Deven McGraw: Obviously, if you have to comply with it, it's probably not looking too exciting. It's looking scary, it's looking burdensome, it's looking like, how am I going to handle this? But when you're on the side of requesting information, all it looks like is opportunity. And I think there's going to come a time, and I hope that it will be relatively soon, that even those entities that are subject to the rule will see the opportunity in it, in terms of being able to serve new customers and to strengthen relationships with patients, because that opportunity is absolutely there.
[music]
Jonah Comstock: Hello and welcome to HIMSSCast. We're a little more than a week away from the start date of the info blocking rules, which we've covered extensively on this podcast, and we're going to cover them a little more with a special guest. We're joined today by Deven McGraw, cofounder and chief regulatory officer for Ciitizen, a consumer health technology startup, and the previous Deputy Director of Health Information Privacy at the HHS Office for Civil Rights, and also a former chief privacy officer at ONC. And of course, as always, or as often, we're joined by Healthcare IT News Executive Editor Mike Miliard, who's going to help give us some additional context. Thanks so much for joining us, Deven and Mike.
Deven McGraw: Thank you for having me.
Comstock: So Mike, I'll let you kick us off with the first question.
Mike Miliard: Sure. Okay, well, Deven, as we know, the most pressing topical discussion here is the start date of the info blocking rules, which have been on people's radar screens for about a year. These final rules were unveiled just as the pandemic was getting started, back in March of 2020, and understandably I think most providers had some more pressing concerns, especially this past spring and all through this past year. But the compliance date is April 5, after some discussion earlier on, and so the rubber is kind of meeting the road here, even though there's no enforcement yet. There's no enforcement mechanism in place at the moment, is that correct?
McGraw: Yeah, that's right, no enforcement provisions from CMS for providers.
Miliard: But that said, this is something that folks are going to need to start thinking about. What, to your mind, are some of the potential hurdles, some of the more challenging aspects of complying with this rule?
McGraw: Yeah, I think there are many challenging aspects of complying with these rules. I think for health care providers, the idea that they are repositories of very valuable information that is necessary for a whole range of purposes is not something that's necessarily new for them. But the idea that they now need to seriously consider every request they get, versus having a lot more discretion about when to say yes and when to say no without having to justify why they say no, is really new for them. What the information blocking rules do for entities who are covered by those rules is kind of flip the presumption around data sharing. HIPAA is traditionally about permissions to share: except with respect to the requirements to share with the patient, and with the government when you're being investigated, it's "you can share in these circumstances, and you can share if these conditions are met," but there's never a must-share aspect to it.
Essentially, what the info blocking rules come in and say is that for electronic health information, when you're covered by the rule, there's kind of a presumption that you must share, as long as the law permits you to share and any conditions are met that would permit that sharing, unless you've got one of the seven excuses that ONC has put out in regulation. So I do think providers are a little more accustomed to receiving a bunch of requests, so they're going to have to turn that presumption of "well, what's in it for me, and does it make sense for me to do it?" into having an active process for considering these requests. For health information exchanges and health information networks, I think this is a particular challenge, because most of them were built assuming a very narrow set of purposes for exchange, like "we will exchange data amongst our participants for treatment only," or "we will exchange data for treatment and maybe for payment." During COVID-19, many of them branched out into sharing with public health authorities, and many of them had to redo agreements in order to facilitate all of that. But they built trust with their participants by limiting the purposes for which they would share information.
Now I think they're in a position of being primarily responsible for responding to requests that are likely to come in for purposes beyond just those for which those previously negotiated agreements were covering. So that's a long-winded answer, but I think it's a huge challenge because it's a mindset change. Right.
Miliard: Yeah. It's a mindset change, and it's going to require a whole bunch of changes, from the clinicians' note taking, in some cases they might be more self-conscious about the kind of notes they're writing, down to the technical infrastructure they're going to have to have in place, obviously the APIs and FHIR and all that you're going to need to have for that.
McGraw: Well, actually, the info blocking rules do not require you to use a FHIR API to --
Miliard: I'm confusing it with the CMS rules.
McGraw: Yeah, that's a separate set of interoperability provisions. You're right, CMS, with respect to health plans under their purview, they have to adopt FHIR APIs, and certified EHR vendors have to adopt APIs for purposes of certification, but the info blocking rules do not require you to set up a FHIR infrastructure. You kind of have to use what you've got.
