Industry healthcare organizations are taking a cautious posture toward the interoperability and information-blocking final rules from ONC and CMS, and are still harboring concerns that the push may risk patient-data privacy and may be onerous for some organizations to implement.

On Monday, the Office of the National Coordinator for Health Information Technology put forth its final rule on interoperability and information blocking, pursuant to the requirements of the 21st Cures Act. The Centers for Medicare and Medicaid Services also released its own companion final rule on interoperability and patient access.

The rules call for wider use of application programming interfaces to help consumers access their healthcare data from both payers and providers – so enabling them to send it to other healthcare organizations or integrate with the smartphone app of their choice.

But a variety of organizations are raising concerns about third-party vendors that take consumers’ complex medical information from claims and EHRs and dish it to them in understandable language.

It’s the lack of oversight of those vendors that is concerning to America’s Health Insurance Plans.

"Americans should be able to get their healthcare information when they need it, in a format that is convenient for them, to help them make better, more informed healthcare choices," said Matt Eyles, AHIP’s president and CEO.

But he voiced his worry that third-party app developers may not be governed by HIPAA.

"We remain gravely concerned that patient privacy will still be at risk when healthcare information is transferred outside the protections of federal patient privacy laws," said Eyles. 

"Individually identifiable healthcare information can readily be bought and sold on the open market and combined with other personal health data by unknown and potentially bad actors. Consumers will ultimately have no control over what data the app developers sell, to whom or for how long.

"Patients overwhelmingly want two things: for the information to be clear, concise and customized, and for their privacy to be protected," Eyles added. "Any new rules must ensure we protect patient privacy, reduce healthcare costs and get personalized information into the hands of patients. 

He noted that "some 62 percent of consumers say that stronger protection of their personal privacy should outweigh any efforts to make it easier to access consumer healthcare data."

The final rules will give consumers access to their records or medical claims. But that information can be complex or coded, so app developers will provide the middleware that makes the information understandable, said Robert Tennant, director of health information technology policy for the Medical Group Management Association.

"The data dump" from EHRs and medical claims "will be leveraged by third-party vendors to take the data and present it in a usable format," Tennant said.

The new rules set out deadlines for healthcare organizations to adopt them. ONC officials said Monday that enforcement of the law won't be immediate – starting in about six months, followed by a two-year phase-in period, during which providers will be required to share any data elements contained in the United States Core Data for Interoperability, or USCDI.

However, that’s not much time for healthcare IT vendors to develop products that comply with the new rules – and implementing them will require small providers to expend money and effort to put them in place, Tennant noted.

"It’s one thing for a large practice to do this, but if a small practice is working with a smaller vendor, we see this as a real challenge that you have to create a technical infrastructure to achieve this," he said.

"Practices will be forced to hire consultants or lawyers" to make sure they’re implementing systems, "and that adds more cost and administrative burden," Tennant added. These added expenses place more pressure on practices, an additional burden on already overstressed physicians.

"Even when we had meaningful use regulations and there were significant incentive dollars, it was still an enormous lift for practices," Tennant added. 

"In updating systems, there’s really no money to help defray the costs," he explained. "IT vendors will have costs, but they can just charge fees to the practices, and we’re not likely to see Medicare reimbursements increase to defer some of the costs. We will be taking on the role to keep tabs on the fees that our members are going to be charged [by the vendors]."

The American Medical Association also said it will be monitoring vendor fees – seeking to ensure that rules will be enforced to prevent them from charging excessive fees, "including ‘gag clauses’ that prevent physicians from publicizing problems with their EHRs."

The AMA also is promoting a usage-based fee structure that complies with federal requirements in order to limit EHR vendor fees and prevent physicians from incurring costs. It also wants less aggressive and separate EHR-implementation timelines for vendors and physicians.

"The AMA has been advocating on behalf of physicians and patients for over 10 years to ensure EHR usability, interoperability, and patient data and safety," said AMA President Dr. Patrice A. Harris. "As the AMA reviews the new rules, we will pay special attention to policies aimed at creating efficiencies in data exchange, reduction in physician burden, and patient control over and access to their data."

In the coming weeks, the nation’s largest physician organization says it will undertake aggressive action to provide physicians and patients with resources to help understand how these new regulations will affect their medical practices and care, and reduce confusion around state and federal regulations on data access and EHR interoperability. It will also provide timelines showing when to expect updates to EHR products and vendor contracts.

Fred Bazzoli is a contributing writer to Healthcare IT News.
Twitter: @fbazzoli

Healthcare IT News is a HIMSS Media publication