Unlocking the complexities of consent in healthcare
Posted: February 10, 2025
The concept of informed consent is straightforward: an individual is given a genuine choice, whether implicit or explicit, to say yes or no (or at least no) to a data handling practice, and makes that choice with a clear understanding of the practice in question.
That said, all organizations face complexities in applying consents appropriately in the real world, where the details matter.
Additionally, the healthcare industry faces special consent challenges because of the nature of the relevant regulations, the common uses of health data, and the critical and sensitive nature of healthcare activities.
Though far from a comprehensive list, the following are some consent considerations specific to healthcare, each with a few tips for addressing it:
- Ability to obtain informed consent
- Research, public good, and disclosures
- Handling multiple jurisdictions
- Data sensitivity
Ability to obtain informed consent
One challenge specific to healthcare is the range of practical impediments to obtaining freely given and informed consent: barriers of language, cognitive or developmental ability, and emotional distress that most other fields rarely encounter. Healthcare serves all of humanity, regardless of the language a person speaks or their cognitive or age-related capacity to give consent.
Even without language or cognitive barriers, medicine and healthcare are complicated subjects with multiple stakeholders and built-in uncertainty about outcomes. This means that even sophisticated, native-speaking data subjects can struggle to understand the ins and outs of a particular decision. Moreover, people often have to make healthcare decisions quickly and in a crisis, which is a further obstacle to good decision making.
These obstacles to informed consent are very hard to remove altogether. However, some high-level activities can help a healthcare organization navigate them carefully.
- Identify the languages you need to support directly, and an alternative route for the rest: While it may be impractical, if not impossible, to provide disclosures and consents in every possible language and dialect, it is useful to identify the most common languages to support directly and then create an alternative path (for example, interpreter assistance) to accommodate the remainder.
- Establish clear cognitive and age standards for consent, and alternative paths for cases that do not meet them: Many healthcare decisions must be made, sometimes in a hurry, regardless of the mental or age status of the data subject. Clear standards for each consent use case, plus a defined alternative decision path (such as a legal guardian or authorized representative) for cases that fall outside them, will help an organization navigate this complexity.
- Review notices and disclosures for clarity, simplicity, and accuracy: As every privacy professional knows, writing a notice that is clear, simple, and fully accurate is very hard. In healthcare, where gray areas, probabilities, and complexity abound, it is nonetheless time well spent.
Research, public good, and disclosures
Many jurisdictions, when setting requirements for data use and sharing, treat activities that support a 'public good', and even research itself, as special cases that may not require consent, and sometimes exempt them from the normal personal data handling restrictions and obligations as well. For example, the European Union's GDPR, and the laws of countries such as the United Kingdom that are modeled on it, include a legal basis for processing in the 'public interest'.
This allows organizations to process data, potentially even sensitive data, for related purposes, often without consent. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) likewise provides paths, such as de-identification of the data or a documented waiver of authorization, under which research can proceed without the Privacy Rule's individual authorization requirement. Moreover, some jurisdictions, including the United States under HIPAA, allow activities in service of the provision of and payment for healthcare services, including the data sharing those activities require, to proceed without explicit consent.
This is a practical accommodation: critical medical and pharmaceutical researchers may not be able to obtain consent at all, or may only be able to obtain a form of consent that does not reveal the full nature of the study. Traditional opt-in consent may also be impossible in the healthcare setting because of emergencies. And there are certainly public health and critical research situations where the public good really does outweigh an individual's reservations about participating.
While these special-case allowances help advance health and healthcare, they undoubtedly also make it harder to determine whether, and which kind of, consent applies to a given data use. Unfortunately, the best path through this complexity is the tedious but necessary task of reviewing each data field, jurisdiction, and use for its consent requirements and the exceptions to them. A consent management platform can help organize this analysis and maintain it on an ongoing basis, but there is no way for the organization to avoid doing the work.
Handling multiple jurisdictions
As noted above, healthcare and health-related research can span multiple jurisdictions. Even within a single geographic jurisdiction, different data sets and data uses may trigger different laws. For example, in the United States, HIPAA covers personal data related to the provision of and payment for healthcare, but it does not cover all personal data that the same organization may hold and use (employment records are one well-known example). Moreover, healthcare organizations are commonly a mix of public and private institutions, which complicates which rules apply in which cases.
Again, once the organization has carefully stepped through the necessary operational and legal analysis, a consent management platform can help organize which rules apply in which cases.
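To make the per-field, per-jurisdiction, per-use analysis described in the two sections above concrete, here is a small consent-requirement evaluator in Python. It is an added illustration written for this article, not code from any consent management platform and not legal advice: the jurisdiction labels, purpose names, field classification and the rule table are all constructed assumptions that stand in for the counsel-reviewed analysis a real organization must perform. It shows three design points a practitioner would want: rules are keyed on jurisdiction, purpose and data sensitivity with explicit priorities; when a data use falls under several jurisdictions the strictest outcome wins; and when no rule matches the evaluator fails closed to 'review' rather than assuming consent is unnecessary.

```python
"""Consent-requirement evaluator: a constructed example for this article.

Illustrative code, not a product and not legal advice. The rule table
encodes the article's generalisations using hypothetical jurisdiction and
purpose labels; every entry must be replaced by counsel-reviewed analysis
per data field, use and jurisdiction before any real use.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Consent(IntEnum):
    """Outcomes ordered from least to most restrictive, so max() picks the strictest."""
    NONE = 0      # no consent needed (e.g. a public-interest basis)
    NOTICE = 1    # notice suffices (e.g. HIPAA treatment/payment)
    OPT_OUT = 2
    OPT_IN = 3    # explicit consent
    REVIEW = 4    # fail closed: no rule matched or the case needs human analysis


@dataclass(frozen=True)
class Rule:
    jurisdiction: Optional[str]  # None matches any jurisdiction
    purpose: Optional[str]       # None matches any purpose
    sensitive: Optional[bool]    # None matches sensitive and non-sensitive fields
    outcome: Consent
    reason: str
    priority: int = 0            # higher wins; ties go to the more specific rule

    def matches(self, jurisdiction: str, purpose: str, sensitive: bool) -> bool:
        return (self.jurisdiction in (None, jurisdiction)
                and self.purpose in (None, purpose)
                and self.sensitive in (None, sensitive))

    def specificity(self) -> int:
        return sum(v is not None for v in (self.jurisdiction, self.purpose, self.sensitive))


# Constructed field classification: which columns count as health (sensitive) data.
SENSITIVE_FIELDS = {"diagnosis_code", "medication", "lab_result", "genetic_marker"}

# Constructed rule table (hypothetical labels; verify every entry with counsel).
RULES = [
    Rule("US-HIPAA", "treatment", None, Consent.NOTICE,
         "HIPAA: treatment proceeds under the privacy notice, no authorization", 10),
    Rule("US-HIPAA", "payment", None, Consent.NOTICE,
         "HIPAA: payment proceeds under the privacy notice, no authorization", 10),
    Rule("US-HIPAA", "research", None, Consent.REVIEW,
         "HIPAA research: authorization, waiver or de-identified path, decided case by case", 10),
    Rule("EU-GDPR", "public-health", None, Consent.NONE,
         "GDPR: public-interest basis covers this purpose without consent", 10),
    Rule("EU-GDPR", "treatment", None, Consent.NOTICE,
         "GDPR: health-care provision condition (hypothetical entry, verify)", 10),
    Rule("EU-GDPR", None, True, Consent.OPT_IN,
         "GDPR: sensitive data needs explicit consent absent a specific exemption", 5),
    Rule(None, "marketing", True, Consent.OPT_IN,
         "floor for any jurisdiction: marketing with health data is opt-in", 1),
]


@dataclass
class Decision:
    outcome: Consent
    reasons: dict  # jurisdiction -> governing reason, kept for the audit trail


def evaluate(jurisdiction: str, purpose: str, field: str) -> tuple:
    """Pick the governing rule for one jurisdiction; fail closed when none matches."""
    sensitive = field in SENSITIVE_FIELDS
    matched = [r for r in RULES if r.matches(jurisdiction, purpose, sensitive)]
    if not matched:
        return Consent.REVIEW, f"no rule for {jurisdiction}/{purpose}/{field}; review required"
    best = max(matched, key=lambda r: (r.priority, r.specificity()))
    return best.outcome, best.reason


def decide(jurisdictions, purpose: str, field: str) -> Decision:
    """Evaluate every applicable jurisdiction and apply the strictest outcome."""
    per_jurisdiction = {j: evaluate(j, purpose, field) for j in jurisdictions}
    strictest = max(outcome for outcome, _ in per_jurisdiction.values())
    return Decision(strictest, {j: why for j, (_, why) in per_jurisdiction.items()})


if __name__ == "__main__":
    cases = [
        (["US-HIPAA"], "treatment", "diagnosis_code"),
        (["US-HIPAA"], "research", "lab_result"),
        (["EU-GDPR"], "public-health", "diagnosis_code"),
        (["US-HIPAA", "EU-GDPR"], "marketing", "medication"),
        (["US-CA"], "analytics", "mailing_address"),  # data HIPAA does not cover
    ]
    for jurisdictions, purpose, field in cases:
        d = decide(jurisdictions, purpose, field)
        print(f"{jurisdictions} {purpose} {field}: {d.outcome.name}")
        for j, why in d.reasons.items():
            print(f"    {j}: {why}")
```

Running the script prints each scenario with its outcome and the per-jurisdiction reason, which is the audit trail a platform would store alongside the decision. The 'analytics' case deliberately falls outside every rule to show the fail-closed default; a real deployment would add rules for the state and sector laws that govern such data rather than treat HIPAA as the only source of obligations.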
Data sensitivity
By its very nature, the healthcare industry must handle sensitive data. Most, if not all, general-purpose privacy laws that define 'sensitive data' do so in a way that includes health data. Breach notification laws include sensitive data among the data sets that trigger notification when an organization discovers a compromise. Many of these laws also require additional protections for sensitive data, including more stringent consent requirements, or even prohibit processing sensitive data with only narrow exceptions. The interaction between sensitive data requirements and consent is complicated, especially across geographic borders.
Summary
The healthcare industry faces many consent challenges, including but not limited to the complex patchwork of laws that may apply and the nature of common healthcare provision, payment, and research activities, which makes traditional consent difficult, if not impossible. Fortunately, technology tools are available to help analyze the many factors that affect consent, record a decision for each combination of data field, data use, jurisdiction, and use case, and apply those decisions consistently going forward.