This article is published in sponsorship with Ciox.

By Jonathan Arkin, Ciox SVP and Elizabeth Delahoussaye, Ciox Chief Privacy Officer

Digital transformation may finally be here for health information management (HIM) and release of information (ROI). Will it be a revolution or an evolution?

Questions about the electronic health record (EHR) and the role it will play in automating ROI have been asked since the early 1990s. Today, we have a mature EHR marketplace with Meaningful Use, and the future of ROI is just starting to take shape.

This future is shepherded ahead by the 21st Century Cures Act and subsequent regulation supporting its implementation. We should all be excited about the future of healthcare interoperability and the possibilities to improve patient care. We seem to be on the precipice of a tremendous opportunity to change healthcare for the greater good.

But let’s face it – release of information (ROI) has already seen massive changes with Patient Right of Access and the introduction of state privacy rules such as CCPA. And while interoperability has been a topic of active discussion since the proliferation of the EHR, the publication of the ONC and CMS Final Rules may signal a revolution in ROI as we know it. Or perhaps they are simply another step in the evolution of health information management (HIM)?

Is the industry ready for November 2?

A CHIME survey found that 70 percent of CIOs and digital health executives are concerned about meeting the November 2 information blocking effective date. Additionally, 7 percent said that they hadn’t had time to learn about the deadlines because they were devoting their attention to the COVID 19 pandemic.

Providing patients’ access to their healthcare data is a shared goal throughout the healthcare industry; however, the new interoperability rules present their fair share of mindset and operational challenges. Practices that have traditionally developed to help protect patient privacy and prevent unauthorized access could now also be considered information blocking. Application programming interfaces (APIs) empower patients to freely access their data and may also unintentionally create a new market for healthcare data that could attract unscrupulous actors.

The ROI marketplace is no longer defined only by the traditional outsourcing services or the in-house option. There are numerous disruptors popping up with visions of APIs harvesting patient data from any health system or physician office in seconds, all in the name of and interest of “THE PATIENT.” In addition, Apple, Google and Amazon are busy planting their stakes in the budding new consumer data marketplace – healthcare data.

Amidst this new maze of rules, enforcement and innovations confronting the healthcare provider, one issue has not changed – the healthcare provider continues to be legally responsible for protecting personal health information (PHI). In this case, like many others, technology can be a double-edged sword. On one hand, opening access to the patient to control his/her medical information is the panacea we have always wanted. However, on the other hand, you don’t have to be a conspiracy theorist to identify serious privacy concerns, especially as a

provider. After all, the health system still carries the liability and, in fact, that liability has expanded from protecting patient privacy to also not information blocking.

As an HIM leader, it is critical to take an active role in engaging with Compliance and IT to design the right system and processes for a digitally transformed HIM and ROI world. Don’t get left out of the exciting opportunities created by digital transformation or leave your patients to fend for themselves. HIM leaders should be working cross-functionally to ensure full compliance with HIPAA and interoperability. New systems and processes must be able to account for the expected rise in API calls for patient information. Additionally, you should become very familiar with the 21st Century Cures Act and how it potentially impacts ROI. While the patient is and should be entitled to access of his/her medical information, the addition and increased frequency of third parties in accessing patient data should be considered carefully. Questions to consider include the following:

Collaboration in Design

  • Does your health system have a committee with active members from Compliance, HIM, IT and other administrative departments focused on how your organization will plan and execute around the new interoperability rules?
  • Does your health system have a trusted vetting process for the spectrum of API venders you can expect to approach you?
  • Are you teaming up with your ROI vendor as a critical partner to ensure privacy and security around medical information released by your system?

Refinements in Processes

  • Do you have a dependable system that fully captures all disclosures of personal information across relevant systems for potential liability protection?
  • What validation process will be in place to ensure that the patient is the actual individual requesting the information (e.g., unique patient identifiers)?
  • Are you ensuring that only minimum necessary standards are being applied to information released in cases where such rules apply?
  • When information is being transferred from one entity to the next, are you sure that the most up-to-date information is being transferred (i.e., is outside documentation that was utilized in the care of the patient relevant and/or up to date)?

Patients at the Center

  • How are you helping patients understand their health data rights and the limitations when third parties that are not subject to HIPAA are involved?
  • How are you ensuring that the patient has power over their data? (e.g., can the patient tailor the type of information that is shared with the type of requestor)

There is much good to likely emerge from this new legislation, but HIM professionals must be highly alert to this advanced, evolving marketplace. It’s up to HIM professionals and their partners to do our part to ensure a successful launch and execution of the interoperability rules. It’s reasonable to be measured and thoughtful as we move forward on this new ground and view this as an evolution rather than a revolution. We are all in this together as partners for a better healthcare system. Failure is not as option!


Ciox Health, a leading health technology company, is improving patient health by transforming clinical data into actionable insights. Combined with an unmatched network offering ubiquitous access to healthcare data, Ciox’s expertise, relationships, technology and scale make a difference for healthcare stakeholders and empower greater health for patients. To learn more: www.cioxhealth.com.