ONC and CMS Pave a New Express Lane for Personalized Health under the 21st Century Cures Act

New Rules and Functionality

The U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS), recently published rules implementing interoperability and patient access provisions of the 21st Century Cures Act. New functionality required under the rules includes, among other things:

• Provider Directory API that will allow third-party app developers to access information to create services that help patients find providers for care and treatment
• Payer-to-Payer Data Exchange that will allow patients to take their health insurance information with them as they move from payer to payer
• Patient Access API that will allow patients to use third-party applications to access and download electronic claims and cost information and certain clinical information from electronic health records directly from the source (i.e., providers, payors and others)

While this enhanced access creates an express lane for patient-empowered digital health, it potentially increases the risk of medical records identity theft and highlights the importance of consumer trust.

Patient Access API

The rules create opportunities for consumer health apps and represent a major advancement in the traditionally restrictive health information space. They will enable a new, personalized health information ecosystem architecture with a direct connection to the consumer via required patient access APIs or application programming interfaces (i.e., tools for software development and integration). Indeed, the consumer now becomes a primary custodian and source for health information for innovative healthcare companies, making databases of valid, structured health information a new reality. In other words, the consumer can download health information for the consumer’s own use and subsequent processing, sale and disclosure—including interaction with third-party apps—all outside of the Health Insurance Portability and Accountability Act (HIPAA).

Accessed Health Information Is Regulated but Not under HIPAA

From a regulatory perspective, a data flow with access and download by the consumer through an independent third-party application will take the health information outside regulation under HIPAA. However, third-party applications will be subject to privacy regulation by the Federal Trade Commission (FTC). Additionally, while not subject to HIPAA, this health information remains sensitive and subject to regulation under various state-level privacy, security and breach laws.

Five Considerations You Need to Know Now

Delivering on data protection and building trust in this new data environment will become key market differentiators. With the table set, the following are five things to consider now:

1. The Race for Health Information Starts Now. Patients are in control of the data they download and are the ultimate decision-makers as to the companies and associated apps/software with which to share their valuable data. New entrants and larger players will compete over and have a ready data source for outcomes-based research, cost research, population health and other uses.
2. Envision Personalized and Customized Health Regimes. Artificial intelligence and machine learning will enable apps to offer consumers an opportunity to use their valid clinical records to freely explore health and treatment options ranging from diet and fitness to cancer treatment (and new personalized treatments and services to be developed).
3. Shape Your Privacy and Data Protection Message. As a condition of access, app developers will be required to attest to covered entities that a clear, understandable privacy policy is in place, that the privacy policy describes how health information will be used and shared (including secondary uses), and that appropriate controls have been implemented. To support these obligations companies have started and are increasingly starting initiatives to (1) understand/map their current and future data flows and uses; (2) develop/fine-tune applicable privacy policies to address new information and uses enabled; and (3) implement key security controls such as encryption, multi-factor authentication, logging and monitoring and data access (of their own data and to offer to consumers who elect to access and download their electronic health record data).
4. Educate Consumers. Identity thieves may begin to target consumers because they are easier targets than secure electronic health record systems. Consider FAQs or other guidance to help consumers protect their own health information.
5. Find New Big Data Opportunities. Fewer restrictions and easily accessible records will allow patients to contribute data to a data lake (opt in or possibly for a fee), opening new doors for commercialization and an innovative health-information economy with new business models.

If you have questions about realizing these new opportunities, we’re here to help. Please email Jim Koenig, Brent Hoard, Kenia Rincon, Michael Esquivel or Stefano Quintini for a more in-depth discussion regarding your organization’s plans.