UPDATED on March 9 at 12:23 p.m.
The Trump administration Monday released widely anticipated rules that will change how providers, insurers and patients exchange health data.
Specifically, the regulations will allow patients to access and download their health records with third-party apps.
The two rules, issued by both the Department of Health and Human Services' Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS), implement interoperability and patient access provisions of the bipartisan 21st Century Cures Act.
Putting patients in charge of their health records is a key piece of giving patients more control in healthcare, and patient control is at the center of the Trump administration’s work toward a value-based healthcare system, Trump administration officials said during a call with reporters on Monday.
ONC’s final rule establishes secure, standards-based application programming interface (API) requirements to support a patient’s access and control of their electronic health information. The Centers for Medicare & Medicaid Services also released a proposed rule (PDF) at HIMSS last year suggesting that Medicaid, the Children’s Health Insurance Program, Medicare Advantage plans and qualified health plans be required to make enrollee data immediately accessible by 2021.
The rules were first proposed at the Health Information and Management Systems Society (HIMSS) conference last year aiming to advance interoperability and give patients easier access to their health data.
"This is an unprecedented rule allowing the safe and secure access of health information," said National Coordinator for Health IT Donald Rucker, M.D. during the press call. "Americans will now have electronic access to their health information on their smartphone if they chose. The rule requires hospitals and doctors to provide software access points to their electronic health record (EHR) databases," he said.
The Office of the National Coordinator for Health Information Technology's information blocking rule (PDF) requires that electronic health data be made available to patients at no cost and defines exceptions to data blocking.
Jeff Smith, vice president of public policy at the American Medical Informatics Association (AMIA), said the ONC rule will "fundamentally transform the landscape for health IT" by providing patients access to all of their information."
"In the near term, information is going to be messy and incomprehensible, for the most part, but over the long term, it creates a dynamic where access is the first step to be able to do something important with the data," he said.
The data-sharing regulations have split the industry with Epic and many hospitals coming out against the interoperability rules citing concerns about data privacy. Even federal lawmakers and major health IT groups have urged HHS to make big changes to the rules to strengthen data security safeguards.
However, many technology vendors, including Apple and Microsoft, along with health plans and consumer advocacy groups, have urged HHS to move forward with publishing the rule.
In a statement issued Monday, Epic said the rule is "very important to health systems and their patients" and Epic executives plan to the rule carefully to understand its impact before making judgments.
"As we read the rule, we will be especially interested in the impact of the rule on hospitals and physicians, and Epic’s ability to support them in delivering care as well as the implementation timelines for required development and effective dates.
Epic also will be taking a close look at the transparency for patients into companies’ data use and data handling practices, the company said.
In response to stakeholder comments on the rule and concerns about data privacy, ONC put in "powerful protections" around access and use of patient data by third-party apps, Rucker said.
"We bound into the patient authentication process the ability of the providers to give notice and let patients know what they are consenting to and to do that in a deliberate and straightforward way. That is absolutely central to the way that patients allow apps to get access to information," he said.
Rucker noted that the apps will use the same authorization framework, called OAuth2, that is used on travel and banking apps.
Some industry groups don't think the ONC rule goes for enough to protect patient data.
American Hospital Association President and CEO Rick Pollack, said in a statement that the rule lacks the necessary guardrails to protect consumers from actors such as third party apps that are not required to meet the same stringent privacy and security requirements as hospitals.
"This could lead to third party apps using personal health information in ways in which patients are unaware," he said.
Smith also said the ONC rule doesn't include mitigating provisions to the exposure of patient privacy outside of the context of the Health Insurance Portability and Accessibility Act (HIPAA).
"As near as I can tell, they took zero steps to try and address the patient privacy issues that will arise as a consequence of these new functionalities and new access to data," he said.
AMIA and the American Medical Association have advocated that ONC should require health IT vendors get privacy and security attestations from app developers who have access to APIs.
ONC's jurisdiction over third-party apps is limited, Smith said, and Congress will need to tackle patient data privacy with new legislation.