Data sharing in healthcare is a double-edged sword for patients

The comment period for proposed rules on data sharing in healthcare is over. Now, industry stakeholders like John Halamka, M.D., health IT expert and former CIO of Beth Israel Deaconess Medical Center, must wait to see the results of the feedback.

The Office of the National Coordinator for Health IT (ONC) received more than 2,000 comments on the proposed rules, which were released earlier this year and aim to foster greater data sharing among providers and with patients through the use of APIs.

As ONC and CMS sift through feedback from industry stakeholders, Halamka, executive director of the Beth Israel Lahey Health Technology and Exploration Center, shared his thoughts on the proposed rules and their potential impact on data sharing in healthcare. He keyed in on information blocking, or when healthcare organizations or providers interfere with data sharing.  

Striking the right tone

John Halamka

The rules struck the right tone by addressing interoperability and information blocking in a manner that pushes for better data sharing without asking for too much or too little, Halamka said. When reading federal regulations like the ONC and CMS proposed rules, Halamka said it's important to read them in the context of, "What will be the compromise that comes out of this?"

Halamka believes the rules hit the "sweet spot."

"Unless you ask for Mars, you'll never get to the moon," he said.

Halamka believes the rules appropriately address information blocking, giving leniency and holding those accountable when necessary. He said he rarely sees volitional information blocking. Instead, Halamka said budget constraints and "a thousand competing initiatives" hinder an organization's ability to quickly respond to an information request.

"Suppose Beth Israel Lahey Health, which tries to be a very interoperable healthcare system for New England, gets a request from a two-doctor practice in Texas," Halamka said. "It's not that we would say no -- we don't say no. But if I had to work on, say, connecting North Boston to South Boston versus a two-doctor practice in Texas, I'm going to work on North and South Boston first. The way you set priorities ... you're not doing anything that is just blocking for blocking's sake. I thought that this is a regulation we can live with."   

Don't defer implementation timeline for providers

Some provider organizations have asked that, once finalized, rule requirements such as implementing the standards-based APIs be deferred, Halamka said.

Though he believes some leniency can be afforded to payers, a lot of which are operating on outdated systems that need to be brought up to date before implementing API technology, Halamka said he sees no reason to defer provider timelines.

Due to the Meaningful Use stages, EHRs already have data sharing capabilities, which is why Halamka said he doesn't think the API requirement as proposed by the rules should be delayed for providers. The goal behind Meaningful Use, an initiative led by CMS and ONC, was to ensure EHRs were used to enable the digital exchange of health information.  

"There are some policies in flow, but that's all politics, not technology," he said. "So, I would be cautious of people saying, 'We should delay this because it's hard.' If we delayed everything because it was hard, we'd never get anything done." 

Keeping patient security in mind

Unless you ask for Mars, you'll never get to the moon.

Data sharing in healthcare is a double-edged sword, Halamka said.

On one hand, he wants innovation in healthcare and for patients to be able to decide what data they want to share and with whom they want to share it. On the other hand, he wants guardrails, so when patients download health apps, they fully understand what's happening to their data and who has access to it.

Halamka said 80% of behavioral health apps in the Apple App Store share information with a third party. Determining who has access to that data once shared can be difficult, especially if a lengthy end-user license agreement is involved.  

"Have you ever read the Facebook end-user license agreement? It will take you nine hours," Halamka said. "So, when we talk about informed consent, an end-user license agreement in four-point type that takes nine hours to read out loud is not informed consent."

Impact on stakeholders, data sharing in healthcare

Once finalized, Halamka said he believes the rules will have a significant impact, as technology giants like Apple, Google and Amazon will begin adding APIs to their health products and services.

The rules will also have a significant impact on patients by putting information sharing abilities directly into their hands. Halamka said that will ultimately lower the information sharing risk for healthcare organizations. If a patient decides to share their medical data, HIPAA and general data protection rules do not apply, he said.

"That's why I think these regulations are a great way to get started, because in many ways it de-risks a lot of data sharing," he said.