Security is at the heart of healthcare data sharing concerns

Healthcare data sharing concerns center on security

In his letter, Warner urged HHS to include "clear standards and defined controls" for healthcare providers who are giving access to patient data and third parties accessing the data. He argued doing so will help to ensure that any third-party apps accessing patient data will protect patient data and inform patients about how their data is being used.

He isn't alone in asking for security standards. In September, seven healthcare organizations, including AMIA, sent a letter to ONC outlining similar healthcare data sharing concerns. Before that, Sen. Lamar Alexander, chairman of the U.S. Senate Committee on Health, Education, Labor and Pensions, urged ONC to slow finalization down and spend more time considering patient data security concerns.

Responding to the call for better security, ONC noted in a statement that it is "mindful of the need to balance concerns of incumbent stakeholders with the rights of patients to have transparency and actionable choice in their healthcare." By crafting the proposed rules, ONC and CMS are following mandates in the 21st Century Cures Act, a sweeping healthcare bill with several interoperability provisions that was signed into law in 2016, to foster greater healthcare data sharing and patient access to data.

The proposed rules are currently with the Office of Management and Budget, the last stage before finalization. AMIA's Smith said this stage of the rulemaking process is "incredibly opaque," and it's difficult to tell if changes are being made. He hopes some of the policies around information blocking, or unreasonable interference with healthcare data sharing from a healthcare organization, will get another look, since that is one of the greatest areas of concern next to patient data security.

Indeed, the letter sent to ONC in September called for supplemental rulemaking and further assessment of the defined exceptions to data blocking in healthcare. Smith said definitions for electronic health information and health information network are "quite broad," leaving room for interpretation. And when tethered to information blocking, they can create a "complicated conversation."

He argued that healthcare organizations be given a "period of learning" before enforcement starts so they can make the necessary adjustments. The concept of information blocking is hard to define, and a two-year period of learning could give vendors, providers and patients time to understand where the line is drawn, he said. Otherwise litigation around information access will become the norm.

"There's really a need to give the public another chance to provide input," Smith said. "We were hoping and remain hopeful that ONC will think about some of the ambiguities in definitions related to information blocking."

John Halamka

John Halamka, health IT expert and executive director of the Health Technology Exploration Center of Beth Israel Lahey Health, said the proposed rules are a step in the right direction, helping address "friction in data flows" that have long existed in healthcare. They also ensure patients can access their data with no unnecessary difficulty. But he does question the timing of enforcement.

"I would guess because of Meaningful Use, that most provider organizations have the tech ready, but may not have some of the workflow processes ready to figure out how they're going to accept which apps can get the data and that kind of thing," he said. "And payers have never done this before, so payers are probably going to need a little more time to get that done."

How healthcare organizations can prepare

Regardless of the timeline, healthcare CIOs need to prepare for what's coming.

They can start with an accounting of what the organization's designated record set looks like, Smith said. According to the American Health Information Management Association (AHIMA), the designated record set as defined by the HIPAA privacy rule is a broad group of records containing everything from patient medical and billing records to payment and claims information. It addresses all protected health information and is used to define the patient's rights to data access.

"If you're going to do due diligence on this, I think making sure you have some semblance of a handle on what your designated record set looks like is probably the smartest thing you can do to prepare for this rule," Smith said.

After the rules are published, he recommended healthcare CIOs establish a series of timelines that lay out when the requirements are going to start being enforced. Smith said plotting a timeline is a critical step, since the requirement timelines can vary greatly.

Information blocking provisions, for example, would likely be enforced within 60 days of the final rule, which Smith said is a "tremendously short" amount of time to make sure an organization is compliant.

With the API requirement, healthcare organizations are already required to have a patient-facing API, but the proposed rules will require they use the same Fast Healthcare Interoperability Resources (FHIR) standards and implementation guides for APIs in an effort to boost interoperability. That requirement could take 24 months or longer.

"What this rule will do is take what is right now a fairly varied landscape of different flavors of standards and protocols for that patient-facing API and require in two years' time that everybody is using the same standards and the same implementation guides," Smith said.

Beth Israel's Halamka said it's an "existential imperative" that healthcare executives embrace the regulations and find ways to offer patients access to their data in the ways they want. Doing so helps to create the "digital healthcare ecosystem that all of us want."