The Interoperability and Patient Access final rule is about to digitally supercharge patients’ ownership of their health information and how they choose to manage it. Data ownership, protection, access and sharing all were spelled out in the Health Insurance Portability and Accountability Act (HIPAA). Interoperability calls for the digitization of a subset of HIPAA and related privacy rights while preserving all the act’s protections. The Centers for Medicare and Medicaid Services (CMS) explains that interoperability does “not change any payer or provider’s obligations to abide by existing federal and state regulations…” and that “these policies just allow this information to be transmitted via an [application programming interface, or API] with the approval and at the direction of the patient.”
The consequence for payers is that the privacy and consent aspects of interoperability are among the most complex aspects of achieving compliance with the rule, requiring processes and procedures never done before. While CMS deferred certain complexities, such as segmenting data, many requirements arise not just from the interoperability rule but from other federal, state, tribal and local laws. Payers must approach API development and interoperability processes with a great deal of flexibility as they work toward compliance because the requirements of these various jurisdictions likely will change over time. Further, best practices and new data uses will emerge as interoperability unfurls and plan members exercise their access rights. Payers taking a flexible, engine-driven approach to privacy and consent management will be able to swiftly adapt to these opportunities while minimizing expensive rework.
Interoperability digitizes many of the rights underlying the Authorization to Release Medical Information Form. The following compares the two capabilities that payers will offer. The paper-based solution must support all the rights that the HIPAA Privacy Rule and other laws and regulations afford. Interoperability digitizes a specific subset of these rights.
The interoperability rule essentially digitizes a subset of the provisions within traditional “Authorization to Release Medical Information” forms that payers developed under HIPAA. Yet the digitization of key data, plus interoperability data sharing and security requirements, create a variety of operational and data management challenges. Here are the key issues:
Identity management: Payers must store the identities of members and their personal representatives. Today, when plans receive requests for data from a paper form, member data is not always easily traceable. Misspelled names and incorrect addresses can lead to the same member having multiple identities and records. Payers often manually trace member data in these situations.
Storing personal representative data adds significant operational complexity and risk. While many payers have systems that manage the identities of their members, they do not have a robust, enterprise-wide IT infrastructure to manage the identities of personal representatives, many of whom are not members — either as subscribers or dependents — of their health plans.
Identification and legal documentation: Payers will need to manage identifying documentation for personal representatives and the legal documents that authorize them to act on behalf of patients.
Highly sensitive data labeling: Payers need mechanisms for identifying highly sensitive data, such as notes, procedures, medications and more, that relate to behavioral health care, birth control, pregnancy, sexually transmitted disease, testing and treatment for HIV/AIDS, and other conditions. Interoperability does not yet require data segmentation, mainly because CMS decided the technical specs to do so are not yet widely adopted. That said, CMS did indicate payers should anticipate data segmentation, and payers must prepare now for future filtering and masking of data types and highly sensitive data.
Workflow and approval processes: Payers must define and operationalize policies, procedures and processes for review and approval of consents.
Compliance auditability: Payers must have clear audit trails showing their organizations have followed these processes and can trace health information accesses and disclosures to the authorizations that have enabled them.
Patient education: Payers must inform members of their rights and risks under interoperability, both in general and possibly in the context of specific apps. The rule requires general education. Payers may go beyond that to offer app-specific education. This could be as simple as using SMART on FHIR, which incorporates the OAuth 2.0 workflow, to alert members in real-time that they are encountering an unsafe and/or unregistered third-party application.
It’s critical members understand that data access under interoperability is all or nothing; they cannot withhold specific data elements. CMS recommends that payers use or require app privacy policies that attest to how a patient’s health information may be “accessed, exchanged or used by any person or other entity,” including whether that data may be shared or sold, and that the policy require a member’s express consent before any such access, exchange, share or sale occurs. Members also need to understand that not all electronic health information, such as X-rays, may be shareable.
Experience design: Payers must ensure interoperability delivers a positive experience of new, valuable features, rather than an incomprehensible and risky process. An example would be providing an app or creating features in member portals that show members what apps they have authorized, when those authorizations expire, and what data and when has been accessed by each app.
In addition to the requirements spelled out and implicit in the interoperability rule now, we expect additional amplifications, either to the rule or to best practices, including:
All electronic health information (EHI) will have provenance metadata.
All EHI will have sensitivity tagging.
Data will move externally in multiple ways (e.g., business associate agreements, or BAAs and others under HIPAA as well as via patient consent).
Payers will need to journal external data movements, both received and sent, with traceability to consents and authorizations.
Patients, personal representatives and many internal users will need visibility into these consents and data movements (“Where have you sent my data in the last 90 days?”).
Payers will need to systematically journal B2B data movements.
Future, complex consents and authorizations will require the complexity of masking and filtering based on sensitivity labels and more. A member would not need or likely want to share, for example, her mental health data with an orthopedic surgeon to whom she’s referred for ACL repair.
Hard-coding today’s compliance workflows will almost certainly lead to expensive future rework when new requirements and practices emerge after interoperability goes live. A rules-engine-based approach to privacy and consent compliance will give payers more flexibility to adapt to new requirements and best practices.
Instead of using a narrow set of rules and information request scenarios, the engine should have a multilayered decision framework and base decisions on who is requesting the data (member, an app, an authorized representation); whether member consent is on file; and data sensitivity. The engine can then make a yes/no decision — all in real time while capturing a complete audit record. An engine must also support payer configuration requirements to meet federal, state, local, tribal and organization-specific rules. Delivery through a SaaS model helps ensure scalability as demand for data grows. Ideally, an engine can extend consent management workflows to external systems such as customer service platforms and member portals via APIs.
Powering interoperability privacy and consent with an engine should enable payers to turn data access into an engaging, empowering experience for members. Payers that can help members easily manage and secure their data will meet compliance requirements while fulfilling the spirit of the rule, differentiating themselves and earning greater ROI on their interoperability investments.