Federal Health Information Technology Rules Issued; AHA Expresses Privacy Concerns
This week, the federal Department of Health and Human Services (HHS) issued two final rules regulating health information technology. The rules enable patients to download their electronic health records (EHRs) onto their smartphones using third-party apps, raising concerns about the privacy of that data, and require hospitals to send electronic notifications to health care facilities or community providers when a patient is admitted, discharged, or transferred.
The first rule implements parts of the 21st Century Cures Act and was promulgated by the federal Office of the National Coordinator for Health Information Technology (ONC). It encourages developers to produce new apps that “provide patients with more choices” while calling upon the industry to adopt standardized application programming interfaces (APIs). Such policies, asserts ONC director Don Rucker, will help patients “manage their health care the same way they manage their finances or travel, or other parts of their life, on their smartphone.”
However, American Hospital Association President and CEO Rick Pollack says that the final rule “fails to protect consumers’ most sensitive information” from third-party apps, which are not governed by the same rigorous security requirements hospitals must meet. Privacy experts agree and remain concerned about how such apps may sell or use patient data. ONC’s rule also requires hospitals to standardize EHRs to include core common data in a standard format, including clinical notes and medications, to ensure readability of patient data across different platforms.
The second rule, “Interoperability and Patient Access,” was promulgated by the Centers for Medicare and Medicaid Services (CMS). It includes a new condition of participation for all Medicare and Medicaid participating hospitals (including psychiatric and critical access hospitals) mandating that they send electronic notifications to health care facilities or community providers when a patient is admitted, discharged, or transferred—enforceable six months from today.
CMS’s rule also directs CMS-regulated payers (health plans participating in Medicare Advantage, Medicaid, CHIP, and the federal Exchanges) to share claims data electronically with patients. This effort expands the 2018 Medicare Blue Button 2.0 program, which enabled beneficiaries to download their Medicare Part A, Part B, and Part D claims and encounter data using third-party apps. Beginning January 1, 2021, plans participating in these federal programs will be required to share data using API technology. HHS expects these changes will empower patients to “take this information with them as they move from plan to plan and provider to provider.”
HAP will continue to support Pennsylvania hospitals as its members implement policies to comply with these two new regulations. HAP also actively participates in stakeholder discussions around privacy and logistical issues as its members seek to identify best practices in meeting these new requirements most efficiently.
For more information, contact Sari Siegel, Ph.D., HAP’s vice president, health care research.