
Behind the scenes: How health systems, EHR vendors will give patients unprecedented access to their data

Health systems and EHR vendors have been working for months to comply with the ONC’s final rule on interoperability and information blocking that goes into effect in April and is expected to grant patients unprecedented access to their health information. Here is a look at some of the issues they contended with.


Next year is poised to be a banner year for people accessing their health information. In April, the Department of Health and Human Services will implement its long-awaited interoperability and information blocking rules.

Though providers were already giving patients access to their data to some extent, the new rules widen the scope of the information to be provided. As a result, providers are retooling their policies and processes around data access and working to iron out potential hurdles that may have a negative impact on patient experience. EHR vendors, on the other hand, are focusing on shoring up the technology infrastructure that will enable expanded patient access and helping to educate their provider clients. Both groups received a breather when HHS decided to push back the compliance date of the ONC’s final rule to April 5 from Nov. 2. 


What’s in the ONC’s final rule?
Together, the ONC and CMS rules implement the interoperability and patient access provisions of the 21st Century Cures Act and support the MyHealthEData initiative, which aims to provide patients control over their healthcare data so they can decide how it will be used.

The ONC’s final rule specifically establishes new regulations to prevent information blocking practices by healthcare providers, health IT developers, health information exchanges and health information networks. According to Leah Voigt, Spectrum Health’s chief compliance officer, there are two main reasons why information blocking occurs. First, complex privacy laws and regulations overlap at the federal and state levels, so these laws can be “over interpreted” to prevent the sharing of health information even when it is actually allowed, she said in an email. Second, the cost and complexity associated with making health information available can be a deterrent to data sharing.

“This is compounded by the first reason — it’s hard to know which law or regulation applies when, under what circumstances; and designing processes and technology solutions to make health information available in ways that comply with these laws and rules is not easy,” she said. “Often the more complex or nuanced the rules, the more costly the solution.”

The ONC’s final rule requires healthcare entities to give patients complete access to their personal health information, including clinician notes. It also establishes standards-based application programming interface requirements. APIs are the foundation of smartphone applications, and the new requirements will support the patient’s ability to securely obtain their health information from their provider’s EHR using an app of their choice.

“One of the goals of the 21st Century Cures Act is to make sure that health information is interoperable and computable, giving patients more control of their medical record,” said an ONC official, who declined to be publicly identified, in an email. “That seamless exchange of electronic health information and patient use of smartphone apps have the potential of delivering affordability and quality through transparency and competition.”

The law states that certified health IT developers and HIEs/HINs would be subject to penalties of up to $1 million per violation of information blocking, the ONC spokesperson said. But healthcare providers will be treated differently. The HHS is reviewing feedback on what the appropriate deterrents may be for situations where a provider is found to have engaged in information blocking.

By April, healthcare providers have to make a subset of health data available to patients. The subset, called the United States Core Data for Interoperability set, includes a dozen or so data elements, including information on allergies, medications and clinical notes. By October 2022, providers have to make all health data available to patients.

How health systems are preparing
Boston-based Mass General Brigham, which includes Brigham and Women’s Hospital and Massachusetts General Hospital, one of the many systems that would need to comply, set up a working group to discuss the process ahead, said Deborah Adair, executive director of enterprise health information management at the health system, in a phone interview. 

The health system was already in compliance with some of the regulations. For example, Mass General Brigham patients received their medical records on request. But to ensure compliance with the new rule, the health system now makes records immediately available via the patient portal. This includes inpatient information, as well as information related to ambulatory visits.

Other elements of the new rule, however, placed the health system in a quandary. What should they do when test results contain sensitive information? Up until now, these results were delayed to give clinicians enough time to review the results and personally contact the patient, with whom they have a relationship, to explain what the results mean and answer questions and concerns, Adair said.

But the new regulations stipulate that all test results be made available immediately and easily to patients, so the health system needed to decide how to comply while also considering how to deliver unwelcome health news to patients via the portal. 

“That was one of the biggest things we grappled with because the law requires you to share everything with the patient and we weren’t used to that, and our doctors were concerned it would cause [the patient] emotional harm if they get a cancer diagnosis without getting a call from them first,” Adair said. “And the regulation requires that you can only block a note if it’s going to cause significant physical harm or life-threatening injury. The law specifically excludes emotional harm.”

To ensure patients were not left feeling like they had to deal with traumatic diagnoses on their own, the health system decided to put a note on test results containing sensitive health news. That lets patients know that their provider would call them to discuss the results.

“It’s gone [over] pretty well,” Adair said. “I think people were nervous that there was going to be a lot of reactions from patients and phone calls and concerns and so forth. But it hasn’t proven to be that way. So, I think it’s good that patients have access to their information any time they want it.”

