ONC urged to slow down for the sake of patient data security

Patient data security is sorely lacking in ONC and CMS's proposed information blocking and interoperability rules, according to healthcare leadership organizations.

Seven healthcare leadership organizations have called for federal agencies to slow down their work on proposed interoperability and information blocking rules, which are expected to be finalized by the end of 2019. Their major concern is patient data security.

In a letter to the House Committee on Energy and Commerce, healthcare organizations including the American Medical Association (AMA), the College of Healthcare Information Management Executives (CHIME) and the American Health Information Management Association (AHIMA) outlined their concerns with the security of healthcare data apps and a lack of security guidelines for enabling third-party access to patient data.

They also worry there will be confusion about exceptions to information blocking and are concerned about implementation timelines for regulation requirements.

In February, the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS) proposed rules that would require healthcare organizations to use FHIR-enabled APIs to share data with healthcare apps. They also seek to define exceptions to information blocking, or unreasonably preventing patient data from being shared. The goal of the proposed rules is to foster greater data sharing and easier patient access to healthcare data.

"The use of APIs and third-party applications has the potential to improve patient and provider access to needed health information," the letter said. "It also brings us into uncharted territory as patients leave the protections of HIPAA behind."

The organizations stated that they support the work to improve information sharing through the use of APIs, but they noted it is "imperative that policies be put in place to prevent inappropriate disclosures to third-parties and resultant harm to patients."

Letter underscores patient data security concern

It's not the first time ONC has heard concerns about patient data security.

During a U.S. Senate Committee on Health, Education, Labor and Pensions meeting in May, committee chairman Sen. Lamar Alexander cautioned ONC to take interoperability slow and address issues such as privacy concerns when downloading patient data to healthcare apps.

The letter echoes that caution, suggesting that certified APIs should be required to have more security features and provide patients with privacy notices and transparency statements about whether data will be disclosed or sold. Additionally, the letter notes a lack of security guidelines for providers as they bring third-party apps into their systems, and urges ONC to require API vendors to mitigate threats and security issues that could impact the provider connected to the API.

While the security of healthcare apps and patient data is the biggest sticking point, healthcare leaders also outlined other areas of concern such as "reasonable timelines" for implementing the final rules, and making exceptions to information blocking clearer. The healthcare leaders asked that ONC provide more examples of actions that would satisfy the exception requirements before the final rules are implemented.

'Getting it right'

Healthcare leaders then requested ONC continue with the rulemaking process instead of finalizing the rules as they are now, and take more time to work through the issues outlined in the letter.

Lauren Riplinger, vice president of policy and government affairs at AHIMA, said the letter is a formal message to Congress to stress the importance of slowing down and "getting it right."

She wants the community to "make sure we're defining things properly, that the implementation periods make sense, and that it's reflective of the environment and landscape in which we're currently at as we work toward implementation of these final rules -- whenever it gets finalized."

In response to the letter, ONC prepared a statement that said the organization is "mindful of the need to balance concerns of incumbent stakeholders with the rights of patients to have transparency and actionable choice in their healthcare."

John Halamka, executive director of the health technology exploration center at Beth Israel Lahey Health in Boston, said when it comes to rulemaking, it's better for ONC to ask for Mars and settle for the moon, which he said was the intended goal to begin with.

Because it's part of the rulemaking process, federal agencies no doubt anticipated pushback from the healthcare community, Halamka said. Ultimately, he believes ONC is headed in the right direction, and the letter asking for the time necessary to work through the details is understandable. Fine-tuning of the proposed rules, or sub-regulatory guidance, is crucial, he said. "They say Mars, and this letter says Hawaii," Halamka said. "Eventually, everyone will say the moon. That's where we're headed."