Comstock: But do they have provisions more generally around format? Because I know that when we think about patient complaints about information blocking, a lot of times it's not just that they wouldn't give me my records, it's that they gave them to me on a CD-ROM, and what am I going to do with that?
Miliard: Or they dragged their feet. We saw a big uptick in enforcement from OCR this past year of HIPAA right of access enforcement. And so if they were having that attitude and that appetite for enforcing, I think it should probably send a message that they're going to be serious about this as well going forward, once there is an enforcement mechanism in place.
McGraw: Absolutely. I think they are going to be serious about that. There's no doubt that the 21st Century Cures Act emphasized the right of patients to access their health information. And so I think that is going to be an enforcement priority once we actually have some enforcement in place. But the form and format issue is dealt with a little bit differently in the two different legal regimes. You're right, Mike, that when you think about the HIPAA right of access, the patient says, "I want it in this format, don't send this to me on a CD," and you get it in at least some digital format that's usable by the patient and that's readily reproducible by the entity.
And I think as more and more data starts flowing through APIs, that will become, for a lot of patients, the mechanism of choice in terms of how they get their records. For info blocking, there is this exception, the content and manner exception, where an entity can specify, "well, this is the form and format that I want my data in." And it only applies to electronic health information, so we're not dealing with an issue of getting things on paper; it has to have some sort of digital way of doing this. But then there is sort of a pecking order that you go down through: first, you're supposed to use the FHIR APIs if you have them available, right, and then second is some other standards-based method, and the third is basically a catch-all of whatever you can negotiate between each other in terms of how you get this data. And then there are different ways that you can charge, you can levy fees and licensing conditions around some of those options.
Now of course, if it's a patient accessing data, then there should be no fees, if the transmission is done in a way that requires no manual work on their part. So again, it kind of underscores one of the other challenges, which is that these requests are not going to be uniform, in terms of form and format, in terms of types of data and things of that nature. And so it really requires, I think, a lot of these entities to turn into much more sophisticated data purveyors, without any additional money for doing this.
Comstock: So does this create opportunities in the market for third parties that can come in and help do that?
McGraw: Absolutely. Absolutely, it does create market opportunities for third parties to come in and help do that. I mean, if you think about HIPAA, its right of access rule created a market opportunity for a set of vendors, known as release of information vendors, to come in and help all of these mostly larger entities, but not exclusively larger entities, comply with data requests. They're actually very well positioned to assist their clients in complying with the info blocking rules, as are, frankly, the health information exchanges and networks: even though they're also subject to these rules themselves, they're also in a great position to help their traditional participants, who they serve and who mostly provide the business model for them to stay afloat through service fees. There are opportunities there. And then of course tech companies like Ciitizen, and other interoperability solutions that exist in the marketplace, would be more than happy to help these entities, at least from a technical standpoint. I don't think that technically this is a lift. This is not a technical lift. The hard part is the wider opening of these doors, and the comfort level that entities are going to have to start to get with processing and dealing with requests that are going to come from non-traditional requesters for them.
Miliard: Deven, the last time I saw you in person, in the before times, was I think October 2019. We were in California, and we had a discussion on stage about the concept that you were exploring, on The Health Care Blog too, this idea of the Goldilocks dilemma: we want this data flowing around for better care and better outcomes, but as more and more of it is unlocked, that only increases the privacy risks as well. That's a concept you've been thinking about a lot. Are we any closer to solving this, or is the advent of these rules only going to make it that much more thorny in the near term?
McGraw: I don't know that we're closer to solving this. I think a lot of people have speculated that with Congress and the White House in the control of one political party, we might actually get progress on some national privacy legislation, in addition to some increased pressure from more states passing privacy laws, which is not welcomed by companies that have to operate nationally and would prefer to have one single national standard, even if that national standard is a strong one. It's just one standard versus 50 different ones. So there was a bill that was introduced by a Congresswoman that I saw was endorsed by the Chamber of Commerce. That's a pretty interesting development, because you've got a pro-business lobby, if not the pro-business lobby, essentially endorsing a Democratic bill on privacy.
So at any rate, there are big issues to resolve in that conversation. There's the issue of preemption: do you preempt the state laws? Obviously that's of great interest to companies, less desired by privacy advocates, particularly if the federal standard is too weak. And then there is how do you enforce these laws, and is there room for some form of private right of action, which is obviously opposed by the business lobby but desired by privacy advocates. And will those two interests be sort of played off against one another, right, where you get your preemption, but only if you get your private right of action, or some version of a private right of action? It doesn't have to be, you know, I think there are multiple ways to deal with that. But we really will not get any resolution on that until Congress acts, because there's no authority under HIPAA, there's no authority that ONC has. CMS has a few more authorities up its sleeve in terms of Medicare Conditions of Participation and things of that nature. But companies like Ciitizen, frankly, are not going to be covered by federal privacy laws. We're covered by California state privacy law, but if you're not in California, you won't be covered by that law. So it is not a great situation.
