I Can Access My Health Data. Now What?
Our legal team at Steptoe & Johnson gave a recent update on health data access. There’s been a lot of political momentum around the topic—with roots formed during the Obama administration—founded on the desire to harness health data to extract insights and facilitate a level of transparency the industry has never seen before. In short, the lack of standardization of and interoperability between providers’ health data systems is no longer acceptable as the status quo.
The Trump administration hopes to put patients at the helm by creating mechanisms for them to access and share their health data because it’s their right under HIPAA. One way to do that is through a consumer-directed data exchange, where patients exercise their rights to their private health information through a technology asset that retrieves the data and grants certain third parties—think a primary care provider—access to it. That tech asset is what’s known as an open application programming interface (API), which standardizes information and the way it’s shared, enabling individuals to easily access their complete health data (claims cost information, clinical notes, lab test results and more).
Check out our breakdown of this exchange.
These proposed changes spearheaded by the administration do not technically apply to the private market right now, but they will soon. As CMS moves forward with its plans to strengthen its API system, we may start to see private health insurers do the same. The majority of private major medical insurers have Medicare Advantage Plans that have to meet these new requirements by 2020.
In fact, within the private sector, new data-sharing models have already been developed. In July, the Creating Access to Real-time Information Now (CARIN) Alliance, consisting of hospitals, physicians, employers and other stakeholders, announced its Blue Button data model, which is designed to standardize claims data among multiple regional and national health plans. Apple, Google, Amazon and Microsoft have signed on to pilot the model.
Other companies, like Human API, have been built on the belief that data, while not valuable on its own, is critical when leveraged for a specific purpose. Their model also puts the consumer in the driver’s seat, encouraging them to identify transactions that already happen (e.g., my primary care provider needs information from my cardiologist) and intervene to make their health data portable and sharable.
The consensus thus far is that consumers are the key to facilitating data interoperability.
However, as clearly as the administration has laid it out, challenges abound. The Health Information Management Systems Society (HIMSS) recently conducted a survey looking at interoperability between other hospitals, payers and patients. They found that a little more than half (57%) were successful at sharing medical data with patients. About two-thirds (69%) of respondents (hospital IT and business leaders) said their hospital was successful at sharing medical data within their own organization, while a little over a third (37%) indicated their institution successfully shares data with other health systems.
Another study uncovered that more than half of providers fail to comply with HIPAA right of access—the key element of the administration’s proposal for interoperability.
Besides slow systemic change, there are privacy concerns. APIs are facilitators, allowing third-party applications to access and share health data. Individuals are wary of sharing personal information despite their ability to do so. It also raises the question: what is everyone else going to do with my health data?
Privacy concerns are only the first hurdle. Empowering consumers to be in charge of their private health information is asking them to take on a new kind of ownership over their own and their family’s healthcare needs. Not only would a consumer have to request electronic access to their data, they would need to indicate where to send it, and then be educated on how their data will be used and who will use it. This is asking the consumer—the patient—to understand how the healthcare delivery system works well enough to willingly hand over their private health information, which contains some of the most personal details about their lives. And not only is the system difficult to navigate, but it’s especially difficult to be an informed consumer (look no further than surprise medical billing practices).
In many ways, consumers are operating at a disadvantage. Even calling them consumers might be a stretch, considering how hard it is to understand cost and pricing mechanisms. Enabling individuals to choose any application to retrieve their digital health information from any provider or health plan isn’t meaningful without their understanding of how that information is going to be used. Even if codes of conduct—like this one from the CARIN Alliance—exist with specific instructions to obtain consent before any data is shared, actually measuring how informed an individual is might be difficult.
Nevertheless, the administration’s proposal symbolizes a turning point toward transparency and interoperability, which traditionally have not been pillars of the healthcare system.
One possibility is that new tech standards bring changes to the ways we measure health information and record data, and to what providers believe is necessary information for delivering appropriate care. The Gravity Project—an academically driven, social determinants of health program—is now integrating with the interoperability standard, Fast Healthcare Interoperability Resources (FHIR), to focus on standardizing medical codes to cover topics like work, lifestyle and socioeconomic factors.
Thinking specifically about the employer-sponsored insurance market, there seems to be an opportunity to be one of the first at the table when it comes to supporting and adopting new API standards for ERISA plans. More broadly, commercial brokers and consultants can drive conversations with insurers and other stakeholders about the need to easily access and share data.
While it’s evident that allowing employees (patients) to access and share their health data could directly affect cost, quality and access to healthcare, the benefit to the employer is less obvious.
If the employer is self-insured, access to more contextual data could help develop more targeted population health management strategies. There is also no doubt room to explore other opportunities around underwriting, risk assessment and predictive analytics within the commercial market.
As Steptoe’s Scott Sinder and Kate Jensen articulated, more health data is a good thing for the industry, but the question remains on how stakeholders will navigate new privacy obligations and legal exposure. For now, our goal is to understand how data-driven opportunities like this one would benefit employer clients, and perhaps more importantly, their employees.