A Patient’s View of the Cures Regulations


How should we react to 1,718 pages of new regulation? Let’s start by stipulating the White House and HHS perspective:

“Taken together, these reforms will deliver on the promise to put patients at their center of their own health care — you are empowered with control over your own health care choices.” 

Next, let’s stipulate the patient perspective via this video lovingly assembled by e-Patient Dave, Morgan Gleason, and the folks at the Society for Participatory Medicine. In less than 3 minutes, there are 15 patient stories, each with a slightly different take on success.

Third, allow me to summarize the 15 stories:

  1. Regina – needs a hospital to know her pain meds
  2. Sue – needs a doctor to know her path report
  3. Morgan – has 23 patient portals with records to show her doctor
  4. Amy – wants her doctor to retrieve records
  5. Sue – needs records to make critical appointments
  6. Adrian – needs all doctors to share an authoritative current medication list
  7. Janice – needs notification of critical follow-up from doctors
  8. Bray – misses a comprehensive health record
  9. Stacey – needs her doctors to access her mammograms
  10. Bailey – is frustrated by manual repetition
  11. Stacy – wants to be an effective navigator for patient clients
  12. G – was victim of a transcription error
  13. Betty – was harmed by records lost in transit
  14. Anne – caught an error in her chart
  15. Grace – wants a single record available everywhere

Notice that all but one or two of these patient stories have a doctor, hospital, or staff as the target and the real goal of the patient-directed access.

Now, here’s the challenge to my expert friends and pundits reviewing the 1,718 pages. All of these pages are about basically one thing: a regulation on how to build and operate electronic health records that doctors and staff use. Will these regulations actually achieve the goal?

“Taken together, these reforms will deliver on the promise to put patients at their center of their own health care — you are empowered with control over your own health care choices.” 

The Cures regulations are clearly a step in the right direction but they seem to be missing essential components. Simply put, the regulations mandate access by patients but not by the patient’s doctors – and that’s not nearly enough. The missing link is a mandate for EHRs to enable patient-centered input in a way that is convenient and time-effective for doctors and staff. Patients can manage stacks of paper and dozens of apps but if there’s no way to deliver authoritative, current, and succinct information to their doctors then most of the 15 patient stories will remain unfulfilled and the goal of “control over your own health care choices” will be just rhetoric. 

Fortunately, HHS still has some powerful cards to play, and how they play them in 2020 will make a huge difference. 

  • One of these is TEFCA, which has yet to issue rules for how a hospital EHR gets access to records from another source. TEFCA can be strongly linked to the patient’s right of access that the Cures regulations provide. This would avoid the loss of provenance and authenticity that will otherwise occur if patients are forced to use an app in the middle of the transfer as the CARIN Alliance is suggesting. Unfortunately, patient and physician advocates like Patient Privacy Rights are not considered principal stakeholders in the TEFCA design. We’re excluded from the core decision-making process.
  • Another lever is the power of the purse as the Federal Health Architecture is deploying a new commercial EHR in the coming years. The VA and others can require that their EHR behaves symmetrically, where anything the Cures regulations say can be sent out of a certified EHR can also be brought into the VA EHR. This would set a good example without introducing additional regulatory or standards delays that might easily eat up another decade.
  • Lastly, HHS can drive for the next generation of standards that are based on modern, self-sovereign identifiers and zero-trust architecture. They can do this by contributing to the HEART Workgroup and launching the next iteration of the API Task Force to make clear that patient control of the regulated API is separate from patient control of the data itself. Standards for identity and consent apply to APIs for wearables, banking, and social services as well as they do to regulated health care providers. Health industry API standards like FHIR are critical but a patient-centered perspective will bring in other APIs and so the identity and consent practices should follow industry practices beyond healthcare.

Implementation of the Cures regulations is mandated over the next four years. Now that this major milestone has been reached, HHS needs to pull the next levers of power to drive meaningful competition and a new generation of healthcare innovation.

Adrian Gropper, MD, is the CTO of Patient Privacy Rights, a national organization representing 10.3 million patients and among the foremost open data advocates in the country.

1 reply »

  1. The regulations, as I heard, require that records expose data through SMART over FHIR. Am I right? And am I right that SMART is a one-way standard, reading out data but not writing data back? That seems to be a key design choice leading to the problem you describe, Adrian. Good article.
