Patient-Directed Access for Competition to Bend the Cost Curve

Many of you have received the email: Microsoft HealthVault is shutting down. By some accounts, Microsoft has spent over $1 Billion on a valiant attempt to create a patient-centered health information system. They were not greedy. They adopted standards that I worked on for about a decade. They generously funded the non-profit Patient Privacy Rights to create an innovative privacy policy in a green field situation. They invited trusted patient surrogates like the American Heart Association to participate in the launch. They stuck with it for almost a dozen years. They failed. The broken market and broken promise of HITECH are to blame, and now a new administration has the opportunity and the tools to avoid the rent-seekers’ trap.

The 2016 21st Century Cures Act is the law. It is built around two phrases, “information blocking” and “without special effort”, that give the administration tremendous power to regulate anti-competitive behavior in the health information sector. The resulting draft regulation, February’s Notice of Proposed Rulemaking (NPRM), is a breakthrough attempt to bend the healthcare cost curve through patient empowerment and competition. It could be the last best chance to avoid a $6 Trillion, 20%-of-GDP future without introducing strict price controls.

This post highlights patient-directed access as the essential pro-competition aspect of the NPRM: the provision that allows the patient’s data to follow the patient to any service, any physician, any caregiver, anywhere in the country or in the world.

The NPRM is powerful regulation in the hands of an administration caught between anti-regulatory principles and an entrenched cabal of middlemen eager to keep their toll booth on the information highway. Readers interested in or frustrated by the evolution of patient-directed interoperability can review my posts on this over the HITECH years: 2012; 2013; 2013; 2014; 2015.

The struggle throughout has been a reluctance to let digital patient-directed information exchange bypass middlemen the way fax or postal exchange already does: neither fax nor mail introduces a rent-seeking intermediary capable of censoring the connection.

Who are the middlemen? Simply put, they are everyone except the patient or the physician. Middlemen include hospitals, health IT vendors, health information exchanges, certifiers like DirectTrust and the CARIN Alliance, and a vast number of hidden data brokers like Surescripts, Optum, LexisNexis, Equifax, and insurance rating services. The business model of the middlemen depends on keeping patients and physicians from bypassing their toll booth. In so doing, they make it hard for new ventures to compete without paying the overhead imposed by the hospital or the fees imposed by the EHR vendors.

But what about data cleansing, search and discovery, outsourced security, and the other value-added services these middlemen provide? A value-added service provider shouldn’t need to erect barriers to bypass in order to stay in business. The doctor or patient should be able to choose which value-added services they want and pay for them in a competitive market. Information blocking and the requirement for special effort on the part of the patient or the physician would be illogical for any real value-added service provider.

In summary, patient-directed access is simply the ability for a patient to direct and control the transfer of information from one hospital system to another “without special effort”. Most of us know what that looks like because most of us already direct transfers of funds from one bank to another. We know how much effort is involved. We know that we need to sign in to the sending bank’s portal in order to provide the destination address, to restrict how much money moves, and to say whether it moves once or every month until further notice. We know that we can send this money not just to businesses but to anyone, including friends and family, without censorship or restriction. In most cases today, these transfers don’t cost anything at all. Let’s call this kind of money interoperability “without special effort”.

Could interoperating money be even less effort than that? Yes. For instance, it’s obnoxious that each bank and each payee forces us to use a different user interface. Why can’t I just tell all of my banks and payees: use the managing agent or trustee that I choose? Why can’t we get rid of all of the different emails and passwords for each of the 50+ portals in our lives and replace them with a secure digital wallet on our phone with fingerprint or face recognition protection? This would further reduce the special effort, but it does require more advanced standards. At least in payment, we can see it coming. Apple, for instance, gives me a biometric wallet for my credit cards and person-to-person payments. Apple Pay also protects my privacy by not sharing my credit card information with the merchants. Beyond today’s walled garden solutions, self-sovereign identity standards groups are adding the next layer of privacy and security to password-less sign-in and control over credentials.

Rent Seekers

But healthcare isn’t banking because HITECH fertilized layers upon layers of middlemen that we, as patients and doctors, do not control and sometimes, as with Surescripts, don’t even know exist. You might say that Visa or American Express are middlemen but they are middlemen that compete fiercely for our consumer business. As patients we have zero market power over the EHR vendors, the health information exchanges, and even the hospitals that employ our doctors. Our doctors are in the same boat. The EHR they use is forced on them by the hospital and many doctors are unhappy about that but subject to gag orders unprecedented in medicine until recently.

This is what “information blocking” means for patients and doctors. This is what the draft NPRM is trying to fix by mandating “without special effort”. This is what the hospitals, EHR vendors, and health information exchanges are going to try to squash before the NPRM becomes final. After the NPRM becomes a final regulation, presumably later in 2019, the hospitals and middlemen will have two years to fix information blocking. That brings us to 2022. Past experience with HITECH and Washington politics assures us of many years of further foot dragging and delay. We’ve seen this before with HIPAA, misinterpreted by hospitals in ways that frustrate patients, families, and physicians for over a decade.

Large hospital systems have too much political power at the state and local level to be driven by mere technology regulations. They routinely ignore the regulations that are bad for business, like the patient-access provisions of HIPAA and the Accounting for Disclosures rules. Patients have no private right of action under HIPAA, and the federal government has not enforced provisions against health records access abuses or refusal to account for disclosures. Patients and physicians are not organized to counter regulatory capture by the hospitals and health IT vendors.

The one thing hospitals do care about is Medicare payments. Some of the information blocking provisions of the draft NPRM are linked to Medicare participation. Let’s hope these are kept and enforced after the final regulations.

Competition to Bend the Cost Curve

Government has two paths to bending the cost curve: setting prices or meaningful competition. The ACA and HITECH have done neither. In theory, the government could do some of both, but let’s ignore the role of price controls because they can always be added later if competition proves inadequate. Anyway, we have an administration that wants to take the pro-competition path, and it needs visible progress for patients and doctors before the next election. Just blaming pharma for high costs is probably not enough.

Meaningful competition requires multiple easy choices for both the patients and the prescribers as well as transparency of quality and cost. This will require a reversal of the HITECH strategy that allows large hospitals and their large EHRs to restrict the choices offered and to obscure the quality and cost behind the choices that are offered. We need health records systems that make the choice of imaging center, lab, hospital, medical group practice, direct primary care practice, urgent care center, specialist, and even telemedicine equally easy. “Without special effort”.

The NPRM has the makings of a pro-competitive shift away from large hospitals and other rent-seeking intermediaries but the elements are buried in over a thousand pages of ONC and CMS jargon. This confuses implementers, physicians and advocates and should be fixed before the regulations are finalized. The fix requires a clear statement that middlemen are optional and the interoperability path that bypasses the middlemen as “data follows the patient” is the default and “without special effort”. What follows are the essential clarifications I recommend for the final information blocking regulations – the Regulation, below.

  • Covered Entity – A hospital or technology provider subject to the Regulation and/or to Medicare conditions of participation.
  • Patient-directed vs. HIPAA TPO – Information is shared by a covered entity either as directed by the patient or, without patient consent, under the HIPAA Treatment, Payment, or Operations (TPO) provisions.
  • FHIR – The standard for information to follow the patient is FHIR. The FHIR standard will evolve under industry direction, primarily to meet the needs of large hospitals and large EHR vendors. The FHIR standard serves both patient-directed and HIPAA TPO sharing.
  • FHIR API – FHIR is necessary but not synonymous with a standard Application Programming Interface (API). The FHIR API can be used for both patient-directed and TPO sharing. Under the Regulation, all patient information available for sharing under TPO will also be available for sharing under patient direction. Information sharing that does not use the FHIR API, such as bulk transfers or private interfaces with business partners, will be regulated according to the information blocking provisions of the Regulations.
  • Server FHIR API – The FHIR API operated by a Covered Entity.
  • Client FHIR API – The FHIR API operated by a patient-designee. The patient designee can be anyone (doctor, family, service provider, research institution) anywhere in the world.
  • Patient-designee – A patient can direct a Covered Entity to connect to any Client FHIR API by specifying either the responsible user of a Client FHIR API or the responsible institution operating a Client FHIR API. Under no circumstances does the Regulation require the patient to use an intermediary such as a personal health record or data bank in order to designate a Client FHIR API connection. Patient-controlled intermediaries such as personal health records or data banks are just another Client FHIR API that happen to be owned, operated, or controlled by the patient themselves.
  • Dynamic Client Registration – The Server FHIR API will register the Client FHIR API without special effort as long as the patient clearly designates the operator of the Client. Examples of a clear designation would include: (a) a National Provider Identifier (NPI) as published in the NPPES https://npiregistry.cms.hhs.gov; (b) an email address; (c) an https://… FHIR API endpoint; (d) any other standardized identifier that is provided by the patient as part of a declaration digitally signed by the patient.
  • Digital Signature – The Client FHIR API must present a valid signed authorization token to the Server FHIR API. The authorization token may be digitally signed by the patient. The patient can sign such a token using: (a) a patient portal operated by the Server FHIR API; (b) a standard Authorization Server designated by the patient using the patient portal of the server operator (e.g. the UMA standard referenced in the Interoperability Standards Advisory); (c) a software statement from the Client FHIR API that is digitally signed by the Patient-designee.
  • Refresh Tokens – Once the patient provides a digital signature that enables a FHIR API connection, that signed authorization should suffice for multiple future connections by that same Client FHIR API, typically for a year, or until revoked by the patient. The duration of the authorization can be set by the patient and revoked by the patient using the patient portal of the Server FHIR API.
  • Patient-designated Authorization Servers – The draft NPRM correctly recognizes the problem of patients having to visit multiple patient portals in order to review which Clients are authorized to receive what data and to revoke access authorization. A patient may not even know how many patient portals they have enabled and how to reach them to check for sharing authorizations. By allowing the patient to designate the FHIR Authorization Server, a Server FHIR API operator would enable the patient to choose one service provider that would then manage authorizations in one place. This would also benefit the operator of the Server FHIR API by reducing their cost and risk of operating an authorization server. UMA, as referenced in the Interoperability Standards Advisory is one candidate standard for enhancing FHIR APIs to enable a patient-designated authorization server.
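
The Patient-designee, Digital Signature and Refresh Tokens definitions above describe a concrete check that a Server FHIR API would have to make: verify the patient’s signature over a designation naming the Client’s operator, then honor it for the patient-chosen period unless revoked. The Go below is an added illustration written for this post, not code from the post, from HL7 FHIR, SMART or UMA; the Ed25519 patient key enrolled through the patient portal, the JSON token layout, the scope string and the revocation key are all my assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

// Designation is what the patient signs: the Patient-designee (NPI, email or https endpoint,
// as the post lists), the data scope, and the validity window ("typically a year").
type Designation struct {
	Patient      string    `json:"patient"`       // patient's identifier at this Covered Entity
	DesigneeKind string    `json:"designee_kind"` // "npi", "email" or "endpoint"
	Designee     string    `json:"designee"`
	Scope        string    `json:"scope"`         // e.g. "patient/*.read" (constructed value)
	IssuedAt     time.Time `json:"iat"`
	ExpiresAt    time.Time `json:"exp"`
}

// SignedToken is what the Client FHIR API presents: the exact bytes the patient signed plus the
// signature, so the server verifies the bytes before parsing or trusting any field in them.
type SignedToken struct {
	KeyID     string `json:"kid"` // which patient's enrolled key to verify with
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// Server models the Covered Entity's Server FHIR API: enrolled patient public keys (assumed to be
// enrolled via the patient portal) and the revocation list the patient manages from that portal.
type Server struct {
	PatientKeys map[string]ed25519.PublicKey
	Revoked     map[string]bool
}

// NewServerWithPatient enrols one patient and returns the signing key that the patient's portal
// session, wallet or patient-designated authorization server would hold.
func NewServerWithPatient(patient string) (*Server, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Server{PatientKeys: map[string]ed25519.PublicKey{patient: pub}, Revoked: map[string]bool{}}, priv
}

func revocationKey(d Designation) string {
	return d.Patient + "|" + d.DesigneeKind + ":" + d.Designee + "|" + d.IssuedAt.UTC().Format(time.RFC3339)
}

// SignDesignation is the patient-side step: serialise the designation and sign those bytes.
func SignDesignation(priv ed25519.PrivateKey, d Designation) SignedToken {
	payload, _ := json.Marshal(d) // only strings and times: Marshal cannot fail here
	return SignedToken{KeyID: d.Patient, Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Revoke is the patient's "until revoked" control, exercised from the Server operator's portal.
func (s *Server) Revoke(d Designation) { s.Revoked[revocationKey(d)] = true }

// Authorize is the Server FHIR API's decision when a Client claiming to be operated by
// presenter (of kind presenterKind) connects at time now. Signature first, then the binding
// of payload to signing key, then designee match, validity window and revocation.
func (s *Server) Authorize(tok SignedToken, presenterKind, presenter string, now time.Time) (Designation, error) {
	var d Designation
	pub, ok := s.PatientKeys[tok.KeyID]
	if !ok || !ed25519.Verify(pub, tok.Payload, tok.Signature) {
		return d, errors.New("unknown patient key or invalid patient signature")
	}
	if err := json.Unmarshal(tok.Payload, &d); err != nil { // bytes are authenticated at this point
		return d, err
	}
	switch {
	case d.Patient != tok.KeyID:
		return d, errors.New("payload patient does not match signing key")
	case d.DesigneeKind != presenterKind || d.Designee != presenter:
		return d, errors.New("client is not the patient-designated operator")
	case now.Before(d.IssuedAt) || now.After(d.ExpiresAt):
		return d, errors.New("authorization expired or not yet valid")
	case s.Revoked[revocationKey(d)]:
		return d, errors.New("authorization revoked by patient")
	}
	return d, nil
}
```

Because the token binds the designee identifier into the signed bytes, a second Client presenting the same token under a different NPI or endpoint is refused without any intermediary having to be consulted.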

Big Win for Patients and Physicians

As I read it, the 11 definitions above are consistent with the draft NPRM. Entrepreneurs, private investors, educators, and licensing boards stand ready to offer patients and physicians innovative services that compete with each other and with the incumbents that were so heavily subsidized by HITECH. To encourage this private-sector investment and provide a visible win to their constituents, Federal health architecture regulators and managers, including ONC, CMS, VA, and DoD would do well to reorganize the Regulations in a way that makes the opportunity to compete on the basis of patient-directed exchange as clear as possible. As an alternative to reorganizing the Regulations, guidance could be provided that makes clear the 11 definitions above. Furthermore, although it could take years for the private-sector covered entities to fully deploy patient-directed sharing, deployments directly controlled by the Federal government such as access to the Medicare database and VA-DoD information sharing could begin to implement patient-directed information sharing “without special effort” immediately. Give patients and doctors the power of modern technology.

Adrian Gropper, MD, is the CTO of Patient Privacy Rights, a national organization representing 10.3 million patients and among the foremost open data advocates in the country. 

9 replies »

  1. Informative blog. 50% of people are already spending a lot of money on their health. Some of them choose other destinations for cost-effective treatment. We proudly say our medical tourism company assists people who need to connect with the best doctors in India.

  2. Thanks for your support Adrian. We are definitely filing comments (as we did on HIPAA revision proposals) and I have reached out to the rare disease community. Agree that it is difficult to organize the patient community or even those involved in participant driven research registries.

  3. We’re all one mishap away from being part of a vulnerable community. If we include close family, we’re probably all already there. I welcome your redefinition of the Client FHIR API.

    It’s critically important for comments like yours to be made directly and separately to ONC and CMS. There is plenty of organized opposition to putting patients in control of our own health records but I’m not aware of any organized support. Input comments from patient communities would ensure that the final regulations, guidance, and enforcement strengthen and accelerate the ability for patients to direct access to innovative competitive services.

    The comment period has just been extended to June 3:

    – ONC Comments: https://www.healthit.gov/topic/laws-regulation-and-policy/notice-proposed-rulemaking-improve-interoperability-health

    – CMS Comments: https://www.federalregister.gov/documents/2019/03/04/2019-02200/medicare-and-medicaid-programs-patient-protection-and-affordable-care-act-interoperability-and

  4. Adrian–this is a thoughtful and thought provoking analysis. I appreciate your taking the time to share your thoughts. I would explicitly add to your definition of Client FHIR API patient advocacy organizations and patient registries.

    I agree that patients need to be at the center of consent–I would also like to see an “I elect to share this, but not that, with X designee” aspect that is more granular than what we now see (e.g. mental health). Many patient communities are stigmatized or marginalized and face discrimination for their condition. For example, these are huge issues in the Lyme community, but there is no protection of sharing information under HIPAA specific to this population (as there is for substance abuse, for example). I know that from your work in this area you have a fine awareness that stigmatized populations may forego care entirely if disclosure is at risk.

    Just as individuals can be harmed by unauthorized data sharing, so can their vulnerable communities– as the Barrow, Alaska research illustrates.

    Nice definition of vulnerable populations here: https://www.ncbi.nlm.nih.gov/pubmed/23385323

    Greater understanding of the cause of the health effects of being socioeconomically disadvantaged or being a member of a vulnerable population may be the first steps toward specific policy recommendations. Professional medical organizations and advocacy groups should raise awareness, provide education, publish guidelines and define the goals for the medical care for certain vulnerable populations. Vulnerable populations are at risk for disparate healthcare access and outcomes because of economic, cultural, ethnic or health characteristics. Vulnerable populations include patients who are racial or ethnic minorities, children, elderly, socioeconomically disadvantaged, underinsured or those with certain medical conditions. Members of vulnerable populations often have health conditions that are exacerbated by unnecessarily inadequate healthcare.

    Redefinition of Client FHIR API: The patient designee can be anyone (doctor, family, service provider, research institution, patient advocacy organizations and patient registries) anywhere in the world.

    Lorraine Johnson, CEO, LymeDisease.org/PI MyLymeData patient registry.

  5. Data from the Medical Expenditure Panel Survey of 2014 (AHRC) indicates the following: 50% of citizens represent 2.8% of health spending, 30% represent 15.1%, 15% represent 31.7%, and 5% represent 50.4% (1% using 21.8%). It represents an upload shift within a standard Power Law Distribution curve. While our healthcare industry seemingly finds endless ways to follow Parkinson’s Law (see above), the HEALTH of our nation’s citizens needs to be rejuvenated by a different principle. Best lamented by Eleanor Roosevelt, she said “It’s better for everybody when it gets better for everybody.”

    To “down load” the high end of health spending for our citizens, the only ethical strategy for this commitment may be a rejuvenation of Primary Healthcare and its attendant community-based Social Capital, community by community. Nationally sanctioned and locally initiated, we need only to “repurpose for healthcare” the strategies already in place for our nation’s monetary policy (Federal Reserve) and our nation’s agriculture industry (Cooperative Extension Service). Enacted by Congress respectively in 1913 and 1914, our nation’s DOLLAR is still the most prominent means of asset transfer among the world’s nations, AND our nation’s agriculture industry is the most effective and efficient among all the world’s nations (both by wide margins).

    To “free-up” the institutional codependency between the payors and the providers of Complex Healthcare, we will need to rationalize a transparent process to appropriately allocate the financial risk among all the participants of our nation’s health spending, its Common-Pool Resource (the portion of our GDP allocated to health spending). We have no choice but to unravel the basis of Parkinson’s Law. Ignoring the Elephant in the Closet is no longer acceptable. Limiting the annual increase in health spending to a level that is, AT LEAST, 0.5% less than our nation’s economic growth is the only feasible strategy. Once accomplished over 10 years, a portion of the attendant decrease in the Federal expense for our nation’s healthcare should be allocated to the financial obligations for our nation’s under-graduate and post-graduate medical education. This allocation should be tagged to a national goal of 13% or less of the GDP for health spending.

    Once and for all, let us remind ourselves that there is absolutely no reason to project that the current strategies for healthcare reform will reduce our nation’s worsening maternal mortality incidence (worsening for at least 30 years). Among all of the social adversities affecting each citizen’s health, it is the most regretful. Out of a bit more than 4 million live births, there are at least 700 women who die annually with a pregnancy just because they lived in the wrong nation at the time of conception. We would need to reduce these deaths by 70% to achieve the mortality incidence experienced among the 10 OECD nations with the lowest maternal mortality incidence. Remember this HEALTH risk affects 50% of our nation’s citizens for a significant portion of their lives. As an aside, remember also that the cytoplasm of the fertilized ovum is supplied solely by the ovum. Think about it, one more time!

  6. Sam Harris, the neuroscientist-philosopher had a guest on his podcast who worked closely with Zuckerberg and the Facebook founders. …a guy named Roger McNamee. He has written a book “Zucked: Waking up to the Facebook Catastrophe.” He mentioned his worries about healthcare becoming, if not already, a part of surveillance capitalism, where the big players are selling personal data all the time as part of their business model.

  7. Interesting perspective. One interesting consequence of digitizing records and updating information systems as the ACA was rolling out (I generally supported the ACA): the very information technology that was supposed to streamline costs and improve data access became counterproductive, as well as on a bloated budget; many clients, servers and databases were prone to known security breaches. Doctors were ill prepared, as were many patients. Still, I do not see this as a preemptive reason to eliminate the ‘middleman’, nor does the technology exist to manage, via AI or biometrics, a handful of platforms chosen by doctors and/or patients. The technology has come along, but transferring patient information, securing it and retrieving it is still complex, and there is no one system that fits all.

  8. Indeed, the professional societies are key. They have been slow to catch on but there’s hope from a different angle – money!

    The upcoming comments deadline for information blocking regulations is the single most important thing professional societies can do for their members in years.

    Right now, physicians have zero market power over information technology. Anything we want to do has to be approved by either a hospital or a big EHR vendor. Often both. No technology can be purchased or prescribed directly by physicians. No sane investor will put money into something that physicians want knowing that an EHR “platform” will eat their lunch if they’re actually successful. Having to pay a platform an arbitrary amount is an unreasonable risk to investors.

    The NPRM allows patients to direct access to hospital health records to any physician in a way that hospitals and EHR vendors can’t block. This means that services, including AI, can be marketed directly to physicians and patients as long as payers or patients are willing to pay. Why is this THE most important thing for our profession?

    We are already seeing the emergence of physician groups as prime contractors for value-based payment. In places where two or more hospitals compete, a large enough group can force competition between the hospitals. Physician groups can also differentiate in ways that large hospitals can’t and physician groups don’t have the huge administrative overhead of the hospitals.

    The large hospitals are stuck with Epic or Cerner. The physician groups can pick any EHR that helps them differentiate and control costs. If the Regulations are interpreted the way I describe in the post, the hospitals will have to compete on how nicely they play with the physician groups that hold the contracts.

  9. This is great stuff, Adrian. I think it would work fine and it matches, and is commensurate with, the complexity of the current regulations. Your thinking, however, is in a different league from most physician providers and patients, but alas you need political support from them desperately. [You are like a college math professor trying to get political support to build a new mathematics building.] It seems the only way forward is for you to take this to medical societies and professional groups like county medical societies and state societies and try to explain it to them. The AMA would probably fight you. To make it simple to understand is key. You have to develop a teaching format that reduces the acronyms and the argot of the CMS…until people can understand what you are doing.

    But what you are doing is important and wonderful and will really help medicine. However, it is a little in the clouds for most of us. And, of course, it terrifies the rent-seekers in health care. I keep trying to tell people my simple version: “the patient should control where his data goes”.