Payers and providers protested the long-awaited HHS rules promoting interoperability that dropped Monday, contending the rules could threaten patient privacy by allowing personal health information to flow to third-party companies not covered under HIPAA.
Healthcare organizations are still digesting the ramifications the 1,700 page rules could have on their business models and bottom lines.
How third-party apps can use patient authorized data was one of the most hotly contested issue in the lead-up to the final rules, with EHR behemoth Epic lobbying fiercely for added privacy guidelines. However, much of the specific language around access for developers didn't change between the proposed and final rule.
The American Hospital Association, which represents nearly 5,000 hospitals, blasted the rules for failing "to protect consumers' most sensitive information about their personal health" and lacking "the necessary guardrails" to protect consumers from malevolent actors using their data in unforeseen ways.
The final CMS rule includes a controversial provision requiring hospitals to send electronic notifications to other caregivers when a patient is admitted, discharged or transferred. Provider interests have objected to the provision.
AHA said it plans to pursue changes through the "relevant government agencies and channels," SVP for public policy analysis and development Ashley Thompson told Healthcare Dive. The American Medical Association also said it planned to closely review the privacy controls in the final rule.
Powerful health insurance lobby America's Health Insurance Plans also aired privacy concerns while citing the work payers do to make personalized tools available to consumers to help them digest health information, like patient portals and mobile apps.
"We remain gravely concerned that patient privacy will still be at risk when healthcare information is transferred outside the protections of federal patient privacy laws," AHIP CEO Matt Eyles said in a Monday statement.
The final rule from CMS places more of a data-sharing onus on payers than expected. It requires plans participating in Medicaid, the Children's Health Insurance Program, Medicare Advantage and Affordable Care Act exchange to give their some 125 million beneficiaries free electronic access to their data, including claims and encounter information, by 2021. They also have to curate an up-to-date, interoperable provider directory, also by 2021, and share clinical information with each other at the patient's request by 2022.
All these requirements rely on standardized application programming interfaces, which allow computer systems to send and receive information, mandated by the Office of the National Coordinator for Health IT's rule.
"When you're in the electronic world, there's always risk," ONC head Don Rucker said on a Monday morning call with reporters. "I think we've put in some powerful protections here."
Additionally, patients will be able to access which specific electronic health information applications are receiving. For example, if a patient downloads a medication management app, they can limit that app to only information contained in the "MedicationRequest" and "Medication" profile of their provider's EHR.
ONC made this a volitional process — it's the patient's choice whether they want to download any apps at all — and apps will be required to inform the patient that their data is leaving HIPAA's protections. Privacy experts say a patient's access to his or her own data is also a right under the law and under the Federal Trade Commission's fair information practices.
But providers still have significant questions about whether they, or the apps, are responsible for making sure patients are educated and informed about the status and safety of their sensitive medical information.
"I fail to understand how this will reduce administrative burden if the belief is that the providers are going to be the ones responsible for alerting the patients, or answering detailed questions about whether or not an app is secure," Mari Savickis, VP of Public Policy for the College of Health Information Management Executives, told Healthcare Dive.
HHS doesn't have the authority to regulate any bad actors once patient data has left the umbrella of the sweeping privacy law. That's the job of the FTC, though there are a number of bills in Congress and in states like California and Washington to expand consumer data protections.
But it doesn't make sense to stress the confidentiality provisions of the rule without giving equal weight to the other side of the coin: giving people access to their data, Lucia Savage, a former ONC chief privacy officer who now works for chronic care manager Omada Health, told Healthcare Dive.
The U.S. doesn't have a single industry besides healthcare where adults aren't trusted to manage their own information — and the country's data protections are weak in general, giving rise to scandals like Cambridge Analytica in 2018, Savage said.
"Nobody is ignoring that problem. It's more that ONC doesn't have the authority to solve that problem. Nor does OCR. Nor does HHS," said Savage.
Savage, among other health data experts, believes some companies publicly hammer privacy concerns as a smokescreen to protect their business practices. EHR behemoth Epic, which counts 60% of large U.S. hospitals among its clients, has been accused of doing that, calling earlier this year for the federal government to stipulate transparency and privacy requirements for applications before the rules were finalized, which could have set the publication of the regulations back by months.
A spokesperson for Verona, Wisconsin-based Epic told Healthcare Dive it was still digesting the rule, but was looking closely into "transparency for patients into companies' data use and data handling practices."
"Other industries have solved this approach to balance the interest of safe and secure interests with a right to get your information in a form you can use," Dick Flanigan, senior vice president of EHR giant Cerner, told Healthcare Dive. "There are frameworks to be built and extensions to be addressed but we don't want the chilling effect of fighting this rule on privacy grounds."