When EHRs started showing up on the mainstream industry radar a couple of decades ago, everyone focused on how they helped get rid of the archaic paper records and digitized care delivery within organizations. How time changes perspective. Now EHRs are somewhat commodity and local, intra-organization workflow digitization is a bit passé. The buzz now are inter-organization workflows and health information exchange.
Within the conventional realm of EHRs, attention was given to modules that emulated real-world clinical workflows like order entry (as CPOE), medication administration (as eMAR), etc. But with interoperability as the next frontier, we are seeing new solutions that tackle hitherto unrecognized/under-appreciated healthcare information topics. One such topic is consent management.
If you think consent is just a simple boolean flag that needs to get stored in a table somewhere, think again. Consent is a surprisingly complex multifactorial concept that is mired in vague laws that differ from state-to-state, but needs to be implemented accurately as a gatekeeper for critical information. Consider the following examples of what all needs to be factored into consent management:
- Consent can be of different types: consent to disclose information, consent to access information
- Consent can be given at different levels: provider, group, region, state, HIE
- Consent can have different implementations: full opt-in, full opt-out, opt-in with restrictions, opt-out with exceptions
- There are different workflows that interact and over-ride consent: like ‘break-the-glass’ functionality that lets certain providers access information in case of emergency
- Consent is governed by different laws vary by state: For example, in NY a minor (<18 years) can receive certain reproductive, mental health services regardless of their parent’s consent. So the consent management software has to not only track the parental consent but also the child’ birth date, procedure/diagnosis and reconcile them constantly
- Other thorny questions: time range applicable to consent (can/should it be retrospectively applied? what about reports that have been produced before patient chose to opt-out?), public health considerations (does the state own information about critical communicable diseases irrespective of consent?), what to default to if consent is unknown (opt-in? out? restricted?), how to handle conflicts between systems that claim to have consent, etc.
This paper by ONC is a good summary of most of the nuances related to consent. It’s no small feat for a Healthcare IT vendor to manifest nation-wide consent management as software artifacts, esp. if they have to retroactively fit it into legacy offerings. Which brings me to Health Information Protection And Associated Technologies (HIPAAT). They provide consent management and auditing software to enable health information privacy for various healthcare participants. What makes them unique is that they are the only vendor I know of that does nothing but that.
The core HIPAAT product seems to be ‘Privacy eSuite’ (PeS), which is essentially a consent validation and management SaaS offering that can be implemented by EHRs, HIEs and stand-alone care organizations. PeS would help its customers implement consent workflows like break-the-glass functionality in their native applications. Other interesting products are myConsentMinder (a consumer-oriented web application that helps patients self-manage consent) and the IHE-ATNA compliant Universal Audit Repository (stores and implements PHI-related auditing capabilities).
HIPAAT is another example of my previous point about healthcare IT excellence emerging in narrow niches. Traditional market solutions are getting bloated because they are trying to do too many things. Superlative marketing and regulatory anxiety are muddying the field by encouraging cross-dressing. EHRs are trying to claim interoperability features (e.g. Epic’s abysmal failure called Care Elsewhere) and HIEs are trying to do EHR work (e.g. Axolotl’s EMR lite and Medicity‘s ProAccess).
I’m a bit pessimist about the near future being kind to niche solutions. I think most of these one-trick-ponies are going to get acquired by richer incumbents. Specially the incumbents enjoying the cross-subsidy of their parent conglomerates, like Medicity (owned by insurer Aetna), McKesson (main business is drug distribution) or GE (truly diversified). But once the market zeal for inorganic growth slows down, the once remaining will be having a genuine value proposition that is worth paying for. And I bet that will be a more focused set of survivors who do a few things, but do them right.