HHS Releases Final Data Sharing RulesONC, CMS Rules Aim to Provide Patients with Secure Access to Health Data
The Department of Health and Human Services on Monday released its long-awaited interoperability and information blocking final rules as called for under the 21st Century Cures Act. The aim of both rules is ultimately to provide patients with easy, secure access to their electronic health information - from electronic health record systems as well as from payers.
See Also: The Evolution of Email Security
"We're taking these actions while maintaining and strengthening patient privacy protections," Alex Azar, secretary of the Department of Health and Human Services said in a press briefing. "Patient privacy should never stand in the way of patient control."
The two rules, issued by the HHS Office of the National Coordinator for Health IT and the Centers for Medicare and Medicaid Services, implement interoperability and patient access provisions of the bipartisan 21st Century Cures Act and support the Trump administration's MyHealthEData initiative, Azar said.
The MyHealthEData effort is designed to empower patients around a common aim - giving every American access to their medical information so they can make better healthcare decisions, Azar said.
The 1,244-page ONC rule sets in place new requirements for certified health IT developers to establish a secure, standards-based API for use by providers and to support a patient's access to core data in their electronic health record.
The rule is "unprecedented" in providing patients with "safe and secure" access to their health information using their smartphones, said ONC leader Don Rucker, M.D. "This will allow patients to manage their healthcare like finance and travel," he says.
The aim is also to allow patients to use their smartphones "as a tool to connect to other IoT devices," such as health monitoring devices and other applications, Rucker says.
Among other requirements, CMS' 474-page interoperability and patient access rule "unleashes claims data" from payers that participate in Medicare and Medicaid programs, Azar says.
Beginning in 2021, payers participating in federal programs such as Medicare, and as well as federal exchanges under the Affordable Care Act, will be required to share claims and other health information with patients in a safe, secure, electronic format through APIs, said Seema Verma, CMS administrator .
The aim is to enable patients to access their data through any third-party application they choose and also integrate a health plan's information to a patient's electronic health record, the officials said.
Under the ONC and CMS rules:
- Hospitals will be required to send electronic notification to patients' primary care providers when patients are admitted, transferred or discharged;
- Hospitals and other health IT users will no longer be bound by so-called "gag rules" preventing doctors and nurses from discussing health IT product usability issues, including interoperability and security;
- A new "U.S. Core Data for Interoperability" or USCDI, is created to set a baseline for interoperability that includes "clinical notes" among other data important for clinical care that must be accessible to patients.
In a statement, ONC says: "The USCDI will help to improve the flow of EHI and help ensure that the information can be effectively understood when it is received. Over time, it will be updated to expand the baseline set of interoperable data available nationwide."
ONC and CMS originally issued their proposed interoperability and information blocking rules in February 2019, receiving more than 2,000 public comment. While many of the comments encouraged HHS to move forward with rules that ultimately put electronic health information in the hands of patients, some industry stakeholders and others voiced strong opposition to proposals, including the focus on APIs (see Long Awaited HHS Data Sharing Rules Raise Privacy Worries).
Among vocal opponents was EHR vendor Epic Systems, which contended that by requiring health systems to send patient data to any app as requested by the patient, the ONC, which coordinates efforts around national secure health information exchange, rule inadvertently creates new privacy risks.
ONC's rule finalized "eight common sense exceptions" to prohibited information blocking, taking in mind "three overarching policy considerations," the ONC regulation notes.
"First, the exceptions are limited to certain activities that we believe are important to the successful functioning of the U.S. healthcare system, including promoting public confidence in health IT infrastructure by supporting the privacy and security of EHI, and protecting patient safety and promoting competition and innovation in health IT and its use to provide health care services to consumers," the regulations say.
"Second, each exception is intended to address a significant risk that regulated individuals and entities (i.e., health care providers, health IT developers of certified health IT, health information networks, and health information exchanges) will not engage in these reasonable and necessary activities because of potential uncertainty regarding whether they would be considered information blocking."
Third, "each exception is intended to be tailored, through appropriate conditions, so that it is limited to the reasonable and necessary activities that it is designed to exempt. "
On Monday, some industry groups began issuing guarded statements about the rules as experts began to dig into the regulations.
"We look forward to reviewing the final rule in greater detail. We support the intent of the Cures Act to eradicate practices that unreasonably limit the access, exchange and use of electronic health information for authorized and permitted purposes including patient access to their health information," says Wylecia Wiggs Harris, CEO of the American Health Information Management Association.
"However, given that the rule introduces a number of new definitions and terminologies and the significant economic impact of this rule, we are disappointed the Office of the National Coordinator for Health Information Technology did not heed stakeholders' calls to issue an interim final rule."