It may seem counterintuitive for a Republican administration to be proposing lots of new health IT regulations when they usually tend to take a market-driven approach. Nevertheless, 2019 turns out to be a banner year for regulations, with health system executives responding to three major proposed rules around interoperability and information blocking.
The comment period closed in June on the second draft of the Office of the National Coordinator’s ambitious Trusted Exchange Framework and Common Agreement (TEFCA) for connecting health information networks and the creation of a nonprofit Recognized Coordinating Entity (RCE) to manage the network of networks. Most stakeholders seem to see the potential for the new framework to set the rules of the road for interoperability, but they also can find areas of concern, and some even question the need for TEFCA at all, given the progress made on network-to-network query by CommonWell and Carequality. And as the old saying goes, where you stand depends on where you sit. In other words, the more it looks like TEFCA might disrupt your business model, the more concerned you are.
In their responses to ONC, several organizations stress that the initial phase of TEFCA needs to be achievable for everyone in order to encourage participation. “If there are folks who choose not to participate in a voluntary program, that is fine, but the onboarding bar needs to be low for the first phase,” says Jeff Smith, vice president of public policy for the American Medical Informatics Association (AMIA). Because the statute stresses the voluntary nature of the program, Smith adds that it could get contentious if the Centers for Medicare and Medicaid Services (CMS) tries to make TEFCA participation a condition of payment for Medicare.
Kate Horle, the chief operating officer and privacy officer for the Colorado Regional Health Information Organization (CORHIO), helped draft the response to ONC from the Strategic Health Information Exchange Collaborative (SHIEC) of which CORHIO is a member. She stresses that SHIEC was encouraged by several changes ONC made in response to stakeholder responses to the first draft.
Horle suggests looking at TEFCA in context with the information blocking rule and the CMS rule on interoperability. “They are trying to build a structure where an organization like CORHIO could provide an array of services and charge reasonable fees for that, but we would have to respond to queries without any charge. Is that feasible? Maybe. I am going to have to spend a lot of time doing analysis to understand how we would make that happen,” she says. If TEFCA starts to require broadcast query, CORHIO would have to do a lot of normalization and analytics, she explains. It would have to hire a data analytics person at $120,000 per year in order to meet a requirement for which it can’t recoup that spending and it would be to provide a service its community members have not asked it to do. “For really small HIEs and for rural communities, that could be problematic,” Horle says.
Meeting the needs of smaller players is a way the nonprofit recognized coordinating entity (RCE) could potentially be very helpful, Horle adds, but conversely it could become a roadblock. “If that organization makes it hard to be a QHIN [Qualified Health Information Network] or puts a lot of regulations on how QHINs exchange data or is not thoughtful about the differential technology gaps that exist in this space, then people are just going to walk away,” she says. “Then we are going to have a digital divide that becomes unmanageable. You would have HIEs in the game and HIEs out of the game, and that would totally defeat the purpose of interoperability.”
Rewriting data-sharing agreements
One sticking point for HIEs and other networks that remains after the second draft is that the Common Agreement requires a QHIN to ensure that participants abide by certain mandatory minimum obligations, such as privacy and security requirements. To implement these obligations, data-sharing agreements between QHINs and participants will need to incorporate these mandatory minimum obligations, which may necessitate modifications to existing data-sharing agreements and trust frameworks. HIE executives have noted that those data-sharing agreements took a long time to develop and put in place. Re-writing them all will be a challenge.
SHIEC has asked for a longer time frame to make that change. “If this process is going to be voluntary, it doesn’t seem fair to say you have to do it in 18 months,” Horle says. “It would be our request that the time frame be a minimum of three years. An HIE the size of CORHIO has thousands of agreements in place. Our agreement with the Department of Defense took three years to execute. It is not practical for our team to spend all their time modifying agreements.”
