Another day, another piece on the regulatory policy of the USA, punctuated by charts, graphs, and memes to (hopefully) make things more consumable. In the last article (which we highly recommend reading first), we outlined the foundational concepts that HIPAA provides in domestic healthcare technology, such as covered entities, business associates, the designated record set, and why HITRUST exists.
The road is long and winding, though, and more fun, meaty regulatory history sits before us - the era of the Office of the National Coordinator (ONC) and one of its largest achievements, Meaningful Use.
HITECH and Meaningful Use
Fast forward from Clinton and HIPAA to the Obama era. Looking around at the tremendous technological progress that had occurred in the 2000s, the Obama administration and Congress decided to push the laggard healthcare industry forward into the future with the HITECH Act, passed as part of the larger 2009 recovery package. Boiled down to its core, it was a large series of incentives and penalties to encourage the adoption of electronic health records. The point was to mandate the use of good EHR technology and to have providers use it meaningfully. That manifested itself in the creation of standards that all commercial off-the-shelf EHRs had to adhere to if they had any hopes of market viability, along with a fairly comprehensive set of measures intended to drive better clinical outcomes and improve data sharing.
There's enough content to write several articles when it comes to the varied ripple effects of Meaningful Use and whether it was good or bad ultimately. For our mission today, though, we will sidestep that contentious (and oft-discussed) topic and focus solely on the fact that it did accomplish its core goal of accelerating the use of technology (rather than paper) by provider organizations. While forcing that transition, it had several provisions that reinforced the principles of HIPAA we outlined in the first article.
Covered Entity Exchange
The first promise of HIPAA, that different types of organizations providing care or paying for care could share a patient’s record, was promoted across presidential administrations, regardless of party. While HIPAA under Clinton represented some of the first thoughts about how health data and information should be shared, it was in 2004 under Bush that the skeleton of healthcare’s current digital landscape took shape. Bush notably began the push for national usage of EHRs, doubling funding for health IT to $100 million. He also created a health IT czar position, which eventually became the Office of the National Coordinator for Health Information Technology (ONC). Lastly, his administration began the attempt to define a federal network of exchange, the National Health Information Network. Looking back to HIPAA’s promises, it was exciting to see the chance for open exchange and aggregation of patient records clearly prioritized.
After putting out a Request for Information in 2005, HHS found many of the principles we see evoked today in similar discussions (see Section 2 here): a joint public/private effort, decentralized, and linked by standards, while addressing privacy and security. Later that year, HHS awarded contracts to prototype technologies to the technology leaders of the era: Accenture, Computer Sciences Corporation (CSC), IBM and Northrop Grumman (looking at this list, it’s truly stunning to see how quickly things can change in a decade or two). The findings were consolidated by Gartner in a 2007 report, and the NHIN Exchange was formed to start real work on the project in 2008.
NHIN Exchange had some big players involved (Kaiser, the VA, the Social Security Administration, and others) and substantial progress was made on pilots using query-based pulls of information across the network. However, NHIN was criticized by some as being geared towards large hospitals and integrated delivery networks: cloud computing was basically not a thing back then, and having a point-to-point query connection to hundreds of thousands of providers would have been a shitshow. This pushback led to the growth of a secondary approach, NHIN Direct, which focused on push transactions (akin to secure email) that many felt were lighter weight and easier for smaller hospitals and clinics. Health tech legend Arien Malec of Change Healthcare has an all-time thread on the subject here if you’d like to read more.
HITECH should have accelerated the shit out of NHIN efforts. By formally establishing the ONC with Congressional authority, it explicitly defined the need for not only the use but also the exchange of information (which you can check out here). It would have been logical to execute on that mandate and fulfill the first promise of HIPAA, especially since the bones were there with the previous administration’s work on NHIN.
But that’s not what happened. After the ONC dabbled with an RFI defining the exact governance, there was a significant drawdown and reversal of the government’s effort. The push under Bush and the early Obama years to create a nationwide health exchange network stalled when the ONC decided to issue no further rulemaking in September 2012. It’s unclear why that occurred and, in retrospect, it is somewhat ironic as we turn our sights to TEFCA, a new framework for interoperable exchange, which, when you squint your eyes a little, looks quite like a clone of this earlier NHIN RFI, only with different acronyms. We can guess a bit at the why, though:
Often cited is that it was too early - the Internet barely had functional email (lest it be forgotten: Gmail exited beta in 2009), let alone robust standards to communicate across healthcare enterprises. This is naive at best, bad-faith at worst - the choice of technology is always dated by the time it is implemented, whether at a company scale or a national scale. The act of choosing is a bet one makes, knowing that you’ll have to replace what you’ve built eventually regardless of how well you choose. Choosing quickly means implementing quickly or failing quickly. In both cases, you’re better off than you were.
