Fear and Loathing in DC: an Interoperability Trip

Troy Bannister just returned from the Connected Health Initiative (CHI) Fly-In in Washington, D.C., and here are some of his observations about the current state of affairs.

12,000 steps.

Eight meetings.

One agenda: Let patients access their $%*@!&% records.  

I just returned from the Connected Health Initiative (CHI) Fly-In, in Washington D.C. This is my fourth trip, and I walked away with some observations about the current state of affairs: 

- Washington is a bit of a mess right now; from COVID sucking up health policy momentum over the last few years, to polarized political ideologies impacting progress across the aisle, to an administration (despite which way you lean) that just isn’t a big policy pusher. 

- Funding is really hard to find across agencies. We received an overall sentiment of “Wow, that’s a horrible problem… but we just can’t focus on that right now.” The phrase “This is a thinking congress… not an acting congress,” was even tossed around. 

To encounter this kind of response during a time when 70% of Americans “feel failed by our healthcare system” and are expected to spend $4.2 trillion this year (20% of our GDP) is especially deflating.

 

Particle Health Founder, Troy Bannister, speaks to lawmakers in Washington D.C.

 

Here’s a rundown of whom I met with over the course of my 48 hours:

(1)   ONC

(2)   CMS

(3)   Senate Health, Education, Labor, Pensions Committee

(4)   House Ways and Means Health Committee, Subcommittee on Health

(5)   Senator Marco Rubio’s office 

(6)   Representative Don Beyer’s office

(7)   Representative Brett Guthrie (kind enough to step out and meet us in person mid-vote)

(8)   Senate Finance Committee Majority

Connected Health Initiative members fightin’ the good fight

The goal of these eight meetings was to share our real-world experiences and observations with policymakers who advise and decide healthcare regulation. As the founder of Particle, I have an excellent bird’s eye view of nationwide medical record access… I mean, like, the actual numbers. This type of information typically doesn’t make its way to policymakers so it’s critical to share.

It was surprising to see that in only two of these meetings was there an understanding of the fundamental issue at hand: the fact that patients still cannot access their records via networks, despite the Info Blocking Rule.

How it all began…

For those of you catching up, let’s revisit 1996: 

(1)   HIPAA… P stands for ‘portability’... but medical records haven’t exactly become portable.

(2)   Meaningful Use (now called Promoting Interoperability) got some provider-to-provider sharing and some provider-payer sharing going, but then stopped there… sorry, patients.

(3)   Anti-Information Blocking… pretty darn straightforward: don’t block patients requesting their records,  but this is currently getting chipped away into oblivion (👂grapevine: more exceptions are coming that will carve out EMRs from being required to respond to patient requests if they connect to TEFCA, but they won’t need to offer Individual Access Services).  

…And where it stands now... Year 27 of trying to get patient access working  

Did you know there’s a secret underground tram between House and Senate offices?

Recently, the largest national data frameworks released a multi-year effort in the form of a proposed update to the data exchange rules, technical specs & legal agreements that establishes a requirement that you must respond to patients requesting their own data and provides a safe technical way of doing it. This was done in line with the new anti-information blocking rule. The update was released and comments were submitted. It's been more than a month and we’re still in purgatory, but word on the street is that patients may need to wait several more years until they can get another shot at accessing their records. Your response to this delay may be similar to mine: “But… isn't this why we spent billions of taxpayer dollars developing this law?” Well, in this case, it appears that the law doesn’t matter.

The folks at Particle think that when a patient downloads an app (like a personal health record app) connected to a national network vendor (like Particle) and wants to pull their health records into it, they should be able to access their data. These networks serve billions of transactions for providers today, and there’s no reason why patients shouldn’t have the same level of access. Here’s what we do to ensure that this process is safe and secure:

(1) We use IAL2 Identity resolution. There are a few Credential Service Providers (CSPs) that are ‘Kantara Approved’ which basically means they’ve gone through extensive third-party verification to ensure their identity validation service is actually really, really good. These CSPs serve organizations like the IRS today, so we know they’re good.

(2) We capture a patient's HIPAA Authorization signature - a legal document that says “according to the law, you need to give me my freaking records, man”. 

(3) We send this package out to EMRs hoping that they take this patient’s request seriously.  

Today, when a provider requests records for an upcoming appointment, we see a ~90% response rate; however, when a patient requests records, we see a 0% response rate.  

EMRs Hold All the Cards

The claim EMRs and providers are making is “we’re not comfortable sharing data back with patients because we’re scared we might send the wrong record to the wrong patient.” This translates to “we’re not good enough at finding the right record in our system” (even if we're doing 100% deterministic matching - i.e., every single character matches across name, DoB, address, phone).  

