Privacy and Security, Regulatory and Health Industry
Why Compliance Is Not Enough to Achieve Interoperability
As far as buzzwords go in healthcare, there is none quite as popular as “interoperability”—the ability for one system to exchange and/or make use of information from another system. It is discussed, and clearly is a shared focus, across US healthcare regulatory agencies: the Office of the National Coordinator for Health IT (ONC) 21st Cures Act, which introduced the Trusted Exchange Framework and Common Agreement (TEFCA); the US Core Data for Interoperability (USCDI) standard; and, perhaps most notably, the Centers for Medicare and Medicaid Services (CMS) Information Blocking Final Rule, which includes requirements to facilitate the sharing of information both with members and with other relevant health plans.
But accomplishing true interoperability in healthcare is proving to be challenging, and monetary investment is lacking. While there are many factors that could ultimately be impacting the lack of investment, three stand out.
1. Balancing Patient Privacy and Interoperability
The most obvious reason organizations have been hesitant to share data with other organizations is federal and state privacy regulations such as HIPAA—and the lofty fines and penalties for a related breach—have disincentivized them from doing so. The ONC and CMS interoperability requirements not only require organizations to make technological changes but force them to change how they think about data sharing as a whole. Most notably, under the information blocking provisions, disclosures under HIPAA that used to be considered permissible—namely those related to treatment, payment and/or operations—are now essentially required, barring some exceptions.
To make matters more complicated, while these new regulations incentivize and encourage organizations to focus on the exchange and accessibility of data, HIPAA and other existing privacy laws have not been amended to reflect these changing attitudes. In addition to day-to-day operations, organizations are now further tasked with the challenge of balancing patient privacy with interoperability requirements. Changing the internal decision-making processes and guiding principles around sharing personal health information (PHI) and other sensitive data requires a concerted effort and is not something that can be outsourced to a third-party vendor. This lack of regulatory guidance from a privacy perspective, coupled with resourcing constraints due to other regulations and the COVID-19 pandemic, have led to these efforts being heavily deprioritized across the industry.
2. Emphasis on Data Exchange Rather than Data Utility
The second reason many healthcare organizations have not truly prioritized interoperability beyond checking the mandatory compliance box is the current regulatory requirements are heavily focused on the “exchange,” as opposed to the “make use of,” component of the definition of interoperability.
The regulations have made strides in defining exchange methodologies, content requirements, and standardized formats in which data is made available, but data quality requirements and standards remain wanting. Simply ingesting data from other organizations, without the ability to make use of that data, offers little value for the organization—and provides little incentive.
Exchange functionality and technology have rapidly improved over the years, but there is still a technological gap when it comes to making that data functional. To ensure that the data is of a sufficient quality, an organization would have to improve the accuracy and completeness of the data it maintains and inputs, as well as create and maintain certain processes and procedures to ensure ongoing consistency in the input of such data. If organizations truly invest in making their data available and accessible to others, especially using an industry-recognized standard, such as Fast Healthcare Interoperability Resources (FHIR), the quality and completeness of the data will begin to improve naturally, as data from disparate sources can be stored and aggregated by organizations in not only a singular format, but in a singular location.
Without that investment in technology—much like balancing patient privacy and interoperability—a substantial adjustment to the day-to-day operations of the organization would be required, as well as an exorbitant amount of resources and effort. To incentivize organizations to invest in interoperability, the benefit to the organization must be significant. This would necessitate that the new data is both technically interoperable as well as complete and of a sufficient quality to fulfill the purpose.
3. The Lack of Industry Inertia
The last, and perhaps the most impactful, reason interoperability efforts have been deprioritized is because systemically, they long have been. The US healthcare system is fundamentally caught in a vicious cycle in which manual, resource-draining, and expensive workflows and processes continue to force healthcare organizations to deprioritize the very efforts designed to improve those workflows. Given lack of funding and human resources, many organizations focus on the immediate risks to their bottom lines, like the threat of fees and penalties for noncompliance, because they can’t invest the time and money to automate and improve the workflows that could fundamentally change not only their day-to-day operations, but the industry as a whole.
An example is the way organizations have addressed the patient access requirements that are part of the CMS interoperability regulations. The patient access rule requires federally funded health plans to make certain patient information available to member-selected third-party applications via a FHIR application programming interface (API).
The overarching goal of this regulation was to empower members to make better, more informed healthcare decisions by giving them access to their data. Many federally funded health plans have prioritized looking for vendors, systems, and tools that functionally and technically meet the requirements of the regulations to avoid losing their reimbursement eligibility.
However, experience working with those organizations demonstrates that few have spent time or resources incentivizing or educating their members on how to take advantage of the patient data access regulations. While many organizations have successfully secured a solution to ensure compliance if audited, it seems unlikely that many members will benefit from the plan’s compliance in the way the regulation intends.
Interoperability Is the Means, Not the End
While these regulations have provided some incentive to invest in interoperability, it is fundamentally important to remember that interoperability is not the end; it is the means. In the language of both the ONC and CMS regulations, and the related comments, it is clear that these organizations are striving for a universe where data is not only readily available, but utilized, so that individuals are empowered to make more informed healthcare decisions; healthcare professionals and organizations can provide better healthcare services; and health plans have sufficient data to proactively reduce the cost of those services across their various member populations.
Unlike many other public services, healthcare is not a one-size-fits-all model; it’s personal. When more data is available, can be accessed, and used efficiently and effectively, providers can better understand the medical history and needs of the patient to provide more tailored care and service, which, in turn, reduces expenditures for unnecessary services, materially reducing the cost of care.
This is the true end goal: cost-effective and efficacious healthcare driven by informed decisions. However, to achieve the goals outlined in the interoperability regulations, the healthcare industry needs more than compliance; it needs a revolution. Thomas Jefferson once said, “Every generation needs a new revolution.” I think, in healthcare, we have found ours.
Eden Avraham-Katz is general counsel for 1upHealth.
Learn about the positions AHIMA takes from a policy perspective to benefit patients, communities, clinicians, and other stakeholders through health information access, integrity, and connection here.