Interoperability rules risk patient privacy, say insurers, hospitals

Health information will be transferred outside the protection of federal privacy laws, with information bought and sold on open market, AHIP says.

Susan Morse, Managing Editor

Both insurer and hospital organizations have expressed concern that the new interoperability rules released on Monday are a risk to patient privacy.

Two final regulations promote interoperability, health information exchange and patient access to health information. They state that payers and health systems can no longer engage in information blocking and must use an API to give patients access to their data.

America's Health Insurance Plans said it remains "gravely concerned" that patient privacy will be at risk under the new interoperability rules. Health information will be transferred outside the protections of federal privacy laws, with information bought and sold on the open market, AHIP said.

The American Hospital Association said the rules allow patients to access their health information through third party apps, which are not under the same stringent privacy and security requirements as hospitals.

"This could lead to third party apps using personal health information in ways in which patients are unaware," AHA President and CEO Rick Pollack said.


Tom Leary, vice president of Government Relations at HIMSS, the parent company of Healthcare Finance News, said there's anxiety in the provider and hospital community about being seen as information blockers if they don't share apps with every patient. They were hoping CMS would have backed off the requirement that it be a condition of participation in the Medicare and Medicaid programs.

AHIP said insurers share HHS's vision for expanded consumer data access. But when it comes to transparency in healthcare, patients overwhelmingly want clear, concise and customized information and for their privacy to be protected.

Jeff Coughlin, senior director, Federal and State Affairs at HIMSS, said the overarching idea is that patients are in control of their data, something that's been talked about for a long time.

Americans live on their phones, advocates say, and the rules give them access through their smartphones.

Connected Health Initiative Executive Director Morgan Reed said, "Americans manage their lives on the smartphone via apps, and health information should be no different."

Although consumers have had the legal right to obtain a copy of their personal health information for two decades, many people face obstacles in getting that information.

NAACOS President and CEO Clif Gaus said the sharing of electronic notifications of a patient's admission, discharge, and/or transfer is a win for better population health management.

"With this change, ACOs can learn when one of their patients enters or leaves the hospital, allowing that patient's primary clinician to step in and provide appropriate, well-coordinated care."


The Department of Health and Human Services' Office of the National Coordinator for Health Information Technology and Centers for Medicare and Medicaid Services finalized the rules to promote electronic health information exchange.

The Centers for Medicare and Medicaid Services released a final rule on interoperability and patient access and the ONC released a final rule on interoperability, information blocking, and the ONC Health IT Certification Program.

The CMS final rule requires Medicare Advantage organizations, state Medicaid and Children's Health Insurance Program fee-for-service programs, Medicaid managed care plans, CHIP managed care entities, and qualified health plan issuers in the federally facilitated exchanges to implement the same API standards as the ONC rule by 2021.

Among other provisions, the CMS rule requires Medicare-participating acute-care hospitals, long-term care hospitals, inpatient rehabilitation facilities, psychiatric hospitals, children's hospitals, cancer hospitals, and critical access hospitals to send electronic notifications to receiving providers when an inpatient is admitted, discharged or transferred. This requirement will go into effect six months after publication of the final rule.

The ONC final rule implements the information blocking provisions of the 21st Century Cures Act by outlining exceptions to the definition of information blocking under the law.

The rule also updates the 2015 Edition certification criteria for health information systems to ensure that certified health IT systems can send and receive electronic health information in a structured format; make that electronic health information available through application programming interfaces; and export a patient's electronic health information to a location designated by the patient.

The proposed rules were released last year from the Office of the National Coordinator and Centers for Medicare and Medicaid Services implementing the 21st Century Cures Act's provisions on information blocking and interoperability.


"We remain gravely concerned that patient privacy will still be at risk when healthcare information is transferred outside the protections of federal patient privacy laws. Individually identifiable health care information can readily be bought and sold on the open market and combined with other personal health data by unknown and potentially bad actors. Consumers will ultimately have no control over what data the app developers sell, to whom or for how long," said Matt Eyles, president and CEO of AHIP.

"America's hospitals and health systems support giving patients greater access and control over their health data," said AHA President and CEO Rick Pollack. "In fact, nearly all hospitals and health systems have made health information available to patients electronically. However, today's final rule fails to protect consumers' most sensitive information about their personal health. The rule lacks the necessary guardrails to protect consumers from actors such as third party apps that are not required to meet the same stringent privacy and security requirements as hospitals. This could lead to third party apps using personal health information in ways in which patients are unaware. These guidelines are too important not to get right. We need to stand on the side of the patient by protecting patient privacy and strengthening security in this rule."

"The AMA has been advocating on behalf of physicians and patients for over 10 years to ensure EHR usability, interoperability, and patient data and safety are top concerns when government agencies develop new policies," said American Medical Association President Dr. Patrice A. Harris. "We applied this knowledge and momentum as we worked with CMS and ONC in anticipation of today's release of the final rule."

Twitter: @SusanJMorse