On February 11, 2019, the Office of the National Coordinator for Health Information Technology (ONC) released its Notice of Proposed Rulemaking for implementing data interoperability provisions of the 21st Century Cures Act. Under the proposed rule, all health information technology (HIT) vendors that sell “certified electronic health record technology” (CEHRT) to health care providers will be required to meet new security, data governance and API standards, once final rules take effect. The proposed rule also describes steps to end business practices that emerged during the years when electronic health records were being adopted, which Congress viewed as anti-competitive.
In a related announcement, the Centers for Medicare and Medicaid Services (CMS) released a Proposed Rule to promote data interoperability by health plans that participate in the Medicare, Medicaid or the CHIP program, or that issue qualified health plans in the individual health insurance marketplace.
Both proposed rules mark a long-awaited step towards standardizing the rules of the road for data interoperability in healthcare. Of course, the industry hasn’t been sitting on their heels. Epic’s App Orchard, Xealth’s API marketplace and Apple Health Record are examples of the kind of tracks that are already being laid to connect consumers with their health data. In a blog posted when the proposed rules were released, National Coordinator for Health Information Technology Don Rucker drew an analogy to the federal standards enacted during the Civil War for railroad gauges. It’s hard not to be excited by comparing the potential impact of data interoperability in health data to westward expansion and President Eisenhower’s interstate highway system.
Both the ONC and CMS are clear about their end-goal. Creating standards for the support of accessing data through open APIs “without special effort” is intended to liberate patient data from their silos, increase patients’ access to their health data, and ultimately allow data to flow into digital services that make it easier for patients to make decisions about their health, and the health care services they receive and pay for. ‘Will the proposed rules finally democratize the opportunities for health data to flow?’ is a necessary but liberating question to keep top-of-mind.
A competitive digital health marketplace is ultimately pro-consumer, but it will also require a disruption in established contracting arrangements for protecting consumer privacy and securing protected health information. Right now, it’s common for HIPAA covered entities to restrict their business associate tech vendors from using and aggregating protected health information. In a data liquid environment, digital health innovators will receive their authority to use, disclose an aggregate and individuals’ protected health information directly from consumers. As these new contracting arrangements emerge, HIPAA business associate agreements will need to evolve, or be replaced by other types of contractual arrangements.
At the same time, a digital health marketplace won’t flourish in conditions where data interoperability leads to consumer’s privacy being less protected and their health data being less secure. In this respect, it’s worth remembering that the ONC or CMS do not hold direct enforcement authority on privacy and data security matters. Even as standards emerge under these proposed rules, strengthening privacy and security laws of general applicability is gaining traction, as reflected in a growing list of federal and state legislative proposals.
The size of the proposed rules are daunting, and dense with technical requirements. The ONC rule has 724 pages, double-spaced (187 pages in the Federal Register). The CMS rule is comparatively diminutive at 71 pages in the Federal Register. The technical requirements can be numbingly picayune, but have profound implications for the strategic orientation and priorities of digital health innovators.
As a way to wrangle these rulemakings and make them strategically and operationally relevant, this blog is a kick-off for a series of articles about the proposed rules, highlighting provisions that I think are notable or useful to digital health innovators across the health care ecosystem.
How do I decide if a provision is notable or useful? First, I think about you, my target reader: a digital health innovator. Are you the “show runner” for a digital health product? Are you a chief strategist, involved in positioning a digital health solution within the complex digital health ecosystem? Are you an executive at a health care provider, health plan or digital health tech company, making investment decisions for your product roadmap or future sustainability? Or, are you a chief technology architect, responsible for implementing and delivering a consumer-centered digital health service? As with all things in healthcare, making data interoperability a reality is a team sport.
I’m excited about the project. It makes me feel like a contributor to the Lonely Planet travel guide, helping you plan your journey down healthcare’s emerging data interoperability highway. It will also lay down some of my own tracks, providing context for a related series on emerging privacy and security legislation. Welcome to the journey.