Maine Chooses Opt-Out for HIE Consent

Proposal to Switch to Opt-In Approach Is Dropped
Maine Chooses Opt-Out for HIE Consent
After hearing objections from hospitals and physicians about a proposed "opt-in" approach to obtaining patient consent for health information exchange, the Maine legislature has passed a rewritten measure that spells out rules for an "opt-out" approach.

Under the original proposal, introduced by Sen. Roger Katz, R-Augusta, and backed by the Maine Civil Liberties Union, physicians and hospitals would have been required to give patients an opt-in form that they would need to sign to authorize having their electronic health records shared over HealthInfoNet, the statewide HIE (see: Maine Bill Would Require HIE Opt-In).

The revised proposal, which awaits the governor's signature, requires informing patients about the benefits and risks of the HIE and giving them the opportunity to "opt out." Unless they take action to opt out, their information will automatically be accessible via the HIE, which stores certain records in a central data repository.

The state hospital and medical associations joined HealthInfoNet in opposing the original measure, calling it impractical, says Amy Landry, HealthInfoNet's communications director. Other HIEs using the opt-in approach have found that a relatively small percentage of patients take the initiative to sign the form, perhaps because of a lack of awareness of the benefits of health information exchange, she contends. And unless a majority of state residents' records are accessible via the HIE, physicians and hospitals are unlikely to use it because of its limited value, she argues.

Improving Awareness

HealthInfoNet, from its inception, has instructed participating providers to give patients a Notice of Privacy Practices, as required under HIPAA, that also describes that their data may be shared via the HIE and offers the opportunity to opt out. Landry acknowledges that "nobody reads the Notice of Privacy Practices." That's why she says HealthInfoNet backed a provision in the revised legislation that explicitly requires healthcare providers to offer patients a separate form during their first visit that describes the HIE as well as the opportunity to opt out.

The compromise approach in the revised bill addresses concerns "that patients were not aware that they had information in the HIE," Landry contends.

The legislation also prohibits a healthcare provider or insurer from refusing to provide medical assistance or insurance coverage based on a patient's decision not to participate in HealthInfoNet. The bill includes a number of other privacy and security provisions, including requiring the HIE to keep a record of everyone who has accessed records.

Last year, the Privacy and Security Tiger Team, which advises federal regulators, endorsed a "meaningful consent" approach that HIEs should take. It accommodates either the opt-in or opt-out approach, emphasizing educating patients about their privacy rights as well as HIE procedures (see: Patient Consent Guidelines Endorsed). The team's recommendations have not yet been incorporated into a federal rule or regulation. The revised Maine legislation includes provisions that are similar to many of the tiger team's recommendations.

Landry predicts that other statewide and regional HIEs likely will be weighing the patient consent issue in the months ahead and considering Maine's experience. "This isn't the last time you'll see this kind of challenge," she says.

Meanwhile, the Department of Health and Human Services is studying whether to address the issue of patient consent for health information exchange in its rules for the HITECH Act electronic health record incentive program (see: HHS Studying HIE Patient Consent).

To view the revised Maine legislation, visit the legislature website to access LD 1337, but read the "adopted amendments" section.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.