ONC’s Proposed Rule is a Breakthrough in Patient Empowerment


Imagine solving wicked problems of patient matching, consent, and a patient-centered longitudinal health record while also enabling a world of new healthcare services for patients and physicians to use. The long-awaited Notice of Proposed Rulemaking (NPRM) on information blocking from the Office of the National Coordinator for Health Information Technology (ONC) promises nothing less.

Having data automatically follow the patient is a laudable goal but difficult for reasons of privacy, security, and institutional workflow. The privacy issues are clear if you use surveillance as the mechanism to follow the patient. Do patients know they’re under surveillance? By whom? Is there one surveillance agency or are there dozens in real-world practice? Can a patient choose who does the surveillance and which health encounters, including behavioral health, social relationships, location, and finance are excluded from the surveillance?

The security issues are pretty obvious if one uses the National Institute of Standards and Technology (NIST) definition of security versus privacy: Security breaches, as opposed to privacy breaches, are unintentional — typically the result of hacks or bugs in the system. Institutional workflow issues also pose a major difficulty due to the risk of taking responsibility for information coming into a practice from uncontrolled sources. Whose job is it to validate incoming information and potentially alter the workflow? Can this step be automated with acceptable risk?

It’s not hard to see how surveillance as the basis for health information sharing would be contentious and risk the trust that’s fundamental to both individual and public health. Nowhere is this more apparent than in the various legislative efforts currently underway to expand HIPAA to include behavioral health and social determinants of health, preempt state privacy laws, grant data brokers HIPAA Covered Entity status, and limit transparency of how personal data is privately used for “predictive analytics”, machine learning, and artificial intelligence.

For more on the latter, I recommend Shoshana Zuboff’s work on surveillance capitalism, nicely summarized in a Data and Society talk.

The conventional approach to dealing with the issues raised by a desire to have data follow the patient is to invent or conceive various forms of health information exchange (HIE). To the hospitals and their electronic health record (EHR) vendors, shifting the problem to a new and separate entity makes total sense since it transfers responsibility (and cost) for privacy, security, and some workflow issues to others and leaves them to focus on the institutional silo that they can manage and control. The physicians and patients will just have to deal with it. There has been over a decade of HIE “invention,” starting with the Markle Foundation in 2006, the Nationwide Health Information Network in 2007, HITECH in 2009, state HIE subsidies, more recently CommonWell and its EHR vendor-operated cousins, and most recently the Trusted Exchange Framework and Common Agreement (TEFCA) that is also in the current NPRM.

It’s hard to predict how changes to HIPAA or novel HIE frameworks will evolve, but patient empowerment, or the goal of a patient-controlled longitudinal health record, is hardly considered the desired outcome. Regardless of how one defines a longitudinal health record, we might agree that it should follow the patient by being accessible to the physicians and other caregivers designated by the patient “without special effort,” a phrase that appears on 34 different pages in the NPRM.

Throughout this post, words in bold are terms used in the NPRM or ONC fact sheets.

The NPRM specifies standards and practices that enable automation for how a certified health record system exposes an application programming interface (API) that the patient or patient designee can access. The definition of designee is the core of the breakthrough and is best understood via this paragraph on page 452:

“A fee based on electronic access by an individual or their personal representative, agent, or designee to the individual’s EHI, in contrast, would arise if an actor sought to impose on individuals, or their personal representatives, agents, or designees, a fee that operated as a toll for the provision of electronic access. For example, a health care provider that charges individuals a fee in order that the individuals be given access to their EHI via the health care provider’s patient portal or another mode of web-based delivery, would not be able to benefit from this exception. Similarly, where an individual authorizes a consumer-facing app to retrieve EHI on the individual’s behalf, it would be impermissible for an actor to charge the app or its developer a fee to access or use APIs that enable access to the individual’s EHI. This would be true whether the actor is a supplier of the API technology or an individual or entity that has deployed the API technology, such as a health care provider.”