Also often cited: there were many successful networks already in play. To federally mandate or incentivize a network would potentially kill these supposedly viable state HIEs and private networks. This again is a bit of a fallacy. The 119 HIEs that existed in 2012 have dwindled, with less than half of those that remain being even financially viable, let alone serving patient needs satisfactorily. Trying for something more cohesive has distinct advantages.
More likely: Democrats’ fortunes had turned significantly as we entered the 2012 elections (or even the 2010 midterms), and as HITECH and Meaningful Use started to hit in force, the government and ONC also started to get a little apprehensive about owning and maintaining a federal service of such magnitude (perhaps due to anticipated budgetary constraints, or perhaps due to a belief in public/private partnerships). Turning NHIN private was a way to focus efforts on tasks that felt more achievable and politically viable.
Regardless, the planned national network did not proceed. Fragmentation ensued.
The original Nationwide Health Information Network (NHIN Exchange) that focused on query-based pulls was rebranded to eHealthExchange and transitioned from the ONC to a public-private partnership, Healtheway, now known as the Sequoia Project.
The spinoff NHIN Direct, which tried to simplify nationwide exchange by focusing on push-based transactions, turned into the public-private Direct Project (and later the fully private trade association DirectTrust).
Health API Guy Take: Both eHealthExchange (as part of the broader Carequality framework) and DirectTrust have found some success as national utilities, but they are not fully ubiquitous and do not work together in the comprehensive way you’d hope. More on this topic from a previous article, Ramps and Rails:
Negatives: “Wait, Brendan, why isn’t this in the top tier?” you might ask. While each individual network has wide deployment, the whole would be significantly greater than the sum of its parts. Event notification is fragmented geographically between PatientPing, Collective Medical, and Audacious Inquiry, meaning none can be fully counted on at a national scale. As a query-only arrangement, Carequality is filled with extraneous traffic. DirectTrust suffers from data quality issues in its organizational/provider directory (as entries are often out-of-date or invalid). A complete and comprehensive strategy at a minimum needs to be national in scope and ideally would combine or overlay the three functions. Proper and reliable event notification would reduce Carequality’s traffic problem, while the clean directory of Carequality would be hugely beneficial for DirectTrust when pushing data.
It’s worth noting that even as the government deemphasized its role in governance and delegated to the private industry in the early 2010s, it did in some ways effectively promote nationwide exchange. Meaningful Use 2, the regulatory application of HITECH in 2012, bolstered Direct by requiring that providers be able to send a summary of care to providers on different EHRs than their own. As we’ve discussed before, the regulatory requirement of the use of a network is a great way to push it to ubiquity, which we’ve seen with DirectTrust (one can push to 1.5 million providers across the US, at least on paper).
Patient Access
HITECH and Meaningful Use also touched upon one of the other promises of HIPAA: give patients a super clear path to pull their data outside of HIPAA and provide it to whomever they want.
Buried in the core and menu requirements of Meaningful Use was the View, Download, and Transmit (VDT) measure. As part of this measure, providers had to give patients the ability to access, download, and transmit core data maintained in an EHR to third parties via a C-CDA download functionality - which covered some, but not all, of patient data (as shown below). As we moved to the electronic age in healthcare, regulators included these capability requirements to ensure a patient’s HIPAA right to access was made available intrinsically in the novel digital systems that providers would be implementing. With this functionality encoded into the DNA of all certified health IT, patient access would clearly no longer be a problem. Smart, right?
But that’s not how it played out. VDT made things easier for the third ring of HIPAA, patients and non-covered entities, to get medical records, but the friction of the experience still remained a blocker for many patients. The functionality was hidden and buried in screens deep within patient portals. It also was a mere summary of the care and not inclusive of all pertinent data.
Interestingly, a number of middlemen nonetheless created businesses based on VDT. Human API followed the blueprint Plaid had outlined in financial services: aggregating the various patient portals, asking for patients’ login credentials, automatically jumping through screens to download data, and exposing it via an API. Cerner has a somewhat underpublicized Release of Information (ROI) business unit (Healthehistory) that does the same, scraping data exposed via VDT (generally from other EHRs’ portals) and selling it to non-covered entities like life sciences, life insurance, and legal teams.
