“We did not spend $35 Billion to create 5 data silos.” This was said by Vice President Biden at the beginning of Datapalooza on Monday and repeated by CMS’s Andy Slavitt on Tuesday. On Wednesday, at the Privacy and Security Datapalooza at HHS, I proposed a very simple definition of electronic health record (EHR) interoperability as the ability for patients and physicians to access independent decision support at the point of care regardless of what EHR system was being used.
Over the three days of Datapalooza, I talked to both advocates and officials about data blocking. In my opinion, current work on FHIR and HEART is not going to make a big dent in data blocking and would not enable independent decision support at the point of care. The reasons are:
1. Digital signatures are not supported for patient-authorized release of information directly to third parties. This would require a mechanism for the patient to register a signing key via the EHR View, Download, Transmit (VDT) portal so that from then on the EHR could accept Release of Information (ROI) requests digitally signed by the patient. Lacking this automation feature, the patient would have to sign in to the EHR VDT portal for each ROI request that directed access to a new destination.
2. There is no provision for the EHR to notify or warn the patient when an ROI request is made unless the patient is signed in to the VDT portal. HIPAA allows the patient to specify any destination for the ROI but HIPAA also allows a warning to be issued by the hospital if they don’t like the destination. Lacking a means to issue this warning in a convenient way that is specified or controlled by the patient, the scope of automation is limited and interoperability becomes less practical.
3. There is no standardized provision for notification of the patient whenever a release of information is made via the FHIR API. In finance and most of web commerce, we expect an email whenever our account is accessed externally, but HIPAA does not require, and EHR vendors do not provide, this kind of accounting for disclosures. This delays discovery of security breaches and contributes to inappropriate snooping in health systems and HIEs that now each provide access to millions of patients by tens of thousands of staff.
4. There is no provision for alerting the patient’s caregivers, AI, or medical home technology that a change has been made to her record in the EHR. This key feature of the now-abandoned Blue Button Plus has no equivalent in FHIR. This makes decision support at the point of care entirely dependent on the EHR vendor and hospital organization. Lacking this feature, an ROI request would have to be issued and re-issued blindly to check if anything has changed. EHR vendors and hospitals will be able to claim that this will overload their systems and refuse to provide access for independent decision support at the point of care.
Any one of these four missing standards can be used to continue data blocking even as FHIR and HEART are released. All of these four standards would be consistent with HIPAA and the oft-cited goal of interoperability to facilitate health reform and the Precision Medicine Initiative.
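The key registration and signed ROI request described in the first reason, together with the patient warning and release notice from the second and third, sketched as an added example (not code from FHIR, HEART or any EHR vendor). Every function name, field name, notification type and the destination URL is an assumption made for illustration, as is the choice of Ed25519 signatures.

```javascript
// Added illustration: every name below is hypothetical, not a FHIR, HEART or EHR vendor API.
const crypto = require('node:crypto');

// Canonical bytes that the patient signs and the EHR verifies (fixed field order).
const canonical = (r) =>
  Buffer.from(JSON.stringify([r.patientId, r.destination, r.scope, r.nonce, r.expires]));

// Patient side: sign an ROI request offline, with no portal session.
function signRoiRequest(req, privateKey) {
  return { ...req, signature: crypto.sign(null, canonical(req), privateKey).toString('base64') };
}

function createEhr() {
  const keys = new Map();         // patientId -> public key registered via the VDT portal
  const destinations = new Map(); // patientId -> destinations already released to
  const nonces = new Set();       // replay protection
  const outbox = [];              // notifications queued for the patient
  // Done once, while the patient is signed in to the portal.
  function registerSigningKey(patientId, publicKey) {
    keys.set(patientId, publicKey);
    destinations.set(patientId, new Set());
  }
  // Verify the signed request, then release and always notify the patient.
  function handleRoiRequest(req, now = Date.now()) {
    const deny = (reason) => ({ released: false, reason });
    const key = keys.get(req.patientId);
    if (!key) return deny('no registered key');
    if (!(req.expires > now)) return deny('expired');
    if (nonces.has(`${req.patientId}:${req.nonce}`)) return deny('replay');
    const sig = Buffer.from(String(req.signature), 'base64');
    if (!crypto.verify(null, canonical(req), key, sig)) return deny('bad signature');
    nonces.add(`${req.patientId}:${req.nonce}`);
    const seen = destinations.get(req.patientId);
    const newDestination = !seen.has(req.destination);
    seen.add(req.destination);
    outbox.push({ to: req.patientId, destination: req.destination,
                  type: newDestination ? 'new-destination-warning' : 'release-notice' });
    return { released: true, newDestination };
  }
  return { registerSigningKey, handleRoiRequest, outbox };
}

// Constructed sample run: one patient, one key, one made-up destination.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const ehr = createEhr();
ehr.registerSigningKey('patient-1', publicKey);
const sample = signRoiRequest({ patientId: 'patient-1', destination: 'https://cds.example/inbox',
  scope: 'medications', nonce: 'n-1', expires: Date.now() + 60000 }, privateKey);
console.log(ehr.handleRoiRequest(sample), ehr.handleRoiRequest(sample));
```

The second call in the sample run is rejected as a replay, and the `outbox` array is where an email or push notification to the patient would be queued.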
Also around Datapalooza, CMS is promoting Blue Button on FHIR and ONC announced the first initiatives that involve both FHIR and HEART. They say: “The goal of this Challenge is to incentivize participants to create a Solution that utilizes the HEART implementation specifications to enable individuals to securely authorize the movement of their health data to destinations they choose.” … “Engaging individuals is a requirement of the Challenge. Participants are expected to engage individuals to test implementation of the Solution and enable processes that require individuals to authorize the release of their health data to a destination they choose.”
Lacking adequate standards support by FHIR and HEART, data blockers will find all sorts of excuses for their actions. They say “it’s too hard”, “too expensive”, “the standards don’t exist”, and invoke the HIPAA Security Rule. We have seen this with health information exchanges, Blue Button, Blue Button Plus, Direct messaging, and Meaningful Use View, Download, Transmit. On the current path, MACRA and the EHR regulators will not have the tools they need to promote practical interoperability and to execute on the vision of VP Biden and Andy Slavitt.