Rucker: Patient data access, choice is at heart of ONC rule
The Office of the National Coordinator for Health IT is pushing forward with a proposed rule meant to ensure patient access to their electronic healthcare information.
The agency’s efforts come despite industry concerns that policies are not in place to prevent inappropriate disclosures of patients’ medical records.
Stakeholders have made the case that—absent appropriate privacy protections—the finalization of ONC’s proposed rule, as written, would put patient information at risk.
Specifically, the American Medical Association has charged that ONC is making a policy decision to “not prioritize patient privacy” and that patients’ health information will be vulnerable to inappropriate secondary uses and disclosures from third-party apps.
However, National Coordinator for HIT Don Rucker told the ONC annual meeting on Tuesday that what the agency is proposing in its rule is the transmission of patient data through the use of OAuth 2 authentication to authorize data sharing via apps.
“Pretty much everybody in this room—I assume—has banking applications,” commented Rucker. “We’re using those types of security principles to facilitate this. And, that allows us in that OAuth 2 process to tie in some requirements on disclosures on very specific variant formed consent. This is going to have a very different flavor I think than what has been stated publicly by folks.”
Rucker added that “the data is not just all going to get stolen, as has been bandied about” by critics of the ONC proposed rule.
On Monday, Health and Human Services Secretary Alex Azar lashed out at healthcare stakeholders critical of ONC’s proposed rule. Speaking at the ONC annual meeting, Azar charged that EHR systems today are “balkanized” and “segmented,” creating data silos that prevent patients from accessing their health information.
“Unfortunately, some industry stakeholders are defending the balkanized, outdated status quo," Azar said, adding that some vendors holding patient data have "prevented new market entrants from participating in the space."
On Tuesday, Rucker echoed Azar’s remarks by pointing out that “there are all kinds of economic interests of folks who have spent their lives and careers in this space.”
“We are very thankful for the Secretary’s fierce support of the right for patients to access their electronic health information,” Lisa Lewis, ONC’s deputy national coordinator for operations and chief operating officer, told the agency’s meeting on Tuesday. “We, at ONC, are fighting to implement the will of Congress.”
The 21st Century Cures Act, passed by Congress and signed into law by President Barack Obama in December 2016, was intended to ensure greater patient access to healthcare records—and the sharing of such information—through several health IT interoperability provisions. Among them was a mandate from Congress to empower patients with open application programming interfaces (APIs) “without special effort” to assist with the access and exchange of health information.
When it comes APIs, Rucker said they are designed to “exist without elaborate requirements for providers to do any vetting of apps—because that would actually impede the consumer access.”
Lewis told the ONC meeting on Tuesday that “the work we’re doing can really be considered a type of civil rights movement” and that “the rights provided under HIPAA can only be realized when those rights are operationalized—it is time to operationalize the digital flow of health information in a private and secure way without special effort by the end user.”
However, some healthcare stakeholders have expressed concerns about the lack of consumer protection for health data beyond the HIPAA-regulated environment.
In a letter last month to members of Congress, the American Health Information Management Association warned that the existing regulatory landscape “lacks sufficient privacy and security guardrails to protect health information held by entities not covered by HIPAA.”
AHIMA contends that there are many health-related technologies that exist and operate outside of the scope of HIPAA. “While these health-related technologies produce and manage individually identifiable health information, they are not bound by or required to abide by the rules established under HIPAA because they are not considered covered entities’ or ‘business associates.’”
Nonetheless, Rucker pointed out that it’s the responsibility of providers to “clearly let folks know that when the patient accesses their data—under their right of access—this data has now left HIPAA.” He also emphasized that patients who use API-enabled health apps must keep their data safe and secure, like they do with information associated with their banking apps.
“I don’t think we can let the risks that are real prevent all of us as citizens and members of the United States from having all of our data,” Rucker concluded. “For each and every one of us, that should be our choice on what to do.”