The Trump administration finalized two massive rules to expand patients' access to their medical information Monday, to applause from patient advocates, scant comment from payers and general wariness from EHR vendors and providers.
CMS and the Office of the National Coordinator for Health IT proposed the regulations more than a year ago, but they've been held up by a fierce national debate on privacy versus consumer agency and a stringent fiscal review from the Office of Management and Budget.
The rules are now final, and the first deadline is in six months. Major EHR vendor Cerner thinks it can make the timeline, though others aren't so bullish. Privacy hawks continue to warn of the pitfalls of allowing sensitive medical information outside of the HIPAA umbrella and into the hands of third-party applications, and there's still a lot of gray area in the regulations that could spell trouble for payers, providers and health IT companies alike.
Some stakeholders worry the ONC rule is particularly burdensome. In aiming to give consumers free electronic access to their medical data, it pushes to make all providers interoperable for a limited set of data, called the U.S. Core Data for Interoperability, within six months.
ONC head Don Rucker has been spearheading the regulation over his three-year tenure as chief of the health information agency for the Trump administration. In his first print interview since the publication of the final rules, here's what Rucker had to say about patient agency, privacy and incumbents whose business models are threatened by the sweeping regulations in this modern smartphone era.
This interview has been lightly edited for brevity and clarity.
HEALTHCARE DIVE: The rules are the culmination of a significant amount of work. How does it feel to have them out?
DON RUCKER: The work spans five years when you get down to some of the original information blocking efforts. The Cures Act was December 2016, so that alone is pushing almost three and a half years. So we're pleased. The time, in large part, reflects the complexity of the federal government, along with the opportunity for public comment and to incorporate those comments. I think we've done exactly that.
How did public input shape the genesis of the rule?
RUCKER: The single biggest category of comments was the public requesting transparency, especially on price. The price stuff is being handled by other work in the administration, like the executive order from the president. But people want transparency, and they would like it sooner rather than later. That came through loud and clear.
Stakeholders always have concerns about rules in terms of the volume and nature of the work. The incumbent economic stakeholders obviously realize that with the modern world of smartphones and transparency, for many of them, this is going to require a change in their business models.
The comments reflected that. If you built up a business based fundamentally on lack of transparency about what your services cost — and that has been the case with many folks in the American healthcare industry — this is a new era, and requires a new thinking. We got the usual response about it's too much, too soon. So, in the final rule, we focused more in the first two years on the USCDI, both in information blocking and the API certification. We delayed the other data on the information blocking side past two years. We added in a six-month period when there's no enforcement, and the actual rules to do enforcement are still being worked on.
We also put in a number of provisions on patients' privacy. Providers will clearly let patients know they're moving their data from HIPAA, and details about the consent policy of the app they're giving permission to.
Some providers are worried they're on the hook for informing patients about the security of apps. Is that a valid concern?
RUCKER: No. This is all automated. The vendors are going to provide this. This is a splash screen that says you are leaving HIPAA, and then here's the consent policy. It's not a manual process — that may have gotten lost. Or sometimes, these things are tilted in a way even by people who know that it is not exactly the case.
Stakeholders are worried about bringing medical data outside HIPAA. Do you think we need some sort of national consumer data protection legislation?
RUCKER: Congress is working on it today as we speak. There is an ongoing national dialogue about what our expectations of privacy are that transcends health information. It's important for people to know that most of the facts that a marketing party could find out about your health, most of that can be inferred without even touching anything in HIPAA.
HIPAA touches the records created by doctors and hospitals and labs. But your geo-location, your accelerometer, your search history — all of those things are vastly predictive of your health. If your geo-location shows you're going to the liquor store or to the bar or to the crack house or to McDonald's, versus the gym, the 1,000-foot-steep Rocky Mountain Trail, that you're biking 50 miles that day — all of these things are vastly predictive of your health.
I think Congress and we all certainly have to think more about our consent policies. But all of this has to be balanced against the fact that patients are absolutely being harmed by the non-transparency of healthcare today. We have roughly 500,000 medical bankruptcies. How many of those are bankruptcies because people had no idea what they were going to be charged? The American public is desperately screaming for transparency.
Now, obviously the incumbent stakeholders with non-transparent business models are going to utterly ignore that. But when you look at the big picture, the issue fundamentally is way more about the global lack of transparency and control in healthcare than that the patient may somehow pick a bad app, right? We know for secure information that's important, like in banking, people are not just randomly putting their money in things that have no security.
So all of these arguments start with the patronizing assumption that patients are idiots and that they don't have a right to their data.
Does HHS expect a legal challenge from some of those incumbents?
RUCKER: We're not in the business of commenting on future legal challenges that may or may not happen. If there is going to be a legal challenge here, the assumption that the American public is somehow not going to find out or is going to stand still for their rights being removed from them — that's going to backfire.
I think we've seen in the recent past couple of months, the public does not want providers and EMR vendors choosing what they can do with their medical care, their healthcare, their dollars or their human rights. What we've seen from all the outcry over the past several months is the public gets it. This faux concern from people who are running totally nontransparent businesses — the American public gets it. That's why we're having this political discussion about what to do about healthcare.
Civil monetary penalties aren't yet in place. What are the next steps for enforcing information blocking?
RUCKER: Enforcement is a work in progress. I would also point out, I'm not sure that this world is going to get changed by threat of enforcement. I actually personally believe that a little bit of transparency begets a lot of transparency. I think a lot of this is just going to happen because the public expectation of convenience around services is going to drive this faster than our rulemaking timeline.
Without getting into companies and names, I think you're already seeing bits of transparency all over the landscape. The public expectation is changing absolutely rapidly here. And I think that our rule, when it's all said and done years down the road, while we hope it may have accelerated it, I think it'll be the public demand of transparency that will really have been the push here — along with just the expectations of a modern smartphone world.