application will prompt for the consent by redirecting the member to the consent management system.
- Once approved, the requisite health data is accessed.
To wrap this up, a comprehensive consent management system defines the success of the true interoperable solution as well as its compliance to CMS interoperability and patient access rule requirements. CitiusTech’s consent management system is a comprehensive solution that addresses the key challenges while offering features that are pivotal to today’s healthcare organizations.