A Patient Experience-Based View of the TEFCA

Let’s give the Office of the National Coordinator (ONC) credit for trying. In what’s arguably its first significant piece of policymaking, the newly Republican HHS issued a draft Trusted Exchange Framework and Common Agreement (TEFCA) that aims to implement the massively bipartisan 21st Century Cures Act mandate to end information blocking. Are they succeeding?

Why should you care? After almost a decade and many tens of billions of dollars spent on health information technology, neither physicians nor patients have access to a longitudinal health record, transparency of quality or cost, access to independent decision support, or even the ability to know what their out-of-pocket cost is going to be. After eight years of regulation, precious little benefit has trickled down to patients and physicians. This post looks at the TEFCA proposal from the patient experience perspective.

The patient perspective matters because, under HIPAA, patients do not have a choice about how our data is accessed or used. This has led to information blocking as hospitals and EHR vendors slow-walk the ability of patients to direct data to information services we choose. Patients lost the “right of consent” in 2002. This puts a regulation-shy administration in a quandary: how do they regulate to implement Cures when current HIPAA and HITECH-era regulations give all of the power to provider institutions bent on locking in patients as key to value-based compensation?

As regulations go, the draft TEFCA is an interesting design. It’s “voluntary,” but it tries to consolidate as much power as possible into a single, ONC-selected, private Recognized Coordinating Entity (RCE). The ONC / RCE hybrid is like the nationalized health record systems in England or other rich nations: patients are tracked across all participating providers, a government-controlled entity collects personal information, and that entity controls who gets to access your information. The big question is, do patients really have a choice?

The draft regulation seems vague with respect to Consent. On page 37:

6.1.6 Consent. If and to the extent that Applicable Law requires that an individual’s consent to the Use or Disclosure of his or her EHI, the Participant of a Qualified HIN (or the End User of such a Participant) that has a direct relationship with the individual shall be responsible for obtaining and maintaining the consent of the individual (each a “Qualified HIN’s Consenting Individual”) consistent with the applicable requirements. Each Qualified HIN shall specify such responsibility in its Participant Agreements. Each Qualified HIN shall require its Participants to provide the Qualified HIN with a copy of each consent of a Qualified HIN’s consenting individual and the Qualified HIN shall maintain copies of such consents and make them available electronically to any other Qualified HIN upon request.[37]

suggests that HIPAA’s lack of a consent requirement means you can’t opt out, whereas on page 43:

7.2 Individual Requests for No Data Exchange. Each Qualified HIN shall provide a method for individuals who do not wish to have their EHI exchanged and post instructions on its public website for both recording and communicating such requests to the Qualified HIN at no charge to the individuals. Each Qualified HIN shall process all requests from individuals or from Participants on behalf of individuals in a timely manner and ensure that such requests are honored by all other Qualified HINs on a prospective basis. As a HIPAA Business Associate, the Qualified HIN must also enable a Covered Entity to process the request consistent with the right of an individual to request restriction of Uses and Disclosures.[43]

the right to opt out is not qualified by HIPAA (emphasis added).

The voluntary aspect of TEFCA does allow patients to avoid surveillance if they can find providers that will treat them without requiring ID and maybe also avoid sharing information with the RCE Framework. HIPAA Covered Entities (hospitals, medical practices, labs,…) would still be subject to requests for patient-directed exchange such as specified by HEAlth Relationship Trust (HEART), but TEFCA is silent on this patient-centered alternative.

An optimistic interpretation of the draft TEFCA suggests a good patient experience, with every provider giving every patient a choice between surveillance they don’t control (a kind of auto-pilot for privacy) and directed exchange based on policies they inherit from any source they trust, policies they can change if they choose. Patient-directed exchange would prove safer for some patients and riskier for others, but other than the occasional engagement needed to manage consents, the user experience would be the same for either choice. Many patients will have some records in both systems, but the patient-directed system would, logically, have more complete records because it could aggregate records accessed from the RCE Framework with the more sensitive records accessed via patient-directed exchange.

A pessimistic interpretation of the draft TEFCA would have ONC allow a more complicated user experience for patient-directed exchange. Providers would be able to ignore HEART essentials like Dynamic Client Registration and Refresh Tokens [page 41]. They would be allowed to delay patient-directed access by days. They could make the process of registering a patient’s HEART authorization server different for each provider, etc. It all depends on how ONC decides to interpret information blocking.

