During a Congressional hearing today, Senate Health, Education, Labor & Pensions Committee (HELP) committee Chairman Lamar Alexander (R.-Tenn.) urged senior federal health officials to avoid moving too far, too fast on implementing the government’s proposed rules on interoperability and patient access to data.
The May 7 hearing was the second one in the series, “Implementing the 21st Century Cures Act: Making Electronic Health Information Available to Patients and Providers,” and was led by Chairman Alexander, while including testimonies from two key witnesses from the Trump administration—Donald Rucker, M.D., National Coordinator for Health IT at the Office of the National Coordinator for Health IT (ONC), and Kate Goodrich, M.D., Director and Center for Medicare & Medicaid Services (CMS) Chief Medical Officer, Center for Clinical Standards and Quality. The first part of this hearing occurred in late March.
Alexander opened by expressing a major concern of his: that the administration could potentially be moving too fast in its implementation of two recently proposed interoperability rules issued by ONC and CMS. “In 2015, I urged the Obama Administration to slow down implementation of Stage 3 of the Meaningful Use program. They did not slow down, and looking back, the results would have been better if they had,” said Alexander, who later in the hearing said MU Stage 3 was “terrifying.”
Alexander did show appreciation toward Rucker and Goodrich for the government’s extension of the comment period for the public to weigh in on these two complex rules. Comments were originally due in by May 3, but now stakeholders have until June 3 to give their feedback. “I asked CMS and ONC to extend the comment period, and I am glad to see they have done so and want to thank our witnesses for allowing more time for comment,” Alexander stated.
The ensuring discussion, much like it did in the first hearing, turned to very specific elements of the two proposed rules, such as the information blocking provisions, the adoption of standardized APIs—that will enable patients to have easier access to their health data through smartphone applications—as well as the privacy issues that could emerge as a result of this expanded app ecosystem.
National Coordinator Rucker noted that ONC’s proposed rule would require providers’ electronic health records (EHRs) to allow patients to download their medical data to apps of the patient’s choosing. “App ecosystems have helped transformed many industries, such as travel and shopping, and they can do the same in healthcare,” Rucker stated. He continued, “The Cures Act directed ONC to identify activities that would not be treated as data blocking and the proposed rule outlines seven exceptions. Our proposed rule makes it clear that data should move seamlessly, in a private and secure manner, without special effort from the end user.”
Rucker also noted that ONC is actively engaged with the Office for Civil Rights (OCR) to inform patients about both their HIPAA rights and the potential risks that come with the creation of an app ecosystem that uses open APIs. “Individuals should balance their selection and use of a health app with the potential risk of having negative implications,” he said.
This point was echoed by Alexander, who said if the Cures Act gets successfully implemented, “patients should be able to get their own health data more easily and send it to their healthcare providers. Patients may also choose to send that data to third parties—like an exercise tracking app on their smartphone—but this raises new questions about privacy.”
For example, smartphone apps created by third-party developers and not by providers or business associates covered under the Health Insurance Portability and Accountability Act (HIPAA) are not subject to HIPAA rules, even if a breach occurs. Sen. Bill Cassidy (R-La.) specifically asked if anything is protecting consumers from their health data being sold to Facebook, for example, if they were to allow their data to be downloaded to a third-party app.
Rucker didn’t have a definitive answer, noting that there are contractual agreements between both parties that are subject to be overseen by the Federal Trade Commission (FTC). He added, “It’s a real and major issue, and patients have to make conscious decisions on if they want their data to be downloaded to the [third-party] app,” he said. Cassidy, though, said that due to lengthy agreements that few people actually read, it’s easy for patients to unknowingly give permission to the app, which leads to the possibility their health data could be sold. “What are the rules and who is in charge when patients give their data to a third party?” Sen. Alexander asked. “It’s very much still an open area [to figure out],” Rucker acknowledged.
Nonetheless, the ONC chief said the proposed rules move healthcare “into a competitive place it literally hasn’t been in 50 years. Modern APIs have changed business after business after business, and we think they will transform healthcare by bringing new parties into the game that aren’t part of the [traditional] healthcare system.”
Implementing the Information Blocking Provisions
The ONC proposed rule implements the information blocking provisions of the 2016 Cures Act, which defined information blocking as interfering with, preventing, or materially discouraging access, exchange, or use of electronic health information. The ONC rule proposes seven exceptions to the definition of information blocking. As it outlines, there are four specific healthcare “actors” regulated by the information blocking provision: providers, certified health IT developers, HIEs (health information exchanges) and HINs (health information networks).
Rucker said that for the most part, he believes the exceptions outlined in the rule are “common sense types of things,” and were established after more than 100 meetings with health IT stakeholders. He did specifically point out one of the exceptions—recovering costs reasonable incurred, which acknowledges that it will not be information blocking for a vendor to cover its reasonable costs of enabling access, exchange, or use of health data, for example. But Rucker admitted there does still need to be a definition on what that allowable cost is. He said he’s heard of vendors, in some cases, charging $1 million for a startup to obtain that data.
As part of the CMS rule, meanwhile, the agency proposed it would make public the names of clinicians and hospitals that submitted "no" to three attestation statements committing them to data sharing. When asked by Sen. Patty Murray (D-Wash.) about the point of the public disclosures, and what happens if a provider attests they aren’t data blocking when in reality they are, Goodrich said that any concerns would be addressed by the OIG (Office of Inspector General). She added that CMS is looking at alternative methods to addressing this specific information blocking provision before the rule gets finalized.
