On October 6, 2022, health data sharing will be expanding to all EHI, not just those data elements represented in Version One of the United States Core Data for Interoperability (USCDI). This article will help you get in-the-know of how we got here and how to maintain compliance going forward.
‘Until recently, physicians have mostly served as the sole owners of patient data and have held the determination of what to do with it.’
On October 6, 2022, the scope of the 21st Century Cures Act Information Blocking Rule is expanding, prohibiting health care providers from interfering with patient access to their health data in a “designated record set,” defined under The Health Insurance Portability and Accountability Act (HIPAA). For health care providers, noncompliance with this will lead to fines.
So, the question to answer is: What information falls within the designated record set? What is the obligation to make this information available to patients in real-time?
Let’s revisit the policy. HIPAA defines a designated record set as applied to health care providers to include:
A group of records maintained by or for the health care provider that is:
(i) The medical records and billing records about individuals maintained by or for the health care provider; or
(ii) Used, in whole or in part, by or for the health care provider to make decisions about individuals.
There does seem to be some confusion around what constitutes required data. A Department of Health and Human Services (HHS) Office for Civil Rights case example helps to clear that up. They state that the information subject to the HIPAA right of access should include any information created by another health care provider if that information has been incorporated into the provider’s records.
Accordingly, health care providers will need to include access to records within their systems that originated from other providers if the information is used to make decisions about the individual.
How We Got Here
It is now the norm for healthcare organizations to store their data in an EMR. However, back in 2000, when a patient arrived at a hospital, clinic or any healthcare facility, an office employee would be required to sift through paper charts to find a patient’s previous record. Logistically, it was a nightmare. Those who went through it shudder at the thought, recalling those earlier days when interoperability between hospitals was unheard. The below timeline illustrates the two decades it has taken to get us where we are today.
The first step to modernizing electronic medical records (EMRs) was to digitize them. In 2004, President George W. Bush signed an executive order designed to oversee the development of health IT infrastructure that included adopting electronic medical records. Then, in 2009, the Obama administration emphasized technology to revitalize the economy. Some of the actions included backing software tools that give doctors easier access to patient data.
Seven years later, in 2016, the Cures Act was passed. This law encompasses efforts to fund precision medicine, nationwide interoperability and information blocking. The Cures Act places strong emphasis on providing patients access to their health data. This promotes interoperability among disparate electronic health records.
Because health IT standards are federally developed by the Office of the National Coordinator for Health Information Technology (ONC), the Cures Act instructs the ONC to work with the National Institute of Standards and Technology to ensure full network to network exchange of data. In addition, Health and Human Services must educate healthcare providers on ways to leverage the exchange of health information.
As an update to the 2016 Cures Act, the Department of Health and Human Services released two rules to facilitate access, use, and transmit their healthcare data. This update set the technical requirements for the development of user-friendly applications that will enable consumers to access and use their electronic health information in their medical record at no cost.
Improving Health Data Sharing
The CMS final rule on interoperability and patient access requires CMS-regulated payers to have “secure, standards-based” application programming interfaces (APIs). The rule enables patients to access claims, encounter, and cost data electronically through apps.
The CMS-regulated payers are the health plans serving Medicare Advantage, Medicaid and CHIP programs, as well as qualified health plans on the federal exchanges. The sole exceptions are stand-alone dental plans and plans in the federally facilitated Small Business Health Options Program (SHOP).
The newest bill also marked the first mental health reform in over 50 years. As part of the changes, the bill calls for revision and clarification of HIPAA privacy rules when family members and caregivers can receive health data on behalf of the patient, when that patient is unable to make the decision themselves. The law gives medical caregivers access to the protected health data so that they can use to their judgement.
On May 1st, 2020, the ONC published the Cures Act Final Rule in the Federal Register and, on April 5, 2021, the information blocking provisions of the rule went into effect requiring that all covered actors engage in information sharing or be subject to penalties (Pub. L. No. 114-255, Sect. 4004, 130 Stat. 1176 (2016)).
To ease compliance with new requirements, the Cures Act Final Rule allows an incremental approach. In other words, it starts with what is already easily shareable today. This allows more time for actors to develop and implement policies, processes, and technology for sharing more unstructured and non-standardized data.
What You Need To Know Now To Comply
Up until October 5th, 2022, the definition of electronic health information (EHI) is limited to the data elements represented in United States Core Data for Interoperability V1 (USCDI V1). This refers to an ONC standard that many providers and vendors already support today. It’s a requirement for numerous Centers for Medicare and Medicaid Services payment models and the ONC Health IT Certification Program.
However, starting on October 6, 2022, all actors—providers, certified health IT developers, and health information networks—will be expected to share all EHI, not just the data elements represented in USCDI V1 (45 C.F.R. Sect. 171.102; 45 C.F.R. Sect. 171.103). EHI beyond such data elements is typically non-standardized, heterogenous, and often not easily shareable. Thus, the rule allows some flexibility in how an actor can make EHI available in a variety of industry-standard formats. It can even, as a last resort, in a “machine-readable” format (45 C.F.R. Sect. 171.301).
Expanding the aperture of interoperability to include as much electronic information as possible will provide richer information . This will reduce the burden on patients of having to manually gather paper records from provider to provider. It will also open new horizons for modernization across the entire health care continuum.
Health care providers, health IT developers of certified health IT and HIEs/HINs should be aware that effective Oct. 6, 2022, however, the EHI will expand beyond the USCDI v1 to include all electronic protected health information (ePHI). This will extend to information that is a part of a designated record set, regardless of whether the records are used, maintained by, or for a covered entity, as defined by the Health Insurance Portability and Accountability Act (HIPAA). The below graphic from Healthcase IT News breaks down the new rule.
What’s to Come in Health Data Sharing
With all this new data in the patients’ hands, app developers are working to streamline the way patients and physicians interact. However, the FDA is not allowed to regulate mobile health applications — this is so that more innovative and low-risk technology can get to the patient’s hands at home. Despite the lack of FDA involvement, according to InsightAce Analytic, the global clinical-grade wearable market was worth USD$ 19.55 billion in 2021 and is predicted to reach USD$ 148.76 billion in 2030.
This is the other side of the coin: we’re talking about patient-entered or patient-produced data. Wearable clinical-grade medical devices are patient-worn smart devices with sensors and software. Such technology connects to the cloud to allow real-time data collection.
User-generated data seems to be the next frontier. Efforts in this area will continue to transform the patient-physician data exchange as well as patients’ views of the medical practice. As I wrote in a previous paper, “like the early stages of clinical trial designs in the 1960s and 1970s, these efforts will take time to properly form and develop in a meaningful way.
The future questions many will need to answer are the following: how to integrate, validate, and trust new data sources? This will be particularly relevant when large registry data conflict with traditionally accepted evidence-based medicine and research. An algorithm, a referee, or a validating mechanism will be needed to merge findings from these sources and inform clinical decision making. Ultimately, there is tremendous potential once natural biases are lifted and protocols are established.”
To remain competitive and relevant in modern practice, physicians and health systems must tackle and engage the implementation of big data and advanced applications for increasingly complex care. Therefore, the first step in the process is following the new guidelines on October 6th, 2022.
How Can Hakkoda Help
At Hakkoda, we handle the complexities of data and ensure your organization complies with new guidelines. Our big picture approach considers aspects such as data pipelines, speed, quality, and performance requirements for your organization.
We allow your company to scale on demand and embrace new changes and requirements with ease.