Early last year, before COVID-19 swept the nation, HHS was busy finalizing two highly anticipated rules promising to free up the U.S.'s siloed medical data. One of the rules, from the Office of the National Coordinator, the agency that regulates the nation's health information technology framework, is meant to give consumers free electronic access to their structured and unstructured medical data, implementing provisions in the 21st Century Cures Act passed in 2016.
The rules are extensive and have faced numerous challenges, including significant industry pushback and deadline extensions during COVID-19. Important questions still hang over their implementation: Some providers have pushed for additional timeline delays, citing the pandemic, while regulators have yet to determine an appropriate punishment for providers found blocking the free flow of information between disparate systems.
Newly minted ONC head Micky Tripathi, who comes with decades of experience in the interoperability and privacy standards space, now spearheads this push toward interoperability. In a wide-ranging interview, Tripathi addressed what the government can do to build on the regulations, noting further delays are improbable and that industry will likely see further action on codifying disincentives for bad actors before the end of the year. He also outlined his agency's biggest priorities as it looks to modernize the U.S.'s outdated public health data reporting infrastructure.
Editor’s note: This interview has been edited for clarity and brevity.
HEALTHCARE DIVE: You’re about three months into this new role. Now that you’re a bit more settled, what's been challenging or surprising about leading ONC?
TRIPATHI: A bunch of things, actually. With the pandemic, I certainly knew that I was entering a space that was unfamiliar terrain really to everyone. And when you have a transition to a new administration, with a different outlook on the world, that also meant there were going to be a lot of changes that were hard to specifically anticipate or predict.
One of them is certainly all of the work that we're doing in evaluating the public health data systems. We certainly knew that we would be involved in public health as we started to look ahead. But there's been an executive order that's focused on evaluating public health data systems, there's now a lot of investment going into public health data infrastructure that I think we can probably all agree we've underinvested in across many administrations for too long. And now we're seeing the results of that. And so there's a lot of investment going into that, and therefore a lot of attention. I don't think I would have anticipated that we would be as directly involved as we are in that.
Another surprise was just some of these very specific tactical things that pop up, where we try to provide a little bit of guidance, a little bit of direction, using all sorts of different levers. So we're doing some work in scheduling, for example. We can't fix the world with respect to vaccination scheduling. But we have to get fairly creative in terms of trying to figure out how we can get the industry to move toward a standards-based approach, to do whatever improvements we could make in the vaccination schedule experience that individuals are having. And we didn't have regulations to fall back on or anything. So we spent a fair amount of time with our partners at the White House, U.S. Digital Service, and with folks from standards development organizations to essentially evangelize and get a coalition of the willing, who want to work together on approaching it in a standards-based way. I think we're going to see some pretty good success there, but that was a little bit of a surprise as well.
You have a lot on your plate at the moment with interoperability, COVID-19, reducing health disparities — what is ONC tackling first?
TRIPATHI: A mix of those things. The public health thing, that's a fairly big effort for us. There's also the work on implementing the information blocking rule, which went into effect on April 5. That's been a long time coming, since you're finally putting into effect a law passed in 2016. That's a big focus area for us: getting that rule out, finally, and now preparing the industry for it. So we're doing a lot of proactive outreach, in terms of trying to educate the industry on what the rule says, what it means to be in compliance with the rule, and more important to me, how do we think about what opportunities lie there. There's a lot of proactive work there, as well as some reactive work, I think. If you're familiar with information blocking, there's a complaint process that goes along with that, where organizations may complain about what they think may be violations of information blocking. So we're certainly preparing ourselves for the enforcement of that as well — that's definitely one priority.
The other one is TEFCA, the Trusted Exchange Framework, which is the network governance, which is also a part of 21st Century Cures. We want to put renewed energy into that, so we can help to do the hard work of getting network-level interoperability to the place where it needs to be.
That's a great segue into interoperability. You’ve spoken about using a range of regulatory levers to incent organizations to stay apace with the information blocking rule, but that it’s important not to hamstring innovation. How do you navigate that tightrope?
TRIPATHI: A lot of it is to maintain as many options as possible. We're very focused in the U.S. in general but certainly in this administration on being able to allow the private sector to innovate as much as possible, but providing guardrails along the way so that it's focused on the public interest.
When you think about things like TEFCA, for example, it's very much about trying to empower the private sector to get to that point of network-level governance, but not being too prescriptive in terms of exactly how they have to do it. It's really just trying to focus more on the what, and what are the appropriate guardrails around it, but leaving a lot of room for the innovative capacity of the private sector to define sort of the how. It's a balance.
