Unraveling the Enigma of the 21st Century Cures Act & the Proposed Privacy Rule

It would be an understatement to say that a first, second, third… reading of the Proposed Privacy Rule (“Rule”) remained indecipherable, for several reasons: (1) there appears (after several passes) to be a technical dependency underlying certain expansive rights given to individuals for sharing PHI. It took us a while to determine what that dependency consisted of, because the Rule’s NPRM is opaque (an understatement) about it.

We developed a solution (our Enterprise MVP) for what we call the “three most insidious and disruptive” rights contained within the Rule, which are as follows:

  1. The right to inspect at the time of appointment (“TOA”) and at the point of care (“POC”) enables patients to enter your facility “to view, create videos, take photographs and use other resources.”
  2. The right to enter your facility to inspect at a “convenient time and place” (“CP&T”) (e.g., OCR uses the example of a medical records facility) to perform the same actions described above.
  3. The reduced time to provide patients access to their PHI (i.e., as in the old Rule), except with the amount of time cut in half from thirty (30) to fifteen (15), with the extension remaining intact.

There was an additional set of expansive rights for individuals to share PHI which our Enterprise MVP ignored.

Generally, in our opinion, these other expansive rights were not as “massively disruptive,” for the following reasons:

  1. They represent business-to-business exchanges of patient PHI;
  2. They do not involve nuanced and complex legal decisions compared to the three MVPs that 3LP addresses;
  3. They are far less likely to trigger a complaint (initially) and therefore far less likely to lead to liability;
  4. They only indirectly touch the patient; and finally,
  5. All these requirements are technically complex, non-trivial, and require implementation of APIs, some of which are allegedly defined by the 21st Century Cures Act (“Cures Act”).

Although we stand by that analysis, these other expansive rights contain a direct dependency on the 21st Century Cures Act that was far from obvious. Here are examples of some of the expansive rights that we are referring to:

  1. A Health Plan may now request PHI from a Covered Entity (“CE”) for an existing (or prospective) customer and, pursuant to the Rule, is entitled to get all of it; the minimum necessary principle is eliminated from the Rule in this one instance. As an aside, to get around requiring any authorization from the individual for this transfer, HHS simply included care coordination and case management in the definition of “Operations,” so that the PHI could be shared under the treatment, payment and operations (“TPO”) exception of 164.506.
  2. A consumer company such as Fitbit or Peloton, on behalf of the individual, can make a request to a CE for the individual’s PHI, and the CE is mandated to provide it.

There are numerous other examples; however, the two above are sufficient to make the point. When you start to think of the number of CEs that Health Plans interact with, the obvious question becomes: how could a Health Plan get PHI from hundreds of CEs in a format that it could read and process? The same applies to the consumer companies. The answer is that it can’t. The Rule’s NPRM only makes a vague reference to the solution as mandated by the Cures Act. Paraphrasing, it states that “Certified healthcare IT vendors are mandated to provide certain APIs, if they want to maintain their Certified status.”

It does not state what these APIs are for. It does not state what a “Certified IT Vendor” is, and it certainly does not mention the proposed Privacy Rule’s dependency on these APIs. It took a fair amount of research to determine that these vendors were EHR vendors that had been Certified under “Meaningful Use” over a decade ago. Once we understood that, it became clear that the other expansive rights (e.g., multiple CEs sharing data with a Health Plan) were to be solved by Certified EHRs through APIs, using the international HL7 EHR-to-EHR data sharing format. In fact, all these other expansive rights rely on the same solution: Certified EHRs creating the necessary APIs.

The Cures Act mandates December 31, 2022 as the completion date for the APIs. This explains the long promulgation of the proposed Privacy Rule. As it stands, the Rule cannot be promulgated “as is” until these APIs are completed and ready for production. Usually regulations are “descriptive but not prescriptive”: they tell you the what but not the how. In this instance, the regulations are stringently prescriptive, although HHS/OCR appear to go out of their way to hide this fact.

EHR-to-EHR data sharing has been the holy grail of healthcare technology writ large for over twenty years now. It’s a noble objective. The Health Plan’s massive investment in care coordinators and case managers depends on it. Why HHS/OCR played “hide the ball” regarding the dependencies between this set of regulations continues to confound.

The law is a blunt instrument.