On Monday, the U.S. Department of Health and Human Services (HHS) issued what it calls “transformative” rules that will govern how healthcare providers, insurers and technology vendors must design their systems to give patients safe and secure access to their health data. Issued by two different agencies within HHS – the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare and Medicaid Services (CMS) – the rules implement the interoperability and patient access provisions of the bipartisan 21st Century Cures Act.
The new rules are aimed at putting patients in charge of their own health records and allowing them to share their sensitive health data with others, including smartphone application developers. But with these new rules come growing concerns over the risk they pose to patient privacy.
Interoperability and Patient Access
The ONC final rule requires that health providers, developers of certified health information technology (IT) products, health information exchanges and other health information networks give patients secure, electronic access to their health records at no cost, and it creates new measures to prevent information-blocking practices and anti-competitive behavior. In addition, the rule establishes new provisions to ensure that providers have the ability to communicate about health IT usability, user experience, interoperability and security, including (with limitations) the ability to document issues using screenshots and video, which ONC says are critical forms of visual communication.
The rule also establishes secure, standards-based application programming interface (API) requirements to support patients’ free access to and control of their electronic health information using the smartphone app of their choice. This provision will allow patients to organize information from different healthcare providers and health insurers in applications on their smartphones. Building on the ONC’s final rule, the CMS final rule requires health plans in Medicare Advantage, Medicaid, the Children’s Health Insurance Program and through the federal exchanges to share claims and other health information with patients in a safe, secure, understandable, user-friendly electronic format through the Patient Access API. According to HHS, the Patient Access API will allow patients to access their data through any third-party application they choose and to take this information with them as they move from plan to plan and provider to provider. The idea is to create a world where patients have instant access to information so they can easily choose a doctor and get the best care at the lowest price.
The CMS final rule also establishes a new condition of participation (CoP) for all Medicare and Medicaid participating hospitals, requiring them to send electronic notification to another healthcare facility or community provider when a patient is admitted, discharged or transferred. The goal of this CoP is to foster innovation, facilitate better care coordination and improve patient outcomes by allowing a receiving provider to reach out to the patient and deliver appropriate follow-up care in a timely manner.
Although applauded by many as putting patients in the “driver’s seat” with respect to coordinating their own care, the new rules also raise concerns regarding patient privacy and the potential for misuse of health data. These concerns are being amplified as healthcare systems are increasingly entering into data-sharing deals with tech companies such as Google and Microsoft.
This is where the new rules arguably fall short. The CMS final rule provides that covered entities and business associates may advise patients on the potential risks of requesting that their data be transferred to an application or entity not covered by HIPAA, “but such efforts generally must stop at education and awareness or advice regarding concerns related to a specific app.” Once the data reaches such an app, HIPAA’s privacy and security requirements no longer govern it. In recent resolution agreements with covered entities, HHS has taken the position that patients should have nearly unfettered access to their health information in the possession of a healthcare provider.
Ultimately, healthcare providers and health insurers should understand that patients’ sharing of health data with apps, other providers and other insurers will now be easier than ever. Therefore, they should begin to familiarize themselves with the new standards for sharing data and providing patients with digital access to health data while considering the privacy risks that should be communicated to patients in the process.