And we really do need federal privacy legislation. But I also think that some of what we're doing with having these information blocking rules go into effect, having more and more patients get access to their data and store their data in apps or services that they choose that are not covered by HIPAA, it creates increased pressure on Congress to act. I mean, I hope that's the case, because it's not going to serve as an obstacle. When we started, we had that debate, and we said, you know, we're not going to stop. We're not going to stop this because we haven't gotten our act together.
Comstock: And on the privacy side here, based on the existing state laws and what you've seen proposed in federal privacy legislation, do you expect that it will involve creating a kind of third category of data: HIPAA-covered health data, non-HIPAA-covered health data, and then regular data? Or is it just that anything that's not covered by HIPAA is going to be held to the same standards, whether it's health data or not? Does that make sense?
McGraw: Yeah, it totally makes sense, and actually that's a policy question that hasn't necessarily been resolved. I mean, you saw in the last Congress that there was at least one bill that was just about health data. And then they had to define what health data was, which --
Comstock: which is much harder than it seems.
McGraw: Very much so, Jonah, because if you think about social determinants of health, they don't look like health data on their face, and yet they can be very indicative of how healthy we are. Right? If you have my level of education, the ZIP code I live in, my age, and how much money I make, you can actually do a pretty darn good job of predicting whether or not I'm going to take a medication that's prescribed to me.
And so that's not health data, and yet it's very private, and when it's used for health-related purposes it becomes health data. So that's another way to define health data. But there could essentially be a particular approach for health, or, as I wrote in a paper about this recently with Ken Mandel from Boston Children's Hospital, health-relevant data, and then another approach altogether to deal with other personal data that isn't health relevant and is just your normal, everyday data about you.
Miliard: Speaking of HIPAA, as we have often in this conversation, there was a proposed rulemaking that came out this past December with some modifications to the Privacy Rule. They've extended the comment period, which was initially going to be I think in March, and they pushed that out till May. What are your thoughts on these potential changes? What do they mean, and is it enough, as this HIPAA law that's been around for 25 years kind of tries to adjust to the 21st century, with technology evolving by the day? What do these changes to the rule mean?
McGraw: There are a number of changes in this rule, and I'm excited about a number of them and less excited about others. I would not have called this proposed rulemaking a complete update to the rule to sort of modernize it for modern times, but they did include a lot of measures that are aimed at 21st century healthcare system realities. Lots and lots of proposed changes to the right of access: shortening the timeframe from 30 to 15 days; making it clear that certain actions by healthcare providers constitute burdens on individuals, and that can't happen; clarifying what that HITECH language meant when it said individuals have the right to have information sent from an electronic health record to another third party, and cannot be a way to facilitate transactions even between providers and payers if that's directed by the individual; and then clarifying that an individual can get their information sent to an app or service that they're using, and that's not really a third party, that's really the person acting on their own but just choosing to use a tool or a service to store and manage their data.
So that's a number of provisions there. And then they've got a recognition around minimum necessary: whether care coordination and care management, which is often done by health plans, is very similar to when it's done by providers for treatment purposes, so therefore we should not have minimum necessary apply there. And do we need to provide some clarity in the standards for data sharing with friends and family, or in emergency circumstances, so that health care providers have a greater level of comfort acting on their best judgment in terms of whether and when that data should be shared.
Those are some of the big ones. The elimination of the requirement to get the privacy notice acknowledged is something that I'm actually very much in favor of, because I think it's a lot of paperwork over substance. People very rarely read those things, and then when they do, and if they sign it, they think it's a consent form, which it's not. And it's a huge hassle to get it signed, so it's one of those little irritants that give HIPAA a bad name and don't really accomplish very much from a privacy perspective. So I think they've done a lot. Was there more that they could do? Probably, but rulemaking isn't easy.
And actually, what I hope is that this is the first of more of a cycle of regularly considering whether HIPAA is still serving both the public and its stakeholders in the right way, and tweaking it as necessary to bring it into the digital age. It's actually aged reasonably well, all things considered, but there definitely were some things to tweak. So again, I was pretty excited. I was probably the only person who was a little bit disappointed that the comment deadline got moved, because I was ready. But then when the deadline got moved, I kind of put my pen aside and said, oh, I don't really need to finish this by this week. But I'm close.
