Let’s give the Office of the National Coordinator (ONC) credit for trying. In what’s arguably the first significant piece of policymaking, the newly Republican HHS issued a draft Trusted Exchange Framework and Common Agreement (TEFCA) that aims to implement the massively bipartisan 21st Century Cures Act mandate to end information blocking. Are they succeeding?
Why should you care? After almost a decade and many tens of billions of dollars spent on health information technology, neither physicians nor patients have access to a longitudinal health record, transparency of quality or cost, access to independent decision support, or even the ability to know what their out-of-pocket cost is going to be. After eight years of regulation, precious little benefit has trickled down to patients and physicians. This post looks at the TEFCA proposal from the patient experience perspective.
The patient perspective matters because, under HIPAA, patients do not have a choice about how our data is accessed or used. This has led to information blocking as hospitals and EHR vendors slow-walk the ability of patients to direct data to information services we choose. Patients lost the “right of consent” in 2002. This puts a regulation-shy administration in a quandary: How do they regulate to implement Cures, when current HIPAA and HITECH-era regulations give all of the power to provider institutions bent on locking in patients as key to value-based compensation?
As regulations go, the draft TEFCA is an interesting design. It’s “voluntary” but it tries to consolidate as much power as possible into a single, ONC-selected, private Recognized Coordinating Entity (RCE). The ONC / RCE hybrid is like the nationalized health record systems in England or other rich nations: patients are tracked across all participating providers; a government-controlled entity collects personal information and controls who gets to access your information. The big question is, do patients really have a choice?
The draft regulation seems vague with respect to Consent. On page 37:
6.1.6 Consent. If and to the extent that Applicable Law requires that an individual’s consent to the Use or Disclosure of his or her EHI, the Participant of a Qualified HIN (or the End User of such a Participant) that has a direct relationship with the individual shall be responsible for obtaining and maintaining the consent of the individual (each a “Qualified HIN’s Consenting Individual”) consistent with the applicable requirements. Each Qualified HIN shall specify such responsibility in its Participant Agreements. Each Qualified HIN shall require its Participants to provide the Qualified HIN with a copy of each consent of a Qualified HIN’s consenting individual and the Qualified HIN shall maintain copies of such consents and make them available electronically to any other Qualified HIN upon request.
suggests that HIPAA’s lack of consent means you can’t opt out, whereas on page 43:
7.2 Individual Requests for No Data Exchange. Each Qualified HIN shall provide a method for individuals who do not wish to have their EHI exchanged and post instructions on its public website for both recording and communicating such requests to the Qualified HIN at no charge to the individuals. Each Qualified HIN shall process all requests from individuals or from Participants on behalf of individuals in a timely manner and ensure that such requests are honored by all other Qualified HINs on a prospective basis. As a HIPAA Business Associate, the Qualified HIN must also enable a Covered Entity to process the request consistent with the right of an individual to request restriction of Uses and Disclosures.
the right to opt out is not qualified by HIPAA (emphasis added).
The voluntary aspect of TEFCA does allow patients to avoid surveillance if they can find providers that will treat them without requiring ID and maybe also avoid sharing information with the RCE Framework. HIPAA Covered Entities (hospitals, medical practices, labs,…) would still be subject to requests for patient-directed exchange such as specified by HEAlth Relationship Trust (HEART), but TEFCA is silent on this patient-centered alternative.
An optimistic interpretation of the draft TEFCA suggests a good patient experience with every provider giving every patient a choice of surveillance they don’t control (a kind of auto-pilot for privacy) vs. directed exchange based on policies they inherit from any source they trust. Policies they can change if they choose. Patient-directed exchange would prove safer for some patients and riskier for others but, other than the added engagement needed to rarely manage consents, the user experience would be the same for either choice. Many patients will have some records in both systems but the patient-directed system would, logically, have more complete records because it could aggregate records accessed from the RCE Framework with the more sensitive records accessed via patient-directed exchange.
A pessimistic interpretation of the draft TEFCA would have ONC allow a more complicated user experience for patient-directed exchange. Providers would be able to ignore HEART essentials like Dynamic Client Registration and Refresh Tokens [page 41]. They would be allowed to delay patient-directed access by days. They could make the process of registering a patient’s HEART authorization server different for each provider, etc. It all depends on how ONC decides to interpret information blocking.
The HEART workgroup, co-chaired by ONC, has run for about two years and delivered its mandate as much as it can absent participation by providers. So far, neither SMART, nor Argonaut, nor CMS BlueButton on FHIR, nor VA, nor All of Us, nor any major HIPAA Covered Entity has seen fit to participate in HEART. As a result, a user-directed exchange experience is not available to patients to match the way Open.Epic already allows live API access to over 60 medical centers.
In conclusion, let’s give ONC high marks for trying and hope the final version of TEFCA and subsequent enforcement will provide a patient-directed exchange user experience that makes the government-controlled exchange alternative compete for the patient’s trust. Some of these questions might be answered at the next ONC informational webinar on January 19. Comments on the draft TEFCA are open until February 20.
Adrian Gropper is CTO at Patient Privacy Rights