AMIA says ONC rule doesn't go far enough on patients' data access

The American Medical Informatics Association says the proposed federal rules aimed at driving interoperability don't go far enough to put patients and providers in the driver's seat when it comes to accessing and exchanging health data.

In 53 pages of comments (PDF) to the Office of the National Coordinator for Health IT (ONC) about the information blocking and health IT certification rule, AMIA said the proposed rule "perpetuates an imbalance where patients, clinicians, and researchers are beholden to health IT developers for routine access, exchange, and use of health data."

If finalized as proposed, this rule will solidify a dynamic where health data must be standardized before the information is available for patient care or research, AMIA said. The group, which represents 5,500 informatics professionals, said it "flatly reject[s] a policy that requires data to be standard before it can be used."

“These proposals represent the most consequential health informatics policies since the first Meaningful Use regulation was proposed a decade ago.” AMIA President and CEO Douglas Fridsma, M.D., said in a statement. “The new policies outlined by ONC will fundamentally and dramatically change the landscape for health IT and data availability. But we must go further to put patients, providers, and researchers in the driver’s seat.”

RELATED: CHIME urges CMS, ONC to give providers 3 years to comply with interoperability rules

ONC unveiled the proposed rule (PDF) back in February focused on implementing health IT provisions in the 21st Century Cures Act. The rule calls on the healthcare industry to adopt Fast Healthcare Interoperability Resources as the standard for application programming interfaces (APIs) while also proposing a requirement that patients must be able to electronically access all of their data through an “electronic health information” export.

The rule additionally seeks to implement the information blocking provisions of the Cures Act, proposing seven exceptions to the definition of information blocking. Finally, the rule lays out requirements for conditions and maintenance of certification for health IT and the first version of the U.S. Core Data for Interoperability.

CMS also released a proposed rule (PDF) taking aim at data blocking. The comment period for both ends June 3.

At a high level, AMIA said it commends ONC for translating the ambitious statutory imperatives from the Cures Act into regulation. "We support many of these proposals and we note that numerous provisions in this proposed rule operationalize the recognition conveyed by Congress that change is needed to the status quo," the organization said.

RELATED: Complying with information blocking rule will be a challenge without standardized APIs: HIMSS

But AMIA strongly cautioned ONC against an approach that “will solidify a dynamic where health data must be standardized before it is available for patient care or research,” and called on the agency to “flip [this] paradigm.”

AMIA strongly recommended that ONC establish a “share now, standardize as needed” policy.

The industry group also joined with the College of Healthcare Information Management Executives in asking ONC to issue an interim final rule rather than a final rule to provide more time for industry stakeholders to give feedback.

To help stakeholders adjust to these new policies for information blocking, AMIA also recommended the Office of Inspector General (OIG) institute a period of enforcement discretion to better understand how actors are interpreting new requirements and to avoid wasteful litigation. Such enforcement discretion would have OIG require corrective action plans—rather than levy fines which would likely lead to litigation—where claims of information blocking are found to be warranted, AMIA said.

The period could be limited to three years from when the rule is finalized, and AMIA suggested that all claims of information blocking—substantiated and unsubstantiated—should be made publicly available for stakeholders to study.

The industry group also is concerned about patient privacy and security in this emerging API-driven environment. There are currently few consumer protections outside of the HIPAA-regulated environment, but completely addressing privacy risks with third-party apps falls outside the statutory authority of ONC and the Department of Health and Human Services, AMIA said. 

The group is urging Congress to take action to fill the consumer protection gaps residing just beyond the reach of HIPAA.

To address privacy and security concerns in the near term, AMIA recommended a host of actions for ONC to take including categorizing API users into two distinct stakeholder groups: third-party API users who develop software and interact with API technology suppliers and first-order API users who are end users of the software developed by third-party API users.

ONC also should take immediate steps to implement recommendations of the 2016 API Task Force to foster secondary markets for app endorsements in which stakeholders can endorse apps for meeting specified expectations of performance, AMIA said.