October 12, 2020

Journal of AHIMA: Federal Regulators Put Patients in the Driver’s Seat

Providers and payers need to be ready to fulfill data requests without delay.


The clock is ticking. The much talked about and much debated regulatory push towards greater healthcare interoperability is getting ready to launch. On November 2, 2020, the information blocking and interoperability rules for healthcare organizations and developers regulated by the Office of the National Coordinator (ONC) go into effect. Parallel rules for health plans regulated by the Centers for Medicare and Medicaid Services (CMS) go into effect January 1, 2021.

The policy goals are clear—give patients control of their medical data.

The technology goals are clear as well—eliminate data blocking practices that stifle innovation and create barriers for patients.

What is unclear is the extent to which industry is ready to respond to these sweeping changes. After years of unsuccessful lobbying against these new rules, the industry now faces compliance that requires both technological and cultural changes. Arguably, the technology is the easier part of the equation, as the industry standards being deployed to support these changes have been around for more than a decade.

Below are key changes that every healthcare organization will have to adjust to—and quickly—since ONC enforcement starts February 2, 2021 and CMS enforcement begins July 1, 2021. The Health and Human Services’ (HHS) Office of the Inspector General (OIG), which is authorized by Congress to investigate the information blocking practices of providers, IT developers, health information exchanges (HIEs), and health information networks (HINs), can potentially issue civil monetary penalties of up to $1 million per violation for interfering with the access, use, or exchange of electronic health information (EHI).

The Patient Is in Control

The new rules by both ONC and CMS put the patients in the driver’s seat. Stiff penalties for information blocking were designed to prevent healthcare organizations from putting up roadblocks to accessing data.

A recent survey of 1,300 patients found that 40 percent of patients had to go to their provider’s office in person to submit requests for medical records. Additionally, 40 percent received those medical records on a CD, a 1980s technology that is obsolete in the modern consumer world. Nearly 23 percent of patients are still given medical images on physical films.

It’s not the lack of technology that is the issue. The survey found that 66 percent of respondents have access to at least one portal connected to their provider’s electronic health record (EHR). However, only 18 percent of patient respondents have been able to receive records of any type digitally (email, app, or through a portal). This result indicates that, while patients have access to portals, records and information are still not being effectively shared.

Whether the reasons were intentional or unintentional, inadvertence or inertia, the federal government recognized that these practices were still occurring decades after the 1996 HIPAA Right to Access rule was formalized into federal law. Patients have had a legal right to their own health data in the form and format of their choosing for nearly 25 years.

The ONC added new API conditions of certification to address these practices and minimize the “special effort” necessary to access, exchange, and use EHI through the use of application programming interface (API) technology. Compliance with these conditions of certification is required by November 2, but ONC will exercise enforcement discretion for three months thereafter (until February 2, 2021). These rules apply to health plans as well, with compliance set for January 1, 2021 and enforcement six months later.

Organizations must provide this data, as well as a broader set of healthcare data, quickly and without delay.

Definition of Healthcare Data Gets an Upgrade

The ONC rules define eight standard data elements, US Core Data for Interoperability (USCDI), that are now required for nationwide interoperability of health information. Data elements include pathology reports, diagnostic imaging and the corresponding narrative, and lab report narratives, among other data now required as part of new API certification criteria to make data more accessible. Never mandated before, this significant development will advance the availability of common data and expand to include other clinical data over time. Unlike structured data in claims and EHRs, these more complex elements provide serious clinical value which, when exposed, has the potential to reduce misdiagnoses, medical errors, and suboptimal outcomes.

Healthcare organizations must be prepared to provide this data as part of the EHR. Not only must they tackle change management within their organization, the vendor chosen must be able to provide a wide gamut of information—from basic structured data to more advanced, complex data that’s often unstructured—and do it with speed.

Who Can Be Trusted with Patient Data?

One argument that is often invoked in order to cast doubt on the obligation to share data with the patient is a question of trust—will these apps be reliable stewards of sensitive personal health information (PHI)?

The Silicon Valley tech giants that conquered the consumer world—and who are looking to do the same in healthcare—didn’t do themselves any favors over the past few years given the controversy over the lack of transparency over how consumer data is being handled. A senator once famously told Facebook CEO Mark Zuckerberg at a hearing, “Your user agreement sucks.”

That jockeying to own large amounts of patient data is already happening and, yes, not everyone is going to be a good actor. While we absolutely should continue to push the industry to democratize data, we should have a parallel conversation about data ownership and transparency.

This begs the question again: who can be a trusted vendor partner in the industry to meet interoperability challenges? As is usually the case in the industry, trust those with whom you’ve worked successfully in the past. There have been myriad healthcare technology companies that have been working on interoperability for as long as interoperability has been an issue. Mature technology solutions already exist today to address incompatible data formats, incompatible platforms, lack of robust APIs, insufficient communication channels, and an inability to distinguish between valuable and irrelevant data. Once again, technology isn’t the issue.

With the countdown clock ticking, it’s time to evaluate and implement technology solutions. Start with these questions when considering a vendor:

  • Have you or similar healthcare organizations had a business associate agreement (BAA) with the company previously?
  • Has the company successfully protected PHI while managing complex clinical and population health needs?
  • Has the company operated in healthcare as an interoperability provider with a proven track record?

To get ahead of the curve, organizations must determine who they want to handle sensitive data and to successfully and securely transfer it to the patient or the patient’s designated representative, at either an individual or bulk data level. Waiting too long to determine a trusted partner to deliver effective solutions will increase the risk of missing out on the best solution to meet information blocking and interoperability compliance mandates. If you wait too long, you run the risk of being forced to accept a solution that you may not be comfortable with.


Originally published in the Journal of AHIMA, October 5, 2020.

Matthew A. Michela, President and CEO
