What Is The Argument About?
Beginning with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, federal policy makers have sought to create a national health information technology (IT) infrastructure that allows data to flow among electronic health records (EHRs) and patients to support clinical care and other important use cases such as biomedical research. While EHR adoption increased dramatically following the HITECH Act, interoperability, or the flow of data between different software systems and among different health care actors, remains a problem. Multiple reasons explain its slow progress, from misapplying patient privacy regulations to weak economic models to technological challenges. Policy makers have responded, passing new legislation such as the bipartisan 21st Century Cures Act of 2016 (Cures Act) to push key players such as EHR vendors and providers to flip dynamics favoring data silos to those favoring appropriate data sharing.
On March 4, 2019, the Office of the National Coordinator for Health Information Technology (ONC) issued proposed regulations to implement the Cures Act’s provisions on interoperability, patient access, and information blocking by vendors of certified EHRs and Medicare and Medicaid providers. (Health Affairs covered this rule in several articles published in spring 2019, including a blog post written by every past National Health IT Coordinator, and one written by the ONC’s former chief privacy officer.) The ONC’s final regulation is now due any day, with an expected effective date in January 2022. A key component of the ONC’s proposed rule was the requirement that a vendor of a certified EHR must allow any app a patient chooses to make a data call on a read-only, standard specification application programming interface (API) so that the patient could automatically and efficiently get a copy of their own health data. And, this data call must be allowed regardless of whether the app is approved by the EHR vendor, the health care provider, or adheres to any particular privacy law or self-regulatory scheme. In other words, the patient chooses what is right for them. It is expected that this requirement will persist in the final regulation.
On the eve of release, Epic, the largest vendor of certified EHRs, launched a nationwide public campaign proposing to delay the rule, including an email to customers’ CEOs urging them to join Epic in this proposal. Epic’s main claim: that patients’ privacy would be eroded if they share their data with their chosen health apps. Patients and their allies responded swiftly to defend their right to get and share their health information, including a meeting with the Office of Management and Budget to explain that any delay in releasing the rule would harm patient care and patients.
We strongly believe that Epic’s claims do not warrant a delay in the ONC releasing its rule. We argue the opposite: Delaying release of the ONC’s rule will do nothing to improve consumer privacy protections, while delay could have potentially harmful impacts for patients and patient care.
What Does The ONC Propose In Its Regulation?
Standardized Application Programming Interfaces
Current federal regulations (published October 16, 2015, in the Federal Register at p. 62675–9) require certified EHRs to include an “open” API, with public technical documentation for app developers, to enable patients’ access and use of their health information. The ONC’s proposed regulations build upon this requirement and take a significant, indeed crucial, step forward by requiring standardized, Fast Healthcare Interoperability Resource (FHIR)-based APIs for patient and population services. With all certified EHRs including the same standardized API, interoperability, care, and coordination, a learning health system will advance substantially. The Cures Act requires API access to “all data elements of a patient’s electronic health record.” For the forthcoming rule, the ONC proposed only to require “API access to a limited set of data elements” (p. 7485) and promised to add other data elements later.
The Cures Act prohibits information blocking as defined by Congress in the act and authorizes the secretary of the Department of Health and Human Services to identify by regulation reasonable and necessary activities that do not constitute information blocking. The ONC’s proposed regulations defined these seven exceptions to information blocking. The proposed rule also prohibits current common practices, such as:
- Terms based on whether the API user (such as a third-party app developer) is a competitor or potential competitor with the API technology supplier (such as an EHR vendor);
- Terms and fees based on the revenue or value the API user may derive from access, exchange, or use of the data;
- Restrictions against information sharing about user experiences (such as gag clauses);
- Fees for patients’ access, exchange, or use of their electronic health information; and
- Physicians’ and hospitals’ refusing to give patients a copy of their protected health information (PHI) because the physician or hospital does not approve the patient’s health app on privacy grounds.
ONC’s Proposed Rule And Privacy
Epic grounds its objections in patient privacy, writing that it fears that “patients and their family members will lose control of their confidential health information.” As the ONC reported to Congress in July 2016, a consumer’s apps might already collect or store health information while not being regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing Privacy, Security, and Breach Notification Rules. So, it is true that in the two domains, HIPAA-covered and non-HIPAA-covered, privacy protections differ. The ONC’s proposed regulations change none of this.
Furthermore, the ONC’s proposed rule actually reinforces an important privacy principle—that the person whose data are collected has a right to a copy of it. Under HIPAA, consumers have a fundamental right to a copy of their health information in an EHR and to have their data transmitted directly from the EHR to any recipient the patient chooses (HITECH Act, section 134054(e)). HITECH does not limit this right to particular end points with particular privacy policies, and the ONC’s proposed rule brings this right to life, even if the app the individual chooses has weaker privacy controls than HIPAA.