Claudia Williams, CEO of California-based health information organization Manifest Medex, agrees, noting that her organization merged with another HIO two years ago. “As a result of the merger, we had to rewrite all our contracts, and we are still not done. It was almost a full-time role for our general counsel for two years. I think it is a nonstarter to get people to rewrite contracts. That is an incredibly voluminous amount of work for an HIO. I don’t know what the reward is we would get for that.”
Williams knows something about writing health IT regulations. She previously worked on HIE policy issues at ONC. But she is concerned that ONC and CMS may be trying to do too much at once. “We are in complete alignment with ONC and CMS in their rulemaking regarding the urgent need for reducing information blocking,” she says, “but we have two proposed regulations that have a lot of new policy, and we have national networks that are showing extraordinary operational success around connecting EHRs. Our belief is that this is a bad time to introduce additional complicated policies. It would be smarter to hold back on TEFCA and let information blocking and other parts of the policies take effect and then assess in two to three years if additional policymaking or guidance is necessary.”
What’s the value to HIOs?
Williams says she doesn’t see what the value of TEFCA is for an HIO beyond what it can get today by joining Carequality. She says the only use case where it makes sense to take a network-to-network approach is the individual patient summary lookup, which is what Manifest Medex does today on Carequality, eHealth exchange and CommonWell. “That doesn’t require a lot of infrastructure in the middle because it leaves a lot of the complexity at the edges,” she says. “But we already have a national approach through the merging of Carequality eHealth Exchange and CommonWell.” For other use cases, such as notifying care providers when their patient shows up in the ED, that requires a lot of infrastructure in the middle – it requires each HIE to hold the eligibility list for every single provider, so they know when to push that information, she explains. “The only use case that makes sense is one where we already have a solution.”
No room in the tent
Scott Stuewe, president and CEO of DirectTrust, suggests that the industry landscape has shifted faster than ONC was able to in writing its two drafts of the TEFCA regulation. “If you think about what Carequality represents and how federated it is, and what DirectTrust is and how federated it is, both work by taking best advantage of the internet, communicating point to point but with a directory. DirectTrust has a PKI framework and identity proofing so you know who you are talking to. Those things are what is needed in a future that involves a FHIR ecosystem,” Stuewe says. “As we leave behind a world where everyone is communicating through gateways, which will happen, the query-based exchange approaches in Carequality and CommonWell, are a big part of what is being done. Once you are querying and also interacting more broadly using FHIR, you will need something more like DirectTrust than like TEFCA.”
Stuewe notes that DirectTrust couldn’t be a QHIN because it doesn’t support all the modalities of exchange required. “We want to figure out how to operate within it, but it is currently very restrictive and doesn’t actually provide room in the tent for us.”
Ben Moscovitch, who directs The Pew Charitable Trust’s health information technology initiative, notes that patient matching issues are going to be important to address as TEFCA is rolled out. Today, patient matching rates between organizations can be as low as 50 percent, he says. “ONC, working with the RCE, should make patient matching a priority,” he adds. It should align patient matching requirements with the demographic data in the US Core Data for Interoperability (USCDI) and indicate that certain standards should be used for some demographic data, specifically the U.S. Postal Service standard for addresses. He says research has found that standardizing phone number and date of birth and a few other data elements does not meaningfully improve match rates. However, standardizing to the USPS format does improve match rates. Another step his organization recommends is to evaluate what other demographic elements already exist in the record and leverage those for matching. One example is e-mail address. “Research has shown that e-mail addresses are already in almost half of patient records. If the data are available, that information could be used to better match records,” he says.
Although some stakeholders might see TEFCA as over-regulation or trying to solve a problem that is already being addressed, AMIA’s Jeff Smith says that if ONC delayed or trimmed way back on the regulation, “a lot of the type of exchange you would want to see as a public good would take a lot longer through the private sector. One of the values of a program like this is that you have a nonprofit entity who can prioritize things for the public benefit that paying customers of for-profit entities may not prioritize,” he says. “The notion of individual access to health data is a perfect example. There are a lot of forces that would rather not prioritize the ability of a patient to get up in the morning, hit a button and have all their health information refresh on their phone.”
