We begin by commending HHS, CMS, and ONC for skillfully addressing the pro-competitive and innovative essentials in crafting this Rule and the related materials. However, regulatory capture threatens to derail effective implementation of the rule unless HHS takes further action on the standards.
The Wikipedia entry on regulatory capture begins:
“Regulatory capture is a form of government failure which occurs when a regulatory agency, created to act in the public interest, instead advances the commercial or political concerns of special interest groups that dominate the industry or sector it is charged with regulating. When regulatory capture occurs, the interests of firms, organizations, or political groups are prioritized over the interests of the public, leading to a net loss for society. Government agencies suffering regulatory capture are called ‘captured agencies.’” (End of Wikipedia quotation.)
The extent to which HHS has allowed itself to be influenced by special interests is not the subject of this comment. This comment is just about how HHS and the Federal Health Architecture can act to more effectively implement the sense of Congress in the 21st Century Cures Act.
TEFCA will succeed where previous national health information exchange efforts have failed only if it puts patients and families, and/or their fiduciary agents, in control of health technology. This is the only path to restore trust in physicians, and to ensure accurate and complete data for treatment and research.
As physicians and patient advocates, we seek a longitudinal health record, patient-centered in the sense of being independent of any particular institution. An independent health record is also essential to enhancing competition and innovation for health services. TEFCA Draft 2 is the latest in a decade of starts down the path to an independent longitudinal health record, but it still fails to deal with the problems of consent, patient matching, and regulatory capture essential for a national-scale network. Our comments on regulatory capture will be filed separately.
We strongly support the importance in Draft 2 of Open APIs, Push, and a relationship locator service. We also strongly support expanding the scope to a wider range of data sources, beyond just HIPAA covered entities in order to better serve the real-world needs of patients and families.
However, Draft 2 still includes design practices such as the lack of patient transparency, lack of informed consent, and a core design based on involuntary surveillance. This institution-centered design barely works at a community level and leaves out many key real-world participants. It is wishful thinking to believe that it will work with expanded participant scope and on a national scale.
Electronic health records (EHRs) are a polarizing issue in health reform. In their current form, they are frustrating to many physicians and have failed to support cost improvements. The current round of federal intervention, proposed rulemaking pursuant to the 21st Century Cures Act, calls for penalties for “information blocking” and for technology that physicians and patients could use “without special effort.”
The proposed rules are over one thousand pages of technical jargon that aims to govern how one machine communicates with another when the content of the communication is personal and very valuable information about an individual. Healthcare is a challenging and unique industry when it comes to interoperability. Hospitals spend lavishly on EHRs and pursue information blocking as a means to manipulate the physicians and patients who might otherwise bypass the hospital on the way to health reform. The result is a broken market where physicians and patients directly control trillions of dollars in spending but have virtually zero market power over the technology that hospitals and payers operate as information brokers.
What follows below are comments by Patient Privacy Rights on the proposed rule. The common thread of our comments is the need to treat patients and physicians, not the data brokers, as the real stakeholders.
Comments to the ONC Rule
Overview: 21st Century health care innovation, policy, and practice is increasingly dependent on personal information. This is obvious with respect to machine learning and risk adjustment, but personal information is now central to the competitive strategy for most of the health care economy, clinical as well as research. ONC’s drafting of this rule reflects the importance of competition to innovation and cost containment.
The 2016 21st Century CURES Act is the law. It is built around two phrases, “information blocking” and “without special effort,” that give the administration tremendous power to regulate anti-competitive behavior in the health information sector. The resulting draft regulation, February’s Notice of Proposed Rulemaking (NPRM), is a breakthrough attempt to bend the healthcare cost curve through patient empowerment and competition. It could be the last best chance to avoid a $6 Trillion, 20% of GDP future without introducing strict price controls.
This post highlights patient-directed access as the essential pro-competition aspect of the NPRM which allows the patient’s data to follow the patient to any service, any physician, any caregiver, anywhere in the country or in the world.
On one hand, regulators are reluctant to limit private corporate action lest we reduce innovation and patient choice and promote moral hazards. On the other hand, a privatized marketplace for services requires transparency of costs and quality and a minimum of economic externalities that privatize profit and socialize costs.
For over two decades, the HIPAA law and regulations have dominated the way personal health data is used and abused to manipulate physician practice and increase costs. During these decades, digital technology has brought marvels of innovation and competition to markets as diverse as travel and publishing while healthcare technology is burning out physicians and driving patients to bankruptcy.
Let’s give the Office of the National Coordinator (ONC) credit for trying. In what’s arguably the first significant piece of policymaking, the newly Republican HHS issued a draft Trusted Exchange Framework and Common Agreement (TEFCA) that aims to implement the massively bipartisan 21st Century Cures Act mandate to end information blocking. Are they succeeding?
Why should you care? After almost a decade and many tens of billions of dollars spent on health information technology, neither physicians nor patients have access to a longitudinal health record, transparency of quality or cost, access to independent decision support, or even the ability to know what their out-of-pocket cost is going to be. After eight years of regulation, precious little benefit has trickled down to patients and physicians. This post looks at the TEFCA proposal from the patient experience perspective.
