
Remembering the Real Stakeholders: Patient Privacy Rights Comments on the Proposed CMS Regulation Pursuant to the Cures Act

By Adrian Gropper and Deborah C. Peel

Electronic health records (EHRs) are a polarizing issue in health reform. In their current form, they are frustrating to many physicians and have failed to support cost improvements. The current round of federal intervention is proposed rulemaking pursuant to the 21st Century Cures Act that calls for penalties for “information blocking” and for technology that physicians and patients could use “without special effort.”

The proposed rules are over one thousand pages of technical jargon that aims to govern how one machine communicates with another when the content of the communication is personal and very valuable information about an individual. Healthcare is a challenging and unique industry when it comes to interoperability. Hospitals spend lavishly on EHRs and pursue information blocking as a means to manipulate the physicians and patients who might otherwise bypass the hospital on the way to health reform. The result is a broken market where physicians and patients directly control trillions of dollars in spending but have virtually zero market power over the technology that hospitals and payers operate as information brokers.

What follows below are comments by Patient Privacy Rights on the proposed rule. The common thread of our comments is the need to treat patients and physicians, not the data brokers, as the real stakeholders.

Comments to the ONC Rule

Overview: 21st Century health care innovation, policy, and practice are increasingly dependent on personal information. This is obvious with respect to machine learning and risk adjustment, but personal information is now central to the competitive strategy for most of the health care economy, clinical as well as research. ONC’s drafting of this rule reflects the importance of competition to innovation and cost containment.

The Proposed Rule skillfully addresses the pro-competitive essentials, but it leaves too much open to interpretation and delay by very wealthy and well-organized incumbents. The Patient Privacy Rights comments below endorse the structure and details of the Rule while pointing out ways to ensure that access to competitive services by clinicians on behalf of our patients is “without special effort” on the part of either the clinician or the patient, as soon as possible.

We state clearly and emphatically that the Rule should be left largely intact in its spirit and in most of its details.

Summary of Priority Goal: Clarify the scope and process of patient-directed interoperability

The common thread through almost all of PPR’s comments is to support and encourage patient-directed sharing via the mandated API as the foundation for meeting the pro-competitive goals of the 21st Century Cures Act “without special effort”. Patient-directed exchange inherently solves very difficult problems in patient matching, consent, and integration of sensitive information that cannot be shared under the HIPAA rules. Patient-directed exchange helps address the need for a patient-centered longitudinal patient record and provides a critical relief valve for both physicians and patients who simply need “the data to follow the patient”. Patient-directed exchange also informs how we will implement TEFCA and the various registries that can provide essential public health and health care innovation benefits.

Early versions of patient-directed sharing via API can make a visible and welcome impact for physicians and patients within 6 months of adoption of the final Regulation. That technical capability is already voluntarily enabled by some API Technology Suppliers and just needs to be mandated for adoption by API Data Providers. The timelines for standards development are long, but standards already exist for Dynamic Client Registration, Refresh Tokens, and User Managed Access. New competitors can adopt them immediately, and early adoption by CMS, VA, and other customers in the Federal Health Architecture can drive a competitive strategy.

Summary of Other Considerations:

21st Century health care innovation, policy, and practice are increasingly dependent on personal information, and the rate of progress is increasingly limited by how privacy and human dignity are respected in the use of personal data. This is obvious with respect to machine learning and risk adjustment, but personal information is now central to the competitive strategy for most of the health care economy. Privacy now dominates the rate at which technology and policy can progress.

The cost and burden of interoperability at scale are both reduced if we approach the problems from the patient and clinician perspective rather than the institutional:

  • Patient matching is a non-issue when information is shared with patient consent and transparency. Modern-day automated bank transaction APIs are a good example. Once set-up by the customer, money can flow automatically and on-demand without further customer action. Email and text messages are used to notify of transactions. All transactions are logged and accessible to the customer online. The costs are lower with the API and transactions process faster.
  • HIPAA is a floor but not sufficient, because it doesn’t cover the data originating in behavioral health practices on the sensitive end or the data originating in consumer mobile devices and wearables, which can also be quite sensitive. To avoid the limitations of HIPAA, we urge CMS to design interoperability on the basis of patient consent with full transparency to the patient. That also means patient notice and online accessible logs for all transactions, including treatment, payment, and operations. HIPAA’s exclusion of T/P/O transparency is not justified with modern Open APIs and adds unacceptable security risks as we expand the scope and scale of interoperability.
  • Designation of Providers should be without special effort for both the patient and the providers using the Open API. That means accelerating and enforcing the need for providers to include voluntary digital contact addresses in their NPI and Physician Compare files. Patients can automatically link the digital contact info to their consent. Providers can use their digital credentials to automatically register their API client without special effort. It is easier and less burdensome to drive interoperability on the basis of the HIPAA patient right to designate recipients.
  • Competition for Authorization Services would be the ultimate cost and burden reduction for large-scale interoperability. The Open API, including FHIR, can be configured to allow the patient to specify the authorization server to the API Data Provider. (See User Managed Access standard in 2019 ISA). Current FHIR API practice forces patients to use a separate authorization server for each API Data Provider. Managing consent at a dozen or more patient portals requires undue effort on the part of patients. Allowing the patient to specify the authorization server would give patients market power to choose their consent service competitively and provide a competitive basis for health information network providers that want to serve the patient.
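The following is an added illustration, not code from Patient Privacy Rights, the Rule, or any FHIR or UMA implementation, of what “the patient specifies the authorization server” means at the API Data Provider: instead of trusting one fixed authorization server for every patient, the resource server looks up which authorization server each patient designated and accepts only tokens that server signed. The two authorization-server URLs, the patient registry, the shared-secret keys and the dot-separated HMAC token format are all constructed for this example; real OAuth/UMA deployments use signed JWTs and keys discovered from the authorization server’s published metadata, which this offline example stands in for.

```python
"""Added example: a FHIR-style API Data Provider that honours a per-patient
designated authorization server (AS). All names, URLs, keys and the token
format are constructed for illustration, not taken from any standard."""
import base64
import hashlib
import hmac
import json
import time

# Constructed: two authorization servers a patient might designate. In a
# real deployment these keys would come from each AS's published metadata;
# shared secrets are used here only so the example runs offline.
AUTHZ_SERVERS = {
    "https://as.example-hospital.test": b"hospital-portal-secret",
    "https://concierge.example.test": b"patient-chosen-concierge-secret",
}

# Constructed: the AS each patient designated to this API Data Provider.
# Current practice hardcodes a single AS; this table is the difference.
PATIENT_DESIGNATED_AS = {
    "patient-001": "https://concierge.example.test",
    "patient-002": "https://as.example-hospital.test",
}

# Constructed identifier of this resource server (the expected audience).
RESOURCE_SERVER_ID = "https://fhir.example-hospital.test"


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(s: bytes) -> bytes:
    return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))


def issue_token(issuer, subject, scope, key, lifetime=300, now=None):
    """Mint a token as the designated AS would after the patient consents.
    Format (constructed): base64url(JSON claims) '.' base64url(HMAC-SHA256)."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": RESOURCE_SERVER_ID,
              "scope": scope, "exp": now + lifetime}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body, hashlib.sha256).digest())
    return (body + b"." + sig).decode()


def authorize(token, patient_id, requested_scope, now=None):
    """Resource-server decision for a request against patient_id's record.
    Returns (allowed, reason)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.encode().split(b".")
        claims = json.loads(_unb64(body))
    except ValueError:  # wrong number of parts, bad base64 or bad JSON
        return False, "malformed token"
    # 1. Bind trust to the AS this patient designated, not to any known AS.
    designated = PATIENT_DESIGNATED_AS.get(patient_id)
    if designated is None or claims.get("iss") != designated:
        return False, "issuer is not the patient's designated authorization server"
    # 2. Verify the signature with that AS's key (constant-time compare).
    expected = _b64(hmac.new(AUTHZ_SERVERS[designated], body, hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    # 3. Ordinary token hygiene: audience, subject, expiry, granted scope.
    if claims.get("aud") != RESOURCE_SERVER_ID:
        return False, "token not issued for this resource server"
    if claims.get("sub") != patient_id:
        return False, "token subject does not match requested record"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if requested_scope not in claims.get("scope", "").split():
        return False, "scope not granted"
    return True, "ok"


if __name__ == "__main__":
    key = AUTHZ_SERVERS["https://concierge.example.test"]
    tok = issue_token("https://concierge.example.test", "patient-001",
                      "patient/Observation.read", key)
    print(authorize(tok, "patient-001", "patient/Observation.read"))
```

The check that matters for the point above is step 1: a token from the hospital’s own portal is rejected for a patient who designated a different consent service, even though the hospital’s AS is otherwise trusted by the same resource server. Steps 2 and 3 are the checks any bearer-token resource server needs regardless of who runs the authorization server.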

The draft rules for interoperability (CMS, ONC, TEFCA, USCDI) run to over a thousand pages. Most of the complexity stems from a design that avoids the direct patient direction and transparency we expect from banking and other automated services. This approach fragments the patient and physician experience and poses privacy and security risks that may never be solved. On the other hand, an interoperability design based on patient-designated sharing with clinicians who voluntarily post their digital contact info (personal, group, or institution) works across the full range of patient data (behavioral, HIPAA, patient-generated) and provides patients and family caregivers the transparency and accountability over health services that we need. Allowing patients to specify their authorization server further simplifies things by enabling competition for the authorization service, a digital concierge, that would give market power to individuals and deliver the pro-competitive benefits the Rule seeks.



Adrian Gropper, MD, is the CTO of Patient Privacy Rights, a national organization representing 10.3 million patients and among the foremost open data advocates in the country. 

Deborah C. Peel, MD, is the Founder and President of Patient Privacy Rights.
