Lawmakers push HHS for more clarity, stronger data privacy protections in federal data sharing rules

Federal lawmakers are putting pressure on the Department of Health and Human Services (HHS) to make big changes to forthcoming rules on data sharing and information blocking.

A bipartisan group of senators sent a letter to HHS Secretary Alex Azar Nov. 15 urging the agency to provide more clarity about which data must be shared to comply with the information blocking rule.

Sen. Mark R. Warner, D-Virginia, wants to see HHS put in stronger controls and standards to safeguard patient data as the rule pushes insurers to make records accessible through application programming interfaces (APIs), according to a letter (PDF) he sent to Azar, also on Nov. 15.

Warner, co-founder of the Senate Cybersecurity Caucus, is a frequent critic of poor cybersecurity practices in healthcare.

"In just the last three years, technology providers and policymakers have been unable to anticipate—or preemptively address—the misuse of consumer technology which has had profound impacts across our society and economy," he wrote in the letter.

Third-party data stewardship is a critical component of information security, Warner wrote. "A failure to ensure robust requirements and controls are in place is often the cause of the most devastating breaches of sensitive personal information," he said.

The Centers for Medicare & Medicaid Services' (CMS') proposed interoperability rule (PDF) is under review at the Office of Management and Budget (OMB), the last step before publication. That rule would require insurers participating in CMS-run programs like Medicare, Medicaid and the federal Affordable Care Act exchanges to allow patients to access their personal health information electronically through open APIs. The use of APIs would allow third-party software applications to connect to the data, process it and make it available to patients.

In his letter to Azar about the CMS rule, Warner wrote that any approach to give patients access to health information "must balance innovation and ease of access with privacy, security, and a commitment to robust competition."

Warner urged that, at a minimum, CMS' final rule should include standards that guarantee patients ready access to their personal health data and the ability to regularly monitor that information for accuracy. Patients also need to be informed of all commercial uses of their data, including any third parties with which their data have been shared, he wrote.

The rules should also give patients the ability to withhold consent before their data are shared with third parties or used in new ways, he said.

Along with putting adequate privacy and security safeguards in the CMS rule, Warner urged HHS to work with the Federal Trade Commission and state attorneys general to develop a way to prosecute companies' privacy and security lapses.

Organizations should be required to document open API specifications and required security controls, Warner wrote. The senator also wants the CMS rule to require informed proactive consent when patient data are shared with a third party and stronger protections to ensure data aren't used in ways beyond what patients agreed to.

Concerns with ONC's data blocking rule

The Office of the National Coordinator for Health IT's (ONC's) interoperability and information blocking rule also is under review at OMB. ONC released its proposed information blocking rule (PDF) in February that outlines seven exceptions to the prohibition against information blocking and provides standardized criteria for API development.

In a letter to Azar, eight senators said they continue to hear concerns about the lack of clarity and standards around ONC's use of the term "electronic health information" (EHI) in the data blocking rule. The largely undefined data set is much more expansive than the ONC-backed standard, called the U.S. Core Data for Interoperability (USCDI), which most systems are working to implement, according to the letter, which was signed by Sens. Tammy Baldwin, D-Wisconsin; Ron Johnson, R-Wisconsin; Tina Smith, D-Minnesota; Christopher Coons, D-Delaware; Jacky Rosen, D-Nevada; James Lankford, R-Oklahoma; Richard Durbin, D-Illinois; and Martha McSally, R-Arizona.

The Health Information Technology Advisory Committee has heard similar criticism that the broad definition of EHI creates confusion and that there is a need to clarify the rule so providers understand which data they must share.

The ambiguity around the definition of EHI will increase the burden on stakeholders to avoid accusations of information blocking and create risks to patient privacy and security, the senators wrote in the letter.

The senators urged ONC to examine the definition of EHI to align it with USCDI to "better establish clear parameters for what electronic health information must be made available for access, exchange, and use" to create "manageable standards for interoperability."