Two federal agencies have proposed rules pertaining to health information technology that will have a significant impact on the exchange, access and use of all health care data. While there are elements in both that deserve support, there are also several problems—particularly when it comes to patient privacy.
As proposed, the rules would shift the paradigm from permitting data sharing to requiring that data be shared—including with third parties who would be under no obligation to keep the information private.
“The proposed rules are complicated, intertwined and may result in a patient’s information being shared with third parties in a way that patient didn’t foresee or want,” said AMA Immediate Past President Barbara L. McAneny, MD, an oncologist in private practice in Albuquerque, New Mexico.
The AMA is committed to making technology an asset in the delivery of health care, not a burden.
One proposal comes from the Office of the National Coordinator for Health IT (ONC) and covers the agency’s potential new health IT certification requirements, as well as the information-blocking provisions from the 21st Century Cures Act.
The other proposal, which comes from the Centers for Medicare & Medicaid Services (CMS), seeks to spur health IT interoperability and promote a patient’s access to the information their health plan has about them, including claims information.
While these proposals include laudable goals, they could result in patient data being sold, marketed or traded. The AMA is calling for controls to be instituted that establish transparency as to how health information is being used, who is using it, and how to prevent the profiteering of patients’ data.
“Once the information is out there, it’s virtually impossible to get it back,” Dr. McAneny said. “The technological capability to implement these controls exists. If ONC doesn’t implement controls, it is making a policy decision to not prioritize privacy.”
ONC's proposals give software applications and their developers protections and benefits equal to those enjoyed by patients. The AMA cautions that smartphone apps share sensitive health information with third parties, often without an individual's knowledge. Much of this information can end up in the hands of data brokers or be used for advertising and marketing.
Most patients will not be aware of who has access to the information, how and why they received it, and how it is being used. For example, an app may collect or use information for its own purposes, such as an insurer using health information to limit or exclude coverage for certain services, or may sell information to clients such as to an employer.
Data being used in this way may ultimately erode patients’ privacy and their willingness to disclose information to their physicians, noted AMA Executive Vice President and CEO James L. Madara, MD, in a letter to National Coordinator Don Rucker, MD.
Similarly, in a letter to CMS Administrator Seema Verma, Dr. Madara notes that “the AMA appreciates many of CMS’ proposals,” but has several concerns related to patient privacy, payer-to-to payer exchange of clinical data, and “unfettered” payer access to data contained in EHRs.
“Historically, payers have only had access to clinical information when necessary for payment,” Dr. Madara’s letter states. “Physicians have acted as ‘gatekeepers’ to determine what information is necessary for each individual to be covered and for the physician to be paid.” Payers could use CMS and ONC’s proposals to demand patients’ medical information and circumvent a physician’s clinical decision-making.
Physicians take data stewardship very seriously. Removing physicians’ ability to safeguard patient data could have “negative downstream consequences for patients and physicians,” that would delay needed care, Dr. Madara writes.
To prevent this, payers should attest that the clinical data they exchange with another health plan cannot be used as a basis to deny or delay coverage, increase rates, or implement step therapy. This attestation should be posted on the company’s website and displayed in coverage documents.
CMS also should restrict payers from conditioning physician participation in a plan based on whether a doctor will grant the payer electronic access to the practice’s EHR.
Final rules are expected in the late fall. The AMA has recommended that ONC first release a document that clarifies questions that have been raised regarding the proposed rule. That would give the agency flexibility to finalize certain aspects of the rule while still refining others.