Miliard: As a writer I can relate. When that deadline gets moved, you take your foot off the gas and --
McGraw: Yeah, go do something else.
Comstock: Until you're just as close to the new deadline as you were to the old one when you stopped, right?
McGraw: Just about, but not quite. May 5th feels like a lifetime away at this point, but of course it's not; the month of April will go as quickly as all these other months. Sorry, I don't know about you all, but I can't believe we're already through the first quarter of the year.
Comstock: Yeah, absolutely. So we wanted to talk about just a couple of other things while we've got you. One is, speaking of early May, when President Biden says everyone in the country will be eligible for a vaccine shot, we've been talking a lot about the privacy implications of these ideas of vaccine credentialing and vaccine passports. It stands to reason that it would be good to have a way of tracking who is and isn't vaccinated, for a variety of public life reasons, not even public health. But obviously it's a little bit of a privacy minefield. So what have you noticed about that, or have you been thinking about it trend-wise, or any insights, especially as it relates to HIPAA?
McGraw: Yeah. So I think about these sorts of initiatives as very similar to immunization requirements for kids in schools, right, which have been around for a long time. Obviously different states have different exemptions for people who have medical reasons why they're not immunized, or sometimes religious reasons why their kids aren't immunized. But it's very much along a very similar trajectory, which is: these are public health diseases, right, where vaccination is an effective strategy for establishing, whether you call it herd immunity, or for reducing the risk of transmission.
We pursue those because that's what we do in the name of public health, and a lot of times that is some infringement on your rights as an individual to not do certain things, right. Same thing with: you can't smoke in a public place anymore, right, because when you smoke, you are exposing other people to a hazard. We're not going to let you drive over a certain speed limit on the road, even though you have a great car that can go faster and you're always in a hurry. Too bad, for public health reasons we're not going to let you do this. So there's a long list of public health initiatives that infringe on individual liberties to some degree, and they are permitted because there's a balance. And it's the same thing with these vaccine certificates. It gets harder, of course, depending on the context in which you're requiring people to show proof that they've been vaccinated, and what kinds of exceptions you are going to tolerate.
And the balance in this case is affected by just how transmissible this illness really is, which is very high, and especially with some of these variants that are coming out now that are turning out to be even more transmissible than the original COVID illness that we were dealing with. So that ratchets up the need for, at least when you're talking about congregate settings where there are lots of people and it's harder to maintain distance, you might have these requirements and expect them to be honored, with few or very few exceptions permitted, mostly due to medical grounds, to the extent that those are defensible. HIPAA isn't really involved here. And I see a lot on Twitter about people saying, "they asked me for a vaccine certificate at work, that's a violation of HIPAA." It's not a violation of HIPAA. Your employer actually isn't covered by HIPAA; they are to the extent that they're offering a health plan. But your health plan will know you're vaccinated, because they're going to get a bill for it, or they're going to get at least some record of it, even if they're not asked to pay for it.
But that's not supposed to come over into the employment sector. I mean, HIPAA doesn't immunize Krispy Kreme from giving vaccinated people donuts. It's amazing to me just how much misinformation there is about what HIPAA does and doesn't do. But in terms of these vaccine passports, it really plays a minor if any role, of course depending on the context. So these are more issues for employers, labor law issues, issues around discrimination based on persons with a disability.
More important, I think, is to what degree are we going to, as a society, acknowledge some of the vaccine hesitancy among certain communities that is due to years of very poor treatment and abuse of certain populations with respect to vaccines, which has made them mistrust these vaccines. Do we need to be quite careful that we're not creating a society where folks who have historical mistrust of vaccines are now precluded from enjoying different aspects of public life? That, I think, is a tougher set of questions than whether your employer can by law require you to be vaccinated, or whether a concert venue can by law require people to be vaccinated. It's a cultural issue too. Like, what are we going to do for people that want a vaccine but for whom it's been made very hard, because the mechanisms for getting vaccine, you know, it helps to have broadband access so you can schedule your appointment. I think those issues have to be considered too.
Comstock: Absolutely. Well, Mike, do you have any other questions you wanted to make sure we got to?
Miliard: Well, we are at the top of the hour, but I suppose we could ask what's been new with Ciitizen, what's been on your radar screen recently, and what projects have you got cooking over there?