Second, the ONC lacks legal authority to change the consumer protection rules that apply to consumer-facing health. The ONC’s authority is limited to EHRs and related domains. The ONC does have authority to require technical upgrades to EHRs that implement consumers’ right to access their health data in a usable, computable format, but not to regulate consumer apps.
Congress has the authority to improve consumer privacy protections and is well aware of the problem. Congress has held numerous hearings on the issue since May 2018, and more than a half dozen general privacy bills are currently pending. For example, both Senator Roger Wicker’s (R-MS) and Senator Maria Cantwell’s (D-WA) bills propose a nationwide consumer privacy law that would require transparent explanations of privacy practices; the right to delete, correct, or port one’s data; choices about collection of certain types of sensitive data, such as health data outside HIPAA; and impose restrictions on use by people other than the original data collector. While neither bill is near passage, according to the think tank Future of Privacy Forum, the bills show that consensus is building on key improvements in consumer privacy law. If one of these bills were enacted, it would significantly strengthen protections on the issues that concern Epic. States have taken action as well, such as new consumer privacy legislation in California and Nevada.
Benefits To Clinical Care
Substantial benefits will accrue if the ONC’s proposed regulations are finalized and implemented. First, they will enable a patient to develop a longitudinal health record, a single record combining multiple portals and providers over time, where data can be moved easily from place to place as a patient directs. Patients have made a compelling case that without access to the totality of their health information, their care can be delayed or even harmed. Organizations as diverse as the Pew Charitable Trusts, the American Association of Family Physicians, and Microsoft have written to HHS Secretary Alex Azar urging that the ONC’s rule be finalized as proposed.
Epic has previously claimed that it would strive to create a “comprehensive health record.” Yet, today it seems impossible that a hospital system or EHR could accrue a comprehensive set of a patient’s health information, let alone every patient’s health data. Furthermore, our already fragmented health care system is only becoming more complex: Modern health care requires coordination of an ever-increasing set of data sources (for example, patient-generated device data, genomic data, payers’ claims data), participants (for example, family members and caregivers), and providers of care (for example, school clinics, employers, skilled nursing facilities, telehealth providers). We must start with the premise that health data can and should move to where it needs to go, among multiple providers, caregivers, and data sources, and EHRs and health apps must all have standardized methods for receiving and sending data with robust privacy and security. The ONC’s rule is the vital next step in that process.
As pointed out by Isaac Kohane and Kenneth Mandl, it is critically important that these data transmissions occur via the open-source specification SMART on FHIR interface standard, allowing the data to be transmitted between and among diverse applications in a computable format. A simple download via a non-computable PDF or via a non-standard, proprietary electronic format, is simply insufficient for health care in the modern world.
Second, health care and the nation’s patients deserve the best innovations as we continue to transform from paper records to a digital, learning health system. Across industries, platforms spur innovation and improvements in ways we could never imagine. When the iPhone was launched in 2007, could anybody have imagined the explosion in new ideas that the iOS platform and App Store would catalyze—that we’d have financial tools, podcasting, connected home platforms, streaming movies, and so much more? When Amazon digitized the bookstore, could anybody have imagined the transformation to a huge e-commerce platform for other businesses? EHRs have the opportunity to become platforms, with health care and health information ecosystems designed around seamless data exchange.
The ONC’s proposed regulations enable and advance the innovation we need with standardized application programming interfaces that enable such interconnections of structured data. How might the EHR vendor offerings change if their focus were on becoming platforms with top-notch user experience for their core functions such as e-prescribing and provider documentation along with robust APIs for connecting securely to third-party tools, instead of trying to develop applications and products to target every niche corner of US health care? We could see a flourishing of new apps and services offering convenient telehealth services, with the ability for that data to be exchanged back and forth with your regular doctor, or tools offering personalized health education content, or helping patients find the right clinical trial, or personalized services to help with medical bills. At the moment, we can only dream about the products, services, and tools that could blossom in such a health care platform-based world—but if the ONC’s proposed rules go forward now, these could soon become a reality.
Bottom line: The ONC rule will improve a patient or caregiver’s ability to obtain their total health record, and the ONC rule will not make the current consumer privacy protections worse. Today, individuals could get printed copies of their health records, enter them into apps of their own choosing, however secure or unsecure, and HIPAA would not apply. The forthcoming ONC and CMS rules do not change this existing privacy law. All health care stakeholders who are concerned about that issue should raise it with Congress and state legislatures, which have authority to act, rather than request to delay the ONC’s rule, delaying critical improvements to interoperability, access, innovation, and ending information blocking.
Policy makers have done their part and have promulgated policy to the extent possible (recognizing that policy can sometimes be a blunt, imperfect instrument) to make clear to stakeholders that they need to start sharing data (with appropriate protections, and declining to share only for a specific list of approved reasons). Now stakeholders such as EHR vendors, providers, and app developers must do their part and act in the spirit of the new regulations, not lobby against them, and give Americans what they deserve: the ability to have their data move to where it is needed.
Source: Health Affairs