Overview
Over the past few calls (as of 08/05/2015) the IL community has been discussing consent management and how this could be done within OpenHIE. There are a number of dimensions to consider:
- Opt-in vs opt-out - Do people opt into the system or is there consent implied until they opt-out
- Break-the-glass - Do we allow a break-the-glass scenario where a clinician can opt to gain access to a patients record even if they don't have consent in a life threatening scenario
- All-in or segmented access - Do we allow partial access to a patients record depending on a clinicians role, or do we always allow clinicians a full view of the health information.
These can all be applied in various combination and the merits of these, along with some opinions about the combinations are discussed in a document that Derek Ritz has put together.
Approach
As the IL, community we have discussed that consent could be built out using a maturity model. We would start with the least complex combination of the above dimensions and then as times goes on AND if countries request a more complex handling of consent, then we could expand the scope to add support for a more complex combination of the above dimensions.
As a first pass the IL community believes that we should support the minimal combination and most implementable solution, which is described by the following:
- We support an opt-out system. Consent is implied when patients make use of the health system and they may opt out if so inclined (this could be as simple as a switch in the XDS registry and could be handled manually as the opt-out numbers will likely be small)
- If clinicians have access to the HIE they have access to all data within it, we don't segment any data
- We don't support break-the-glass as all data is made available to clinicians that have access to the HIE
Please feel free to comment or give your thoughts on this below.