The thing that freaks me out here is that the EMRs are doing the matching. Think about that -- they’re Certified Health IT but after 6 years of preparation (since the Info Blocking Rule was published) they can’t meet the requirement and that perceived liability is good enough to deny patient access? If they don’t want the matching to be good enough, they’re in complete control of never letting it get good enough and can continue to claim “we can’t share with patients because matching just isn’t that great.” 

This is coming from organizations that employ 10,000+ people– many of whom are the premier healthcare engineers in the country. If we can trust them to build clinical decision-support tools, predictive algorithms, and internal patient-matching solutions used at the point of care… why can’t they trust their tech works well enough for patient access? 

To further complicate matters, policymakers are getting hammered by EMR lobbyists. Every week EMRs are sending folks to the Hill to meet and argue for protecting their walled gardens. “We cannot possibly consider sharing data with patients because we might share the wrong record and that is of the utmost importance.”

Taxpayer traps on the hill

How many faxes have been sent to the wrong person? How many portal passwords have been shared, lost or stolen? How many APIs have security flaws due to the Username/Password paradigm in use today? 

Last month, Particle exchanged 18M records using this system. We have never heard of a wrong patient match. It’s not like we think it’s never happened… it could. But will it happen more than someone pressing the wrong button when sending a fax? Or sending someone the wrong portal login?  

My hot take? If this happens, and patients can access their records at scale, then that walled garden starts to crumble. EMR consolidation is at unprecedented levels… one organization owns 70%+ of all healthcare data in the U.S. because they don’t share data with other systems.  That is very valuable and incredibly critical to maintain market dominance.  

 

How information blocking translates to unfair business

Maintaining market dominance by not sharing data – really, by information blocking – is the definition of unfair business. One major EMR player (who shall remain nameless) has long been successful in blocking access to patient data, meaning patients and other EMRs can’t reasonably exchange data with them.  Because of this, when a major hospital system buys this EMR system, they have to use it at all affiliated sites so that they can move patient records from a practice to a clinic, to a lab, to a hospital all within their own system. If this hospital system wanted to use a new, innovative app, for example, that enables patients to get their lab results interpreted for them, the EMR can just say, “no, you need to use our app or you can go figure out the integration yourself.”

Some large EMRs have shut down their App Stores, citing patient privacy concerns, severing the only avenue small businesses had to exchange data with their systems. They claim the program, which is essentially the only way to access patient data (and takes revenue + IP rights). For example, this page is still empty today on some of their websites. 

People are paying attention to these efforts to stymie the industry’s move towards greater interoperability. Just recently, the ex-CEO of Beth Israel, a major NYC hospital, wrote a blog post calling out antitrust claims against a major EMR.  

The quiet, yet sweeping, state effort

In reaction to Dobbs, a major lack of modernized, national data privacy regulation, and the growing list of bad actors (Better Health, GoodRx, etc.), states are beginning to take matters into their own hands. Since the beginning of the year, a whopping 289 new bills have been introduced across most U.S. states. Some notable new bills include Virginia & Washington’s My Health My Data Act, and you can bet lobbyists have been active in every corner of these arenas.  

 

 

We are in the middle of a war between big tech and consumer data privacy rights. The big question is: “Do you, the consumer, have the right to control, access, and own your data?” The answer will certainly not be as simple as ‘yes’.   

In Conclusion…

One thing I saw clearly while in DC is the power of the corporation in the United States. While there are both good and bad attributes to capitalism, where the dollar can be stronger than what may be deemed ‘right’, the effectiveness of corporate interests is profound. The United States needs a comprehensive privacy framework. It’s borderline embarrassing that we don’t have one. Federal policymakers are stuck in gridlock, budgetary restrictions and voting stalemates and so states have begun picking up where the federal government can’t win.  

Without a federal data privacy framework, large corporations will continue to lobby for corporate interests and will win small battles with large implications. They will argue for loopholes citing privacy concerns while simultaneously obfuscating the reasons why they have those concerns in the first place.  

Where bleakness is abundant, there is some light. Just recently, the Ways and Means Committee started down a path of antitrust investigation via the FTC into another highly consolidated area of healthcare: PBMs. A hearing called ‘Health Subcommittee Hearing on Why Healthcare is Unaffordable: Anticompetitive and Consolidated Markets’ was held on 5/17. You can view the video here.

And without a way to legally protect patient data & enforce those rules, corporations will continue to exploit it. At Particle, we are working on the front lines– by building technology for patients to control their data and at the policy level, by participating in working groups for standards bodies + frameworks and by reaching out (sometimes on deaf ears) to policymakers and federal agencies. This is a hard fight, but every inch forward is progress. One day, patients will be able to easily access, share and control their healthcare data and we hope to play a role in that vision.