It's also really important to try to leverage the things that are coming out of industry. There's sort of this notion that standards come from the top down. But they really don't. The best standards, the standards that we've seen that are durable, are the ones that come from the bottom up, with a tailwind behind them, so that the people who worked on those standards and want to do real things have the opportunity to do those things with those standards. That's a lot of what we do is align activities that are already going on. Because the healthcare industry is so fragmented that ONC and the federal government in general plays a really important role in helping to provide that directional guidance to the healthcare delivery system, and industry overall.
With the information blocking rule, organizations have 18 months before they have to share a larger swath of data, including unstructured data, beyond what's in the U.S. Core Data for Interoperability (USCDI) dataset. Sharing unstructured data is significantly more difficult and compliance with this tenet is somewhat vague, as there’s really no one definition of electronic health information (EHI). That could pose a challenge for providers. What is ONC doing to ameliorate this? Are you at all concerned that leaving the definition of EHI amorphous might hamper interoperability and compliance?
TRIPATHI: That's a great question. And the answer is, we don't know what exactly that's going to look like. I think we just have to keep partnering with anyone working on it. I will just say, what we try to do is leverage things that are out there. So the notion of EHI — it's basically the electronic version of the designated record set, which is defined in HIPAA. That in itself is sort of an ambiguous definition, because every provider organization according to HIPAA can define the designated record set themselves. I don't think we're introducing more ambiguity into it. What we are doing is trying to say, well, there's something that's established there, let's not try to recreate everything and create more confusion. But let's draw an electronic boundary around those things or say to providers, 'You need to draw an electronic boundary around that designated record set', and then make that available. I think that because of the high heterogeneity of medical records in general in the healthcare delivery system, I think that was an appropriate way to approach it. Which is to say, there's already variation that the law recognizes, and let's not try to pretend that we can solve that.
But that shouldn't prevent us from moving forward, saying that you need to make that information available. So it's certainly beyond the USCDI. It's a lot more than that, a lot of unstructured data. I don't think that we'll have problems seeing that directionally, I think people will sort of be doing what they should. I think that will be very case by case if issues come up, rather than being general and across the board about it because it is defined differently in different places.
Makes sense going back to what you said about not being prescriptive, from a regulatory perspective.
TRIPATHI: Yeah. Most organizations have a sense of there being a whole bunch of other stuff that's in the EHR. So you got to make that available. Where we could get into weird stuff is really around the edges, around scanned documents that came in from other places. Are those electronic? Or are they not? How do you easily make those available, more obscure diagnostic systems, for example, that are difficult to integrate even within the hospital. Are those included? Or are those not? Old written records that go back a long way and that are scanned and are like in a deep archive somewhere? Those kinds of things around the edges, those will probably be the issues.
Eighteen months from now seems like a long time, but providers have already pushed back against what they view as a speedy implementation. The Trump administration already pushed back compliance dates twice, so does ONC plan to keep the current deadlines in place? Do you think the timeline is fair?
TRIPATHI: We certainly don't have immediate plans to change that. But obviously we stay very close to the market to understand what's going on there. We certainly don't want to impose additional hardship in the middle of huge national emergencies. But we felt pretty strongly that given the delays that have already happened, that it made sense to move forward with that, particularly when you consider that the benefits of it are things that make the response to the pandemic better, and help to address some of those gaps.
So you want to strike that balance. It's like, yes, when you're in the middle of the crisis, it's hard to sort of make some changes. On the other hand, how long can you keep going into crisis without recognizing that some of these things are going to be things that are going to help your response to the crisis? I think we're trying to get over it as fast as we can. But it's not going to end tomorrow; it's not going to end next month; it's not going to end the month after that. So we better get on the way to thinking about the future.
With respect to the 18 months, that is a long way away, but we have no intent to expand that. Right now, I'm trying to exercise as many of the soft levers as we have to get people to accelerate that timeline. To say that, 'You shouldn't wait 18 months. If you can start to make that information available sooner, you should do that.' And, again, we don't have regulatory authority to require that, but I'm doing everything I can to try to encourage industry to do that.
There’s still a lot to be done to build on the interoperability rules. Along with standardizing additional capabilities like application programming interface write access, providers are still waiting on the government to codify disincentives for information blocking. What are your thoughts on how that system should work? When can industry expect that step?
TRIPATHI: We're waiting for and working with our partners at CMS to help define the penalty side of the disincentives to providers. Information blocking is sort of a multi-agency thing to the extent that ONC defines the policy, and has some enforcement discretion or ability with respect to certification of EHRs. But then the HHS Office of the Inspector General works on the other aspects of enforcement. And CMS defines what the disincentives are to providers.
So we're working with both OIG and CMS to get the timing of all of this lined up. And I don't really have any more knowledge right now about when exactly that will happen. The OIG rule, that draft rule is out there already. And I think that the expectation is that before the end of the year, they will have the final rule out. And obviously the CMS piece of that will have to be decided on and incorporated in that as well.