
What Is Granular, Computable Consent?

Kevin Day

Thanks to recent CMS rules, payers and providers have greater incentive than ever to invest in interoperability. Healthcare has largely focused on implementing FHIR® APIs to enable faster prior authorization decisions and more efficient data exchange between payers, providers, and patients, but there is another benefit to investing in FHIR: the ability to support more effective data privacy controls.

Before FHIR, a member’s clinical data was typically shared according to Clinical Document Architecture (CDA) standards, which organize health data into full clinical documents, such as discharge summaries or encounter reports. With CDA, member consent is effectively a yes-or-no proposition: either the entire file can be shared, or it can’t. And files are shared in whatever format the data holder uses—so if the recipient uses another format, the data within the file may not be legible to the recipient’s systems.

That has changed with the introduction of FHIR standards. Using FHIR, the information in a patient record can be broken up into individual “resources”; each of these resources can be shared independently of the others (i.e., granular data sharing). And unlike CDA standards, FHIR APIs encode the data in a universal language to ensure that the information can be read by any system (i.e., computable data).

Payer organizations that have invested in FHIR have an opportunity to go beyond what is required by CMS guidelines and deliver granular, computable consent. Not only does this enable compliance with current CMS requirements for member consent, but it can also help plans more effectively manage the myriad channels through which PHI can be communicated. With granular, computable consent, health plans can ensure consent preferences are applied consistently across all channels for a seamless member experience with less administrative burden.

Improve Member Trust

Most members recognize the value of information sharing. A survey from the Commonwealth Fund found that 89% of respondents want their providers to be able to electronically exchange their care information with other providers. However, members also want to have some measure of control over who is using their health data and why: a Markle survey found that more than half of respondents expressed concerns about their health data being used by non-providers like marketers (77%), employers (56%), and even their own health insurers (55%).

This lack of trust can impact a member’s willingness to get appropriate medical care. A 2023 report from the Substance Abuse and Mental Health Services Administration (SAMHSA) found that 33.5% of individuals with substance use disorders (SUDs) didn’t seek treatment out of fear of losing their job, their home, or custody of their children. This is at least partly attributable to an underlying concern that private health data is not truly private—and because any information an individual shares with their provider may end up in the wrong hands, many people choose to forgo treatment altogether.

Concerns about data privacy aren’t just about sharing—or not sharing—clinical information with healthcare or healthcare-adjacent organizations. Members also want to be able to share (certain parts of) their information with family members or friends, and granular consent plays a key role in allowing them to do that. A member may want to restrict spousal access to certain parts of their clinical record, such as behavioral health, while still allowing access to everything else.

Organizations operating in multiple states have to contend with a variety of data privacy laws and definitions of sensitive information—which vary from state to state. Alaska has stricter security requirements for sharing information related to mental health, substance use disorders, and genetic testing; Louisiana requires additional security for information relating to birth defects, cancer screenings, and HIV/AIDS. Other states, like Colorado, do not mandate any additional data security beyond what is required by HIPAA.

Granular consent allows organizations to comply with each state’s unique data privacy laws while also honoring the member’s specific data-sharing preferences. But to truly enhance the member experience and improve member trust, computability must also be part of the equation. Establishing a single language for member consent that can be read and applied across your enterprise ensures that if a member moves to a different state with conflicting privacy laws, their data sharing preferences automatically move with them. That means less duplicative paperwork, a reduced administrative burden, and a more seamless healthcare journey for the member.

More Complete Member Data

Among HIPAA-covered entities (and non-covered entities like Housing Authority departments and rehabilitation centers), sharing member data should be a seamless process. As many payers, providers, and patients can attest, however, that's often not the case when multiple organizations and systems are involved.

Like data privacy laws, patient consent requirements also vary on a state-by-state basis. New York requires opt-in consent, meaning patients must formally opt in to data sharing before their provider can check their medical records. Delaware, on the other hand, is an opt-out consent state, meaning patients are assumed to have opted in unless they specify otherwise. Meanwhile, Connecticut is a mix of opt-in and opt-out depending on the sensitivity of the data. So how can the member ensure their stated preferences for data sharing are honored between different states and healthcare organizations? And how can organizations operating in different states ensure data is shared according to the member’s preferences while also adhering to state requirements for patient consent?

Too often, this variance acts as a barrier to data sharing by forcing members to reaffirm their consent preferences whenever a new entity needs to access their PHI. This creates an unnecessary burden for the patient and the administrative staff and can also prevent organizations from capturing or sharing complete member data.

Making consent preferences computable across all systems and geographic locations allows each party involved in a member’s care to see the individual’s consent preferences. Organizations that embrace granular, computable consent no longer need to navigate barriers to sharing or accessing member data. This ensures everyone involved in a member’s care—not just external partners, but also those within your entire enterprise—can access the same information, and it supports a complete longitudinal record of the member’s health.

Important Considerations

Adopting FHIR standards makes it significantly easier to support granular consent. The HL7 FHIR Consent Resource includes a standard API that streamlines (and in some areas, enables automation of) creating, retrieving, and updating consents within your system. There are also implementation guides designed to support data segmentation for privacy (DS4P), which helps identify data that requires additional restriction using tags and metadata.

To achieve granular consent, the following must be in place:

  • Standardized terminology value sets to define and categorize sensitive data
  • Implementation guidance and support
  • Standardized, computable rules
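
The per-resource consent described above (for instance, restricting a spouse's access to behavioral health data while allowing everything else), as an added example that is not from the original article or from Edifecs: a simplified Python evaluator whose field names follow the shape of the FHIR R4 Consent provision and of `meta.security` labels. The consent, the record, and identifiers such as `RelatedPerson/spouse-1` are constructed sample data, and the fail-closed handling of inactive consents is an assumption of this sketch.

```python
# Simplified: real deployments also evaluate period, purpose, and scope (assumption).
ACT = "http://terminology.hl7.org/CodeSystem/v3-ActCode"

# Constructed sample consent: permit sharing in general, but deny the spouse
# anything tagged behavioral health (BH) or substance use (ETH).
CONSENT = {
    "resourceType": "Consent",
    "status": "active",
    "provision": {
        "type": "permit",
        "provision": [{
            "type": "deny",
            "actor": [{"reference": {"reference": "RelatedPerson/spouse-1"}}],
            "securityLabel": [{"system": ACT, "code": "BH"},
                              {"system": ACT, "code": "ETH"}],
        }],
    },
}

# Constructed sample record: resources carry DS4P-style tags in meta.security.
RECORD = [
    {"resourceType": "Condition", "id": "c1",
     "meta": {"security": [{"system": ACT, "code": "BH"}]}},
    {"resourceType": "Observation", "id": "o1", "meta": {"security": []}},
    {"resourceType": "MedicationRequest", "id": "m1"},  # never labeled
]

def labels(codings):
    return {(c["system"], c["code"]) for c in codings or []}

def matches(rule, requester, resource):
    actors = {a["reference"]["reference"] for a in rule.get("actor", [])}
    if actors and requester not in actors:
        return False
    wanted = labels(rule.get("securityLabel"))
    have = labels(resource.get("meta", {}).get("security"))
    return not wanted or bool(wanted & have)

def decide(consent, requester, resource):
    if consent.get("status") != "active":
        return "deny"  # fail closed when the consent is not in force
    root = consent["provision"]
    for exception in root.get("provision", []):
        if matches(exception, requester, resource):
            return exception["type"]
    return root["type"]

def release(consent, requester, record):
    return [r["id"] for r in record if decide(consent, requester, r) == "permit"]
```

The unlabeled `MedicationRequest` is released to the spouse because no deny rule can match a resource without tags, so the consent rules are only as granular as the sensitivity labeling applied upstream.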

Investing in FHIR doesn't just support compliance—your interoperability investments also present an opportunity to seize crucial competitive advantages. Unlocking granular, computable consent is just one of the ways a strategic approach to interoperability can help you move beyond a compliance-first approach, deliver value across your enterprise, and support CMS’s vision for a more patient-centered healthcare experience.

Kevin Day

Over the course of his 19 years at Edifecs, a Cotiviti business, Kevin Day has been instrumental in bringing to market key business solutions that help Edifecs customers address mandates such as HIPAA, CORE, and MAO/MCO Encounter reporting and FHIR®. In his role as Principal Business Advisor, Kevin provides guidance within the organization to Edifecs’s Interoperability Architecture and represents Edifecs within various industry standards organizations. He has been an active participant in both HL7 FHIR accelerators DaVinci and FAST, including being named a co-lead on the FAST Consent Management IG workgroup and a co-lead of The Sequoia Project’s Data Privacy and Consent workgroup.
