Industry groups voice privacy concerns over health IT proposals

Proposed rules to mitigate one of the biggest obstacles to value-based care––interoperability––and provide patients with access to their own health information for free are being met with privacy and security concerns from industry stakeholders.

In February, CMS, along with the Office for the National Coordinator for Health Information Technology (ONC) proposed new rules to improve interoperability and give patients access to their health records. Among other requirements, the proposal included mandates for healthcare providers to allow patients to access their health information––for free––on digital apps through third parties. The rules would affect all health plans doing business through the federal exchanges, Medicare and Medicaid, about 125 patients overall, according to CMS Administrator Seema Verma. The rules were an implementation of the 21st Century Cures Act.

The proposal comes at a time when only about half of individuals were offered access to their online medical record last year, according to recent data from ONC.

While the aims of the rules are patient-centric, some industry groups, including the American Medical Association, are concerned about privacy of health information, especially if sensitive medical records are given to third-party vendors. Industry stakeholders had an extended comment period to voice their criticisms or praise of the proposed rules posted on the Federal Register. Nearly 3,000 comments were received on the two proposed rules from CMS and ONC.

“The AMA strongly supports patients having access to their own health information, which is a laudable goal of the administration,” AMA President Barbara L. McAneny, MD, said in a statement “At the same time, the proposed rules are complicated, intertwined, and may result in a patient’s information being shared with third parties—including those under no obligation to keep information private—in a way the patient didn’t foresee or want.”

According to the AMA, the rules do not provide enough protections for patients when their health information is shared.

“For example, a patient’s app should have to reveal to the patient that his or her health information will be sold to other companies. And a health insurance company should be prohibited from using a patient’s medical record to increase prior authorization requirements,” McAneny further stated.

Other industry stakeholders voiced concerns about data security, though most are supportive of the direction of the proposed rules to better enable access to health records and improve care coordination through interoperability.

“We are concerned that the pace of implementation and the heavy reliance on third party apps not covered by HIPAA will jeopardize the security of patient information,” Ceci Connolly, president and CEO of the Alliance of Community Health Plans (ACHP), said in a statement about the rules. “We also believe medical providers should be responsible for providing patients accurate, private medical information––and have serious concerns about the unintended consequences of health plans being required to provide that data.”

Despite these concerns, the American Medical Group Association (AMGA) recommended that CMS and ONC use application program interfaces to share claims data to eliminate a major impediment of value-based care.

“Standards and interoperability are important and should not be overlooked, but we can’t lose sight of the why we use such systems,” Jerry Penso, MD, MBA, AMGA president and CEO, said in a statement. “And that’s to ensure our care teams have all the information necessary to provide patients the best care and practices have the data needed to develop population health strategies. That’s the promise of interoperability, but we know these systems are only as strong as the data they transmit, which is why we need real-time claims data.”

Information sharing should be viewed as a top need, AMGA stated.