By ADRIAN GROPPER, MD
The 21st Century Cures Act of 2016 is the law. It is built around two phrases, “information blocking” and “without special effort”, that give the administration tremendous power to regulate anti-competitive behavior in the health information sector. The resulting draft regulation, February’s Notice of Proposed Rulemaking (NPRM), is a breakthrough attempt to bend the healthcare cost curve through patient empowerment and competition. It could be the last best chance to avoid a $6 trillion, 20%-of-GDP future without introducing strict price controls.
This post highlights patient-directed access as the essential pro-competition aspect of the NPRM: it allows the patient’s data to follow the patient to any service, any physician, any caregiver, anywhere in the country or in the world.
The NPRM is powerful regulation in the hands of an administration caught between anti-regulatory principles and an entrenched cabal of middlemen eager to keep their toll booth on the information highway. Readers interested in or frustrated by the evolution of patient-directed interoperability can review my posts on this over the HITECH years: 2012; 2013; 2013; 2014; 2015.
The struggle throughout has been a reluctance to let digital patient-directed information exchange bypass middlemen the way fax or postal exchange already does: neither a fax line nor the mail introduces a rent-seeking intermediary capable of censoring the connection.
Who are the middlemen? Simply put, they are everyone except the patient or the physician. Middlemen include hospitals, health IT vendors, health information exchanges, certifiers like DirectTrust and CARIN Alliance, and a vast number of hidden data brokers like Surescripts, Optum, Lexis-Nexis, Equifax, and insurance rating services. The business model of the middlemen depends on keeping patients and physicians from bypassing their toll booth. In so doing, they make it hard for new ventures to compete without paying the overhead imposed by the hospital or the fees imposed by the EHR vendors.
But what about data cleansing, search and discovery, outsourced security, and other value-added services these middlemen provide? A value-added service provider shouldn’t need barriers to bypass in order to stay in business. The doctor or patient should be able to choose which value-added services they want and pay for them in a competitive market. Information blocking and the requirement for special effort on the part of the patient or the physician would be illogical for any real value-added service provider.
In summary, patient-directed access is simply the ability for a patient to direct and control the access of information from one hospital system to another “without special effort”. Most of us know what that looks like because most of us already direct transfers of funds from one bank to another. We know how much effort is involved. We know that we need to sign in to the sending bank portal in order to provide the destination address and to restrict how much money moves and whether it moves once or every month until further notice. We know that we can send this money not just to businesses but to anyone, including friends and family, without censorship or restriction. In most cases today, these transfers don’t cost anything at all. Let’s call this kind of money interoperability “without special effort”.
Could interoperating money be even less effort than that? Yes. For instance, it’s obnoxious that each bank and each payee forces us to use a different user interface. Why can’t I just tell all of my banks and payees: use that managing agent or trustee that I choose? Why can’t we get rid of all of the different emails and passwords for each of the 50+ portals in our lives and replace them with a secure digital wallet on our phone with fingerprint or face recognition protection? This would further reduce the special effort, but it does require more advanced standards. At least in payment, we can see it coming. Apple, for instance, gives me a biometric wallet for my credit cards and person-to-person payments. Apple Pay also protects my privacy by not sharing my credit card number with the merchants. Beyond today’s walled garden solutions, self-sovereign identity standards groups are adding the next layer of privacy and security to password-less sign-in and control over credentials.
But healthcare isn’t banking because HITECH fertilized layers upon layers of middlemen that we, as patients and doctors, do not control and sometimes, as with Surescripts, don’t even know exist. You might say that Visa or American Express are middlemen but they are middlemen that compete fiercely for our consumer business. As patients we have zero market power over the EHR vendors, the health information exchanges, and even the hospitals that employ our doctors. Our doctors are in the same boat. The EHR they use is forced on them by the hospital and many doctors are unhappy about that but subject to gag orders unprecedented in medicine until recently.
This is what “information blocking” means for patients and doctors. This is what the draft NPRM is trying to fix by mandating “without special effort”. This is what the hospitals, EHR vendors, and health information exchanges are going to try to squash before the NPRM becomes final. After the NPRM becomes a final regulation, presumably later in 2019, the hospitals and middlemen will have two years to fix information blocking. That brings us to 2022. Past experience with HITECH and Washington politics assures us of many years of further foot dragging and delay. We’ve seen this before with HIPAA, misinterpreted by hospitals in ways that frustrate patients, families, and physicians for over a decade.
Large hospital systems have too much political power at the state and local level to be driven by mere technology regulations. They routinely ignore the regulations that are bad for business like the patient-access features of HIPAA and the Accounting for Disclosures rules. Patients have no private right of action in HIPAA and the federal government has not enforced provisions like health records access abuses or refusal to account for disclosures. Patients and physicians are not organized to counter regulatory capture by the hospitals and health IT vendors.
The one thing hospitals do care about is Medicare payments. Some of the information blocking provisions of the draft NPRM are linked to Medicare participation. Let’s hope these are kept and enforced after the final regulations.
Competition to Bend the Cost Curve
Government has two paths to bending the cost curve: setting prices or meaningful competition. The ACA and HITECH have done neither. In theory, the government could do some of both but let’s ignore the role of price controls because it can always be added on if competition proves inadequate. Anyway, we’re in an administration that wants to go the pro-competition path and they need visible progress for patients and doctors before the next election. Just blaming pharma for high costs is probably not enough.
Meaningful competition requires multiple easy choices for both the patients and the prescribers as well as transparency of quality and cost. This will require a reversal of the HITECH strategy that allows large hospitals and their large EHRs to restrict the choices offered and to obscure the quality and cost behind the choices that are offered. We need health records systems that make the choice of imaging center, lab, hospital, medical group practice, direct primary care practice, urgent care center, specialist, and even telemedicine equally easy. “Without special effort”.
The NPRM has the makings of a pro-competitive shift away from large hospitals and other rent-seeking intermediaries, but the elements are buried in over a thousand pages of ONC and CMS jargon. This confuses implementers, physicians and advocates and should be fixed before the regulations are finalized. The fix requires a clear statement that middlemen are optional and that the interoperability path that bypasses the middlemen, “data follows the patient”, is the default and “without special effort”. What follows are the essential clarifications I recommend for the final information blocking regulations (the Regulation, below).
- Covered Entity – A hospital or technology provider subject to the Regulation and/or to Medicare conditions of participation.
- Patient-directed vs. HIPAA TPO – Information is shared by a Covered Entity either as directed by the patient, or without patient consent under the HIPAA Treatment, Payment, or Operations (TPO) provisions.
- FHIR – The standard for information to follow the patient is FHIR. The FHIR standard will evolve under industry direction, primarily to meet the needs of large hospitals and large EHR vendors. The FHIR standard serves both patient-directed and HIPAA TPO sharing.
- FHIR API – FHIR is necessary but not synonymous with a standard Application Programming Interface (API). The FHIR API can be used for both patient-directed and TPO sharing. Under the Regulation, all patient information available for sharing under TPO will also be available for sharing under patient direction. Information sharing that does not use the FHIR API, such as bulk transfers or private interfaces with business partners, will be regulated according to the information blocking provisions of the Regulation.
- Server FHIR API – The FHIR API operated by a Covered Entity.
- Client FHIR API – The FHIR API operated by a patient-designee. The patient designee can be anyone (doctor, family, service provider, research institution) anywhere in the world.
- Patient-designee – A patient can direct a Covered Entity to connect to any Client FHIR API by specifying either the responsible user of a Client FHIR API or the responsible institution operating a Client FHIR API. Under no circumstances does the Regulation require the patient to use an intermediary such as a personal health record or data bank in order to designate a Client FHIR API connection. Patient-controlled intermediaries such as personal health records or data banks are just another Client FHIR API that happen to be owned, operated, or controlled by the patient themselves.
- Dynamic Client Registration – The Server FHIR API will register the Client FHIR API without special effort as long as the patient clearly designates the operator of the Client. Examples of a clear designation would include: (a) a National Provider Identifier (NPI) as published in the NPPES https://npiregistry.cms.hhs.gov; (b) an email address; (c) an https://… FHIR API endpoint; (d) any other standardized identifier that is provided by the patient as part of a declaration digitally signed by the patient.
- Digital Signature – The Client FHIR API must present a valid signed authorization token to the Server FHIR API. The authorization token may be digitally signed by the patient. The patient can sign such a token using: (a) a patient portal operated by the Server FHIR API; (b) a standard Authorization Server designated by the patient using the patient portal of the server operator (e.g. the UMA standard referenced in the Interoperability Standards Advisory); (c) a software statement from the Client FHIR API that is digitally signed by the Patient-designee. The token should name the designated Client, so that the Server can refuse any other party that presents it.
- Refresh Tokens – Once the patient provides a digital signature that enables a FHIR API connection, that signed authorization should suffice for multiple future connections by that same Client FHIR API, typically for a year, or until revoked by the patient. The duration of the authorization can be set by the patient and revoked by the patient using the patient portal of the Server FHIR API.
- Patient-designated Authorization Servers – The draft NPRM correctly recognizes the problem of patients having to visit multiple patient portals in order to review which Clients are authorized to receive what data and to revoke access authorization. A patient may not even know how many patient portals they have enabled or how to reach them to check for sharing authorizations. By allowing the patient to designate the FHIR Authorization Server, a Server FHIR API operator would enable the patient to choose one service provider that would then manage authorizations in one place. This would also benefit the operator of the Server FHIR API by reducing their cost and risk of operating an authorization server. UMA, as referenced in the Interoperability Standards Advisory, is one candidate standard for enhancing FHIR APIs to enable a patient-designated authorization server.
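The Dynamic Client Registration, Digital Signature and Refresh Tokens definitions above describe one small protocol: the patient signs a declaration naming a Client, the Client presents it, and the Server checks the signature, the designee, the patient-chosen validity window and a revocation list. The Go program below is an added illustration of that exchange written for this post; it is not code from the NPRM, from FHIR, from UMA, or from any vendor. The claim field names, the Ed25519 signature scheme, the `https://clinic.example/fhir` designee endpoint and the patient identifier are all assumptions chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AuthorizationClaims is the declaration a patient signs to designate a Client FHIR API.
// Field names are assumptions for this example, not from the NPRM, FHIR or UMA.
type AuthorizationClaims struct {
	PatientID string   `json:"patient_id"` // subject whose records may be released
	ClientID  string   `json:"client_id"`  // patient-designee: an NPI, email or https FHIR endpoint
	Scopes    []string `json:"scopes"`     // what the Client may read, e.g. "patient/Observation.read"
	IssuedAt  int64    `json:"iat"`        // Unix seconds
	ExpiresAt int64    `json:"exp"`        // Unix seconds; duration is the patient's choice
	TokenID   string   `json:"jti"`        // unique id so the patient can revoke this one grant
}

// SignedAuthorization is what the Client FHIR API presents to the Server FHIR API.
type SignedAuthorization struct {
	Payload   string `json:"payload"`   // base64url(JSON of AuthorizationClaims)
	Signature string `json:"signature"` // base64url(Ed25519 signature over the Payload bytes)
}

var b64 = base64.RawURLEncoding

// Sign produces the patient-signed token from the patient's Ed25519 private key
// (held, for instance, in the phone wallet discussed earlier in the post).
func Sign(priv ed25519.PrivateKey, c AuthorizationClaims) (SignedAuthorization, error) {
	raw, err := json.Marshal(c)
	if err != nil {
		return SignedAuthorization{}, err
	}
	payload := b64.EncodeToString(raw)
	sig := ed25519.Sign(priv, []byte(payload))
	return SignedAuthorization{Payload: payload, Signature: b64.EncodeToString(sig)}, nil
}

// Server holds what a Server FHIR API operator needs to check a token: the patient's
// public key, enrolled through the patient portal, and a revocation list.
type Server struct {
	PatientKeys map[string]ed25519.PublicKey // patient_id -> verification key
	Revoked     map[string]bool              // jti -> true once revoked via the portal
}

func NewServer() *Server {
	return &Server{PatientKeys: map[string]ed25519.PublicKey{}, Revoked: map[string]bool{}}
}

// Revoke is what the patient portal calls when the patient withdraws a grant.
func (s *Server) Revoke(tokenID string) { s.Revoked[tokenID] = true }

// Verify checks a presented token. presentedClientID is the identity the connecting
// Client authenticated with (its TLS client certificate subject or registered endpoint);
// it must equal the designee the patient named, otherwise a leaked token is reusable by anyone.
func (s *Server) Verify(tok SignedAuthorization, presentedClientID, wantScope string, now time.Time) (*AuthorizationClaims, error) {
	raw, err := b64.DecodeString(tok.Payload)
	if err != nil {
		return nil, errors.New("malformed payload")
	}
	var c AuthorizationClaims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, errors.New("malformed claims")
	}
	pub, ok := s.PatientKeys[c.PatientID]
	if !ok {
		return nil, fmt.Errorf("no key enrolled for patient %q", c.PatientID)
	}
	sig, err := b64.DecodeString(tok.Signature)
	if err != nil || !ed25519.Verify(pub, []byte(tok.Payload), sig) {
		return nil, errors.New("signature invalid")
	}
	if c.ClientID != presentedClientID {
		return nil, fmt.Errorf("token designates %q, presented by %q", c.ClientID, presentedClientID)
	}
	if t := now.Unix(); t < c.IssuedAt || t >= c.ExpiresAt {
		return nil, errors.New("token outside its validity window")
	}
	if s.Revoked[c.TokenID] {
		return nil, errors.New("token revoked by patient")
	}
	for _, sc := range c.Scopes {
		if sc == wantScope {
			return &c, nil
		}
	}
	return nil, fmt.Errorf("scope %q not granted", wantScope)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer()
	srv.PatientKeys["patient-123"] = pub // constructed patient id, enrolled through the portal
	now := time.Now()
	tok, _ := Sign(priv, AuthorizationClaims{
		PatientID: "patient-123", ClientID: "https://clinic.example/fhir", // constructed designee
		Scopes: []string{"patient/Observation.read"}, TokenID: "grant-0001",
		IssuedAt: now.Unix(), ExpiresAt: now.AddDate(1, 0, 0).Unix(), // one year, patient's choice
	})
	_, err := srv.Verify(tok, "https://clinic.example/fhir", "patient/Observation.read", now)
	fmt.Println("first connection:", err)
	srv.Revoke("grant-0001")
	_, err = srv.Verify(tok, "https://clinic.example/fhir", "patient/Observation.read", now)
	fmt.Println("after revocation:", err)
}
```

The same signed token is accepted on every later connection by the same Client until it expires or the patient revokes it, which is the refresh behaviour the definitions ask for; a token presented by a different Client, for a scope the patient did not grant, or after revocation is refused. A patient-designated Authorization Server would take over the `PatientKeys` and `Revoked` roles so the patient manages grants in one place.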
Big Win for Patients and Physicians
As I read it, the 11 definitions above are consistent with the draft NPRM. Entrepreneurs, private investors, educators, and licensing boards stand ready to offer patients and physicians innovative services that compete with each other and with the incumbents that were so heavily subsidized by HITECH. To encourage this private-sector investment and provide a visible win to their constituents, Federal health architecture regulators and managers, including ONC, CMS, VA, and DoD would do well to reorganize the Regulations in a way that makes the opportunity to compete on the basis of patient-directed exchange as clear as possible. As an alternative to reorganizing the Regulations, guidance could be provided that makes clear the 11 definitions above. Furthermore, although it could take years for the private-sector covered entities to fully deploy patient-directed sharing, deployments directly controlled by the Federal government such as access to the Medicare database and VA-DoD information sharing could begin to implement patient-directed information sharing “without special effort” immediately. Give patients and doctors the power of modern technology.
Adrian Gropper, MD, is the CTO of Patient Privacy Rights, a national organization representing 10.3 million patients and among the foremost open data advocates in the country.