Enforcement of rules to encourage the freer flow of healthcare data was delayed because of the COVID-19 pandemic. The rules are now scheduled to go into effect this year.
Perhaps no industry better straddles the dichotomy between cutting-edge technology and inefficient, obsolete devices than the healthcare industry.
In one corner of a hospital, a physician in another room (or another state) can perform precision surgery using state-of-the-art robotics, while just down the hall a nurse receives the patient’s medical records via fax machine and the patient’s spouse uses a pen to fill out paperwork.
Those throwbacks exist for many reasons, but perhaps the most important is the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which requires providers and health plans to protect a patient’s health data. Say what you will about fax machines, but they are sturdily HIPAA-compliant.
But if government regulation to protect patient privacy is the root cause of the vestigial methods for transferring healthcare data, then new regulations might pull them into the 21st century.
New regs, new era
The agents of change are new healthcare data interoperability rules from the HHS Office of the National Coordinator for Health Information Technology (ONC) and CMS. Enforcement of some parts of the ONC rule is scheduled to begin in April after HHS delayed enforcement last year because of the COVID-19 pandemic. Other parts will go into effect in 2022 and 2023. The CMS rule will be enforced starting in July.
The intent of the ONC rule is to make it easier for patients to access their own health information and for patient healthcare information to circulate easily among providers and provider organizations. It is also supposed to ease the way for design and use of healthcare-oriented computer and smartphone applications.
Nilesh Chandra, MBA, a partner in healthcare strategy at PA Consulting, an international consulting firm, says the changes could have life-or-death implications. He paints the scenario of someone coming to the emergency department with a rapidly worsening case of COVID-19. Because of the interoperability rules, the patient’s records will be readily accessible. “The attending physician cannot speak to the sedated, intubated patient but can pull medical history to understand underlying health conditions and risk factors while administering care,” he says.
In the past, providers of health-related services have used “information blocking” to keep data in-house in hopes of creating some kind of competitive advantage. Under the new rule, that will be illegal, with a limited number of exceptions, such as when requests are infeasible or pose privacy concerns.
The ONC rule also requires covered entities to adopt the Health Level 7 Fast Healthcare Interoperability Resources (FHIR) standard for application program interfaces (APIs). This change will make data sharing easier by standardizing the way data are stored and transmitted between payers, providers and other healthcare entities.
John D’Amore, M.S., co-founder and president of Diameter Health, a health information company, explained in an interview with Managed Healthcare Executive® that once the FHIR — pronounced “fire” — standards are universal, healthcare records won’t function like a single document but, rather, as separate pieces of information. That will make information about, say, a patient’s allergies or current medications more easily extracted from those records.
“It’s really going to bring us a lot more into the 21st century for how data exchange occurs,” D’Amore says, noting that easily shareable data have made other industries fertile grounds for innovation. He points to the financial industry and its ability to access and aggregate a user’s financial data to provide financial tracking and insights.
The new CMS rule leverages the new API requirements to force payers and plans to share claims and other health information with patients in a secure, user-friendly electronic format. The rule applies only to clinical information already made available to payers and does not create a requirement for payers to access additional data from providers.
The CMS rule also requires participating hospitals to send electronic notifications to other providers anytime a patient is admitted, discharged or transferred from the hospital. The goal is to spark better care coordination and, ultimately, better patient outcomes. Starting in April 2022, states must begin sending daily data reports on Medicare and Medicaid beneficiaries, a requirement that is also supposed to lead to better coordination and more accurate billing.
These new requirements technically apply only to payers and plans that participate in Medicare, Medicaid or other federally facilitated exchanges. D’Amore says they’re likely to carry over into the private market — even the self-insured one — because the insurance industry’s major players are all so deeply involved in the public payer programs.
Although proponents of the new regulations say that they merely bring healthcare in line with patient expectations for data access and functionality, the insurance and hospital industries have pushed back on them. Matt Eyles, M.S., president and CEO of America’s Health Insurance Plans, the industry’s main trade group, is on record as saying the new rules could threaten patient privacy. “We are seriously concerned that patient privacy will still be at risk when healthcare information is transferred outside the protections of federal patient privacy laws,” he said in a press release last year.
Although providers, insurers and their business partners are covered by HIPAA, HHS acknowledged that the new rules raise the potential for health information to be sent to third parties that may or may not have sufficient data security protections. Eyles noted in the statement that even de-identified health information could easily be traced to individuals by combining it with other available personal and health information.
The American Hospital Association has voiced similar concerns. In March 2020, Rick Pollack, the association’s president and CEO, said in a prepared statement that the rules lack “the necessary guardrails to protect consumers.” HHS partially addressed this concern by publishing guidance indicating that covered entities would not be held responsible for leaks related to the transfer of patient health data to noncovered entities, such as third-party applications.
Chandra concedes that there is risk associated with the transfer of data, particularly if the third-party applications don’t have secure data-transfer channels. But he believes the primary risk to patient privacy is the intentional theft of data, using ransomware or malware, not the incidental leakage of it. “I think those risks are substantially greater and pose a much greater risk to patient data than the accidental exposure through a poorly configured data interface between two HIPAA-covered entities,” he says.
As for the timing of enforcement, most agree that the delays were wise. The healthcare industry had more than enough to deal with last year with the COVID-19 pandemic. But the reality is that the covered entities have been preparing for the change for years. After all, the legislation authorizing the new rules, the 21st Century Cures Act, was passed in 2016.
Chandra says the time has come for meaningful interoperability: “The pandemic has further exacerbated the need for data sharing with public health officials and also to coordinate care for patients affected by COVID-19.”
Jared Kaltwasser is a healthcare reporter in Iowa.