HHS Interoperability Rules Get Mixed Response

Some express concerns about patient privacy, provider API costs, and no interim rule; ONC says data access is a patient's right. Others applaud the "major step forward in healthcare interoperability."

The U.S. Department of Health and Human Services (HHS) has finalized two interoperability rules to give patients direct access to their healthcare data. The first provisions of the rule will impact healthcare systems in as soon as six months.

The two rules, issued by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS), were announced last year, and the final rules were issued today. They are expected to "empower patients around a common aim—giving every American access to their medical information so they can make better healthcare decisions," according to a release issued by CMS.

The final ONC rule and the final CMS rule are available online.

"Americans will now have electronic access to their health information on their smartphone if they choose," said ONC National Coordinator Don Rucker, MD, during a White House media briefing this morning with multiple government officials. "Our rule requires hospitals and doctors to provide software access points—end points, if you will—to their electronic medical record databases so that patients can download these records to their smartphones."

One key deadline for health systems occurs six months from today, said CMS Administrator Seema Verma. "We are changing the conditions of participation for hospitals to ensure Medicare- and Medicaid-participating hospitals are supporting care coordination for patients by sending admission, discharge, and transfer notifications so patients receive a timelier follow up, supporting better care and better health outcomes," she said.

The CMS rule also impacts payers. Starting in 2021, Verma said, "all health plans doing business in Medicare, Medicaid, CHIP, and the federal exchanges [must] share their health data with their patients through a secure standards-based API (application programming interface), which represents the link between the data on various systems and [the] consumer's phone."

The rule also requires payers to make their provider directories publicly accessible through a provider directory API starting in 2021, said Verma. "This will allow innovative third parties to design apps that will help patients evaluate which plan networks are right for them and potentially avoid surprise billing by having a clearer picture of which clinicians are in network," she said.

HHS Secretary Alex Azar said he expects the rules to spawn a new era of innovation in healthcare. "We hope to see a whole ecosystem of condition- or disease-specific apps to help patients monitor and improve their health in real time, in part, by using data made available from their electronic health record via an API," said Azar.

Rucker further commented: "We're going to see a growth in patient-facing healthcare IT markets from an entirely new app ecosystem that's going to be fueled by transparency about both product and price. We think this health app economy is going to have new services and we see the smartphone—not just as a smartphone—but as a tool to connect other devices to it."

As expected, the ONC rule specifies the API certification criterion requires the use of the Health Level 7 (HL7) Fast Healthcare Interoperability Resources (FHIR) standard Release 4 and references other standards and implementation specifications to support standardization and interoperability.

Patient Privacy Concerns

The ONC rule received more than 2,000 comments from the public, said Rucker. While most pertained to price transparency, concerns about protecting patient privacy rose to the forefront when Verona, Wisconsin, EHR vendor Epic Systems launched an initiative to delay the ONC ruling until certain patient privacy issues were addressed. The company marshalled its health system clients to write a letter to Azar to request the delay.

Related: Special Report: Epic Uproar Exposes Conflict Between Data Privacy and Innovation

During the White House media briefing with reporters, Azar said, "I want to emphasize that we're taking these actions while maintaining and strengthening patient privacy protections. Patient privacy should never stand in the way of patient control."

In a later media briefing on Monday exclusively with ONC representatives, Rucker said the final rule does not offer explicit mandates for third-party app privacy requirements, in part, for legal reasons.

"Under the HIPAA right of access, [access to your] data is your right," said Rucker. "We cannot, as a general matter of course, presume to tell you how you are going to exercise your rights to your data."

In addition, he said that while the U.S. Food & Drug Administration has some regulatory control over consumer apps, the ONC does not want to institute measures that will stifle innovation so early in the app development process. "The future is really unbounded, and we do not want to prospectively clamp off business models … We should really be open to the opportunities, um, that modernity affords us."

In a statement issued Monday to HealthLeaders, Epic said, "The rule is very important to health systems and their patients, so we will read it carefully to understand its impact before making judgments." In Epic's statement today, among the issues it said it would closely scrutinize was "transparency for patients into companies’ data use and data handling practices.”

Yet the American Hospital Association (AHA) still has concerns. In a statement issued after the final rule was released,, the organization said, "America’s hospitals and health systems support giving patients greater access and control over their health data … However, today’s final rule fails to protect consumers’ most sensitive information about their personal health. The rule lacks the necessary guardrails to protect consumers from actors such as third-party apps that are not required to meet the same stringent privacy and security requirements as hospitals. This could lead to third-party apps using personal health information in ways in which patients are unaware."

America’s Health Insurance Plans (AHIP) expressed similar sentiments in a statement that said, in part, “We remain gravely concerned that patient privacy will still be at risk when health care information is transferred outside the protections of federal patient privacy laws."

Additional Industry Reaction

The news received mixed reviews by healthcare systems, healthcare organizations, and observers, but most had not yet had the opportunity to completely review the 1,244-page ONC final rule or the 474-page CMS rule.

Among the misgivings expressed:

• Disappointment that an interim ONC final rule wasn't issued: The American Health Information Management Association (AHIMA) issued a statement expressing support for the effort to "eradicate practices that unreasonably limit the access, exchange and use of electronic health information for authorized and permitted purposes including patient access to their health information. However, given that the rule introduces a number of new definitions and terminologies and the significant economic impact of this rule, we are disappointed the [ONC} did not heed stakeholders’ calls to issue an interim final rule.”
   
• Provider API costs: The Medical Group Management Association (MGMA) expressed support for the new opportunities for medical practices to share health information with their patients via user-friendly apps and CMS’s new hospital admission, discharge, and/or transfer notification requirements, but pointed out a significant issue. "MGMA is concerned that the ONC rule permits EHR vendors to push API costs onto providers," the association said in a statement. "We will lead industry efforts to protect medical groups from potentially excessive EHR upgrade fees to ensure limited practice resources are not diverted from patient care."

Others embraced the changes.

• Cerner: Brent Shafer, CEO of EHR company Cerner, based in North Kansas City, Missouri, also issued a statement to HealthLeaders, saying in part, "Today marks an important milestone in a decades-long pursuit of improving consumers access to their own personal health data and clearing unnecessary hurdles that have stood in the way. The rules announced today will support a seamless and connected health care world were patients are more empowered than ever before."
   
• Intermountain: Stanley Huff, chief medical informatics officer for Intermountain Healthcare, said, “We are excited to see a major step forward in healthcare interoperability that is enabled by releasing the final rules. We anticipate that adoption of the HL7 FHIR Application Programming Interface (API) and encouraging patient-controlled access to their data will lead to healthcare applications that will improve the quality of care we provide while improving access to care and decreasing costs.”
   
• Accenture: In a statement to HealthLeaders, Andy Truscott, managing director and technology consulting lead in Accenture’s health practice, said: "With today’s ruling, health systems have a clear compliance timeline to work toward. It does require gap assessment of existing people, processes, and technologies against the obligations of the new rules and to deliver change. The rules are a boost for health systems in that custodianship of information about patients cannot be used as a way of binding the patient to that provider. Health systems will now look at how to improve the quality of the services they provide patients by leveraging the richer stream of information that can be obtained from other providers under the new rules. The opportunity to provide patients and providers with heightened experiences supported by a rich information fabric is there for the taking of the innovator. A clear statement on FHIR R4 as the backbone now provides certainty to information systems developers. Accenture  believes that innovation is even more important now than ever." 

This story was updated on March 10, 2020.