Providers and insurers are raising concerns that newly finalized rules from CMS and the Office of the National Coordinator for Health IT (ONC), which aim to expand patients' electronic access to health information and improve interoperability, could put patients' privacy at risk.
About the final rules
CMS and ONC finalized the rules on Monday.
The CMS rule finalizes the agency's plan to improve access to clinical, encounter, claims, and other types of data that can be shared among patients, plans, and federal agencies through FHIR-standard Application Programming Interfaces (APIs). The rule also finalizes ways CMS can discourage information blocking, capture more electronic addresses for providers, and require hospitals to electronically send admission, discharge, and transfer notifications.
The ONC rule finalizes major changes to the health IT certification program that will require developers to update their technologies. ONC's final rule also clarifies how the health care industry can prevent information blocking among health care providers, health IT developers, exchanges, and health information networks.
The final rules are largely consistent with proposals CMS and ONC released in February 2019, though they do include a few important differences when compared with the proposals, such as including an eighth exception to finalized information blocking standards.
The agencies received nearly 3,800 comments on the proposals, with many commenters citing implementation, security, and patient privacy concerns. For example, some commenters pointed out that, once providers send patient data to third-party APIs, that data would no longer be protected under HIPAA.
Final rules draw mixed response
Final rules don't address patient privacy concerns
While stakeholders generally have said they support the final rules' goals, some already have noted that the final rules do not address their concerns regarding patient privacy.
For example, American Hospital Association (AHA) President and CEO Rick Pollack in a statement said, "America's hospitals and health systems support giving patients greater access and control over their health data," but the rules fail "to protect consumers' most sensitive information about their personal health." Pollack said the rules lack "the necessary guardrails to protect consumers from actors such as third-party apps that are not required to meet the same stringent privacy and security requirements as hospitals." He added, "This could lead to third-party apps using personal health information in ways in which patients are unaware."
For instance, Joy Pritts, a consultant who is a former federal health-privacy official, told the Wall Street Journal, "There is a legitimate concern that people will be sharing their sensitive health information with organizations that can use and sell that information however they want."
America's Health Insurance Plans President and CEO Matt Eyles in a statement raised similar concerns, saying although health insurers share the federal government's "vision for expanded consumer data access and are committed to building a truly interoperable health care system," they "remain gravely concerned that patient privacy will … be at risk when health care information is transferred outside the protections of federal patient privacy laws."
Chip Kahn, president and CEO of the Federation of American Hospitals, in a statement also said the final rules "lack adequate privacy and security requirements for third-party apps." He noted, "Hospitals are held to high standards to protect our patient privacy and security; third-party apps should be too."
Final rules don't address concerns around implementation timelines, EHR upgrade fees
Other stakeholders raised concerns that the final rules do not give affected providers, insurers, and health IT developers enough time to comply with new requirements.
Wylecia Wiggs Harris, American Health Information Management Association's CEO, said, "[G]iven that the rule introduces a number of new definitions and terminologies and the significant economic impact of this rule, we are disappointed [ONC] did not heed stakeholders' calls to issue an interim final rule" that would allow affected entities more time to comply with the new requirements.
The Medical Group Management Association raised concerns about the final rules allowing EHR vendors to charge providers fees associated with adopting APIs. "We will lead industry efforts to protect medical groups from potentially excessive EHR upgrade fees to ensure limited practice resources are not diverted from patient care," the group said.
Final rules praised for increasing access to health data
Meanwhile, others praised the final rules. For example, health data specialists said the rules will allow public health agencies to access better data to monitor disease outbreaks and track drug safety and effectiveness.
Kenneth Mandl, director of the Computational Health Informatics Program at Boston Children's Hospital, called the final rules "a big deal." Mandl said, "The appetite for interoperability and the appetite for moving medicine toward a data-driven enterprise has increased dramatically."
Cynthia Fisher, founder of Patients' Rights Advocate, also applauded the new rules, saying they "put patients at the center of their care, giving them the right of access to their complete health information at their fingertips on their mobile phones." She added, "Armed with complete information, patients and their doctors will benefit from more accurate diagnoses and better treatments" (Tahir/Cancryn, Politico, 2/19; Roth, HealthLeaders Media, 3/9; Jason, EHRIntelligence, 3/10; AMA release, 3/9; AHIP release, 3/9; FAH release, 3/9; Wilde Mathews/Evans, Wall Street Journal, 3/9; Owens, "Vitals," Axios, 3/10; Cirruzzo, Inside Health Policy, 3/9 [subscription required]).