Is consent necessary to share patient information in M&M conferences?

Special consent is not necessary to share patient information in M&M conferences as long as the information is anonymized and is identified within hospital consent forms.

What are M&M conferences?

A journal article from the Journal of General Internal Medicine states, “Traditionally, the goal of M&M conferences is to provide a forum for faculty and trainees to explore the management details of particular cases wherein morbidity or mortality occurred. In carefully reviewing the records and specifics of care, a primary goal of these sessions is to revisit errors to gain insight without blame or derision.”

The primary goal of an M&M conference is to improve patient care by understanding what went wrong and how to prevent similar issues in the future. Through a detailed review of specific incidents, healthcare providers identify areas needing improvement, refine their practices, and ultimately elevate the quality of care delivered. These conferences create an environment of transparency and continuous learning. 

Consent for M&M discussions

Since the primary purpose is educational, aimed at learning from mistakes and not assigning blame, specific consent for M&M discussions isn't usually required. However, general consent forms signed by patients upon admission often cover the use of their medical information for internal education and quality improvement purposes. These forms typically include clauses that allow medical cases to be discussed among healthcare professionals as part of the institution’s commitment to improving care and outcomes. 

How to maintain patient privacy throughout the M&M conference procedure

1. Before presenting any case in an M&M conference remove all personally identifiable information. It includes names, addresses, medical record numbers, and any other details that could be used to identify the patient.
2. Conduct these conferences in secure locations where only authorized personnel are present.
3. When sharing information related to M&M conferences via email, use HIPAA compliant email services. Encrypted email is necessary when sending reminders about the meetings or distributing anonymized case details to participants beforehand.
4. Conduct regular audits after each M&M conference to make sure all privacy protocols were followed. These audits can check for any accidental disclosures of patient information and assess the effectiveness of anonymization and data handling processes.

See also: Top HIPAA compliant email services

FAQs

What is consent?

Consent is a voluntary agreement by a patient to allow their personal information to be used or disclosed based on full disclosure of the risks, benefits, and alternatives.

What is authorization?

Authorization is a detailed document that grants explicit permission for specific types of disclosures or uses of personal health information beyond those allowed for regular healthcare operations.

Is the PHI of the deceased still protected?

Yes, the PHI of deceased individuals remains protected under HIPAA for 50 years after their death.