Power to the Patient: Our Record, Our Right, Our Choice

Steven Posnack, M.S., M.H.S. Deputy National Coordinator for Health Information Technology | March 12, 2020

On Monday, March 9th 2020, the Office of the National Coordinator for Health Information Technology (ONC) released the long-awaited final rule to address information blocking and update the ONC Health IT Certification Program as directed by Congress through the 21st Century Cures Act of 2016 (the Cures Act).

As a patient, a caregiver for two kids, and an only child preparing to care for aging parents, I look forward to being able to access our medical records and manage our health with the ease and convenience I already experience in most of the economy outside of health care. With ONC’s Cures Act Final Rule, we are one step closer to making that happen. Soon, you will gain a greater ability to electronically access, exchange, and use your electronic health information (EHI) via internet-enabled devices (such as your smartphone).

Powered by the United States Core Data for Interoperability (USCDI), secure, standards-based application programming interfaces (APIs) (“certified APIs”) will stimulate the development of new patient-focused care models, price transparency insights, and a bunch of other tools to help take the hassle out of health care. In other words, you’ll be able to use your smartphone to actually be smart about your health.

As patients, we need to be able to securely access our data any time we want via an app of our choice. It all starts with trust though, which in our context is built with a combination of organizational and business practices, laws, relationships, and literacy about data practices. ONC’s final rule includes specific technical requirements to empower individuals with choice. It also includes provisions that allow “actors” regulated by the information blocking rule (“IB actors”) to educate and advise individuals about privacy and security risks posed by third-party applications (“apps”).


While the final rule paves the way for all of us to more easily access our health data, let’s make one thing clear. It’s your choice to determine which third-party’s service or app you want your healthcare provider to share your data with – if at all. You have to connect your chosen app, prove to your provider you are who you say you are (i.e., “authenticate” yourself), and then approve (“authorize”) the transmission of some or all of your USCDI data to your app. But you also need to make sure that the third-party’s policies and data practices meet your expectations, especially because once this data is outside your health care provider’s hands it will not be covered by the Health Insurance Portability and Accountability Act (HIPAA) Rules.

What’s allowed under information blocking?

The final rule allows for and encourages IB actors to provide you with information that can help you select, use, and trust apps. While IB actors may implement certain practices to inform you about the privacy and security risks of third-party apps, they may not prevent you from making your own decisions, including sharing your data with a particular app.

So long as IB actors provide you with factually accurate, objective, unbiased, fair, and non-discriminatory information, they will likely avoid “interfering with” your ability to access your health data via patient portals, apps, or through other means (and, thus, likely would not be considered engaging in a practice that could be considered information blocking).

For example, an IB actor is permitted to establish a process where it first asks third-party app developers (before any patient uses their apps) to attest “yes” or “no” as to whether they have a privacy policy and, if so, whether such policy meets certain market-led “best practices.” Once the IB actor records this upfront attestation, it may display a warning to you that highlights how the app developer responded in order to inform your decision to continue. This kind of warning, for instance, could be positioned to inform you that the app with which you’re about to share your data doesn’t have a privacy policy. Well-placed educational interventions like this can help people stop and think twice before sharing their data with an app. The final rule’s preamble covers these practices in detail along with this fact sheet.

Let’s talk tech

In response to the Cures Act, we’ve adopted a new secure, standards-based API certification criterion. This certification criterion includes references to industry consensus data and security standards, including HL7® FHIR®, the SMART App Launch Implementation Guide, OpenID Connect, and OAuth 2. (OAuth 2 is a security standard you may have never heard of but have probably already used many times with your smartphone and the internet.) Moreover, from a security perspective, health care providers will be able to use audit logs to track a number of different dimensions like which patients used which apps and approved which data to be transmitted. Tracking this information and the disclosures made via certified APIs can offer health care providers several different insights too, ranging from which apps and data are most popular among their patients to detecting abnormal usage patterns and malicious activity.

Over the next two years as health IT software developers design and roll out certified APIs, your health care provider’s health IT will have the ability to establish a secure connection with apps you choose, authenticate you to that provider, and present you with options for the scope of data you wish to approve your app to receive. Once implemented, certified APIs will allow for an automated, electronic process that enhances convenience for patients and poses little to no additional administrative burden for health care providers.
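The two paragraphs above mention two security-relevant pieces of a certified API: the patient approves a scope of data for an app, and the provider keeps audit logs that can reveal abnormal usage. The script below is an added illustration of both, written for this post; it is not ONC’s code, not part of any certified health IT product, and not a FHIR AuditEvent or SMART App Launch reference implementation. The log records, their field names (`app`, `token_patient`, `record_patient`, `resource`, `action`, `scopes`, `status`), and the review thresholds are all constructed for the example; the scope strings follow the SMART-style `patient/<Resource>.<read|write>` pattern with `*` wildcards. It checks each logged request against the scope the patient approved, flags successful reads of another patient’s record, flags apps touching an unusual number of patients, and produces the benign “most popular apps” count the post mentions.

```python
import json
from collections import Counter, defaultdict

# Constructed sample audit records, one JSON object per line. The field names
# are hypothetical and chosen for this example only; they are not a certified
# API, FHIR AuditEvent, or SMART App Launch schema.
SAMPLE_LOG = """\
{"ts":"2020-03-12T09:00:01Z","app":"wellness-tracker","token_patient":"p001","record_patient":"p001","resource":"Observation","action":"read","scopes":["patient/Observation.read"],"status":"ok"}
{"ts":"2020-03-12T09:00:02Z","app":"wellness-tracker","token_patient":"p001","record_patient":"p001","resource":"MedicationRequest","action":"read","scopes":["patient/Observation.read"],"status":"denied"}
{"ts":"2020-03-12T09:05:10Z","app":"price-compare","token_patient":"p002","record_patient":"p002","resource":"Encounter","action":"read","scopes":["patient/*.read"],"status":"ok"}
{"ts":"2020-03-12T09:06:00Z","app":"price-compare","token_patient":"p002","record_patient":"p003","resource":"Encounter","action":"read","scopes":["patient/*.read"],"status":"ok"}
{"ts":"2020-03-12T09:07:00Z","app":"aggregator","token_patient":"p010","record_patient":"p010","resource":"Patient","action":"read","scopes":["patient/Patient.read"],"status":"ok"}
{"ts":"2020-03-12T09:07:01Z","app":"aggregator","token_patient":"p011","record_patient":"p011","resource":"Patient","action":"read","scopes":["patient/Patient.read"],"status":"ok"}
{"ts":"2020-03-12T09:07:02Z","app":"aggregator","token_patient":"p012","record_patient":"p012","resource":"Patient","action":"read","scopes":["patient/Patient.read"],"status":"ok"}
"""


def parse_log(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def scope_permits(scopes, resource, action):
    """True if any SMART-style patient scope covers the access.

    Scopes look like patient/<Resource>.<action>; '*' is a wildcard in either
    position. Non-patient scopes (openid, fhirUser, ...) grant no data access.
    """
    for scope in scopes:
        if not scope.startswith("patient/"):
            continue
        res, _, act = scope[len("patient/"):].partition(".")
        if res in ("*", resource) and act in ("*", action):
            return True
    return False


def find_out_of_scope(records):
    """Requests beyond what the patient approved, whether or not the server
    denied them. A denied request is still worth noticing: it shows an app
    asking for data its user never authorized."""
    return [r for r in records
            if not scope_permits(r["scopes"], r["resource"], r["action"])]


def find_cross_patient(records):
    """Successful reads where the record belongs to a patient other than the
    one who authorized the token. A correct server never allows this, so any
    hit is a server-side defect or a misconfigured deployment to investigate."""
    return [r for r in records
            if r["status"] == "ok" and r["token_patient"] != r["record_patient"]]


def find_high_fanout(records, max_patients=2):
    """Apps that touched more distinct patients than a threshold.

    The threshold is hypothetical and tiny to suit the sample; a real
    deployment would use a rate per time window and a per-app baseline.
    """
    per_app = defaultdict(set)
    for r in records:
        if r["status"] == "ok":
            per_app[r["app"]].add(r["token_patient"])
    return {app: len(pats) for app, pats in per_app.items() if len(pats) > max_patients}


def usage_report(records):
    """The benign insight the post mentions: which apps patients use most."""
    return Counter(r["app"] for r in records if r["status"] == "ok").most_common()


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("out of scope:", [(r["app"], r["resource"]) for r in find_out_of_scope(recs)])
    print("cross-patient:", [(r["app"], r["token_patient"], r["record_patient"])
                             for r in find_cross_patient(recs)])
    print("high fan-out:", find_high_fanout(recs))
    print("usage:", usage_report(recs))
```

On the sample data the scope check flags the `wellness-tracker` request for `MedicationRequest` (the patient only approved `Observation`), the cross-patient check flags `price-compare` reading `p003` with a token issued to `p002`, and the fan-out check flags `aggregator`. The design point is that scope enforcement happens at the API when the request arrives, while the audit log is what lets a provider see, after the fact, which apps keep asking for more than their users approved.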

Our dialogue needs to continue on secondary uses

While the final rule we released on Monday represents a big step forward, our work’s not done. From patients to Congress and everyone in between, we as a health care community need to discuss what protections should be applied to health data when it’s held by individuals and entities – beyond just the third-party apps patients use – that are not covered by the HIPAA Rules. Indeed, we need to broaden this dialogue to cover more than just health data in the traditional sense. We must also consider the data we generate throughout the day about our health like search, online purchases, and geolocation since companies potentially unknown to us can use that data to infer a lot about our health.


Some possible protections that could be required for this growing group include: more public-facing transparency requirements, such as publicly accessible privacy policies and plain language versions; upfront statements about whether and how data may be provided to others, including whether it may be sold; and express consents for all or particular types of data uses and reuses. Ultimately, these kinds of rules of the road need to be something that is well understood and consistently followed. In 2016, we submitted a Congressional report about “non-covered entities,” which still remains relevant today, and the National Committee on Vital and Health Statistics (NCVHS), one of HHS’ federal advisory committees, also published two reports on this issue in 2017 and 2019.

Our dialogue needs to continue, inclusive of patient voices and preferences, and ONC is ready to bring our ideas to the table.