The patient perspective matters because, under HIPAA, patients do not have a choice about how our data is accessed or used. This has led to information blocking as hospitals and EHR vendors slow-walk the ability of patients to direct data to information services we choose. Patients lost the “right of consent” in 2002. This puts a regulation-shy administration in a quandary: How do they regulate to implement Cures, when current HIPAA and HITECH-era regulations give all of the power to provider institutions bent on locking in patients as key to value-based compensation?
21st Century Cures is now law. Aside from its touted research and mental health provisions, it’s the most significant health information technology regulation since HITECH, now 8 years ago. A decent summary of the health IT provisions of the bill by John Halamka concludes with “That is just not realistic.” He’s almost certainly right to the extent your perspective is the hospital-centered mega-EHR model. You can’t get there from here.
Halamka and others who think that consolidated institutions will drive interoperability are in denial of the gap between financial integration and clinical integration. This recent post by Kip Sullivan describes some of the wishful thinking. But there’s another reason why HITECH’s institutional EHRs cannot get us to the Triple Aim, and it’s mostly about liability.
Halamka ignored one of the items in 21st Century Cures that could lead to clinical integration around a patient: a longitudinal health record. Section 4006 on page 149 includes:
“(1) IN GENERAL.—The Secretary shall use existing authorities to encourage partnerships between health information exchange organizations and networks and health care providers, health plans, and other appropriate entities with the goal of offering patients access to their electronic health information in a single, longitudinal format that is easy to understand, secure, and may be updated automatically.”
Useful longitudinal health records require curation and, almost by definition, the curators are not going to be affiliated with any single hospital or other institution operating a traditional EHR. Allowing licensed physicians, family caregivers, and the patient themselves to edit an institutional EHR is risky to the point of impossible. That’s why the current initiatives to introduce modern APIs into EHRs like SMART and Sync for Science are read-only.
President Obama’s legacy for health information technology is about to see its first test at the hands of a little-known project for access to Medicare beneficiary data. The President’s Precision Medicine Initiative (PMI) database is the big brother of Medicare’s database. Although both databases will be managed by the Government, the PMI one will also have our DNA and as many of our health records as we are willing to move there. How much control will patients have over our data in either of these databases? Federal policy on these databases will impact all of healthcare.
The test is whether either of these databases will limit one’s ability to control and use our own data.
Can I have free first-class network access to my own data?
Can I send my own data instantly to anywhere I choose?
Can I direct my data digitally, without paper forms?
These three questions apply equally to my Medicare data, my data in a private-sector EHR, and my PMI data. Current HIPAA law allows it, but will the Government and hospitals actually implement it? The policy for the Medicare database is being implemented as Blue Button on FHIR this summer, and so far it doesn’t look good.
If our Federal Health Architecture (FHA) will not allow us the maximum control allowed by the law, then how can we expect private-sector healthcare systems to do it? I wrote about the current HIPAA law and how it needs to be changed to make a patient’s first-class access a right, instead of an option, in a previous post.
Now it’s clear. On Thursday, the Office for Civil Rights, responsible for HIPAA enforcement and protecting the public, published a new guidance to interpret HIPAA with respect to data blocking. The limits of the current law are now evident. In the interest of affordable health care, the Precision Medicine Initiative, and common sense, it’s time for Congress to update HIPAA. Believe it or not, HIPAA still allows hospitals and other electronic health record (EHR) systems to require paper forms before they release data under patient direction. Along with an allowed 30-day delay in access to electronic health records, this data blocking makes second opinions and price comparisons practically inaccessible. Over $30B in stimulus funds have been spent on EHRs and now it is still up to Congress to give patients full digital access to digital data.
Data blocking is the result of deliberate barriers designed into current EHRs that prevent patients from being able to use their own data in efficient and innovative ways. It is practiced by both EHR vendors and healthcare institutions to avoid competition by favoring the services they control. As hospitals consolidate into massive “integrated delivery networks”, the business logic for data blocking becomes clear and irrefutable. Data blocking ensures the largest health delivery networks will get larger and control pricing. The bigger they are, the more data they have about each patient and the more money each patient’s data is worth to outside interests like pharmaceutical companies and data brokers. The results are ruinous healthcare costs and hidden discrimination in insurance, credit, employment, and other key life opportunities.
“Why Are Apple’s Competitors Staying Silent On the iPhone Unlocking Fight?” is the question of the day on tech blogs. The answer is hardly technical and may not be legal; it’s all about privacy policies and business strategy and it is very evident in healthcare.
Class 3 – “We will use your data according to xyz policy and if you don’t like it, take your illness elsewhere.” This is pretty much how healthcare and much of the Web world runs today. We have limited rights to our own data. On the other hand, the services that have our data can sell it and profit in dozens of ways. This includes selling de-identified data. In Class 3, you, the subject of the data, are a third-class citizen, at best. In many cases, the subject doesn’t even know that the data exists. See, for example, The Data Map.
We are so completely engulfed by Class 3 privacy policies that we have lost perspective on what could or should be. A Class 1 policy like Apple’s is widely seen as un-American. A Class 2 policy like PPR’s is indirectly attacked as “insurmountable”.