The clarity of that last sentence is breathtaking. It augurs a solution to consent, patient matching, and workflow issues at once. Let’s examine the practices under the NPRM that combine to create this solution. To do that, it’s easiest to start from the workflow issue and work backward to patient matching and consent.

The workflow issue is really about money.

Whether a practice manages incoming health record information manually or automatically, the risks are significant and so are the costs. Take, for example, an abnormal lab result or radiologist’s impression on an incoming message. The practice has to check whether this is a new finding, decide if they are responsible for follow-up, and capture the decision within their EHR and their workflow. If they are subject to value-based payment, the follow-up can be a direct hit to the bottom line.

In any case, the follow-up will mean some risk and some out-of-pocket cost to the patient. By stating clearly that the designee can be a health care provider and their API technology, the NPRM is empowering the patient or their insurance to pay for the workflow costs they are creating. This effectively gives every patient the opportunity to pay for their longitudinal health record to be managed by anyone they choose, regardless of where they are actually receiving the majority of health care services. The standards and practices of the NPRM are designed to keep the cost of a patient-controlled longitudinal health record to a minimum, in the same way that the mandated issuance of standard W2 and 1099 tax forms empowers a person to choose an accountant to process their income at reasonable cost.

Once the patient is empowered to designate and pay for the processor of their longitudinal health record, the potential providers have a financial incentive to install standard APIs with patient portals and even advanced features such as automation. Let’s refer to this as the designee patient portal – related to what the NPRM calls the API User – to distinguish it from the hospital patient portal – related to the NPRM’s API Data Provider.

Once the patient has access to both the designee patient portal and the hospital patient portal in a single standard transaction, the patient matching problem is solved. The patient is now responsible for the match. There is no cost or risk to either the designee or the hospital because both ends of the API transaction identified the patient however they wanted when they issued the patient a username and password to their respective patient portals. The importance of this from a privacy perspective cannot be overstated. Patient matching without patient involvement is the essence of involuntary surveillance. Recent efforts to improve the performance of probabilistic patient matching have introduced the concept of “referential matching,” which employs surveillance by data brokers and credit bureaus beyond healthcare. It’s hard to imagine a more coercive and trust-eroding approach.

Finally, empowering the patient to link the API Data Provider to their designated API Data User provides an opportunity for consent. Although the specifics of what choices are offered to the patient and how they are labeled in an understandable, standardized manner still require work, the clarity and power of the patient designee in the NPRM is clearly a breakthrough in consent.

Under the information blocking mandate, ONC needs to interpret the meaning of “without special effort” in the 21st Century Cures Act.

Most of the NPRM seems designed to provide private-sector incentives to make the physician and patient experience as effortless as modern standards and technology allow. To get the patient-matching, consent, and workflow benefits described above, it is essential that patient engagement be limited by default. Designated health care providers should not be delayed by multi-step patient actions spread over five days before API access is enabled.

Ideally, all of the steps required for designee access should be built into the patient’s registration with a new health care provider, similar to how registration captures insurance information. For example, a registration kiosk could be integrated with the patient portal credentialing functions and complete “Dynamic Registration” with insurance, hospital, and other certified health IT system APIs in seconds. “Refresh tokens” associated with the API reduce both burden and cost by not asking the patient to redundantly enter their username and password. Apple Health and CMS Blue Button 2.0 have already demonstrated the utility of this feature of the current standards.

To enable the breakthrough of a cost-effective longitudinal patient record without imposing a government-run health records bureaucracy common in other rich economies, our regulators will also need to deal with the exploding number of patient and consumer portals. Fortunately, we have OAuth standards to deal with that as well. UMA (User Managed Access) on page 91 of the 2019 ONC Interoperability Standards Advisory is indirectly in the NPRM.

Thanks to bipartisan efforts to fix the frustrations and escalating costs of HITECH via the 21st Century Cures Act, and now the breakthrough regulation by HHS in this NPRM, we have light at the end of the Health IT tunnel.

