In 2016, the United States Congress passed the 21st Century Cures Act to help facilitate and accelerate research into preventing and curing serious diseases, as well as accelerating medical device and pharmaceutical development and other critical areas for healthcare.
The legislation’s goal is to improve care coordination, provide better health outcomes, and reduce healthcare expenses.
Patient focus is at the heart of the Act, and as such, part of the legislation includes requirements designed to encourage healthcare organizations to adopt and implement more usage of electronic health records (EHRs) and promote more interoperability, or data sharing, between healthcare organizations.
The underlying goal is to give patients more and easier access to their electronic medical records (EMRs).
But one often overlooked area of the 21st Century Cures Act may be one of its most important-the Information Blocking Final Rule. The Information Blocking Final Rule has several components, and many people have characterized it as two separate rules.
It’s important to note, however, that these rules don’t amend HIPAA or the HITECH Act, although they appear to be related based on some of the core areas the Information Blocking Rule addresses.
What are some examples of information blocking in healthcare?
As outlined in the 21st Century Cures Act, some of these practices could be interpreted as information blocking:
- Any activities that restrict access or use of PHI for treatment and other uses as defined by state and federal laws.
- Adopting technologies that may ultimately increase costs, complexity, or other issues related to PHI access.
- Adopting technologies that prevent information sharing between health systems.
Want to take a closer look at more information blocking examples? Check out the full text of the Information Blocking Rule.
Right of Access
Through HIPAA’s Privacy Rule, individuals have the right, with some limited exceptions, to review and receive copies of their medical records and other health records that healthcare providers and health plans maintain. The Office for Civil Rights’ (ORC) Right of Access initiative has focused on improving accessibility for patients and enforcing potential investigations and penalties for healthcare covered entities that fail to meet those requirements.
Through Right of Access, individuals have the right to review PHI in the form and format of their choice, if it is readily achievable.
This is where interoperability comes in. When we talk about interoperability in healthcare, it can be helpful to think of healthcare data sharing similar to a more common practice you may use every day-your banking services.
You may be able to log into one financial services provider to manage your accounts with that provider, but you can also share data from one provider to another, for example, your routing and checking account numbers.
For example, you can log into a portal such as a bill payment system and share information about your financial services institution to pay that bill, even when the bank and the company you’re making a payment to are not related. Or, you can easily move funds from one financial institution to another, even if they’re not part of the same financial services company.
Over the years, the financial services sector has made this a seamless process for consumers and they do so under a tremendous amount of regulations for security and privacy.
Part of the reason these institutions don’t block one another is because they haven’t built siloed data ecosystems and they don’t prevent other agencies from plugging into that information sharing pipeline.
Generally, financial institutions don’t wall-off customer data so it can’t be shared with other institutions.
In financial services, sensitive data doesn’t live in its own ecosystem, like we have historically seen within healthcare.
In terms of data sharing, healthcare has not been as innovative and forward-looking when it comes to EMR systems. In fact, it wouldn’t be uncommon to see some proprietary EMR systems still in operation for healthcare organizations of all sizes today.
That’s because as healthcare organizations moved from traditional paper record-keeping systems, many built, or had built for them, electronic file systems that were unique to their individual practice, group, or location.
When healthcare providers fence in their EMR with proprietary and limited technical services, healthcare data becomes difficult and slow to access. There are a lot of implications that result from limiting data sharing.
It can increase costs. Limited data sharing makes it more difficult and more expensive for patients to obtain additional care or a second opinion. It can also decrease efficiency when providers don’t have complete access to important medical information.
It can limit quality of care. Preventing patients access to their PHI also limits their access to the best care. When PHI can move seamlessly some provider to provider, it can ultimately increase competition among medical providers, leading to better healthcare outcomes.
Still, even as healthcare data sharing becomes more widespread, we’ve yet to see the same use via third-party app plug-ins and APIs in healthcare as we have in financial services.
This is partly because third-party apps and API’s raise concerns for healthcare organizations and their business associates both in terms of privacy and security and expenses. While the Right of Access initiative promotes patient access to their healthcare data, it comes with a price tag for the organizations providing that access.
Many healthcare organizations are still trying to figure out exactly what constitutes a reasonable cost or charge for these services as expenses for providers can quickly add up. While there isn’t a simple answer to this, healthcare organizations could look toward the financial services industry for more insight into how to manage these expenses and pass them on in a more digestible way to consumers.
When it comes to healthcare data sharing, drawing on financial services experiences, we see it’s becoming increasingly feasible for healthcare to adopt and encourage interoperability of data.
This is especially true if healthcare providers embrace the end of information blocking and adopt trusted, secure applications that can connect APIs and build a communication layer for data-sharing.
More Interoperability, More Risk
While there are a lot of benefits the Cures Act brings to both consumers and providers, more interoperability brings with it additional privacy and security risks.
Building partnerships to use third-party apps and services will require a business associate agreement, especially for third-party apps that aren’t necessarily HIPAA compliant, but may also not need to be.
For example, if a patient uses an app to track their weight and blood pressure, that’s health information. However, the third-party app doesn’t directly provide a health service, so the information stored/shared in the application may not have to be HIPAA protected unless the app provider is a HIPAA-covered entity and receives medical reimbursements.
There are a range of benefits of allowing healthcare covered entities to access the services of these apps to help streamline data flow within their existing ecosystems.
In simple terms, guidance from the act should help to further break down silos between healthcare information data exchanges, whether it’s something as simple as a blood pressure or weight monitoring application or more complex and sensitive healthcare data.
As a result, with Cures Act guidance, patients should have improved abilities to take ownership of their health data. And, as an added benefit, providers can confidently provide improved care to patients. This cycle continues with forward momentum directly related to more efficient and effective care coordination and coverage, which ultimately benefits us all.