Nilesh Chandra, healthcare expert at PA Consulting, comments on the new healthcare data interoperability rules.
The article notes that enforcement of rules to encourage the freer flow of healthcare data were delayed because of the COVID-19 pandemic. They are now scheduled to go into effect this year.
Perhaps no industry better straddles the dichotomy between cutting-edge technology and inefficient obsolete devices than the healthcare industry. In one corner of a hospital, a physician in another room (or another state) can perform precision surgery using state-of-the-art robotics, while just down the hall a nurse receives the patient’s medical records via fax machine and the patient’s spouse uses a pen to fill out paperwork.
Those throwbacks exist for many reasons, but perhaps the most important is the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which requires providers and health plans to protect a patient’s health data. Say what you will about fax machines, but they are sturdily HIPAA-compliant.
But if government regulation to protect patient privacy is the root cause of the vestigial methods for transferring healthcare data, then new regulations might pull them into the 21st century.
New regs, new era
The agents of change are new healthcare data interoperability rules from HHS Office of the National Coordinator for Health Information Technology (ONC) and CMS. Enforcement of some parts of the ONC rule is scheduled to begin in April after HHS delayed enforcement last year because of the COVID-19 pandemic. Other parts will go into effect in 2022 and 2023. The CMS rule will be enforced starting in July.
The intent of the ONC rule is to make it easier for patients to access their own health information and for patient healthcare information to circulate easily among providers and provider organizations. It is also supposed to ease the way for design and use of healthcare-oriented computer and smartphone applications.
Nilesh says the changes could have life-or-death implications. He paints the scenario of someone coming to the emergency department with a rapidly worsening case of COVID-19. Because of the interoperability rules, the patient’s records will be readily accessible. “The attending physician cannot speak to the sedated, intubated patient but can pull medical history to understand underlying health conditions and risk factors while administering care,” he says. In the past, providers of health-related services have used “information blocking” to keep data in-house in hopes of creating some kind of competitive advantage. Under the new rule, that will be illegal, with a limited number of exceptions, such as when requests are infeasible or pose privacy concerns.
The ONC rule also requires covered entities to adopt the Health Level 7 Fast Healthcare Interoperability Resources (FHIR) standard for application program interfaces (APIs). This change will make data sharing easier by standardizing the way data are stored and transmitted between payers, providers and other healthcare entities.
The new CMS rule leverages the new API requirements to force payers and plans to share claims and other health information securely with patients in a secure, user-friendly, electronic format. The rule applies only to clinical information already made available to payers and does not create a requirement for payers to access additional data from providers.
The CMS rule also requires participating hospitals to send electronic notifications to other providers anytime a patient is admitted, discharged or transferred from the hospital. The goal is to spark better care coordination and, ultimately, better patient outcomes. Starting in April 2022, states must begin sending daily data reports on Medicare and Medicaid beneficiaries, a requirement that is also supposed to lead to better coordination and more accurate billing.
Although providers, insurers and their business partners are covered by HIPAA, HHS acknowledged that the new rules raise the potential for health information to be sent to third parties that may or may not have sufficient data security protections. Eyles noted in the statement that even de-identified health information could easily be traced to individuals by combining it with other available personal and health information.
The American Hospital Association has voiced similar concerns. Nilesh concedes that there is risk associated with the transfer of data, particularly if the third-party applications don’t have secure data-transfer channels. But he believes the primary risk to patient privacy is the intentional theft of data, using ransomware or malware, not the incidental leakage of it. “I think those risks are substantially greater and pose a much greater risk to patient data than the accidental exposure through a poorly configured data interface between two HIPAA-covered entities."
As for the timing of enforcement, most agree that the delays were wise. The healthcare industry had more than enough to deal with last year with the COVID-19 pandemic. But the reality is that the covered entities have been preparing for the change for years. After all, the legislation authorizing the new rules, the 21st Century Cures Act, was passed in 2016.
Nilesh adds that the time has come for meaningful interoperability: “The pandemic has further exacerbated the need for data sharing with public health officials and also to coordinate care for patients affected by COVID-19.”
Telehealth – evolving the way we receive care