Table 2.
Consensus Expectations for the Content Area, “Consent”
| Whenever feasible, health information trustees should obtain valid informed consent from individuals for the collection, storage, or use of personally identifiable health information. If consent is not obtained, then a formal, authoritative and publicly accountable process must be used to authorize a waiver of consent. |
| Valid informed consent |
| 2.1 Valid informed consent for collection, storage, and use of identifiable health information includes disclosure of all necessary information that a reasonable person would use in making an informed decision, in a format that is readily understandable to the individual, and without coercion influencing choice. The information conveyed includes the information described in Expectation 1.1 (a-i) |
| Process for waiver of informed consent |
| 2.2 Valid informed consent to the collection, storage, or use of personally identifiable health information is required, unless its waiver has been justified and authorized by an explicit formal mechanism that is publicly accountable. |
| 2.3 Health information trustees that collect, hold, disclose, access, or use personally identifiable health information without the valid informed consent of the subjects of the information (and not in the course of medical research reviewed by an Institutional Review Board or in the course of legal obligations) have in place a formal, authoritative, and publicly accountable process to address the necessity of doing so (such as a Data Disclosure Board). |
| 2.4 Written records are kept of the proceedings and decisions from this process. |
| Documentation of the process |
| 2.5 The process includes the careful review of a Data Needs Assessment (DNA) document, submitted by the data requestor, for any nonconsensual use of personally identifiable health information. A written DNA addresses the legitimate need for information to be collected, stored, or used without valid consent. |
| 2.6 The process includes the careful review of a written Privacy Impact Assessment (PIA) document, submitted by the data requestor, for any nonconsensual use of personally identifiable health information. A written PIA addresses the risks and benefits to patients, beneficiaries, employees, and other stakeholders of the proposed collection, storage, and use of identifiable information without valid consent. |
| Opt-out provisions |
| 2.7 Patients are allowed to deny the release of their identifiable health information outside the organization receiving the information, except as required by law or as approved through a formal authorization process that is publicly accountable. |
| 2.8 The health information trustee has clear and public policies on what uses of health information are not optional. |