What you need to know about the forces reshaping our industry.


June 7, 2019

'Too far, too fast': What industry stakeholders are saying about HHS' proposed data sharing rules

Daily Briefing

    HHS has received nearly 3,800 comments on its proposals to give patients greater access to their electronic health information—and many of the comments urge the department to go back to the drawing board.

    Our 4 key takeaways from the big new ONC, CMS health IT proposals

    Background: HHS proposes rules to bolster patients' access to EHI

    HHS in February proposed two rules that aim to bolster patient's access to their electronic health information and call out health care providers that impede health data sharing.

    CMS issued one of the proposed rules, which would require Medicaid, CHIP, Medicare Advantage, and Affordable Care Act exchange insurers to provide enrollees with electronic access to their health information and medical claims by 2020. The proposed rule also would require affected insurers, as well as health care providers, to use open data sharing technologies to support patients as they move between different health plans. In addition, the proposed rule would require affected health plans to use application programming interfaces APIs to make it easier for enrollees, prospective enrollees, and health care providers to access to data on the plans' provider networks.

    Further, the proposed rule would allow CMS to publicly report any hospitals or other health care providers found to "participate in 'information blocking' practices that unreasonably limit the availability, disclosure, and use of [electronic health information]" and "undermine efforts to improve interoperability," HHS said in a release. In addition, CMS under the proposed rule would publicly report health care providers that have not added digital contact information to their entries in the National Plan and Provider Enumeration System. CMS would begin such reporting during the second half of 2020.

    CMS also proposed requiring critical access hospitals, hospitals, and psychiatric hospitals that participate in Medicare to send electronic patient notifications whenever a patient is admitted, discharged, or transferred.

    The Office of the National Coordinator for Health IT (ONC) issued the second proposed rule, which would require certain entities in the health care industry to adopt standardized APIs to help developers give individuals easier and more secure access to their electronic health information via smartphones and other mobile devices. The proposed rule also would require health care providers to allow patients to access their health information electronically at no cost to them.

    In addition, the proposed rule would implement certain data blocking restrictions called for under the 21st Century Cures Act. The proposed rule also sought public comments on what types of pricing information should be included in patients' electronic health information to help consumers better understand how much they are paying for health care services.

    HHS' public comment period for the rule ended June 3.

    Stakeholders praise overall goal, but take issue with proposed rules' provisions

    HHS received more than 3,800 comments on the proposed rules from health IT groups, insurers, providers, and former health IT policymakers, Healthcare Dive reports. While stakeholders praised the proposals' goals, they largely criticized how HHS would implement the proposed rules and urged HHS to reconsider its plan, according to Healthcare Dive.

    Implementation concerns

    According to Healthcare Dive, many stakeholders lamented the proposed rules' implementation timelines and a proposal to require hospitals to send electronic patient notifications whenever a patient is admitted, discharged, or transferred.

    Specifically, the Health Innovation Alliance (HIA) called the proposed rules' implementation timelines unrealistic.

    The American Hospital Association (AHA) said the proposed implementation timelines are "impractical," arguing that hospitals would have to significantly change their accounting methods and documentation and other business processes to meet the proposed rules' requirements.

    The Sequoia Project, a health information exchange nonprofit that works with electronic health record vendors, made similar arguments, calling the proposed timelines "overly aggressive."

    Overall, the American Health Information Management Association (AHIMA) said, "Such transformation will require an appropriate transition period to ensure that stakeholders have sufficient time to revise existing organizational and business practices and policies," which the group believes would take more than one year.

    Al Guida, president and CEO of the Behavioral Health Information Technology Coalition, said behavioral health centers, including psychiatric hospitals and community health centers, do not have the resources needed to comply with the proposed rules' interoperability requirements. Instead, he said HHS should make the requirements part of demonstrations managed by CMS' Center for Medicare and Medicaid Innovation and offer higher reimbursement rates or lump-sum payments to behavioral health providers that comply with the requirements.

    The Medical Group Management Association (MGMA) also expressed concerns about providers having the resources needed to meet the proposed requirements, and Anders Gilberg, MGMA's senior vice president of government affairs, said the group is worried "that the proposed approach goes too far, too fast."

    Data privacy and security concerns

    Stakeholders also raised data privacy and security concerns and said some stipulations in the proposed rules are unclear, Healthcare Dive reports. For instance, various groups, including MGMA, argued that the proposed rules' definition of electronic health information is vague, which could make it difficult to enforce requirements related to data blocking, according to Healthcare Dive.

    In addition, Healthcare Dive reports that commenters asked HHS to better clarify the exceptions for the proposed information blocking requirements, with some provider groups noting the burden of the proposed requirements' largely would fall on hospitals.

    Stakeholders also said being required to share patients' information with third-party applications, such as consumer portals or health applications on smartphones, could put the patients' data at risk. Stakeholders noted that, in many cases, third-party apps are not covered under HIPAA.

    AHIMA said, "Patients may be unaware that once they authorize a covered entity to push their health information to a third-party app and such an entity is a HIPAA non-covered entity, the rights afforded under HIPAA no longer apply." The group added, "As currently proposed, the rule does not include sufficient guardrails around HIPAA non-covered entities."

    Concerns about publicizing prices

    Further, stakeholders said they would oppose efforts to include health care price transparency as part of the definition for electronic health information.

    AHA called such a proposal "arbitrary and capricious." The group said, "It goes well beyond what Congress intended and would seriously harm patients, hospitals, and other health care providers."

    Similarly America's Health Insurance Plans (AHIP) said, "[S]hoehorning prospective price estimates in the definition of [electronic health information] in order to include it within information blocking is not substantiated by the underlying legal authority." AHIP also argued that much of providers' and insurers' pricing data would not be beneficial to patients.

    However, one uninsured patient from Washington recalled an instance in which the patient sought care for an injured wrist and the hospital "couldn't or wouldn't tell [him or her] what any of the procedures would cost." The patient said, "X-rays, MRI, and CAT scan all totaled up to over $1700," and her or she "had to pay for it out of [his or her] own pocket." The patient added, "Had I known in advance what the costs would be, I would have looked for alternatives."

    Overall, CHIME said, "Given the magnitude of changes encompassed in these rules, CMS and ONC should be publishing interim final rules rather than final rules to allow additional opportunity for stakeholder comments."

    HIA called on ONC to rescind its proposed rule altogether, and to reissue a proposed rule that more clearly defines what would constitute information blocking, Modern Healthcare reports (Pifer, Healthcare Dive, 6/4; Kim Cohen, Modern Healthcare, 6/4; Cirruzzo, Inside Health Policy, 5/30 [subscription required]; Miliard, Healthcare IT News, 5/31).

    What you need to know about prevention of information blocking in 30 minutes

    CMS requires hospitals and providers that report to the Medicare and/or Medicaid Promoting Interoperability (PI) Programs, including as part of the Merit-based Incentive Payment System (MIPS), to attest to prevention of information blocking statements.

    But what exactly is information blocking and how can it be prevented? Join our experts on Tuesday, June 25 to find out.

    Register Now

    Have a Question?


    Ask our experts a question on any topic in health care by visiting our member portal, AskAdvisory.