Patients and patient designees as API Clients will use their power of the purse to revitalize and transform EHRs for both clinical and research uses. Now that a path to having data follow the patient is in hand, it will be critical that Medicare, VA, NIH All of Us, and the Office for Civil Rights follow through by example and by enforcement to empower patients as the foundation for a globally competitive US health care system.

Adrian Gropper, MD, is the CTO of Patient Privacy Rights, a national organization representing 10.3 million patients and among the foremost open data advocates in the country. This post originally appeared on the Petrie Flom Center’s Bill of Health.

7 replies »

  1. Adrian, Your distinction here is very helpful:

    “Let’s refer to this as the designee patient portal – related to what the NPRM calls the API User – to distinguish it from the hospital patient portal – related to the NPRM’s API Data Provider.”

    …and this is exactly the scenario that is HIGHLY DISRUPTIVE to hospitals. I wonder how many recognize this?

    The battle has been over creating the “digital front door” for patients. I foresee a future where the “designee patient portal” becomes a much stronger candidate to become that digital front door.

  2. I wonder if the average Jane or Joe Public understands that CMS sells claims data to “qualified entities” including suppliers. And that those entities can combine that data with data accumulated from other sources. And that those entities can fairly simply re-identify patients by analysis of that combination. If anyone out there wonders why their phone blows up with offers of knee braces, back braces, pain creams, genetic testing, and other unnecessary garbage as soon as they sign up for Medicare: that is why. I report it when I can. CMS does not do jack about it. The law is only as good as the ability to enforce it. So privacy laws protect very little when there is that degree of disrespect for patient data. CMS has proven repeatedly that they cannot keep up with the amount of fraud that is perpetrated upon the public. Clearly evidenced by very public multi-million dollar fraud schemes exposed. In other words: you have to raid the public for millions before it gets on CMS’s radar. I’m sure it is the tip of the iceberg. The safest thing CMS could do in that environment is protect patient data entirely. But it will not. Welcome to surveillance capitalism.

  3. Here is a real-life scenario to assure patient privacy. As a Primary Physician, a married couple enters your practice. Each person signs a HIPAA compliant authorization for the release of their health information to the spouse upon their request. Six months later, a divorce petition occurs, and both persons sign HIPAA compliant authorizations to no longer release their protected information to the other person. How reliable is your office personnel, including patient accounting processes, able to honor these release of information transitions? And, are your training and documentation processes sufficient? If a sentinel event occurs, good or bad, how is it used to improve collaborative work flow?

    For my small private, group practice involving @3,000 persons, this scenario occurred at least once every 2-3 years. I learned, early on, to avoid being recruited to participate in the legal process. Once was a sufficient learning curve.

  4. I join and understand your sanguine reception of the NPRM….but you don’t demand enough.

    As I mentioned elsewhere in THCB, I suggest now is a time for symmetry….symmetry between the rights and needs of the providers and the third party payers and government agencies and insurers and Big Pharma and all the other stakeholders AND the patients. Patients as a source of all this data are at least—arguably—the largest equity owners of the data, and their agents, are surely going to need this data eventually…as the system grows ever more complex and injustices, intentional or not, eventually accumulate. Patients and agents need to study the data and write about the data, submit scholarly articles to journals and newspapers about it and use the data in legislation and for accountability purposes. Furthermore, patients and agents should not be limited to a select sampling of the data determined by the name of a particular patient. They should be able to sample the global de-anonymized set of data just as would an insurer or a federal agency (limited of course by specific laws). And the data cannot be stripped of financial facts any more than patient data is stripped of this important component.

    Only by transparency of this sector, which is 1/7 of the GDP, can eventual justice be done to patients and the monetized surveillance brought to a halt. And this requires information and knowledge in patients’ hands.

  5. My comment mainly applied to the EHR issues, viz “citizens.” Unfortunately, the everybody includes not only the illegally present persons but also the world wide visitors that are periodically, presumably with a visa, residing in the USA.

