Health Information Exchange Rule Raises Privacy ConcernsGroups Ask Congress to Delay Finalization of Proposed Rule
Seven healthcare and health IT industry groups are asking Congress to apply the brakes in issuing a final rule on interoperability, information blocking and health information exchange as required under the 21st Century Cures Act, citing concerns about privacy and other issues.
The groups express worries about the privacy and security of application programming interfaces, which have been proposed to play a central role in facilitating the exchange of health information and providing patients with easier access to their records.
In its proposed rule for interoperable health information exchange, the Department of Health and Human Services' Office of the National Coordinator for Health IT states that health APIs "must allow health information to be accessed, exchanged and used without special effort." (See Deciphering HHS' Proposed Information Blocking Rules).
Need for Safeguards
The College of Healthcare Information Management Executives, the American Healthcare Information Management Association, and the American Medical Association are among the seven groups signing letters sent Monday to health committee leaders in both the Senate and House.
"While we are pleased the administration is working to operationalize several requirements ... that seek to improve information sharing and patient care through use of APIs, at the same time, it is imperative that policies be put in place to prevent inappropriate disclosures to third-parties and resultant harm to patients," the groups write.
The groups are urging Congressional leaders to continue oversight "to ensure that the 21st Century Cures Act is implemented in a manner that best meets the needs of patients and those who deliver their care."
The groups say they are concerned that specific provisions of ONC's proposed rule, which was issued in February, "jeopardize important goals to foster a healthcare system that is interoperable, patient engaged and reduces burdens for those delivering care."
The letters include a list of recommendations aimed at furthering the objectives of the 21st Century Cures Act "while ensuring that the final regulation does not unreasonably increase provider burden or hinder patient care."
Those recommendations include urging HHS to issue interim or "supplemental" rulemaking before issuing a final rule "in order to address outstanding questions and concerns" from industry stakeholders.
The groups are asking for "enhanced privacy and security," especially for APIs.
"The proposed rule does not sufficiently address [the Act's] directives to protect patient data privacy and ensure health IT security," the groups write. "Further, it is imperative that the [Congressional committees] continue oversight of privacy and security issues that fall outside of the HIPAA regulatory framework."
While the use of APIs and third-party applications has the potential to improve patient and provider access to needed health information, their use "brings us into uncharted territory as patients leave the protections of HIPAA behind," the letters note.
"We support patients using apps to access their information; however, there is building concern that data will be commoditized by app developers and other third parties and used in ways not intended by patients."
Certified APIs should include mechanisms to strengthen patients' control over their data -statements of whether data will be disclosed or sold - and ensure adherence to industry-recognized best practices, the groups write. "This basic level of transparency is critical to strengthening patients' trust in an increasingly digital healthcare system."
The groups contend that ONC should work with stakeholders to develop a pathway to address security concerns in APIs and apps. "For example, API technology suppliers should be required to conduct surveillance and mitigate threats and vulnerabilities that could be introduced to an information system to which the API could connect," their letter states.
"We are mindful of the need to balance concerns of incumbent stakeholders with the rights of patients to have transparency and actionable choice in their healthcare."
—Office of the National Coordinator for Health IT
Also, as more sensitive data is exchanged "data segmentation capability should be prioritized" for certified electronic health record technology, the groups add.
"Standards and functionalities that enable data segmentation, tagging and privacy labeling are critical to ensuring the privacy of patient data. Segmentation of patient data will also be critical as we transition to a health information exchange trust framework and as the nation seeks to leverage health IT in addressing the opioid addiction crisis."
The groups also contend that regulatory enforcement authority over emerging health information exchange issues is unclear.
"Multiple federal agencies have jurisdiction over the privacy and security of patient and consumer information, including the HHS Office for Civil Rights, the Federal Trade Commission, the Centers for Medicare and Medicaid Services and ONC," the letter states. "We recommend the federal government adopt a holistic and coordinated approach to addressing the access, exchange and use of health information by third parties not governed by HIPAA, including the sale and commoditization of data not intended by patients."
Additional requirements are needed to mitigate security concerns that arise with the on-boarding of third-party applications onto clinician and other providers' systems, the groups contend. "Failure to do so could introduce significant cybersecurity threats to our healthcare system."
The groups contend that before ONC issues a final rule, the agency should issue a "supplemental notice of proposed rulemaking" and seek further input from impacted healthcare industry stakeholders on several issues, including providing more clarity around the issue of preventing the blocking of information sharing.
ONC's proposed rule would require health IT developers to provide the capability to electronically export all electronic health information they produce and electronically manage it in a computable format.
The proposed rule says that requirement "is intended to provide patients and health IT users with a means to efficiently export the entire electronic health records for a single patient or all patients in a computable, electronic format, and facilitate the receiving health IT system's interpretation and use of the EHI, to the extent reasonably practicable using the developer's existing technology."
But the groups who wrote to Congress contend that "due to the breadth of the proposed EHI definition ... ONC should modify the information blocking proposal to ensure that the requirements and exceptions are well defined and understandable, and clinicians, hospitals and health information professionals are not inappropriately penalized if they are unable to provide a patient's entire EHI through an API."
The groups also contend that HHS needs to slow down any planned enforcement of the information-blocking provisions. HHS' proposed rule contains examples of information blocking that could be prohibited - and potential penalties up to $1 million per violation that could be imposed by HHS' Office of Inspector General.
HHS "should use discretion in its initial enforcement of the data blocking provisions of the regulation, prioritizing education and corrective action plans over monetary penalties," the groups urge.
In a statement provided to Information Security Media Group, an ONC spokesman says: "We are mindful of the need to balance concerns of incumbent stakeholders with the rights of patients to have transparency and actionable choice in their healthcare."
DirectTrust, a non-profit collaborative that maintains the policies, standards, and practices of the Direct protocol for point-to-point encrypted messaging for healthcare, also has concerns about some of ONC's proposals.
"DirectTrust is concerned there are little or no guardrails for the new app economy foreseen by the rules," says Scott Stuewe, president and CEO of DirectTrust, in a statement provided to ISMG. The group did not sign the letter to Congress.
"We strongly believe in patient and consumer access to health information, but also believe those participants should be able to know and trust usage of their health data within apps," he says.