Two new proposed rules from the Department of Health and Human Services are important steps to accelerate interoperability, but they need to be fine-tuned to avoid significant unintended consequences, healthcare leaders said on Capitol Hill on Tuesday.
Those consequences could include an increased burden on providers and risks to patient data privacy, the experts told the Senate Health, Education, Labor and Pensions (HELP) committee about the interoperability provisions of the 21st Century Cures Act. The committee is weighing the potential challenges ahead as the information blocking rule from the Office of the National Coordinator (ONC) for Health IT is implemented.
Last month, the Centers for Medicare & Medicaid Services (CMS) also published a draft rule to encourage interoperability and patient access to their medical records. Both the ONC and CMS rules call for the adoption of standardized application programming interfaces (APIs), specifically FHIR, to enable data sharing through smartphone applications.
As it provides oversight, the Senate HELP committee wants to ensure the interoperability initiatives are heading in the right direction, Senate HELP committee chairman Lamar Alexander (R-Tenn.) said, adding, “Are these the right standards? Are these rules moving too fast?”
APIs are the foundation for the modern internet, and Congress accelerated the adoption of APIs “in a meaningful way” with the passage of the 21st Century Cures Act, said Ben Moscovitch, project director of the health information technology program at The Pew Charitable Trusts.
He applauded ONC’s requirement of the use of standards for APIs in the information blocking rule. “As ONC finalizes the rule, Congress should ensure that the agency maintains its commitment to standardized APIs—both through the use of FHIR and refined implementation guidelines,” he said.
Yet, a central concept of the ONC and CMS rules is that patients will use third-party applications to access their medical records, and many of these third-party applications are not covered by the Health Insurance Portability and Accountability Act (HIPAA).
“Providing unvetted third-party applications fairly open access to patient digital health data concerns me as both a clinician and a consumer,” said Christopher Rehm, M.D., chief medical informatics officer for Lifepoint Health, a health care system based in Brentwood, Tennessee.
Lucia Savage, former chief privacy officer at ONC and now chief privacy and regulatory officer at Omada Health, said committee members are rightfully concerned about privacy and security. She urged Congressional leaders to work on broader consumer data privacy policies.
“I think you need to look at the totality of the fact that the digital life is no longer sliced up in economic sectors and we need policies to converge, whether it’s something like HIPAA migrating outwards or a uniform policy that consumers can understand,” she said, adding that privacy policies need to converge so the expectations for the consumer “are the same wherever they go.”
Rehm recommended an industry-backed process to independently vet third-party applications to ensure they meet all relevant security standards, use data appropriately and are in line with consumer expectations.
Potential burden on providers
In a statement released prior to the hearing, health IT lobbying group Health Innovation Alliance, formerly known as Health IT Now, said the information blocking proposal could increase provider burden while stopping short of achieving widespread interoperability.
The proposals could keep doctors on the hook for vendors' technology costs, the group said. “ONC should adopt standards that promote interoperability, including standards that are normalized, eliminate custom tweaking, and that make interfacing simple and inexpensive,” Health Innovation Alliance executive director Joel White said.
Due to the lack of system interoperability, provider organizations shoulder the burden and the cost of implementing interfaces to connect different technology systems, Rehm said. Once an EHR vendor upgrades a product, providers need at least 12 months to review, configure, test, train and deploy the technology, he said.
Under the CMS proposed rule, hospitals will be required to send admission, discharge, and transfer notifications as a condition of participation for Medicare and Medicaid. “While I support this idea directionally … this is, unfortunately, putting the cart before the horse,” Rehm said, noting that not all EHRs can generate these messages. It’s an enormous undertaking in time and money for hospitals to individually connect to other providers and facilities, he said.
America’s Health Insurance Plans also questioned the proposed timeline for implementing the ONC and CMS rules, calling it “unrealistic” and saying it would pose “significant compliance burdens” on health insurers, providers and other stakeholders.
Health insurance providers will have to build and test the new standardized technology as well as ensure that the third-party entities are able to securely connect to their systems, AHIP said.
Calls for improved patient matching
Ineffective patient record matching continues to be a significant hurdle in the healthcare industry and inhibits widespread interoperability, Moscovitch said. Both CMS and ONC included requests for information on patient matching in the proposed interoperability rules.
Moscovitch said ONC should require the use of the U.S. Postal Service standard as well as other data elements, like email addresses, to improve match rates. He urged Congress to work with ONC to ensure the agency requires the use of better standards to accurately match patient records.