It would be an understatement to say that a first, second, third…reading of the Proposed Privacy Rule (“Rule”) left it indecipherable, for several reasons: (1) there appears (after several passes) to be a technical dependency regarding certain expansive rights given to individuals for sharing PHI. It took us a while to determine what that dependency consisted of because the Rule’s NPRM is opaque (an understatement) about it.
We developed a solution for what we call the “three most insidious and disruptive” rights contained within the Rule (Enterprise MVP); which are as follows:
There were an additional set of expansive individual rights for individuals to share PHI which our Enterprise MVP ignored for the following reasons:
Generally, in our opinion, the other expansive rights were not as “massively disruptive,” for the following reasons:
Although we stand by that analysis, these other expansive rights contain a direct dependency on the 21st Century Cures Act that was far from obvious. Here are examples of some of the expansive rights that we are referring to:
There are numerous other examples; however, the two above are sufficient to make the point. When you start to think of the number of CEs that Health Plans interact with, the obvious question becomes: how could a Health Plan get PHI from hundreds of CEs in a format that it could read and process? The same thing applies to the consumer companies. The answer is that it can’t. The Rule’s NPRM only makes a vague reference to the solution as mandated by the Cures Act. Paraphrasing, it states that “Certified healthcare IT vendors are mandated to provide certain APIs if they want to maintain their Certified status.”
It does not state what these APIs are for. It does not state what a “Certified IT Vendor” is, and it certainly does not mention the proposed Privacy Rule’s dependency on these APIs. It took a fair amount of research to determine that these vendors were EHR vendors that had been Certified under “Meaningful Use” over a decade ago. Once we understood that, it became clear that the other expansive rights (e.g., multiple CEs sharing data with a Health Plan) were to be solved by Certified EHRs through APIs, using the international HL7 EHR-to-EHR data sharing format. In fact, all of these other expansive rights rely on the same solution: Certified EHRs creating the necessary APIs.
The Cures Act sets a mandated completion date for the APIs of December 31, 2022. This explains the long promulgation of the proposed Privacy Rule. As it stands, the Rule cannot be promulgated “as is” until these APIs are completed and ready for production. Usually regulations are “descriptive but not prescriptive.” They tell you the what but not the how. In this instance, the regulations are stringently prescriptive, although HHS/OCR appear to go out of their way to hide this fact.
EHR-to-EHR data sharing has been the holy grail of healthcare technology writ large for over twenty years now. It’s a noble objective. The Health Plan’s massive investment in care coordinators and case managers depends on it. Why HHS/OCR played “hide the ball” regarding the dependencies between this set of regulations continues to confound.
The law is a blunt instrument.