Remembering the Real Stakeholders: Patient Privacy Rights Comments on the Proposed CMS Regulation Pursuant to the Cures Act

Deborah C. Peel
Adrian Gropper


Electronic health records (EHRs) are a polarizing issue in health reform. In their current form, they are frustrating to many physicians and have failed to support cost improvements. The current round of federal intervention, proposed rulemaking pursuant to the 21st Century Cures Act, calls for penalties for “information blocking” and for technology that physicians and patients can use “without special effort.”

The proposed rules are over one thousand pages of technical jargon that aims to govern how one machine communicates with another when the content of the communication is personal and very valuable information about an individual. Healthcare is a challenging and unique industry when it comes to interoperability. Hospitals spend lavishly on EHRs and pursue information blocking as a means to manipulate the physicians and patients who might otherwise bypass the hospital on the way to health reform. The result is a broken market where physicians and patients directly control trillions of dollars in spending but have virtually zero market power over the technology that hospitals and payers operate as information brokers.

What follows below are comments by Patient Privacy Rights on the proposed rule. The common thread of our comments is the need to treat patients and physicians, not the data brokers, as the real stakeholders.

Comments to the ONC Rule

Overview: 21st Century health care innovation, policy, and practice is increasingly dependent on personal information. This is obvious with respect to machine learning and risk adjustment, but personal information is now central to the competitive strategy for most of the health care economy, clinical as well as research. ONC’s drafting of this rule reflects the importance of competition to innovation and cost containment.

The Proposed Rule skillfully addresses the pro-competitive essentials, but it leaves too much open to interpretation and delay by very wealthy and well-organized incumbents. The Patient Privacy Rights comments below endorse the structure and details of the Rule while pointing out ways to ensure that access to competitive services by clinicians on behalf of our patients is “without special effort” on the part of either the clinician or the patient, as soon as possible.

We state clearly and emphatically that the Rule should be largely left intact in its spirit and in most of its details.

Summary of Priority Goal: Clarify the scope and process of patient-directed interoperability

The common thread through almost all of PPR’s comments is to support and encourage patient-directed sharing via the mandated API as the foundation for meeting the pro-competitive goals of the 21st Century Cures Act “without special effort”. Patient-directed exchange inherently solves very difficult problems in patient matching, consent, and integration of sensitive information that cannot be shared under the HIPAA rules. Patient-directed exchange helps address the need for a patient-centered longitudinal patient record and provides a critical relief valve for physicians and patients who simply need “the data to follow the patient”. Patient-directed exchange also informs how we will implement TEFCA and various registries that can provide essential public health and health care innovation benefits.

Early versions of patient-directed sharing via API can make a visible and welcome impact for physicians and patients within 6 months of adoption of the final Regulation. That technical capability is already voluntarily enabled by some API Technology Suppliers and just needs to be mandated for adoption by API Data Providers. The timelines for standards development are long but when standards already exist for Dynamic Client Registration, Refresh Tokens, and User Managed Access, the adoption of these standards can begin immediately by new competitors and early adoption by CMS, VA, and other customers in the Federal Health Architecture can drive a competitive strategy.

Summary of Other Considerations:

21st Century health care innovation, policy, and practice is increasingly dependent on personal information and the rate of progress is increasingly limited by privacy and human dignity in how personal data is used. This is obvious with respect to machine learning and risk adjustment, but personal information is now central to the competitive strategy for most of the health care economy. Privacy now dominates the rate at which technology and policy can progress.

The cost and burden of interoperability at scale are both reduced if we approach the problems from the patient and clinician perspective rather than the institutional one:

  • Patient matching is a non-issue when information is shared with patient consent and transparency. Modern-day automated bank transaction APIs are a good example. Once set-up by the customer, money can flow automatically and on-demand without further customer action. Email and text messages are used to notify of transactions. All transactions are logged and accessible to the customer online. The costs are lower with the API and transactions process faster.
  • HIPAA is a floor but not sufficient, because it does not cover data originating in behavioral health practices on the sensitive end, nor data originating in consumer mobile devices and wearables, which can also be quite sensitive. To avoid the limitations of HIPAA, we urge CMS to design interoperability on the basis of patient consent with full transparency to the patient. That also means patient notice and online accessible logs for all transactions, including treatment, payment, and operations. HIPAA’s exclusion of T/P/O transparency is not justified with modern Open APIs and adds unacceptable security risks as we expand the scope and scale of interoperability.
  • Designation of Providers should be without special effort for both the patient and the providers using the Open API. That means accelerating and enforcing the need for providers to include voluntary digital contact addresses in their NPI and Physician Compare files. Patients can automatically link the digital contact info to their consent. Providers can use their digital credentials to automatically register their API client without special effort. It is easier and less burdensome to drive interoperability on the basis of the HIPAA patient right to designate recipients.
  • Competition for Authorization Services would be the ultimate cost and burden reduction for large-scale interoperability. The Open API, including FHIR, can be configured to allow the patient to specify the authorization server to the API Data Provider. (See User Managed Access standard in 2019 ISA). Current FHIR API practice forces patients to use a separate authorization server for each API Data Provider. Managing consent at a dozen or more patient portals requires undue effort on the part of patients. Allowing the patient to specify the authorization server would give patients market power to choose their consent service competitively and provide a competitive basis for health information network providers that want to serve the patient.
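As an added illustration, not code from the comment or from any standard, the Python model below puts the four bullets above together: a provider registers its API client from a digital contact address (standing in for dynamic client registration), the patient records consent once at an authorization server of their own choosing, two unrelated API Data Providers honour that one designation, a refresh token keeps data flowing later without patient action, every access attempt is logged for the patient, and a token minted by an authorization server the patient never designated is refused. The HMAC-signed token format, the in-process `verify()` call standing in for token introspection, the `patient/*.read` scope string, the contact addresses and the patient records are all simplifications assumed for this example, not the mechanics of the real FHIR, OAuth or UMA specifications.

```python
import hashlib, hmac, json, secrets, time


class AuthorizationServer:
    """Consent service the patient chose (simplified stand-in for a UMA/OAuth AS)."""

    def __init__(self, name):
        self.name = name
        self._key = secrets.token_bytes(32)  # HMAC key for the tokens it mints
        self.clients = {}                    # client_id -> digital contact address
        self.grants = {}                     # (patient, client_id) -> scopes
        self.refresh_tokens = {}             # refresh token -> (patient, client_id)
    def register_client(self, digital_contact):
        """Dynamic client registration from a provider's published digital contact."""
        client_id = "c-" + secrets.token_urlsafe(6)
        self.clients[client_id] = digital_contact
        return client_id
    def grant(self, patient, client_id, scopes):
        """Consent, recorded once at the one AS the patient chose."""
        if client_id not in self.clients:
            raise KeyError("unregistered client")
        self.grants[(patient, client_id)] = frozenset(scopes)
    def revoke(self, patient, client_id):
        self.grants.pop((patient, client_id), None)
    def issue_tokens(self, patient, client_id):
        scopes = self.grants.get((patient, client_id))
        if not scopes:
            raise PermissionError("no consent on file")
        refresh = secrets.token_urlsafe(16)
        self.refresh_tokens[refresh] = (patient, client_id)
        return self._mint(patient, client_id, scopes), refresh
    def refresh(self, refresh_token):
        """Later access with no patient action, but only while consent still stands."""
        patient, client_id = self.refresh_tokens[refresh_token]
        scopes = self.grants.get((patient, client_id))
        if not scopes:
            raise PermissionError("consent withdrawn")
        return self._mint(patient, client_id, scopes)
    def _mint(self, patient, client_id, scopes, ttl=300):
        claims = {"iss": self.name, "sub": patient, "client": client_id,
                  "scope": sorted(scopes), "exp": time.time() + ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        return body.hex() + "." + hmac.new(self._key, body, hashlib.sha256).hexdigest()
    def verify(self, token):
        """Stand-in for token introspection; only this AS's own unexpired tokens pass."""
        body_hex, _, sig = token.partition(".")
        body = bytes.fromhex(body_hex)
        if not hmac.compare_digest(sig, hmac.new(self._key, body, hashlib.sha256).hexdigest()):
            return None
        claims = json.loads(body)
        return None if claims["iss"] != self.name or claims["exp"] < time.time() else claims


class ApiDataProvider:
    """Data holder: runs no consent service of its own, honours the AS each patient designated."""

    def __init__(self, name):
        self.name = name
        self.records = {}      # patient -> record
        self.patient_as = {}   # patient -> AuthorizationServer they designated
        self.log = []          # every access attempt, readable by the patient
    def designate_as(self, patient, authorization_server):
        self.patient_as[patient] = authorization_server
    def read(self, patient, token, scope="patient/*.read"):
        as_ = self.patient_as.get(patient)
        claims = as_.verify(token) if as_ else None
        ok = bool(claims and claims["sub"] == patient and scope in claims["scope"])
        self.log.append({"patient": patient, "provider": self.name, "ok": ok,
                         "client": claims["client"] if claims else None})
        if not ok:
            raise PermissionError(f"{self.name}: access denied")
        return self.records[patient]


def denied(call):
    """True if the call is refused; used for the demo's negative checks."""
    try:
        call()
    except PermissionError:
        return True
    return False


def demo():
    """One consent at the patient's chosen AS serves two unrelated data holders."""
    concierge = AuthorizationServer("alice-concierge")
    hospital_a, hospital_b = ApiDataProvider("hospital-a"), ApiDataProvider("hospital-b")
    hospital_a.records["alice"] = {"allergies": ["penicillin"]}   # constructed record
    hospital_b.records["alice"] = {"medications": ["metformin"]}  # constructed record
    for holder in (hospital_a, hospital_b):
        holder.designate_as("alice", concierge)
    dr = concierge.register_client("dr.smith@example.test")      # assumed address
    concierge.grant("alice", dr, ["patient/*.read"])
    access, refresh = concierge.issue_tokens("alice", dr)
    from_a = hospital_a.read("alice", access)
    from_b = hospital_b.read("alice", concierge.refresh(refresh))
    # A token minted by an AS the patient never designated must be refused.
    rogue = AuthorizationServer("rogue-as")
    rogue_client = rogue.register_client("x@example.test")
    rogue.grant("alice", rogue_client, ["patient/*.read"])
    rogue_token, _ = rogue.issue_tokens("alice", rogue_client)
    rogue_rejected = denied(lambda: hospital_a.read("alice", rogue_token))
    concierge.revoke("alice", dr)   # patient withdraws consent in one place
    revoked = denied(lambda: concierge.refresh(refresh))
    return {"from_a": from_a, "from_b": from_b, "rogue_rejected": rogue_rejected,
            "revoked": revoked, "log": [e for e in hospital_a.log if e["patient"] == "alice"]}
```

Running `demo()` shows the two properties the bullets argue for: the patient gives consent and withdraws it in exactly one place, and each data holder still decides for itself, by checking the token against the authorization server that this patient designated, so a token from any other issuer, however well formed, is logged as a refused attempt rather than honoured. In a real deployment the holder would discover and trust the patient's authorization server through a protocol (the UMA standard cited above), not an in-process object reference, and the log would be exposed to the patient through the same API.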

The draft rules for interoperability, CMS, ONC, TEFCA, USCDI are over a thousand pages. Most of the complexity stems from a design that avoids direct patient direction and transparency of the kind we expect from banking and other automated services. This approach fragments the patient and physician experience and poses privacy and security risks that may never be solved. On the other hand, an interoperability design based on patient-designated sharing with clinicians that voluntarily post their digital contact info (personal, group, or institution) works across the full range of patient data (behavioral, HIPAA, patient-generated) and provides patients and family caregivers the transparency and accountability over health services that we need. Allowing patients to specify their authorization server further simplifies things by enabling competition for the authorization service, a digital concierge, that would give market power to individuals and deliver the pro-competitive benefits the Rule seeks.

Link to the complete comment here.

Adrian Gropper, MD, is the CTO of Patient Privacy Rights, a national organization representing 10.3 million patients and among the foremost open data advocates in the country. 

Deborah C. Peel, MD, is the Founder and President of Patient Privacy Rights.

This post originally appeared on Bill of Health here.

3 replies

  1. “Upcoding and billing fraud would be reduced if”

    Don’t you guys think that the modern EHR is a machine precisely for upcoding? Ask yourself (if you haven’t already) – what business would spend mid-seven figures on an investment with no ROI? Answer: None.

    So then, there is an ROI. So what is it? It sure isn’t any of the things we have been promised. It’s longer days, less patient contact, more coding seminars, shorter visits, duplicated effort (spend time explaining things, then document the discussion on the EOV form), and so on. Everyone knows this.

    The purchasers (hospitals) and their partners (payers) seem quite happy with their investments, however. Why is this?

    It’s because “Pain US crying TM dusky red Dx OM Rx amox” is not codeable. A structured note which requires certain elements, even though they are unnecessary, is codeable, and it’s very easy for the PMs to identify newer and better ways to fill out that structured note so 75% of your 99212s become 99213s.

    I do not know if anyone is tracking revenue streams per unit after EHR adoption (we do know total units go down), but it would be an interesting exercise.

  2. William’s point is key in a couple of ways. One is that upcoding and billing fraud would likely be reduced if patients had convenient transparency on what was being billed. The second is that the policies that determine how patient data is accessed and used can be shifted to patient communities and other groups that are much smaller and more focused than today’s “integrated delivery networks” and governments.

    But “downsizing the functional interactive units of medicine” as William calls them requires standards for how records are secured and accessed. We can’t expect the various health care professionals and provider groups to access and use independent and decentralized health records without having a secure single-sign-on technology and reasonable expectations for how information is laid out. Work on these standards is proceeding. Some is reflected in comments by Patient Privacy Rights to the Federal TEFCA regulations (due today) that will be posted soon.

  3. Health care interactions should occur in smaller groups, small enough that the provider can feel sympathy and empathy for his patient and small enough that the patient can be intimate and cooperative and thoroughly honest with her provider. Groups that are small enough to feel grief for each other are the right size. When we downsize the functional interactive units of medicine we will not defraud one another and we will value all the resources that we use appropriately. Providers will also value the privacy of their patients as they would a member of their family. It is important that we like one another. We are not mean to family members.

    As functional units become large, the instinctive love we have for our family members and similar small groups of friends disappears and we only seek return on investments. We also begin to fight and litigate and conduct wars. Our only interest becomes profit.

    This is not hypothetical, and psychologists and evolutionary anthropologists know the optimum and customary size of human tribes and groups over the last half million years: groups that had to trust one another intramurally (absolute trust was essential for survival) or they wouldn’t be here today.

    A small example of policy change that might implement some of this would be that physicians mostly always explain and talk to patients about their bills and send claims to indemnity insurers who return money to the patient who directly pays the physician. Or not…if he was unsatisfied. Or partially return. The physician has to know the billing system and use it himself.

    To bring about such a radical change in health care would require a revolution in power relationships, and is hardly doable today. Of course, as the authors above recommend, the patient must have much control of his medical records.

    With large institutions running health care you can predict exactly what is now happening.