The U.S. Department of Health and Human Services is preparing to change the rules on how medical records are shared, and former Governor Tommy Thompson is worried.
In a Wisconsin State Journal op-ed last week, Thompson, who headed HHS under former President George W. Bush, wrote that “the requirements threaten the booming healthcare tech economy that helps all of Wisconsin.”
It’s not yet clear exactly what the new rules will require of health information technology companies like Verona medical records software giant Epic Systems. The proposed rules announced last February called on the healthcare industry to “adopt standardized application programming interfaces (APIs)” to allow individuals to access electronic health records through third-party smartphone applications.
In statement to the Cap Times, Epic Systems executive Sumit Rana said the proposed rules would require Epic and other electronic health records companies to “share their intellectual property with venture capitalists and others seeking to monetize patient data.
“It threatens patient and family privacy if privacy regulations for app vendors aren’t in place before the rule begins,” Rana said. “The rule would hurt the thriving health IT sector here in Wisconsin and consequently endangers the economy of the state.”
The Office of the National Coordinator for Health Information Technology, meanwhile, asserts that the change would “increase innovation and competition by giving patients and their healthcare providers secure access to health information and new tools, allowing for more choice in care and treatment.” The office provides voluntary certification for health information technology.
Making records play nice
The new rule would require that companies seeking to maintain their certification make health records more “interoperable,” allowing different health information systems to share patient data across clinics, hospitals, pharmacies and labs, as well as allowing patients themselves to access their health data through smartphone applications like Apple Health.
The nonprofit Healthcare Information and Management Systems Society, Inc. has backed the move toward interoperability, issuing a 2017 “Call to Action” on the matter. “We must achieve secure, appropriate, and ubiquitous data access and electronic exchange of health information,” the document reads. “Now is the time for bold action.”
The concept is nothing new, said Nick Hatt, senior developer at Redox. The company, which was founded in Madison in 2014 by a former Epic employee, makes a business out of “simplifying how healthcare shares data.”
The 21st Century Cures Act, passed in 2016, prohibited health IT companies from anticompetitive “information blocking,” but the new rule would clarify what that entails. The February 2019 proposal offers seven exceptions under which such companies may block a patient’s information from being shared, including when sharing the information could harm a person or violate a patient’s privacy. The proposed rule also allows for companies to charge a fee for sharing “for reasonable costs incurred,” and it allows companies to license their products in order to protect their intellectual property.
The February proposal also requires certified health IT companies to offer the ability to export the full medical record for a single patient or for all of a provider’s patients, a feature intended to give patients more access to their records and to allow providers to switch to a new IT system if needed.
"A positive light”
Hatt said Redox views the new requirements “in a positive light.”
“It’s going to allow people to take their records with them in a digital format in a way we’ve never seen before,” Hatt said.
Dr. David Kunstman, associate chief medical information officer for ambulatory care at UW Health, did not discuss the proposed rule with the Cap Times but said when medical records transfer easily and electronically, patients and doctors benefit.
Kunstman, who spends about half his time working as a primary care doctor, noted that when patients change employers or insurance plans, they often change doctors. At UW Health, which uses Epic for its records, he’s able to easily transfer records for any patient coming from another provider that uses Epic. “It makes my job a lot easier because I don’t have to repeat basically everything,” Kunstman said.
For other patients, it’s another story, Kunstman said. “We still do it the old-fashioned way. We still request records, they show up on paper, we scan those into the chart,” a process that Kunstman said typically takes about three weeks. “Instantaneous versus three weeks.”
Until he gets the records, he’s left to guess about the patient’s medical history. “Usually somebody shows up at my door — a brand new patient — and they remember that they had something done but they’re not really quite sure what.” In one recent case, a patient knew he’d had heart surgery but didn’t know just what was done. Reviewing prior notes in the patient’s record, Kunstman was able to gather the details he needed.
Kunstman appreciates the ease with which he can transfer records among Epic customers using Epic’s Care Everywhere functionality. “If more folks could be on those standards, it would certainly be helpful,” he said.
A threat from Silicon Valley?
Hatt thinks it’s “too early to tell” whether former Gov. Thompson is right about the threat to Epic, but he noted that the new rule would affect Epic and its competitors in the health records industry equally. The rule won’t allow some Silicon Valley tech company to require Epic to turn over all its records, he said, noting that health privacy laws still govern these data exchanges.
“It’s not designed to help the big tech companies get more data and take over and displace people,” Hatt said. “It really is centered around the patient and what the patient can do. It’s about patient access to data.”
But, he said, the rule will place a heavy compliance burden on big companies like Epic. As for startups, he said, “it’s kind of like a knife that cuts both ways,” as it could give new opportunities to developers who can offer new health-related apps. But any startup charged with information blocking could face steep fines if found in violation.
Hatt believes that the more stringent certification requirements are likely to consolidate the industry, a trend he's been tracking over the last decade. “Some firms have done really well,” Hatt said. “It’s hard to say what the effects will be.”
Speak now, or …
Companies like Epic were given ample opportunity to comment on the proposal, said regulation attorney Amy S. Leopard. HHS planned for a three-month comment period and then extended that period for an additional month in response to the thousands of responses it had received, a move Leopard called “unusual.” The extended period ended on June 3, 2019.
Leopard, who submitted comment on the rules on behalf of clients — mainly healthcare providers — and professional organizations, described a “hip hip hooray,” response. “Everybody seems excited about APIs and how to safely and securely direct patient information,” Leopard said.
She’s heard concerns, but they’ve focused less on intellectual property and more on patient privacy and data security. “Everybody is in favor of innovation and automation,” Leopard said. “How do we do it in a way that’s as good stewards of patient information?”
HHS did not respond to requests for comment before publication and has not announced when the new rules will be released, but Leopard said she’s hearing rumblings that the move is “right around the corner.” When the announcement is made, she said, it will likely be 60 days before the rules go into effect, and some rules that would be more difficult to implement may come with their own timetables.
Until then, she’s waiting to see how the flood of feedback shapes the new version of the rules. “It’s hard to say whether it’s good or bad until you see the final pudding,” Leopard said.