McGraw: Yeah, so we're actually pretty excited about the information blocking rules, I will say. We're excited for a couple of reasons. Many people may not know this about Ciitizen: most people know that we're a platform that helps individuals get access to their health information, and we've been focusing a lot on individuals with cancer, getting their records, connecting them to clinical trials, connecting them to research opportunities, in addition to giving them information that they can use for their own care. We're also in some rare neurological conditions that mostly affect kids or young adults, and that's been really super exciting. So we're obviously eager to tap into additional sources for records, sources that might facilitate faster access to data than just having to go to the Health Information Management Department at each hospital to get it.
But we also acquired some assets from a company called Stella Technologies, which makes data quality software and gateway software for health information exchanges. So we're actually super engaged in these information blocking conversations, not just because we're excited about requesting data, but because we're actually excited about helping entities comply with the info blocking rules, so that we can get more of this data moving for the reasons for which it should move. And so it is a bit of a big focus. So April 5, we probably won't see the world change dramatically on that day, but it's kind of a red letter day for us, because we see it as the kickoff of the year of enormous change.
Comstock: I'm so glad we came back around to that, because it occurred to me at the beginning of the conversation, Mike asked about the challenges of the info blocking rule, but he didn't really ask about what's good about it, why we should be excited about it.
McGraw: So yeah, no, I mean, obviously, if you have to comply with it, it's probably not looking too exciting. It's looking scary, it's looking burdensome, it's looking like, how am I going to handle this? But when you're on the side of requesting information, all it looks like is opportunity. And I think there's going to come a time, and I hope that it will be relatively soon, that even those entities that are subject to the rule will see the opportunity in it, in terms of being able to serve new customers and to strengthen relationships with patients, because that opportunity is absolutely there.
Comstock: Awesome. For sure. But I think that about wraps us up, though; we're at the half hour mark. Thank you so much for joining us, Deven, it's really been a pleasure.
McGraw: Thank you for having me. I appreciate it.
Comstock: And any final thoughts advice for folks as the deadline approaches?
McGraw: Take it seriously. Right. I mean, a hammer is not going to fall on your head on that day, right, but if you haven't really been paying attention to this yet, you should start. Actually, I wouldn't wait till April 5, I'd start now.
Comstock: Well, thank you, Mike, as always, for your insights here, and obviously thank you to all of you, HIMSSCast listeners, for tuning in week after week. We really do appreciate the support. Please tell your friends, subscribe if you haven't, and until next time, stay healthy, stay safe.
[music]
What the new info blocking rules mean for you — with Deven McGraw
Episode description
HIMSSCast welcomes healthcare privacy expert Deven McGraw, currently Chief Regulatory Officer for Ciitizen, who previously served as Deputy Director, Health Information Privacy at OCR, as well as Acting Chief Privacy Officer at ONC, to discuss the forthcoming information blocking rules, the upcoming HIPAA overhaul, and more with host Jonah Comstock and Healthcare IT News Executive Editor Mike Miliard.
Talking points:
- Challenges of complying with the new info blocking rules
- How the new rules flip the script on data sharing
- Info blocking rules vs CMS rules on APIs
- Patient right of access and form and format requirements
- Market opportunities created by the new rules
- What could happen next with national privacy legislation?
- Defining health data for legislative purposes
- Looking at the upcoming updated HIPAA rules
- Privacy implications of vaccine credentialing
- Misconceptions about when HIPAA applies
- What Ciitizen is working on these days
- Deven’s parting advice on the info blocking rules
More about this episode:
Privacy protections to encourage use of health-relevant digital data in a learning health system (Deven's paper with Ken Mandel)
Ciitizen's website
HHS publishes final regs on info blocking, interoperability
HIMSSCast: How providers and payers should be preparing for new info blocking and patient access rules
ONC officials offer update on information blocking rules compliance
Info blocking compliance date nears: Legal experts offer toolkit to help
COVID-19 highlights the importance of ONC info blocking rules, says Rucker
Healthcare industry groups react to extended info blocking compliance timeline
HHS floats major changes to HIPAA Privacy Rule
HIMSSCast: HIPAA Privacy Rule proposed changes - What they mean and what to expect
Office of Civil Rights extends comment period on changes to HIPAA privacy rule
Three ways providers get HIPAA right of access wrong
How to solve the 'Goldilocks' dilemma of health data sharing?
Apple requires COVID-19 vaccine passport developers to work with public health authorities
