On 9 March 2020, the U.S. Department of Health and Human Services (HHS) finalized two rules (the ONC final rule and the CMS final rule) that will give patients “unprecedented” access to their health data. These final rules require both public and private entities to share health information between patients and third-party developers, which will be allowed to include claims data and other patient health information in their apps.
ONC’s final rule establishes API requirements to support a patient’s ability to securely and easily access and use their electronic health information from their provider’s medical records for free, using a smartphone app.
Beginning January 1, 2021, Medicare Advantage, Medicaid, CHIP, and, for plan years beginning on or after January 1, 2021, plans on the federal Exchanges will be required to share claims and other information related to their medical encounter, such as cost or clinical information, with patients through the Patient Access API (HL7 FHIR version 4.0.1).
This rule also requires MA organizations, Medicaid FFS programs, CHIP FFS programs, Medicaid managed care plans, and CHIP managed care entities to make provider directory information publicly available via a FHIR-based Provider Directory API. This requirement also has an implementation deadline of January 1, 2021.
This API will allow patients to access their data through any third-party application they choose and could also be used to integrate a health plan’s information into a patient’s EHR. Patients can take this information with them as they move from plan to plan, and provider to provider.
The CMS final rule establishes a new Condition of Participation for all Medicare and Medicaid participating hospitals, requiring them to send electronic notifications to another healthcare facility or community provider or practitioner when a patient is admitted, discharged, or transferred.
Follow these steps to get started
- One of your patients identifies a patient health app (for example, the Apple Health app) that they would like to use to access their health information.
- Ask your EHR provider to give you links to the appropriate APIs, including the patient's ID, Allergies, Assessments, all current Care Team members, all current Goals, all current Health Concerns, Immunizations, Lab Results, pending and future Lab Tests, current and past Medications, implanted and removed Medical Equipment records, current demographics (Race, Ethnicity, Name, Sex, Date of Birth, and Preferred Language), active, inactive and resolved Problems, Procedures, Social History data (including Smoking Status), and Vital Signs.
- For third-party applications chosen by individuals to facilitate their access to their Electronic Health Information Export, you don’t need to “vet” these applications on security grounds (page 465).
- Provide these links to the Apple Health app developers to allow them to connect to your EHR. Once they integrate them into their app, they should provide instructions for accessing health information for their users, including your patient.
Some EHR vendors express criticism
Among the most vocal critics of these final rules was EHR vendor Epic. It posted a long note, which points to a recent study showing that 79% of healthcare apps resell or share data. "By requiring health systems to send patient data to any app requested by the patient, the ONC rule inadvertently creates new privacy risks," according to Epic.
Earlier, Tommy Thompson, former HHS Secretary and former governor of Wisconsin, wrote in the Wisconsin State Journal that the regs “would compel Epic to give its trade secrets away to venture capitalists, Big Tech, Silicon Valley interests, and overseas competitors for little or no compensation...HHS' rule would conscript Epic to work for these new entrants, subverting free-market principles at the expense of Wisconsin residents”.
Companies such as Apple, Google and Microsoft are all proponents of the new rules. They are members of the CARIN Alliance, which has advocated that "the two proposed rules should be finalized and released immediately." (By the way, Epic this month announced plans to stop integrations with Google Cloud.)