The HEART workgroup, co-chaired by ONC, has run for about two years and delivered its mandate as much as it can absent participation by providers. So far, neither SMART, nor Argonaut, nor CMS BlueButton on FHIR, nor VA, nor All of Us, nor any major HIPAA Covered Entity has seen fit to participate in HEART. As a result, a user-directed exchange experience is not available to patients to match the way Open.Epic already allows live API access to over 60 medical centers.

In conclusion, let’s give ONC high marks for trying and hope the final version of TEFCA and subsequent enforcement will provide a patient-directed exchange user experience that makes the government-controlled exchange alternative compete for the patient’s trust. Some of these questions might be answered at the next ONC informational webinar on January 19. Comments on the draft TEFCA are open until February 20.

Adrian Gropper is CTO at Patient Privacy Rights


5 replies

  1. Very well-written and informative. Thanks for sharing the post. HIPAA compliant solutions help share data on a secure platform. True that patients are tracked across all participating providers and it is important to keep patient data safe.

  2. Another update: https://www.nytimes.com/2018/01/24/technology/Apple-iPhone-medical-records.html

    Apple building patient access to hospital records directly into the operating system could come to define what 21st C Cures calls “without special effort”. EHR vendors, hospitals, and regulators are still treating “information blocking” without considering the patient experience or the privacy implications of a national health record under “All applicable law” instead of a patient’s right of consent.

    This announcement is a big step in both the patient experience and privacy directions because it sets expectations. It’s still up to the regulators and industry to work on the standards, like HEART, that will enable patient-directed exchange beyond Apple’s walled garden app store.

  3. What you are doing, Adrian, is super important, critical, and much appreciated. I hope people read your stuff carefully and join your cause.

    We can just feel the patients beginning to question their participation in the EHR experience. It is just a matter of time before spurious information is entered.

  4. I continue to be reminded that the original analysis of medical record computerization was initiated by the Academy of Medicine, performed by the Rand Institute folks, and funded by General Electric, Epic and Cerner. No systematic trials were ever done. And, we have arrived at a crossroads characterized as: neither the patient nor the physician has any control over the use of these records, let alone the appropriate use of them for managing the person’s overall health needs.

  5. I had the opportunity to ask the central question posed by this post at today’s ONC TEFCA webinar and the answer is very concerning. The official referred to “All Applicable Law”, which suggests that the lack of consent in HIPAA is being carried over to a national surveillance system that goes way beyond what HIPAA might have envisioned when abolishing consent in 2002.

    Equally worrisome, the response mentioned the IHE method of managing consent that continues the user experience of having to chase down separate consent mechanisms at every different provider. Has anyone ever managed to restrict sharing of their information by asking a particular provider to do “something special” for them? Even if this asymmetry of power is regulated, it still leaves each of us chasing around provider-by-provider and encounter-by-encounter, dealing with separate user experience and different usernames and passwords at every site. I guess the TEFCA principle of “avoid multiple interfaces” applies to institutions but does not apply to patient experience.

    But it gets worse. Patients do not have voluntary or even transparent relationships with many components of the national surveillance system. You might be able to choose a doctor or a hospital that offers to respect your consent preferences, but you can’t usually shop for your insurance company, lab, or pharmacy in any practical sense. I experienced this first-hand when I tried to control how Surescripts collects and shares information on me and 230 million others. After months of back and forth it became obvious that my request was futile by any practical measure.

    The erosion of our rights to control our medical information is continuing at a staggering pace. Here is the VA asking to eliminate the need for direct consent: https://www.federalregister.gov/documents/2018/01/19/2018-00758/consent-for-release-of-va-medical-records and here is a bill by hidden clearing houses offering to join the coercive surveillance parade and then cynically asking to sell our data back to us: https://www.govtrack.us/congress/bills/115/hr4613/text. The weakening of privacy protections on behavioral health and substance abuse data is already well under way. It too is about to join the no-consent-under-HIPAA category.

    If the user experience around personal data in healthcare does not keep up with the reality of ubiquitous networking and forever storage by anyone who can touch our data, then people will increasingly resort to withholding information from providers, seeking advice from overseas services that do not require identity proofing like TEFCA does, and maybe even injecting false information into the national surveillance system in order to protect our privacy. How many parents want their children’s mental health-related issues to carry over into adulthood?

    It’s time for ONC to acknowledge the HEART standards and to make patient experience and patient control the future of our 21st Century Cures health record.