Providers, health plans and trade groups are calling on HHS agencies to slow down a push to put health data in patients' hands via third-party apps, citing privacy and implementation concerns.
Patient-facing apps are a key component of the CMS and the Office of the National Coordinator for Health Information Technology's companion interoperability and information-blocking proposals released in February. The rules outline how regulators will require insurers and providers to share medical data with patients. That could include using application programming interfaces that connect electronic health record systems with third-party apps.
Despite the ONC's efforts, privacy is still a core concern for the healthcare industry.
In comments to the CMS, Allina Health in Minneapolis suggested the agency create a certification program for APIs to reduce providers' potential liability and burden when they contract with app developers. It also recommended the CMS establish a safe harbor for providers sharing patient data through an API.
The American Hospital Association went a step further in a letter to the ONC, questioning whether encouraging patients to use tools not governed by HIPAA would lead patients to unintentionally cede control of their health data.
A third-party app that's not held to the same privacy standards as healthcare providers might be able to use health data in ways patients are not aware of, such as by monetizing it or using it to target advertisements, the association said.
HHS in April extended the public comment periods for both rules to June 3, a 30-day extension from the original deadline. At the time, ONC chief Dr. Don Rucker said that was largely due to confusion over whether providers could be held responsible for patients' health data use.
Under the ONC's rule, Rucker said patients would be able to decide what types of third-party apps to use to access their health data. And once a patient decides to share their protected health information with an app, the provider is not liable for subsequent use or disclosure of this data—so long as the app developer is not a business associate of the group.
Dr. Barbara L. McAneny, the American Medical Association's president, said the ONC's proposed rule could lead to patient information being shared with third parties in ways the patient didn't expect.
To address this gap in privacy protections, the AMA suggested the ONC should ask API technology suppliers to abide by specific privacy and industry guidelines, such as the Federal Trade Commission's best practices for mobile health app developers.
Developing a privacy framework that goes hand-in-hand with the proposed rules would also help to address patient privacy concerns, six former ONC chiefs wrote in a joint comment to the agencies. They suggested the CMS and the ONC work with the private sector to create a companion framework that protects patient privacy and ensures patients understand how their data is being used.
Still, the six authors offered "enthusiastic support for the proposed rules," and called the CMS' plan to expand APIs to health plans "game-changing." That's why the former national coordinators emphasized the agencies should implement the proposed rules "as quickly as possible," while designing the framework in parallel.
But not everyone agreed with this call to action, and many healthcare groups called on the agencies to publish interim rules and push back implementation timelines.
Healthcare groups were particularly concerned about the timeline for payers to begin using APIs. Under the CMS' rule, payers would begin offering patients access to claims and other data via APIs beginning in 2020.
Spectrum Health in Grand Rapids, Mich., urged the CMS to delay this mandate by several years to give payers more time to meet the requirements, arguing that providers had multiple years to implement and comply with data-sharing standards under the Medicare and Medicaid EHR Incentive Programs, now dubbed Promoting Interoperability.
"CMS must work with affected stakeholders to ensure that appropriate guardrails are in place to prevent unintended consequences for how public and private health plan data is accessed, shared and acted upon," Spectrum Health wrote in its comments.
United Health and the not-for-profit Sequoia Project also requested delays of at least 12 to 18 months.
The Alliance of Community Health Plans suggested the CMS issue an interim final rule to clarify what data payers will be required to share with patients via APIs and how the mandate will be enforced. The trade group also requested at least 18 months from the final rule's publication to prepare for compliance.
"For payers, significant resources will be necessary to collect data from numerous sources and conform them into a data set that could supply an API," ACHP wrote, noting payers tend to have data spread across multiple payer platforms and provider systems. "Constructing these APIs is a non-trivial undertaking."