UPDATE: June 5, 2019: The number of comments has continued to tick up since Monday's midnight deadline as HHS updates its website to reflect the processed tally. As of this update, the total is approaching 3,800 on the CMS and ONC interoperability rules.
The comments from a few high-profile groups trickled in over the past 24 or so hours. The story has been updated to reflect the points of view of the American Medical Association, HITAC and six former ONC heads.
More than 2,800 comments poured in on two wide-reaching HHS rules to promote interoperability and discourage information blocking in healthcare, with industry groups largely lauding the goal but not the means of achieving it.
Health IT groups, providers, payers and other industry stakeholders took issue with much of the fine print in the government's plan.
"At a core level, the rules do not work," Joel White, executive director of lobbying group Health Innovation Alliance, said on a press call earlier this month. "ONC and CMS ought to go back to the drawing board."
The quick implementation timeline, proposal to publicize prices, requirement that providers share with a patient's team when they're admitted, transferred or discharged, matching patients to their correct medical record and perennial concerns with data privacy and security took up the bulk of healthcare groups' concerns.
And some definitions in the rules, like what constitutes "electronic health information," are too broad or unclear, groups from all sectors say, which could make information blocking enforcement difficult or variable case-by-case. More clarity is also needed around the exceptions to info blocking, providers argue, noting concerns that the burden of reporting will be solely on hospitals — and some worry EHR usability isn't strong enough to support the strict standards HHS wants to enact.
CMS and HHS' health IT arm, the Office of the National Coordinator, each released their proposed rule in February, following a prolonged stint in the Office of Management and Budget.
CMS's rule proposes requiring Medicaid, the Children’s Health Insurance Program, Medicare Advantage plans and health plans in the Affordable Care Act exchanges to provide their combined 125 million patients with free electronic access to their personal health information, including claims, by 2020.
And ONC wants to require the industry to adopt standardized application programming interfaces (APIs), which allow computer systems to talk to each other. It would also require health IT vendors and providers come into compliance with provisions to stop information blocking the day after the rule is finalized.
'Impractical' and 'not realistic'
A slew of different industry groups said the government wasn't allowing enough time for implementation, with the American Hospital Association slamming the timeline as "impractical" and Health Innovation Alliance calling the schedule "not realistic."
AHA said getting in compliance with the info blocking provisions of the rules would require significant business modifications, along with new accounting methods and documentation.
"Since organizations will not know what is in the final rule until it is released, they will be left with no time to make these modifications or put systems into place to ensure compliance with the regulations," the group's comment reads.
Health IT groups were similarly concerned with the timing for vendors, payers and providers, noting the requirements represent a fundamental shift in each of their business processes. Health information exchange nonprofit The Sequoia Project, which includes major EHR vendors like Epic, Cerner and athenahealth, along with some providers, called it "overly aggressive."
"Such transformation will require an appropriate transition period to ensure that stakeholders have sufficient time to revise existing organizational and business practices and policies," commented the American Health Information Management Association, noting it's "concerned" that a year won't be enough for actors to adjust and come into compliance.
Stakeholders varied in how much time they wanted CMS to give for information blocking, with AHA and The Sequoia Project requesting a minimum of 18 months, AHIMA 18 to 24 months and payer group America's Health Insurance Plans 24 months. Health IT executive organization CHIME requested ONC give another 36 months minimum for providers to make sure their health IT programs are up to date with the rules.
"Given the magnitude of changes encompassed in these rules, CMS and ONC should be publishing interim final rules rather than final rules to allow additional opportunity for stakeholder comments," CHIME said.
Providers, payers dead set against price transparency in electronic health information
Though HHS merely hinted it could include prices under the definition of electronic health information in the future, provider and payer interests came out fiercely against the idea, which would expose their pricing tactics to the public eye.
AHA called the plan, which would mandate disclosure of proprietary provider pricing, "arbitrary and capricious," while the AMA said it would create a "very broad and very complex web of compliance risk."
"It goes well beyond what Congress intended and would seriously harm patients, hospitals and other health care providers," AHA said, alleging ONC doesn't have the authority to include price information in the definition of EHI, price transparency would reduce competition and disrupt negotiations with plans and even that the move could violate the First Amendment by compelling disclosure of confidential commercial information.
AHIP was similarly concerned, arguing in its comments to ONC that "shoehorning prospective price estimates in the definition of EHI in order to include it within information blocking is not substantiated by the underlying legal authority."
The payer lobby agreed with the AHA that there could be "unintended consequences" of releasing pricing data, and that much of the data isn't useful to consumers.
Yet HHS received an "unusual" amount of individual comment submissions, especially around the price transparency rule, ONC spokesperson Peter Ashkenaz told Healthcare Dive. Many patients shared personal anecdotes of their negative experiences with the country's healthcare system, and how transparent pricing could have helped.
"A few years ago, I injured my wrist and was sent by my general practitioner to the hospital. They couldn't or wouldn't tell me what any of the procedures would cost. X-rays, MRI, and CAT scan all totaled up to over $1700," one uninsured patient from Washington state commented. "I had to pay for it out of my own pocket. Had I known in advance what the costs would be, I would have looked for alternatives."
The scores of individual comments and stories were driven in part by advocacy group Patient Rights Advocate, run by Cynthia Fisher, who is also a member of the Health IT Advisory Committee.
HITAC, created under the 21st Century Cures Act to advise ONC, also recommended ONC explicitly include "pricing information which can be attributable to an individual patient" under the definition of EHI as pricing information is necessary for patients to make "informed decisions about the nature and location of their care."
Committee members stressed in a late May meeting the issue should be a focus for ONC moving forward, recommending the agency establish a task force on the matter.
Privacy, security of third-party applications
Stakeholders reiterated their strong concerns about security and privacy of patients' electronic health information, especially when it's shared with third-party applications such as consumer portals or health apps on a smartphone.
Such third-party apps often don't have business associate agreements with payers, meaning they're not covered under existing HIPAA liability provisions. HHS rules as written don't include a certification process for apps.
"Patients may be unaware that once they authorize a covered entity to push their health information to a third-party app and such an entity is a HIPAA non-covered entity, the rights afforded under HIPAA no longer apply," AHIMA wrote.
Additionally, patients may not know how an app intends to use their sensitive health information. The AMA pointed out in its comments apps could have the ability to license patients' data for marketing or advertising or sell aggregated personal information to third parties.
The apps also may not have invested strongly in security. About a quarter of healthcare organizations suffered a security breach from a mobile device in 2018, a high figure in an industry that beat out all others for the most cybersecurity incidents last year.
Comments recommended the administration clearly regulate what actors are liable for data breaches and when, with AHIP advocating the Federal Trade Commission and HHS work together to vet apps and make sure there are no bad actors. A coalition of previous ONC heads suggested relevant agencies and private sector groups develop a companion consumer privacy framework.
"Security concerns must be more thoroughly probed," CHIME wrote, with AHIMA adding: "As currently proposed, the rule does not include sufficient guardrails around HIPAA non-covered entities."