As Congress looks to draft follow-up legislation to the 21st Century Cures Act, industry groups want to see lawmakers institute wide-ranging reforms to advance digital health and biomedical research.
Responding to a public request from Reps. Diana DeGette (D-Colo.) and Fred Upton (R-Mich.) for stakeholder input, these associations contend that barriers remain to the widespread and effective use of health information technology—challenges that “Cures 2.0” must address.
The 21st Century Cures Act, signed into law by President Barack Obama in December 2016, was meant to ensure greater patient access to healthcare records—and the sharing of such information—as well as to accelerate the development of medical innovations and breakthroughs.
The Cures Act included several health IT interoperability provisions. Among them was a mandate from Congress to empower patients with open application programming interfaces (APIs) “without special effort” to assist with the access and exchange of health information.
While the College of Healthcare Information Management Executives’ letter to DeGette and Upton voiced CHIME support for improving information sharing and patient care through use of APIs, at the same time the group said it is “imperative that policies be put in place to prevent inappropriate disclosures of patient data to third-parties and resultant harm.”
Similarly, the Medical Group Management Association said it supports the use of APIs to enhance interoperability and give patients access to their health information. However, MGMA’s letter to DeGette and Upton laid out the group’s concerns about the security implications of deploying APIs.
“Absent appropriate privacy protections, we believe patient information is at risk of being sold, used for vendor marketing and shared without permission with third parties,” wrote Anders Gilberg, senior vice president for government affairs at MGMA.
Likewise, the American Medical Informatics Association called for updating privacy policies in light of “real and significant” privacy risks and opportunities for fraud—outside the HIPAA-regulated environment—as patients increasingly gain access to their health data via APIs.
“The challenges posed to privacy, fraud and abuse in the near-term API-driven future will require that Congress acts to fill the consumer protection gaps residing just beyond the reach of HIPAA—either now, as part of ongoing consumer data protection legislation discussions or at some point after more demonstrable harm is committed against Medicare and Medicaid beneficiaries and other patients who erroneously believe that their data is protected from misuse,” according to AMIA.
“Major technology companies and major retail stores are investing heavily in digital health tools and are working to leverage new troves of data to better understand patients’ picture of health,” AMIA president and CEO Doug Fridsma, MD, wrote in a letter to DeGette and Upton.
Fridsma warned the members of Congress that “this blurring of clinical and consumer technologies brings both promise and opportunity for improving Americans’ health and wellness, as well as increases risks to privacy and safety.”
In particular, Fridsma expressed his concerns about a “lack of consumer protection for health data beyond the HIPAA-regulated environment” and a “lack of evidentiary standards for digital health tools and mobile applications.”
It’s a sentiment shared by the American Health Information Management Association. In a letter to DeGette and Upton, AHIMA CEO Wylecia Wiggs Harris voiced similar concerns about the existing regulatory landscape, which “lacks sufficient privacy and security guardrails to protect health information held by entities not covered by HIPAA.”
AHIMA’s letter points out that there are many health-related technologies that exist and operate outside of the scope of HIPAA. “While these health-related technologies produce and manage individually identifiable health information, they are not bound by or required to abide by the rules established under HIPAA because they are not considered ‘covered entities’ or ‘business associates.’”
CHIME President and CEO Russ Branzell emphasized his group’s strong support of patient access to their medical data, but expressed his members’ concerns that “patients are unaware of how their data is being used once it is released and, in some cases, may be under the false impression that it is still safeguarded under HIPAA.”
Overall, AMIA’s Fridsma urged Congress to “think centrally about how to ensure safety in our fast-approaching future dominated by innovations in artificial intelligence, big data aggregation, and advances in biotechnology.”
Specifically, Fridsma made the following policy recommendations for congressional drafting of Cures 2.0:
- Establish consumer protections for health data privacy.
- Break down data silos funded by the National Institutes of Health.
- Modernize regulation of software that performs medical device functions.
- Focus on health data standards research & development.
- Enable innovation and research within HIPAA-protected environments.
- Improve patient safety and security with unique patient identifiers.
Regarding the last of these, AHIMA similarly asked that Congress “consider legislative solutions to address the challenge of patient identification to ensure that patients are accurately identified and matched to their health information.”
CHIME’s Branzell charged that “without a standard patient identification solution, the creation of a longitudinal care record is simply not feasible.” As a result, CHIME encouraged DeGette and Upton to examine the issue of patient ID and consider legislative solutions to ensure patients are accurately identified and matched to their data, including a “discussion of expansion of the Medicare Beneficiary Identifier (MBI) created through MACRA, beyond the Medicare population.”
For its part, MGMA proposed that the Centers for Medicare and Medicaid Services “should be required to work with appropriate industry stakeholders in addressing the issue of the accurate and appropriate matching of patient records.”
In addition, to improve patient matching, the group recommended that the Office of the National Coordinator for Health IT “support the standardization of demographic data, including applying the U.S. Postal Service Standard to the address field” as well as “encourage exploring the use of email address as an additional patient matching element.”
In compliance with the Cures Act, ONC developed a proposed rule to advance interoperability—among other provisions—and to support the access, exchange and use of electronic healthcare information. In September, ONC’s proposed rule was sent to the Office of Management and Budget for OMB’s review. ONC is expected to release its final regulations in early 2020.
“The Cures Act is vast, and the provisions established in Section 4000, for example, have not yet been finalized, nearly three years after passage,” wrote Fridsma to DeGette and Upton. “As part of the fact-finding for Cures 2.0, AMIA encourages your offices to identify what key provisions are still in development and better understand how Cures 1.0 is being implemented.”