The big finale. The grand culmination. The Final Rose / World Series Game 7 of information blocking.
You’ve gone the distance, reading more words about statutory requirements and legal prose than you ever intended to. With a firm understanding of HIPAA, MU, and the information blocking provisions of the ONC Cures Rule under your belt, you’re finally ready to complete this educational quest, unlock multifaceted and nuanced opinions to steer your company’s strategy, navigate treacherous regulatory perils, and impress everyone you work with.
To round everything out, let’s explore the changes to the Certified Health IT criteria to understand what new capabilities the ONC Cures Rule creates. Because I'm always trying to keep things spicy in the newsletter room, let's roleplay from the perspectives of the various HIPAA actors.
Patient Access
Well, shitttt, here we are again, back at enabling patient access. The ripple effects of the Cures Act played out for patient access in two ways: the ONC Cures Rule expanded and normalized the provider data access started in Meaningful Use, while the CMS Patient Access Rule opened up an entirely new source of patient-accessible data, the patient’s payer.
The ONC Cures Rule took a fairly pragmatic approach to implementing these patient access requirements, fixing the mistakes of the MU3 APIs by requiring a standardized FHIR R4 API with expanded content (the US Core Data for Interoperability, or USCDI). This progression simplifies life for the clinical data aggregators and Release of Information (ROI) vendors we discussed in the Meaningful Use era of Part 2: given a patient’s login credentials, they can retrieve that patient’s data with far less per-EHR work than MU3’s varied approaches required.
Beyond that, CMS used its weight to implement a similar provision for the payers it regulates (Medicare Advantage, Medicaid, CHIP, and qualified health plans on the federally facilitated exchanges, rather than commercial plans) via the Interoperability and Patient Access Final Rule, whose Patient Access API requirement went into effect in July 2021. This required those payers to let their members pull a new data set, the CPCDS (Common Payer Consumer Data Set), consisting of historical claims data as well as any clinical data the payer may hold about the patient. All of a sudden, between the ONC Cures Rule and the CMS Patient Access Rule, the data available via patient access was far more standardized from both providers and payers, creating a much richer ecosystem of patient-authorized exchange.
Health API Guy Take: The only piece that still troubles me here is that I don’t see clear requirements for open app approval, as opposed to healthcare organization activation. Cures mandated an API and FHIR R4, which is cool, but didn’t actually mandate how an app gets access. While some EHRs (like Epic) have fully open distribution with patient authorization, and it seems that Cerner may follow suit soon, without that being strictly encoded into the regulation I think we’ll see many EHRs with patient app policies that have HCO gatekeeping rather than true patient choice of app.
Covered Entity Exchange
The Cures Act could not have been more straightforward and explicit in its goals to advance the exchange between covered entities.
(A) IN GENERAL.—The National Coordinator shall, in collaboration with the National Institute of Standards and Technology and other relevant agencies within the Department of Health and Human Services, for the purpose of ensuring full network-to-network exchange of health information, convene public-private and public-public partnerships to build consensus and develop or support a trusted exchange framework, including a common agreement among health information networks nationally. Such convention may occur at a frequency determined appropriate by the Secretary.
This is clearly the spiritual successor to the NHIN, which we discussed in the Meaningful Use article. With this verbiage, Congress gave the ONC an explicit mandate to figure out a national strategy for exchange and unite the disparate, incomplete regional networks.
So, with this decree, separately from the ONC Cures Rule, the ONC set about creating a Trusted Exchange Framework and Common Agreement (TEFCA), dropping its first draft in January 2018, a little over a year after Cures had been signed into law. Despite the ONC’s interpretation making this new framework entirely voluntary, people did not like it (classic…) and complained in about every way possible. ONC tried again, releasing a second draft in April 2019. Tired of the continued chorus of rabble-rousers rousing the rabble, the ONC handed the operation and future of TEFCA to the Sequoia Project as its Recognized Coordinating Entity (RCE); Sequoia had been the administrator of two pre-existing interoperability networks/frameworks, eHealth Exchange and Carequality.
There will always be some fear, uncertainty, and doubt from vested interests when it comes to NHIN, TEFCA, or any proposed national utility. If I’m an HIE, national networks seem scary, as they potentially threaten the utility of my core competency and erode my value proposition. Having seen the belly of the beast, though, it’s pretty clear that we need to take that leap - the regional HIEs are a vast and varied group, but most are not servicing the core regional needs today adequately, let alone nationally. Beyond that, the beauty of national infrastructure is that every HIE can benefit from that newly raised floor and focus on differentiating value specific to their regional needs.
In terms of improving exchange between Covered Entities, the jury is still out on whether the Cures Act’s regulatory initiatives will push the needle forward all that much:
TEFCA languished under the Trump administration, and the deadlines spelled out explicitly in the Cures Act were ignored or missed.
The ONC Cures Final Rule may actually have hurt some existing Covered Entity exchange: it removed the “Secure Messaging” certification criterion, meaning the aforementioned DirectTrust network (one of the few nearly ubiquitous nationwide networks) is no longer buoyed by a federal incentive to use that technology.
Other Cures-inspired covered entity exchange initiatives are still stuck in draft or delayed indefinitely, such as the payer-to-payer exchange proposed in the CMS Patient Access Rule or the provider-to-payer exchange proposed in the CMS Prior Authorization Rule.
On the positive side, TEFCA continues to rumble forward now under the Biden administration, so there’s some possibility it actually comes to fruition. On the less positive side, it’s still a voluntary new framework, so it’s unclear what adoption will look like, especially if the onboarding and certification processes end up being heavy.
Health API Guy Take: I am conflicted on TEFCA. It advances things a bit, but it really represents a copy-paste of existing efforts (Carequality) that fixes many of their minor flaws but might add a lot more process and friction to onboarding. Realistically, I’d prefer an approach where we pick a particular infrastructural problem and choose to solve it for the whole nation, like we did with e-prescribing and Surescripts. We could/should do the same for specific healthcare handoffs: lab orders/results, referrals, prior authorizations, payer-to-payer exchange.
Business Associate Access
Buried in Cures are some special nuggets that do create new EHR capabilities for Business Associate applications to play with, via the updated certification criteria: a standardized population-level (bulk) API and a standardized patient-level API.
The former means support for Bulk FHIR (a.k.a. Flat FHIR), a standards-based way to export data for a whole group of patients at once. The selection criteria live in a FHIR Group resource (for instance, all patients with a diabetes diagnosis); a client kicks off an asynchronous $export operation against that group, polls for completion, and later downloads the resulting files of FHIR resources, delivered as newline-delimited JSON (NDJSON) with one resource type per file. This is neat since, previously, exports were never standards-based and usually took the form of CSV.
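The asynchronous $export dance described above, as an added example that is not code from the original post or from any EHR vendor: a minimal Bulk FHIR client (kick-off, status polling, manifest, NDJSON download) run against a constructed in-memory stand-in server. The base URL, the diabetes-cohort Group id, the job and file URLs, the bearer token and the sample NDJSON rows are all assumptions made up for the demo; a real client would add Retry-After backoff and obtain its token via SMART Backend Services authentication.

```python
# Added example for this post, not code from the original article or any EHR vendor: it
# walks the FHIR Bulk Data Access ($export) flow against a constructed in-memory stand-in
# server. FHIR_BASE, the "diabetes-cohort" Group id, the job/file URLs, the token and the
# NDJSON rows are all assumptions made up for the demo.
import json
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)
Transport = Callable[[str, str, Dict[str, str]], Response]
FHIR_BASE = "https://ehr.example/fhir"  # assumed server base URL
NDJSON = "application/fhir+ndjson"


class FakeBulkServer:
    """Constructed stand-in for an EHR Bulk Data endpoint (an assumption, not a real product).
    Kick-off answers 202 + Content-Location; polling answers 202 until the job is done, then
    200 with a JSON manifest listing one NDJSON file per resource type."""

    def __init__(self, token: str = "tok", polls_until_ready: int = 2) -> None:
        self.token, self.polls_until_ready, self.polls = token, polls_until_ready, 0
        self.status_url = f"{FHIR_BASE}/bulkstatus/job-1"
        self.files = {  # constructed NDJSON output: exactly one resource per line
            f"{FHIR_BASE}/bulkfiles/Patient.ndjson": "\n".join([
                '{"resourceType":"Patient","id":"p1","name":[{"family":"Alpha"}]}',
                '{"resourceType":"Patient","id":"p2","name":[{"family":"Beta"}]}']),
            f"{FHIR_BASE}/bulkfiles/Condition.ndjson": "\n".join([
                '{"resourceType":"Condition","id":"c1","subject":{"reference":"Patient/p1"},'
                '"code":{"coding":[{"system":"http://snomed.info/sct","code":"44054006"}]}}',
                '{"resourceType":"Condition","id":"c2","subject":{"reference":"Patient/p2"},'
                '"code":{"coding":[{"system":"http://snomed.info/sct","code":"38341003"}]}}'])}

    def __call__(self, method: str, url: str, headers: Dict[str, str]) -> Response:
        if headers.get("Authorization") != f"Bearer {self.token}":
            return 401, {}, '{"resourceType":"OperationOutcome"}'
        if url.startswith(f"{FHIR_BASE}/Group/") and "/$export" in url:
            # the Bulk Data spec requires these two headers on the kick-off request
            if headers.get("Accept") != "application/fhir+json" or headers.get("Prefer") != "respond-async":
                return 400, {}, '{"resourceType":"OperationOutcome"}'
            return 202, {"Content-Location": self.status_url}, ""
        if url == self.status_url:
            self.polls += 1
            if self.polls < self.polls_until_ready:
                return 202, {"X-Progress": "running", "Retry-After": "1"}, ""
            manifest = {"transactionTime": "2021-10-01T00:00:00Z", "requiresAccessToken": True,
                        "request": f"{FHIR_BASE}/Group/diabetes-cohort/$export", "error": [],
                        "output": [{"type": u.rsplit("/", 1)[1][:-7], "url": u} for u in self.files]}
            return 200, {"Content-Type": "application/json"}, json.dumps(manifest)
        if url in self.files:
            return 200, {"Content-Type": NDJSON}, self.files[url]
        return 404, {}, ""


def bulk_export(transport: Transport, group_id: str, types: List[str], token: str,
                max_polls: int = 10) -> Dict[str, List[dict]]:
    """Run a Group-level $export and return the exported resources keyed by resourceType."""
    auth = {"Authorization": f"Bearer {token}"}
    kickoff = f"{FHIR_BASE}/Group/{group_id}/$export?_type={','.join(types)}"
    status, hdrs, _ = transport("GET", kickoff, {**auth, "Accept": "application/fhir+json",
                                                 "Prefer": "respond-async"})
    if status == 401:
        raise PermissionError("kick-off rejected: bad or missing access token")
    if status != 202 or "Content-Location" not in hdrs:
        raise RuntimeError(f"unexpected kick-off response {status}")
    status_url, manifest = hdrs["Content-Location"], None
    for _ in range(max_polls):  # a real client sleeps for Retry-After seconds between polls
        status, _, body = transport("GET", status_url, dict(auth))
        if status == 200:
            manifest = json.loads(body)
            break
        if status != 202:
            raise RuntimeError(f"export job failed with status {status}")
    if manifest is None:
        raise TimeoutError("export job did not complete within max_polls")
    if manifest.get("error"):
        raise RuntimeError(f"server reported errors: {manifest['error']}")
    resources: Dict[str, List[dict]] = {}
    for entry in manifest["output"]:
        # send the token on file downloads only when the manifest says the server requires it
        dl_headers = {"Accept": NDJSON, **(auth if manifest.get("requiresAccessToken", True) else {})}
        status, _, body = transport("GET", entry["url"], dl_headers)
        if status != 200:
            raise RuntimeError(f"download of {entry['url']} failed with status {status}")
        for line in filter(str.strip, body.splitlines()):
            res = json.loads(line)
            if res.get("resourceType") != entry["type"]:  # file content must match the manifest type
                raise ValueError(f"{entry['url']}: got {res.get('resourceType')}, expected {entry['type']}")
            resources.setdefault(entry["type"], []).append(res)
    return resources


def patients_with_condition(resources: Dict[str, List[dict]], snomed_code: str) -> List[str]:
    """Join Condition.subject back to the exported Patient ids for one SNOMED code."""
    patient_ids = {p["id"] for p in resources.get("Patient", [])}
    hits = set()
    for cond in resources.get("Condition", []):
        codes = {c.get("code") for c in cond.get("code", {}).get("coding", [])}
        ref = cond.get("subject", {}).get("reference", "")
        pid = ref[len("Patient/"):] if ref.startswith("Patient/") else None
        if snomed_code in codes and pid in patient_ids:
            hits.add(pid)
    return sorted(hits)
```

Calling `bulk_export(FakeBulkServer(), "diabetes-cohort", ["Patient", "Condition"], token="tok")` returns two Patients and two Conditions, and `patients_with_condition(out, "44054006")` joins them back to `["p1"]`. The checks a practitioner actually cares about are in the client rather than the stand-in: a bearer token is mandatory on every call, the file downloads only carry it when the manifest’s `requiresAccessToken` says so, and each NDJSON line is verified against the manifest’s declared resource type so a server that mislabels (or mixes) files fails loudly instead of silently polluting the cohort.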
This comes with caveats and drawbacks, however. Population-level bulk export doesn’t help every use case, but for some particular sub-classes of Business Associates (namely analytics and pharma) it has a lot of potential. It’s a net-new capability with no precedent beyond exporting custom flat files. More here on that topic:
Similarly, the single-patient FHIR APIs are sweet and fill some gaps. They mean EHRs will uniformly have the capability to do SMART App Launch (SSO-style launches of a third-party app from within the EHR), as well as support USCDI querying over FHIR. However:
They’re not a clean break from old standards. These APIs do not rip and replace all the data flows and use cases that HL7v2 or proprietary APIs serve today, meaning that Business Associates may have to live in a hybrid world.
Given they’re limited to USCDI, they don’t actually help use cases that fall outside core data, such as specialty information like oncology or administrative functions like scheduling.
Beyond those considerations, though, Cures didn’t dramatically change Business Associates’ ability to integrate with their covered entity partners. While information blocking gives them some power in terms of fair pricing and access to EHR API programs, allowing them to push back on things like relinquishing all IP rights to the actor, those EHRs are still allowed (to a certain extent) to charge fees to recoup the costs of those API programs.
Most importantly, Cures does not change the fact that applications need to convince healthcare organizations to sign a BAA in the first place, which is still the biggest barrier for most applications. Finding the right users, convincing them that you solve a problem for them, having them go to bat for you and push you ahead of the thousands of potential projects an HCO might be prioritizing, articulating value prop and return on investment at an organizational level, and surviving security and technical reviews: all of this is still present in the post-Cures world. App programs offered by EHRs or other entities may mitigate this to some extent by frontloading technical and security reviews, but most health systems will be slow to entirely trust external programs and will continue to run their own processes as well.
Health API Guy Take: All in all, an improvement, but not necessarily game-changing. We will see a lot of variety in how EHR vendors approach exposing these capabilities, as they’re not incentivized to spend effort and money on robust app program experiences that allow for easy onboarding. In the future, completing the Business Associate FHIR ecosystem with subscriptions/notifications and CDS Hooks would be beneficial for certain applications. Lastly, as noted before, we’re not deprecating legacy standards or technology, so it’s a messy situation for the foreseeable future.
What’s so frustrating to me (and hopefully also to you after this diatribe) about the policy history traced here is that the basic promises of HIPAA 25 years ago still remain unfulfilled: covered entities able to exchange patients’ records freely for permitted purposes, business associates able to help the healthcare organizations for whom they have a solution, patients able to access and own their designated record set.
We’re in this infinite time loop trying to take the first step in where we need to go, with the government and HHS and ONC continually restating the same concepts over and over (note: this is not a critique of regulators; I’d like to applaud them for their perseverance) to get providers and payers to do the hard, but right thing to build a national digital health ecosystem. Maybe that’s just the way policy and regulation works, with vested interests resistant to change, but we frankly deserve better.
We deserve a patient’s record to be unified and complete, shared across all providers - with push and pull. As part of that, we deserve exchange to include all the radiology and cardiology and every other specialty’s diagnostic-quality images that sit buried in PACS and VNAs today. We deserve a referral network on a national scale. We deserve lab ordering and resulting beyond just Labcorp and Quest. We deserve accurate eligibility and timely prior authorizations. We deserve easy pathways to pick and try and choose specialized business associate solutions, not just at the organizational level, but at the individual provider level. We deserve public health and registry aggregation at the scale required to combat the generational pandemic we failed so miserably to respond to, but also the more common day-to-day illnesses and diseases and viruses. We deserve a unified network of de-identified data to allow clinical research to scale its studies, trials, and successes. And last but certainly not least, we deserve patients to have their data in the app of their choice, sure, but also to write back the things they measure or think, to schedule and to pay, to communicate with their care team, and to correct the inaccuracies they know are wrong.
These are tough, expensive challenges, without a doubt. We’ve seen countries actually articulate this exact vision of the future of health and fail halfway. We know therefore that it is grand, ambitious and scarily costly, but the value is so incredibly clear: less pain and friction as the individual silos of today actually work at scale as one giant system; cheaper prices as liquidity of data means the quality of care and patient experience are the main differentiators of our health care institutions; access and control and understanding by the patient of their clinical (and administrative!) data allowing them to be active and excited participants in their health; exponential acceleration on research as the wild goose chase, easter egg hunt of finding and helping patients becomes a handful of clicks.
So let’s do better.
Huge shout out (again) to the squad of friends, colleagues, and Good Samaritans who contributed by editing this article - Colin Keeler (check out Atai if you think mental health could be transformed by psychedelic compounds), Garrett Rhodes (Redox is dope and their new payer offerings are sweet), Samir Jain (serial health tech legend, currently of RubiconMD), Ed Manzi (former law student building something new in in-home medical equipment), Matthew Fisher (actual lawyer at Carium, a virtual care platform company, and host of Healthcare de Jure), and Joshua Schwartz (PM at Commure). It takes a village to navigate the legal norms we impose upon ourselves as a society, so I appreciate their help.
Thanks for the summary. Informative and fun as always.
If I think out long term, I can't imagine when users/patients/guardians will ever be able to even note inaccuracies in their records - big expensive problems.