APIs, Patient Privacy Dominate Conversation in Senate HELP Committee Hearing

March 26, 2019
Committee members posed various questions and expressed concerns to health IT stakeholders regarding patient privacy and making digital health data more readily available

During a Senate Health, Education, Labor & Pensions (HELP) Committee hearing on March 26, members of Congress and health IT stakeholders discussed patient privacy and data access in the context of two recently proposed rules the government released on interoperability.

The hearing, which took place on Tuesday morning and was titled “Implementing the 21st Century Cures Act: Making Electronic Health Information Available to Patients and Providers,” was led by Senate HELP Committee Chairman Lamar Alexander (R-Tenn.) and involved witness testimony from multiple industry stakeholders, including: Ben Moscovitch, project director, health information technology, The Pew Charitable Trusts; Lucia Savage, chief privacy and regulatory officer, Omada Health, Inc.; Mary Grealy, president, Healthcare Leadership Council (HLC); and Christopher Rehm, M.D., chief medical informatics officer (CMIO), LifePoint Health.

Chairman Alexander, in his opening remarks, noted, “In 2015—six years after the Meaningful Use program started and as the 1991 [National Academy of Medicine] report [on the digitization of health records] predicted—we realized that, in many cases, electronic health records added to administrative burden and increased unnecessary healthcare spending. So, in 2015, this committee held six bipartisan hearings and formed a working group to find ways to fix the interoperability of electronic health records.”

As such, in the 21st Century Cures Act, signed into law in December 2016, Congress took steps to help improve digital health data exchange. To this end, Alexander stated that two new proposed regulations released last month—one from CMS (the Centers for Medicare & Medicaid Services) and one from ONC (the Office of the National Coordinator for Health IT)—related to interoperability and patient access “should give more than 125 million patients easier access to their own records in an electronic format, according to HHS [the U.S. Department of Health & Human Services].”

He added, “This will be a huge relief to any of us who have spent hours tracking down paper copies of our records and carting them back and forth to different doctors’ offices. The rules will reduce administrative burden on doctors so they can spend more time with patients.”

Within the two proposed rules are a multitude of elements related to improving patient access to their health data. For instance, both rules propose to require the use of the FHIR (Fast Healthcare Interoperability Resources) standard for APIs (application programming interfaces). By having the industry adopt standardized APIs, individuals would be able to access structured electronic health information more easily and securely using smartphone applications, federal officials have attested.

In the hearing, Alexander raised the concern that requiring certain standards comes with risk: if they are wrongly developed, or the standards required turn out to be the wrong ones, there would be even more administrative burden and a “great mess” to deal with. But Rehm, the Tennessee-based provider, said that being as descriptive as possible with standards is a good thing. “When a standard is broad and left up to the industry to implement, [there is too much room for interpretation] and manual work will fall on the providers. So I think being descriptive will accelerate interoperability,” he said.

Grealy, from the HLC, an organization comprised of C-suite healthcare executives, agreed with Rehm, noting, “There is broad and deep agreement that FHIR and open APIs [are the direction] we need to go in. Everyone is committed to interoperability, and we do need some rules of the road that [folks] can understand and implement.”

In its proposed regulation, CMS touted industry adoption that already has taken place in this area, noting that approximately 32 percent of certified health IT developers have published via the Certified Health Products List that they are using FHIR Release 2, as of mid-September 2018. Additionally, 51 percent of health IT developers appear to be using a version of FHIR and OAuth 2.0 together.

Moscovitch, with The Pew Charitable Trusts, remarked that “APIs are the foundation of the modern Internet.” However, he added, for them to be effectively used, “different systems need to exchange information in a common way. ONC accomplishes that goal by requiring use of the FHIR standard, which technology developers are increasingly adopting, for how to exchange information. As ONC finalizes the rule, Congress should ensure that ONC maintains a commitment to standardized APIs,” he said.

Talk Around Patient Privacy Heats Up

For much of the hearing, members of Congress grilled the witnesses on issues around patient privacy, particularly the concern of patients sharing their data with certain third-party health apps that are not governed by HIPAA.

Many of these questions and concerns were directed to Savage, now at San Francisco-based digital health company Omada Health but previously the chief privacy officer at ONC. Sen. Bill Cassidy (R-La.) said he recently learned that in his state, Louisiana, patients do not own their data. He then asked Savage what types of health plan data patients have a right to.

Savage said that patients have a right to any data the insurer is using to get medical information about them. “You have legal access to that data, but there are problems in carrying that out. Individuals getting their data has been a top five complaint at the OCR [Office for Civil Rights],” Savage admitted.

When the conversation then shifted to third-party apps, Savage explained that unless the company is covered by HIPAA, or the context in which the data is being released is covered by HIPAA, there is unfortunately no legal protection of patient data in these situations. “We need [privacy] policies to converge, and that are easy to understand, so that the expectations are the same for consumers wherever they go,” Savage said.

Rehm said he believes there is risk associated with third-party apps that aren’t covered by HIPAA, since “no organization is vetting the technology infrastructure security of that application. If patients are drawn to a consumer-driven app, and they use it and the open API, who is making sure that the company has put in proper safeguards to keep the data secure?” he asked.

Savage added that the HELP committee “is rightfully concerned about privacy and security, so the best thing [the committee] can do is work with its colleagues [to figure out] what is working and what needs to be migrated. Nothing will matter if there is no confidence in the privacy of data, on the part of both providers and patients.”
