
Security is at the heart of healthcare data sharing concerns

As proposed interoperability and information blocking rules from ONC and CMS are reviewed by the Office of Management and Budget, the healthcare community expresses more concern about patient data security.

Proposed healthcare data sharing rules from federal regulators are under review by the Office of Management and Budget, signaling to healthcare organizations they need to prepare for what's coming despite the concerns some may have.

In February, the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS) proposed interoperability and information blocking rules to increase healthcare data sharing and make it easier for patients to access their health data.

The two agencies have continued to push the proposed rules forward despite concerns from the healthcare community and congressional officials about the lack of security standards as well as how exceptions to the blocking of data sharing are defined.

On Nov. 15, U.S. Sen. Mark Warner, vice chairman of the Senate Intelligence Committee and co-founder of the Senate Cybersecurity Caucus, submitted a letter to the U.S. Department of Health and Human Services (HHS) urging CMS to bolster security around a requirement that would enable access to health data through APIs from mobile app developers.


"Third-party data stewardship is a critical component of information security, and a failure to ensure robust requirements and controls are in place is often the cause of the most devastating breaches of sensitive personal information," Warner said in his letter.

Warner is not the only one to express concern with the proposed rules, which have entered the final stage before publication. Jeffery Smith, vice president of public policy for the American Medical Informatics Association (AMIA), said he hopes several changes are made before then. But he stressed healthcare organizations can't count on that and suggested ways they can start preparing to adhere to the rules now.

Healthcare data sharing concerns center on security

In his letter, Warner urged HHS to include "clear standards and defined controls" for healthcare providers who are giving access to patient data and third parties accessing the data. He argued doing so will help to ensure that any third-party apps accessing patient data will protect patient data and inform patients about how their data is being used.

He isn't alone in asking for security standards. In September, seven healthcare organizations, including AMIA, sent a letter to ONC outlining similar healthcare data sharing concerns. Before that, Sen. Lamar Alexander, chairman of the U.S. Senate Committee on Health, Education, Labor and Pensions, urged ONC to slow finalization down and spend more time considering patient data security concerns.


Responding to the call for better security, ONC noted in a statement that it is "mindful of the need to balance concerns of incumbent stakeholders with the rights of patients to have transparency and actionable choice in their healthcare." By crafting the proposed rules, ONC and CMS are following mandates in the 21st Century Cures Act, a sweeping healthcare bill with several interoperability provisions that was signed into law in 2016, to foster greater healthcare data sharing and patient access to data.

The proposed rules are currently with the Office of Management and Budget, the last stage before finalization. AMIA's Smith said this stage of the rulemaking process is "incredibly opaque," and it's difficult to tell if changes are being made. He hopes some of the policies around information blocking, or unreasonable interference with healthcare data sharing from a healthcare organization, will get another look, since that is one of the greatest areas of concern next to patient data security.

Indeed, the letter sent to ONC in September called for supplemental rulemaking and further assessment of the defined exceptions to data blocking in healthcare. Smith said definitions for electronic health information and health information network are "quite broad," leaving room for interpretation. And when tethered to information blocking, they can create a "complicated conversation."

He argued that healthcare organizations should be given a "period of learning" before enforcement starts so they can make the necessary adjustments. The concept of information blocking is hard to define, and a two-year period of learning could give vendors, providers and patients time to understand where the line is drawn, he said. Otherwise, litigation around information access will become the norm.

"There's really a need to give the public another chance to provide input," Smith said. "We were hoping and remain hopeful that ONC will think about some of the ambiguities in definitions related to information blocking."


John Halamka, health IT expert and executive director of the Health Technology Exploration Center of Beth Israel Lahey Health, said the proposed rules are a step in the right direction, helping address "friction in data flows" that have long existed in healthcare. They also ensure patients can access their data with no unnecessary difficulty. But he does question the timing of enforcement.

"I would guess because of Meaningful Use, that most provider organizations have the tech ready, but may not have some of the workflow processes ready to figure out how they're going to accept which apps can get the data and that kind of thing," he said. "And payers have never done this before, so payers are probably going to need a little more time to get that done."

How healthcare organizations can prepare

Regardless of the timeline, healthcare CIOs need to prepare for what's coming.

They can start with an accounting of what the organization's designated record set looks like, Smith said. According to the American Health Information Management Association (AHIMA), the designated record set as defined by the HIPAA privacy rule is a broad group of records containing everything from patient medical and billing records to payment and claims information. It addresses all protected health information and is used to define the patient's rights to data access.

"If you're going to do due diligence on this, I think making sure you have some semblance of a handle on what your designated record set looks like is probably the smartest thing you can do to prepare for this rule," Smith said.

After the rules are published, he recommended healthcare CIOs establish a series of timelines that lay out when the requirements are going to start being enforced. Smith said plotting a timeline is a critical step, since the requirement timelines can vary greatly.

Information blocking provisions, for example, would likely be enforced within 60 days of the final rule, which Smith said is a "tremendously short" amount of time to make sure an organization is compliant.

With the API requirement, healthcare organizations are already required to have a patient-facing API, but the proposed rules will require they use the same Fast Healthcare Interoperability Resources (FHIR) standards and implementation guides for APIs in an effort to boost interoperability. That requirement could take 24 months or longer.

"What this rule will do is take what is right now a fairly varied landscape of different flavors of standards and protocols for that patient-facing API and require in two years' time that everybody is using the same standards and the same implementation guides," Smith said.

Beth Israel's Halamka said it's an "existential imperative" that healthcare executives embrace the regulations and find ways to offer patients access to their data in the ways they want. Doing so helps to create the "digital healthcare ecosystem that all of us want."
