Stream: Da Vinci PDex
Topic: Consent Policy (HRex)
Yukta Bellani (Nov 17 2021 at 18:59):
I understand HRex allows for two options –> regular (= just non-sensitive) vs sensitive (= all data).
And per that policy, if we have a customer who chose ‘regular’ & does not want to share sensitive data, how do we handle sensitivity mapping that varies across states. Are we asking the Payers to do complex state-specific filtering of sensitive data in that scenario?
For example, Sensitive codes for Texas might be different from California. So if two people one in Texas and another in California both choose that same option...does that mean Payers will now have to handle state-specific filtering for those two customers?
Also, different Payers might have a different list of sensitive codes per their legal interpretation of State and Federal Privacy Laws. Will DaV look to standardize the list of sensitive codes to filter? Otherwise, responses will vary by Payers depending on how conservative they are in their interpretation of state/federal privacy laws.
John Moehrke (Nov 17 2021 at 19:03):
this is often why consent and sensitivity labels are local concerns. When data transitions outside the control of the custodian, it likely needs totally new consent and totally new sensitivity labels. Thus, the recommendation in FHIR core that the sensitivity labeling codes often are not communicated outside of the organization. They are critical for data handling within an organization, and especially for access control. But one organizations sensitivity coding is often not the same as another... this said, there are confidentiality codes that do transition with the data, as would obligations, and... national regulatory (e.g. 42 CFR Part 2) tags.
Yukta Bellani (Nov 17 2021 at 19:26):
Right, but in my scenario, only non-sensitive data will move to the next payer so there will not be any tags attached to it. I am trying to see if Payers need to do any sensitive filtering for Payer to Payer or should the options for the customer be -
All data (including any sensitive categories including 42 CFR Part 2) or
Nothing
John Moehrke (Nov 17 2021 at 19:32):
is it right for DaVinci to make that kind of a legal policy decision? I could certainly see how one would communicate sensitive data, with tags... which is what I mentioned.. and for which the HL7 DS4P IG sets the groundwork for.
Yukta Bellani (Nov 17 2021 at 19:36):
That's my point that the CMS rule does not ask Payers to do any sensitive data filtering before sending this data to the next payer. IG is introducing that requirement with the two options under "Consent Policy".
All CMS is saying is that we are required to send this data to another Payer, at the customer's request. This means we will send everything we have and if a customer is concerned about some of the sensitive information in it then they can choose to not do Payer to Payer transfer.
Lloyd McKenzie (Nov 18 2021 at 00:24):
@Robert Dieterle
Balaji Nivasan Baskaran (Mar 24 2022 at 16:04):
Hi, just reading through this old thread, I had the same question how the differentiation of regular vs sensitive data consent assertions will work. could any of you folks please help me understand what was the final decision taken here ?
Lloyd McKenzie (Mar 24 2022 at 16:49):
I'll ping @Robert Dieterle again. My understanding is that if state or other regulations limit your ability to transmit 'sensitive' data without consent, then CMS's rule requiring sharing "all data" doesn't necessarily trump the other regulatory requirement for transmitting sensitive data. (As always, talk to your lawyers.) The 2-levels of consent allows for the possibility of patients consenting to sharing base information but not sensitive information. If your lawyers feel that there are no situations where you need both consent types, then you can just require that all consents be for all data.
Robert Dieterle (Mar 25 2022 at 00:39):
Lloyd -- you are correct -- CMS all data is always conditioned by Federal and State regulations regarding sensitive data that required explicit member consent to share.
Last updated: Apr 12 2022 at 19:14 UTC
