
HIMSS22: Regulatory picture around healthcare data sharing still evolving

Guidance from CMS and other government agencies outlines what various actors are required to share and what constitutes information blocking.

Jeff Lagasse, Editor

Jeff Coughlin, senior government relations director at HIMSS, left, and Dr. Steven Lane, clinical informatics director at the Sutter Health Palo Alto Medical Foundation, speak Monday at HIMSS22 in Orlando.

Photo: Jeff Lagasse/Healthcare Finance News

ORLANDO, Fla. – Healthcare information technology now enables personal health information, or PHI, to be accessed immediately and directly by patients, but there are complex regulatory requirements around the sharing of patient data that affect all parties – physicians, payers and the patients themselves. 

The Trusted Exchange Framework and Common Agreement (TEFCA), which is moving forward and expected to be implemented soon, is aimed at providing clarity regarding information sharing and what constitutes information blocking. For the time being, guidance from the Centers for Medicare and Medicaid Services largely dictates what constitutes proper information-exchange behavior, with HIPAA and the 21st Century Cures Act acting as a sort of North Star.

Dr. Steven Lane, clinical informatics director at the Sutter Health Palo Alto Medical Foundation, and Jeff Coughlin, senior government relations director at HIMSS, Healthcare Finance News' parent company, sought to clarify some of these issues during their session, "A New Level of Openness Equals a New Level of Care," Monday at the HIMSS22 annual conference in Orlando.

"Physicians were early to this process, sharing data amongst ourselves and our patients, but now there are additional entities coming in, trying to leverage the efficiencies of interoperability," said Lane. "It's gotten to be a crowded field. It's not just about us being able to exchange data amongst each other."

Interoperability tools and networks continue to evolve and improve the methods for data sharing. That means other actors, such as healthcare payers and patient relatives and advocates, need to be considered when crafting a comprehensive regulatory environment.

That's where CMS and the Office of the National Coordinator for Health Information Technology (ONC) come in. To date, they've focused largely on regulations meant to reduce the burden on the physician community and to address payers attempting to access information from other payers.

The regulations stipulate new API requirements so that patients can access all their electronic health information, whether it's structured or unstructured. They also support innovation and competition, according to Coughlin.

"What ONC is trying to promote is giving patients safe and secure access, but also allowing new tools to come into the market to allow for more options, more care and more treatment," he said.

That push started with CMS during the Trump administration. 

"It has been a couple of years since implementation," said Coughlin. "So, much of the work from the Biden administration has been to build on that – more secure APIs for more secure data exchange processes."

What CMS has communicated over the past couple of months is the direction the agency is likely headed in the future, with more robust healthcare directories and how they can better promote interoperability. The Trusted Exchange Framework and Common Agreement is poised to streamline processes around prior authorization to make it less burdensome for both patients and providers.

"There's this urban legend that interoperability isn't happening, that it doesn't work," said Lane. "And for doctors, it can be frustrating. But there are these iterative changes going on in our world that HHS, through CMS, is really pushing forward. We are seeing these dramatic changes that don't have an immediate effect on our world, but a lot of these are working in the background, and as the market evolves, we're going to see a whole lot of new things coming online."

As the regulatory picture evolves, what various actors need to keep in mind is what constitutes information blocking and what doesn't. Regulated actors, including physicians, are required to share all data under USCDI version 1; some of the data that must be shared upon request is the full electronic health API. Come October, all electronic health information will be required to be shared upon request without undue delays. 

"We're kind of in a gray zone currently in terms of the actual enforcement of information blocking," said Coughlin. "The regulation is still pending a final rule. We could be getting the final regulation any day now. The regulation would be effective 60 days after being published."

In the meantime, there's some leeway when it comes to what's considered information blocking. It's acceptable, for example, if a patient actively requests a delay in access, perhaps because they may want to speak to their provider before accessing the data. It's also unlikely to be considered information blocking if the delay is necessary; what's not acceptable is to have systems in place that consistently delay access.

Many of these issues will be addressed when TEFCA becomes a reality.

"It's complex, and still evolving, but it is proceeding," said Coughlin.
 

Twitter: @JELagasse
Email the writer: jeff.lagasse@himssmedia.com
