ONC’s Proposed Rule is a Breakthrough in Patient Empowerment

By Adrian Gropper

Imagine solving wicked problems of patient matching, consent, and a patient-centered longitudinal health record while also enabling a world of new healthcare services for patients and physicians to use. The long-awaited Notice of Proposed Rulemaking (NPRM) on information blocking from the Office of the National Coordinator for Health Information Technology (ONC) promises nothing less. 

Having data automatically follow the patient is a laudable goal but difficult for reasons of privacy, security, and institutional workflow. The privacy issues are clear if you use surveillance as the mechanism to follow the patient. Do patients know they’re under surveillance? By whom? Is there one surveillance agency or are there dozens in real-world practice? Can a patient choose who does the surveillance and which health encounters, including behavioral health, social relationships, location, and finance are excluded from the surveillance?

The security issues are pretty obvious if one uses the National Institute of Standards and Technology (NIST) definition of security versus privacy: Security breaches, as opposed to privacy breaches, are unintentional — typically the result of hacks or bugs in the system. Institutional workflow issues also pose a major difficulty due to the risk of taking responsibility for information coming into a practice from uncontrolled sources. Whose job is it to validate incoming information and potentially alter the workflow? Can this step be automated with acceptable risk?

It’s not hard to see how surveillance as the basis for health information sharing would be contentious and risk the trust that’s fundamental to both individual and public health. Nowhere is this more apparent than in the various legislative efforts currently underway to expand HIPAA to include behavioral health and social determinants of health, preempt state privacy laws, grant data brokers HIPAA Covered Entity status, and limit transparency of how personal data is privately used for “predictive analytics”, machine learning, and artificial intelligence.

For more on the latter, I recommend Shoshana Zuboff’s work on surveillance capitalism, nicely summarized in a Data and Society talk.

The conventional approach to dealing with the issues raised by a desire to have data follow the patient is to invent or conceive various forms of health information exchange (HIE). To the hospitals and their electronic health record (EHR) vendors, shifting the problem to a new and separate entity makes total sense since it transfers responsibility (and cost) for privacy, security, and some workflow issues to others and leaves them to focus on the institutional silo that they can manage and control. The physicians and patients will just have to deal with it. There has been over a decade of HIE “invention,” starting with the Markle Foundation in 2006, the Nationwide Health Information Network in 2007, HITECH in 2009, state HIE subsidies, more recently CommonWell and its EHR vendor-operated cousins, and most recently the Trusted Exchange Framework and Common Agreement (TEFCA) that is also in the current NPRM.

It’s hard to predict how changes to HIPAA or novel HIE frameworks will evolve, but patient empowerment, or the goal of a patient-controlled longitudinal health record, is hardly considered the desired outcome. Regardless of how one defines a longitudinal health record, we might agree that it should follow the patient by being accessible to the physicians and other caregivers designated by the patient “without special effort,” a phrase that appears on 34 different pages in the NPRM.

Throughout this post, words in bold are terms used in the NPRM or ONC fact sheets.

The NPRM specifies standards and practices that enable automation for how a certified health record system exposes an application programming interface (API) that the patient or patient designee can access. The definition of designee is the core of the breakthrough and is best understood via this paragraph on page 452:

“A fee based on electronic access by an individual or their personal representative, agent, or designee to the individual’s EHI, in contrast, would arise if an actor sought to impose on individuals, or their personal representatives, agents, or designees, a fee that operated as a toll for the provision of electronic access. For example, a health care provider that charges individuals a fee in order that the individuals be given access to their EHI via the health care provider’s patient portal or another mode of web-based delivery, would not be able to benefit from this exception. Similarly, where an individual authorizes a consumer-facing app to retrieve EHI on the individual’s behalf, it would be impermissible for an actor to charge the app or its developer a fee to access or use APIs that enable access to the individual’s EHI. This would be true whether the actor is a supplier of the API technology or an individual or entity that has deployed the API technology, such as a health care provider.”

The clarity of that last sentence is breathtaking. It augurs a solution to consent, patient matching, and workflow issues at once. Let’s examine the practices under the NPRM that combine to create this solution. To do that, it’s easiest to start from the workflow issue and work backward to patient matching and consent.

