Officials revealed long-awaited changes to make it easier for patients to share their health record on Monday. The final rules from the Department of Health and Human Services would require healthcare providers, payers and health IT vendors to ensure patients can access, share and use their health information.
Most groups are still combing through the massive documents, clocking in at more than 1,500 pages combined. But it’s clear that the final rules will influence who owns health data and patients’ ability to share it.
“The whole business is moving from the confines of the clinician to the computational control of the patient,” Dr. Don Rucker, National Coordinator for Health Information Technology, said in a media call on Monday. “We think there are going to be all kinds of patient-facing business models. It will be a massive benefit to the American public even beyond the raw transparency into what the care is and the cost of that care.”
The rules were developed jointly by the Centers for Medicare and Medicaid Services (CMS), and the Office of the National Coordinator for Health Information Technology (ONC). The portions enforced by CMS are more straightforward, requiring providers to meet interoperability requirements over a set timeframe. The ONC’s portion of the rule is a little less cut-and-dry, in trying to make patients the primary stewards of their health information.
Under HIPAA, providers may share health data with other providers. Under the new rules, they must share that information with patients, providers and other parties unless they meet one of eight exclusions outlined by HHS.
“That’s a really big difference in the sharing of health information,” said Claudia Williams, CEO of nonprofit health data network Manifest MedEx and a former White House senior advisor for health technology and innovation.
A new app economy
Despite having many prominent supporters, the new regulations stirred up some controversy. One of the most widely discussed problems is how to protect patients’ privacy if they choose to share their health data with third-party apps.
“One of the large points of the entire work is to jump-start an app economy that is going to entirely change what is offered to patients for their healthcare,” Rucker said.
Specifically, the final rules require payers and providers to use standard APIs that would allow outside apps to connect with electronic health record systems. While many of these standards are already widely used, Epic and a group of hospitals raised concerns that patients might not know what they’re consenting to when they agree to share their protected health information with an outside app. Epic’s CEO reportedly sent out an email to providers in January asking them to sign a letter voicing their concerns with the policy; 60 of Epic’s customers did, according to CNBC.
Despite these concerns, HHS made few changes in its final rule. It carved out an exemption for privacy concerns, but providers are still required to respond to requests within 10 days. Physicians are free to tell patients that an app isn’t covered by HIPAA, but they can’t block the sharing of data.
“It’s not providers’ job or our job to create a new set of screening requirements or privacy requirements on those apps,” Williams said. “It leaves open a really interesting conversation that I think it’s high time that we had. But it will require new laws. It’s not something that can be created (under HIPAA).”
Under the current system, patients will have some opportunities to control what information they share. Steve Posnack, deputy national coordinator for health information technology, explained that patients would pick their preferred app, and point it to whichever provider currently has their healthcare information. They’d log in using the credentials for their patient portal with that provider. Then, the patient would specifically give the app permissions to access certain types of data, such as medication data or clinical notes.
“If this is a medication management application that I’ve chosen to use, I could pick medication data as the only information that I want them to receive,” Posnack explained in a media call.
At that point, an IT developer or provider could share a warning screen with the patient that explains they’re about to share their HIPAA-protected data with an outside entity. Providers, payers and EHR vendors can also ask app developers about their privacy practices and share that information with patients in a neutral light.
“I think that should be a patient’s choice. Not the choice of third parties,” Rucker said. “As we think about privacy in healthcare, it’s important to understand — privacy issues are not about data covered by HIPAA. It is really that health information can be inferred from all electronic data. Geolocation, accelerometers, search strategy… That broader inference is at least as powerful in figuring out what your medical issues are.”
He added that he expected to see more solutions coming up from the private sector, whether that’s through building up a trusted brand, or through good-faith efforts from developers and industry groups. For example, the CARIN Alliance, an interoperability group consisting of tech firms and providers, created a voluntary code of conduct for developers.
“That’s one of the tricky parts. … Some people don’t want to share their data. Some people want to involve themselves in citizen science,” Williams said. “It is hard for patients to figure this out. We haven’t provided them with the tools to do that yet.”
EHR vendors react
In an emailed statement, Epic said it would read the rule carefully to understand its impact before making a judgement.
“We keep the patient at the heart of what we do and we focus on improving health care for patients,” the company wrote in a statement. “We have been working closely with HHS and ONC to try to improve the rule, and we appreciate their willingness to hear our feedback.”
One of Epic’s main competitors, Cerner, has been a more vocal supporter of the rule, despite the increased interoperability and certification requirements.
“While we share concerns as everybody in our industry does about keeping information safe and secure, we’ve been stewards of information for 40 years, and we feel very confident that with patients and providers, we will maintain that balance between privacy and access,” Dick Flanigan, a senior vice president at Cerner with responsibility for regulatory and policy, said in a phone interview. “This has been a long-standing policy goal for Cerner. It was specifically talked about for the last 15 years, and was a personal goal of our late chairman, Neal Patterson, to have patients gain control of health and medical information and use it as they see fit.”
A timeline of the ONC’s information blocking final rule.
A challenge for hospitals
Like their provider and payer counterparts, EHR vendors have six months to get up to speed with the privacy requirements. Essentially, they’ll be required to share a limited amount of health information within the first six months. After two years, they would be required to share all electronic heath information, which is effectively synonymous with personal heath information as defined under HIPAA.
“We stayed close to proposed rule which gave us time to plan and react,” Flanigan said. “Generally, when you come up with regulatory frameworks, you’d always like more time. But we’re comfortable with the timeline that was published. The six months of settling in time without any claims begin made on information blocking is a good thing.”
While Cerner seemed confident, many health systems might struggle to meet the deadline, said Randi Seigel, a partner with Manatt Health.
“Unless a provider was working on coming into compliance before final rule came out, and diligently working to do so, I think it will be a challenge to come into full compliance,” she said. “To the extent they have technology that doesn’t enable interoperability, they’re going to need to sunset that technology or bring that technology up to the standard. … Changing EHR vendors is a huge undertaking.”
Michael Abrams, a managing partner of healthcare consulting firm Numerof & Associates, said larger health systems will also face the challenge of pulling six years of health data into one system.
“With the consolidation that we have seen, we have created any number of increasingly mega-systems that are built up of many smaller entities. I imagine most of them have figured out a way to work in the here and now in terms of a common platform,” he said. “When it comes to reaching back over prior years and being able to consolidate that data for all of the patients that they’ve historically had, that will present new challenges that they’re undoubtedly not looking forward to.”
There is an additional grace period for providers using non-compliant technology. But Seigel said providers also might be hamstrung if they don’t have enough resources in place to handle incoming records requests, such as a shortage of legal assets or IT to determine if an application is secure enough to connect.
“There’s still some ambiguity here of what of these delays could be deemed legitimate without knowing the specific facts, and circumstances and resource limitations,” she said.
In a future rule, HHS plans to establish civil monetary penalties for providers found to hold up the flow of information.
With the fast-approaching deadlines, Manifest MedEx’s Williams said providers will have to work quickly to be able to share information as required under the law. For example, within six months, they should be able to share real-time notification alerts with community providers. So if a patient is admitted into the emergency room, their primary care provider would be notified.
The technical requirements are simple, Williams said, but it takes coordination and asking doctors for patient lists. If they don’t meet the requirement, providers wouldn’t be able to bill Medicare and Medicaid.
“That’s a really big hammer for the hospitals—not being able to process any bills from those two payers,” she said. “There’s no hand-wringing here. They’re just going to have to go straight to implementation.”
Photo Credit: Hiraman, Getty Images
