How the Law Holds Back Data Exchange in Healthcare

There are several legal barriers to true “interoperability” in the sense that policymakers use the word. Generally, when a member of the executive or legislative branch talks about an interoperable health IT ecosystem, they mean one in which the patient essentially has a single record that they can carry with them from one shop to the next without any real data migrations mapping issues. They also envision a universe where data flows so freely it enables predictive analytics and the ability to do things like intervene in outbreaks. There are a ton of barriers to this vision: the most important are cultural, others are business, and others still are technical.

That said, the legal ones are squarely within our control, but in some cases, continue to act as a continuing irritant.  1) The lack of a national patient identifier confuses our software when it looks at patients with similar identifiers, 2) property rights are not aligned with the government’s vision, and 3) the law that is meant to really push the free exchange of data is still only partially implemented.

First, the United States should repeal its ban against using federal funds to establish national patient identifier. Despite repeated attempts to repeal the ban against implementing a national patient identifier, it is still with us. In short, without one there’s no single common universal data field to match a patient’s records in two systems. It is so routinely and often cited as a barrier to interoperability I won’t bother to elaborate. Here’s a couple of letters from two very different industry associations on the subject from folks who have an idea of what they’re talking about:

The Electronic Health Record Association’s (“EHRA”) September 4, 2020 correspondence to the ONC:

• https://www.ehra.org/sites/ehra.org/files/EHR%20Association%20Comments%20to%20ONC%20on%20Patient%20Identity%20and%20Record%20Matching.pdf

The American Hospital Association (“AHA”) has argued for the same:

• https://www.aha.org/lettercomment/2019-09-06-aha-urges-senate-appropriators-allow-funding-unique-patient-identifier

Second, HHS should use its programmatic authority to adjust for quirks presented by state property law and HIPAA that hinder “big data.” A patient’s data is the property of the healthcare provider who delivers care. It’s basically a business record that the patient gets certain property interests in which are defined by state and federal statute. This has several important practical implications. First and foremost, a healthcare provider can, within the confines of HIPAA and the 21^st Century Cures Act, deny a patient access to their record, so there is always a risk the record is incomplete. Next, when healthcare providers do business with health IT systems, they execute a Business Associate Agreement (“BAA”). In those BAAs healthcare providers often restrict the rights of vendors to de-identify data and use it for any purpose. Large sets of de-identified data can be used to create accurate algorithms in a way that protects patient rights. HHS should look at how it can use its programmatic authority to encourage the creation and use of such data.

Third, HHS should finish implementing the 21^st Century Cures Act’s prohibition against information blocking in a manner that makes enforcement real, but not arbitrary or unpredictable. Health IT vendors are already on the hook through the ONC Health IT Certification Program, and providers are kind of on the hook because of the types of attestations they file when participating in the Merit-based Incentive Payment System (“MIPS”) or Medicaid Meaningful Use. However, neither are currently subject to any civil monetary penalties for information blocking because the OIG has not issued its final rule. Therefore, its current value is questionable. Hospitals, labs, or vendors may refuse to interface with certain systems or at different list prices for different provider networks, without incurring a substantial financial penalty. That said, the rule has a lot of shades of gray. It covers any potential corporate practice that could lead to information blocking. In tension with that breadth, it is also requires a fairly high level of intent: the actor must act knowingly. Vagueness and additional tension with HIPAA will lead to paralysis by healthcare actors when making data exchange decisions. After finalizing its rule, OIG should issue advisory opinions on the topic and publish decisions when it makes a finding of information blocking so that the market has precedence to follow, which will in turn make exchange policies easier to manage and design.

These three things, a national patient identifier, facilitating the use of data, and enforcing the 21^st Century Cures Act won’t solve healthcare interoperability. But they will make it easier to get there by removing legal – not technical or cultural – obstacles.