VDT also led to a surge in Personal Health Records, consumer-facing aggregator apps designed to serve as a patient-centric hub of all medical data, which looked to mimic the success of Mint.com in finance and capitalize on the expanded digital access. Ranging from Microsoft’s HealthVault to the OG Google Health, they suffered from the same fatal flaw we still see today with PHRs (and discussed in “Indiana Jones and the Personal Health Record”) - PHRs continually chase the health problems most patients don’t care about (aggregating clinical data) while not solving the problems we actually need solved (simplifying the friction of scheduling, payment, and other health administration).
It was progress! Patients were guaranteed a path to own their data by means of those certification requirements. So time to call it a day and move on to the next challenge, right?
Meaningful Use 3
Fortunately or unfortunately, our story does not end here. As we entered the 2010s, the API revolution hit in full force. XML was out, JSON was in. It wasn’t good enough to offer just a user interface to download a CDA file, as that user interface was tightly coupled to the health system where the care was provided. If a patient wanted to centralize their data in a health system of their choice or use a third-party application, the pain and friction of this approach meant it was clunky at best. So as Meaningful Use Stage 3 started to crystallize, it included provisions for APIs offering roughly equivalent data, authorized by the patient’s login credentials, reiterating yet again the ONC’s commitment to creating pathways for HIPAA’s patient access to thrive.
It also defined the Common Clinical Data Set to ensure that the right information was included in these APIs, as well as other certified health IT functionalities, such as sending a C-CDA for transitions of care or reporting to health agencies:
Unfortunately, the MU3 guidelines were not overly prescriptive about the format of the API. It was 2015 and FHIR was raw and uncut, not yet ready for primetime. It was an absolutely greenfield space, so implementations varied. Some just offered an API to download a CDA with the required data. Some used that early FHIR version. Some made custom APIs. Some did JSON and some did XML. Some created OpenAPI specs, real documentation, and developer experiences, but many just phoned it in and threw their API in a PDF. Looking at the public data set on certified EHRs (one of the coolest data sets in health tech, available via UI, downloadable Excel, and API), we can clearly see the variation in content and authorization formats that ensued.
Additionally, activation of a given third-party patient-facing application was still in the hands of the healthcare organization (notably, aside from Epic’s implementation). This means the goal of enabling patients to choose and use an application of their choice was largely dependent on that application vendor hustling to convince hundreds or thousands of organizations to turn their connectivity on. For a small Personal Health Record, that sort of investment (to engage thousands of health systems, gain their approval, and have them technically enable access) was well beyond their means. Beyond that, the incentives for an HCO to say yes to something like this were essentially zero, given the likely uptick in patient leakage. The right of HIPAA Patient Access, denied again.
Phew, Meaningful Use was a lot, wasn’t it? A few key things to remember:
Exchange of data between Covered Entities had a meandering and mixed path during the Meaningful Use era, leading to the DirectTrust (push) and eHealthExchange (pull) networks
Patient access was advanced with Meaningful Use 2 via the View, Download, and Transmit provisions creating a downloadable CDA document
Patient access was further boosted with Meaningful Use 3 via the provisions for APIs to provide the Common Clinical Data Set
Despite these advances, patient access was still hindered by the disparity of API formats and the gatekeeping of the HCO-centric app activation process
Luckily we’re now pretty much caught up until current times. In the interest of cutting this up some more and making it a little easier on your eyes, we’ll turn this series from a sequel into a trilogy. See you next week, where we dive into the actual content of the Cures Act.
Huge shout out to the squad of friends, colleagues, and Good Samaritans who contributed by editing this article - Colin Keeler (check out Atai if you think mental health could be transformed by psychedelic compounds), Garrett Rhodes (Redox is dope and their new payer offerings are sweet), Samir Jain (serial health tech legend, currently of RubiconMD), Ed Manzi (former law student building something new in in-home medical equipment), Matthew Fisher (actual lawyer at Carium, a virtual care platform company, and host of Healthcare de Jure), and Joshua Schwartz (PM at Commure). It takes a village to navigate the legal norms we impose upon ourselves as a society, so I appreciate their help.
Really good article. In your PHI drawing you have HITRUST pointing to C-CDA, should that be HITECH?
Wow, there's a lot here. This must have taken forever to write. Great take, and a great walk down memory lane.