Stakeholders sound off on ONC, CMS interoperability rules

Federal regulators unveiled finalized interoperability and information blocking rules this week, and healthcare stakeholders have a lot to say about them.

The Office of the National Coordinator for Health IT (ONC) developed an interoperability rule that would meet the requirements of the 21st Century Cures Act to foster greater sharing in healthcare. The regulation that dropped earlier this week mandates healthcare systems to implement Fast Healthcare Interoperability Resources (FHIR)-based APIs to share data with patients, and outlines eight situations when interfering with data exchange, or information blocking, is acceptable.

The Centers for Medicare and Medicaid Services (CMS) released a companion patient data access rule, which requires health insurers to share data with patients and other health insurers upon a patient's request. ONC and CMS are both housed within the U.S. Department of Health and Human Services (HHS).

Stakeholders are still digesting the combined 1,700 pages of regulations, but several have shared initial takeaways. While some applauded the interoperability rules for striving to give patients better access to their health data, others cautioned healthcare organizations to consider additional measures for making data access safe and secure.

Dick Flanigan
Senior vice president of ITWorks, Cerner Corp.

Dick Flanigan

Getting patients real-time, comprehensive access to their record has been a policy goal of Cerner for the last 15 years. And it was a personal goal of our late chairman Neal Patterson to really free up that data because there was this belief that, if the patients gained control of their data, good things would happen in the transformation of our industry. It would help improve quality, it would improve transparency, it would help affect a lowering of costs over time ... so this is a good day. Big investments were made in the health IT space in 2009 and our clients and Cerner have built that digital infrastructure across the United States, along with lots of other companies, and that came both with funding and a regulatory framework. We have been living and working in that regulatory framework for longer than 10 years and the interoperability objectives and now the prohibitions against information blocking are the next turn of that crank. It was the next aspect of regulatory review to help lead to better outcomes for patients.

Erin Benson
Senior director of market planning, LexisNexis Risk Solutions Health Care

Erin Benson

It is great to see that the government is supporting the healthcare industry's goal to better engage patients in their own care, as this has been shown to improve overall health outcomes. The new rules also raise questions for healthcare organizations about how they can best continue to protect patient data security and privacy, especially with healthcare data now potentially passing through non-healthcare organization apps. 

Two key data initiatives, as well as general patient education, will be foundational to making the new rules implementation successful. First, healthcare organizations will need to ensure data integrity of their patient records -- using tools like unique patient identifiers to make sure that a patient's record is complete and that there are no duplicates. That way, when a patient goes to access their file, they will be granted access to the right, complete file. Second, healthcare organizations will need to ensure the security of patient information. They will want to find ways to validate that individuals requesting access to the patient data really are the patients they say they are. This can be accomplished through multi-factor authentication practices.

Finally, healthcare organizations will want to educate their patients on what it means to request the data through the various formats available. Outside of healthcare, additional regulations will likely be needed to further govern the third-party use of that data, once it leaves the healthcare organization.

Twila Brase
President and co-founder, Citizens' Council for Health Freedom

Twila Brase

While we appreciate the Trump administration's effort to help patients get timely access to their medical records, the rules only give patients the power to choose which data in their electronic health records a smartphone app can receive. But that is as far as their authority over their personal medical information goes. The new interoperability rules require patients to be informed about how their data is shared, but that is not consent. The administration claims the rules give patients control over their medical records, but it doesn't stop their hospitals or doctors from sharing those records with untold numbers of business associates, which the permissive HIPAA data-sharing rule allows them to do. For example, it won't stop Ascension or any other hospital system from sharing 50 million patient records with Google. These rules are a combined 1,718 pages of missed opportunities to truly restore the patient consent requirement over the sharing of their medical records that HIPAA eliminated.

Cynthia Fisher
Founder and chairman, PatientRightsAdvocate.org

Cynthia Fisher

We thank the Trump administration and HHS for delivering on the bipartisan 21st Century Cures Act by giving American consumers complete, real-time, free transparency to their comprehensive electronic health information (EHI) and putting a stop to information blocking by enforcing substantial penalties. These new rules put patients at the center of their care, giving them the right of access to their complete health information at their fingertips on their mobile phones. Armed with complete information, patients and their doctors will benefit from more accurate diagnoses and better treatments.

Nick Hatt
Product designer and policy expert, Redox

Nick Hatt

The [United States Core Data for Interoperability (USCDI)] has become the national standard for data that needs to be exposed via APIs. The overall impact of [ONC] adopting USCDI doesn't change much: [Health Level Seven International] Argonaut Project adopters have essentially already had APIs for this data for five years. The bigger story here is the adoption of a national standard.

Requirements for Certified EHR Technology (CEHRT) have become more strict. ... EHR vendors are being asked to raise the minimum bar for what functionality their software must have. In addition to new requirements, a new framework called 'Conditions of Certification' is imposed that allows certification to be revoked for bad behavior. Such behavior includes 'gag clauses' around sharing screenshots, inability to demonstrate real-world interoperability, or practicing information blocking. Penalties for not meeting these conditions of certification include probation [or] suspension of certification in addition to data blocking fines.