The information sharing is, of course, not a one-way street from providers to patients. With the new rule, health systems have to make provisions for patients authorizing third-party apps, like Apple Health, to access their health information. Mass General Brigham, however, was already prepared for this.

The health system uses Epic EHR technology, which provides an industry standard set of Fast Healthcare Interoperability Resources (FHIR) APIs that can be used by third-party apps to access medical records it manages. Further, Mass General Brigham has a security protocol that allows third-party apps to request access to patient information in a secure way, Adair said.

Getting to compliance wasn’t just a matter of IT tweaks and allaying physicians’ concerns. It required internal education as well. Mass General Brigham worked with its clinicians — educating them on the rule, how it affects them and what they need to do to remain in compliance, she added.

Like Mass General Brigham, Spectrum Health, based in Grand Rapids, Michigan, has also started sharing clinician notes for all types of visits with its patients, Voigt, the system’s compliance chief, said in a phone interview. Though it already had an initiative in place to share notes from ambulatory visits, it has spent the last few months providing notes from inpatient visits as well to patients via Spectrum Health’s online portal.

“Use of our EMR and an app for a portal to grant patient access is not something new to us,” Voigt said. “We’ve just expanded the scope of the information we are giving patients access to.”

Over the next few months, Spectrum Health plans to monitor the new processes and understand whether any tweaks need to be made. For example, as noted above, clinicians can hold back information from patients if they feel it may cause them physical harm, but that is at the clinician’s discretion. The health system will monitor EHRs and disclosures to apps to see how often clinicians are holding back information and what their reasons are, Voigt said.

Spectrum Health will also examine other trends, such as whether the withholding of information is occurring more often in a certain specialty area or among a certain set of clinicians. This is important “so we can go back and look at those patterns to determine whether or not we need to have focused education for providers on the information blocking [regulations].” Further, it can help to determine “if there is something we need to change in our process of providing those open notes that will further help ensure compliance. So, we are really taking advantage of this time,” before compliance is required, she added.   

The EHR vendor perspective
Both Cerner and Epic — the two biggest EHR vendors in the country — make APIs available for third-party app developers so that the health information on their respective systems can be easily shared with patients. To ensure compliance with the new rule, both companies are making changes to their ongoing efforts.

“In response to the ONC’s 21st Century Cures Act final rule, we are pursuing development efforts to upgrade those APIs to the latest version of FHIR adopted as a standard by ONC,” said Dick Flanigan, senior vice president at Cerner, in an email. “We will also be overhauling our app registration and onboarding processes to ensure that apps used by patients to access their health information can connect as seamlessly and effortlessly as possible. Incorporated into these processes are industry standard privacy and security capabilities to ensure that a patient’s health information is securely transmitted and only made accessible to an app when authorized by the patient.”

In addition, the company is making enhancements to Consolidated Clinical Document Architecture (C-CDA) documents, which are “used by providers to exchange information for referrals and other critical technologies,” he said.

Epic already makes several APIs available to share data elements in the United States Core Data for Interoperability set, including data on medications, allergies and other information, said Stirling Martin, senior vice president and chief security officer at Epic, in a phone interview. More recently, the company added clinical notes to the set of APIs available.

For both Epic and Cerner, educating customers — the health systems which use their EHRs — is a must.

“Where a lot of our time and energy has gone [in the last six to nine months] is into educating the customer community on what the rule really requires and the scope of what it applies to,” Martin said. “[The rule] certainly applies to the data in their Epic system but it also applies to the lab system, dietary system, heck it even applies — if they exchange health information by email, it applies to that as well. As organizations get [data] requests, they need to think about what’s their workflow, what’s their process for managing those requests.”

Cerner’s Flanigan said that his company is providing education and resources to customers on how they can use the company’s software to exchange health information in different scenarios.

While health systems and EHR vendors alike accelerate efforts to comply with the new rule, it’s worth noting that it’ll likely be years before the regulations become fully integrated with the healthcare ecosystem.

It will be a “multi-year journey,” Voigt of Spectrum Health said. Industry stakeholders can expect updates and changes along the way.

Voigt believes the “journey” will likely mimic other major policy changes that have been instituted.

“The one thing I would say, from a compliance officer and a privacy officer standpoint, is similar to what the healthcare industry experienced when the HIPAA rules were created…it took several years for the healthcare industry as well as the government agency that enforced the HIPAA rules, in that case the ONC, to really understand how those rules would be implemented and where those regulations weren’t so clear, or where the agency needed to provide guidance,” she said. “We know a lot more about how to comply with HIPAA now, about 20 years in, than we did [initially], and I think it’s going to take similarly that time for the healthcare industry, and ONC and CMS to understand how these regulations really work in practice.”

Photo credit: ipopba, Getty Images