    Since the advent of Medicare/Medicaid in 1965, health spending as a portion of our economy has increased faster than economic growth. It is likely that Parkinson’s Law is a major contributor to this level of growth, viz “work expands to use the resources available.” It is also possible that institutional co-dependency between the major payers and the major providers of healthcare has occurred. The underlying business model of these two classes of institutions is driven by market-share dominance. The co-dependency among these institutions interferes, subtly but importantly, with their social responsibilities to collaborate for solving the dominant social problems of their service arenas. The maternal mortality data on page 1030 of the 2018 JAMA Health Care spending report by Papanicolas (see below) says it all.

    Healthcare reform as we currently pursue it is on track to bankrupt our nation. Soon 8 years ago, a NEJM Commentary by Henry Aaron PhD at the Brookings Institute says it all ( 2011;365:466-8 ). A renewal of our nation’s healthcare reform strategy will be required.

    This is a complicated problem since the Paradigm Paralysis affecting our nation’s healthcare institutions is inextricably interwoven among all of its institutions. No matter how we solve this problem, the research underlying the management of a Common Pool Resource, i.e. our nation’s health spending as a portion of the GDP, will be required. ( see second citation below) And, no matter how we adjust the Power Law Distribution character of our nation’s health spending, we will need to solve the dramatic loss of social capital, community by community, that has occurred within the last 50 years.

    Remember, mass shootings have increased since 2000 by 234% as compared to 1984-99. And, during the same two intervals, our nation’s maternal mortality ratio has worsened by 239%. In short, it is unlikely that increased health spending will solve the malignant evolution of the social determinants underlying our nation’s declining HEALTH. How many people understand the benefits to our nation that have occurred since the Smith-Lever Act was passed by Congress in 1914? Just think, this Act has led its national industry to become the most effective and efficient as compared to all of the other world-wide nations.

    Papanicolas et al https://doi:10.1001/jama.2018.1150

    Wilson et al http://dx.doi.org/10.1016/l.jebo.2012.12.010

  6. @PJ Who is everybody?

    CMS projects $6 trillion healthcare bill in just 8 years and over 19% of GDP. https://www.hcinnovationgroup.com/policy-value-based-care/blog/21069430/our-6-trillion-healthcare-billand-the-fierce-urgency-of-now This is in an increasingly globalized marketplace where our competitors in Europe and Asia are spending less than 10% of GDP for better outcomes. Worse, this US-exclusive slow motion economic disaster is accompanied by huge discrepancies in access between seniors, government employees, and everyone else except the uninsured as each scrambles to tax the “other”. Who is everybody?

    Is anybody currently in the $3.4 trillion healthcare business looking to forego their piece of the $6 trillion? Who is expecting them to go along with the plan to give everybody the ability to direct their healthcare purchases in an open and transparent marketplace?

    The only everybody that can change this trajectory is the everybody that’s buying. Nothing about this is going to voluntarily happen from the ones that are selling. The government is already buying over almost half of the $3.4 trillion. If the government doesn’t drive the implementation of patient empowerment unilaterally through the power of the Medicare program such as “condition of participation” and constraints on the Cerner implementation at VA we will be looking at future interoperability plans in 2027 as $6 trillion blows by.

  7. “It’s better for everybody when it gets better for everybody.”

    The use of a nationally chartered, semi-autonomous institution to standardize this proposal should be its most outstanding attribute. The key issue would be its governance. I commend Adrian for the diligence he has applied to understanding these issues. The age-old, lurking presence of the data base shared by all of the life insurance companies still gives me the “chills.” Hopefully, it would on its own initiative seek to unwind its existence.

    Would the likely disappearance of data hoarding within the large institutions of the healthcare industry actually trigger a move toward greater collaboration for promoting community HEALTH? We can only imagine the benefits of locally responsive processes to form strategies for solving the uniquely structured traditions that adversely impact population HEALTH within each community.

    The quotation cited above from Eleanor Roosevelt should apply. Remember that she was prominently involved in the origins of the United Nations’ Declaration of Human Rights established in 1948.