What CMS and ONC’s Proposed Rules on Data Blocking in Healthcare Mean for Patient Privacy, Security
Because of laws like the 21st Century Cures Act, the healthcare industry has been encouraged to innovate, accelerate product development, and achieve new advancements in patient care. On February 11, 2019, the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare and Medicaid Services (CMS) propelled this movement forward by issuing proposed rules to prohibit data blocking in healthcare. But what is data blocking, and what does this mean for privacy, security, and interoperability?
Data blocking at a high level
The U.S. Department of Health and Human Services defines data blocking as “practices that unreasonably limit the availability, disclosure, and use of electronic health information [to] undermine efforts to improve interoperability.” Basically, it prevents a patient’s medical records from being safely and economically transferred from one facility to another and makes it difficult for patients to access their own information.
During a March 26 Senate hearing on the ONC’s and CMS’s proposed rules, Sen. Patty Murray remarked that too many providers have created roadblocks to the flow of information, such as requiring fees to receive information and restricting patients from accessing their own records.
For example, several states have laws that limit or waive the amount providers can charge for copies of patient medical records. Many would argue that any fee is a burden: In Georgia, a 100-page patient medical record would cost $111.68. According to the American Medical Association, “If the patient earns Georgia’s minimum wage of $5.15, he or she will need to work more than 21 hours” to buy a copy of their full file.
“We cannot afford to have bad actors who prioritize their bottom line over a patient’s best interests,” Murray said.
Interoperability vs. Data Blocking
By prohibiting data blocking, the agencies hope to enable interoperability – in this case, the transfer of patient information from one facility to another. Interoperability, which has recently become a hot topic in healthcare, simply isn’t possible with data blocking – one cancels the other out.
When a patient sees their primary care doctor and is referred to a specialist, for example, interoperability allows their PHI to be transferred seamlessly between the two providers. This streamlined process improves patient care by reducing medical errors and saves patients time from having to fill out the same information repeatedly at every provider they visit.
How this affects patients
Efforts to prevent data blocking also allow patients to access their own medical health records via online patient portals and similar means.
“[T]he days of holding patient data hostage are over… Our proposed rule includes a policy to publicly identify doctors, hospitals, and other healthcare providers who engage in information blocking. Simply put, we’re going to expose the bad actors who are purposely trying to keep patients from their own information. Patient data doesn’t belong to the doctor, hospital, or electronic health record. It belongs to the patient.” – Seema Verma, CMS Administrator
But what does this mean for the privacy and security of sensitive PHI? By allowing patients to access and transfer information, does it put their data at risk?
Some professionals, like CynergisTek CEO Mac McMillan, are concerned that the industry lacks sufficient security standards for the technology that fuels interoperability. He argues that the risk to organizations, providers, and patients rises as networks become more connected with one another.
“Increasing interoperability, data sharing and use of commercial products through more APIs is just expanding the attack surface further,” he said.
To alleviate these concerns, healthcare organizations must create privacy and security standards for exchanging information. Because patient portals are often run by third-party applications, they must be vetted to ensure they meet privacy and security standards.
Dr. Christopher Rehm, CMIO at Brentwood, Tennessee-based Lifepoint Health, recommended an “industry-backed process to independently vet these applications to ensure they meet all relevant security standards, use data appropriately and in line with consumer expectations and, for those applications that offer medical advice, (ensure) the advice is clinically sound.”
Challenges to the proposed CMS and ONC rules
A major challenge to implementing the proposed rules is adapting to technology. In order to comply with data blocking prohibition and interoperability rules, facilities must have technology advanced enough to allow for information transfers. According to a Unisys survey of 220 healthcare IT professionals, nearly two-thirds of providers rate themselves as being behind the curve on digital health initiatives; only 11% consider themselves early adopters.
To improve digital health readiness, providers are encouraged to upgrade to cloud-based technology if they haven’t already, implement distributed ledger technology like blockchain, apply artificial intelligence/machine learning for clinical diagnoses and privacy monitoring, and establish a comprehensive, documented data governance plan.
Because these proposed regulations aren’t set in stone yet, they’ll likely change before they’re implemented. The deadline for the comment period on the CMS’s and ONC’s data blocking rules is currently May 3, 2019. Yet because roughly 64% of facilities lag behind on the required technology, many are requesting a 30-day extension to adjust implementation timelines and more thoroughly address the impact of the proposed rules.
Although not without their challenges, the proposed rules seek to improve the patient experience by removing barriers to the flow of information and allowing patients access to their records via patient portals. Naturally, it’s necessary to establish privacy and security guidelines, as well as a road map to implementing these rules. Then, transfers and access can happen safely, conveniently, and with the patient’s privacy in mind.