The workflow issue is really about money.

Whether a practice manages incoming health record information manually or automatically, the risks are significant and so are the costs. Take, for example, an abnormal lab result or radiologist’s impression on an incoming message. The practice has to check whether this is a new finding, decide if they are responsible for follow-up, and capture the decision within their EHR and their workflow. If they are subject to value-based payment, the follow-up can be a direct hit to the bottom line.

In any case, the follow-up will mean some risk and some out-of-pocket cost to the patient. By stating clearly that the designee can be a health care provider and their API technology, the NPRM is empowering the patient or their insurance to pay for the workflow costs they are creating. This effectively gives every patient the opportunity to pay for their longitudinal health record to be managed by anyone they choose, regardless of where they are actually receiving the majority of health care services. The standards and practices of the NPRM are designed to keep the cost of a patient-controlled longitudinal health record to a minimum, the same way that the mandated issuance of standard W2 and 1099 tax forms empowers a person to choose an accountant to process their income at reasonable cost.

Once the patient is empowered to designate and pay for the processor of their longitudinal health record, the potential providers have a financial incentive to install standard APIs with patient portals and even advanced features such as automation. Let’s refer to this as the designee patient portal – related to what the NPRM calls the API User – to distinguish it from the hospital patient portal – related to the NPRM’s API Data Provider.

Once the patient has access to both the designee patient portal and the hospital patient portal in a single standard transaction, the patient matching problem is solved. The patient is now responsible for the match. There is no cost or risk to either the designee or the hospital because both ends of the API transaction identified the patient however they want when they issued the patient a username and password to their respective patient portals. The importance of this from a privacy perspective cannot be overstated. Patient matching without patient involvement is the essence of involuntary surveillance. Recent efforts to improve the performance of probabilistic patient matching have introduced the concept of “referential matching” which employs surveillance by data brokers and credit bureaus beyond healthcare. It’s hard to imagine a more coercive and trust-eroding approach.

Finally, empowering the patient to link the API Data Provider to their designated API Data User provides an opportunity for consent. Although the specifics of what choices are offered to the patient and how they are labeled in an understandable, standardized manner still require work, the clarity and power of the patient designee in the NPRM is clearly a breakthrough in consent.

Under the information blocking mandate, ONC needs to interpret the meaning of “without special effort” in the 21st Century Cures Act.

Most of the NPRM seems designed to provide private-sector incentives to make the physician and patient experience as effortless as modern standards and technology allow. To get the patient-matching, consent, and workflow benefits described above, it is essential that patient engagement be limited by default. Designated health care providers should not be delayed by multi-step patient actions spread over five days before API access is enabled.

Ideally, all of the steps required for designee access should be built into the patient’s registration with a new health care provider, similar to how registration captures insurance information. For example, a registration kiosk could be integrated with the patient portal credentialing functions and complete “Dynamic Registration” with insurance, hospital, and other certified health IT system APIs in seconds. “Refresh tokens” associated with the API reduce both burden and cost by not asking the patient to redundantly enter their username and password. Apple Health and CMS Blue Button 2.0 have already demonstrated the utility of this feature of the current standards.

To enable the breakthrough of a cost-effective longitudinal patient record without imposing a government-run health records bureaucracy common in other rich economies, our regulators will also need to deal with the exploding number of patient and consumer portals. Fortunately, we have OAuth standards to deal with that as well. UMA (User Managed Access) on page 91 of the 2019 ONC Interoperability Standards Advisory is indirectly in the NPRM.

Thanks to bipartisan efforts to fix the frustrations and escalating costs of HITECH via the 21st Century Cures Act, and now the breakthrough regulation by HHS in this NPRM, we have light at the end of the Health IT tunnel.

Patients and patient designees as API Clients will use their power of the purse to revitalize and transform EHRs for both clinical and research uses. Now that a path to having data follow the patient is in hand, it will be critical that Medicare, VA, NIH All of Us, and the Office for Civil Rights follow through by example and by enforcement to empower patients as the foundation for a globally competitive US health care system.


Adrian Gropper, MD, is the CTO of Patient Privacy Rights, a national organization representing 10.3 million patients and among the foremost open data advocates in the country. 
