The University of Colorado’s Silicon Flatirons Center for Law, Technology and Entrepreneurship on April 6 hosted a “mid-stream” update on the 21st Century Cures Act. Congress signed the Cures Act into law in 2016. The act was created to institute a national health information network that can be used for health data exchanges and to improve and regulate the operation, quality and use of electronic health records nationwide. The act also promotes the use of application programming interfaces and related devices so patients, in addition to providers, are able to use EHRs.
The $6.3 billion law covers a range of activities, from cancer research funding to battling the opioid epidemic. The FDA received substantial support in the act, which includes advancing telehealth services and promoting increased use of electronic health records.
“The vision is a learning health system where individuals are at the center of their care; where providers have a seamless ability to securely access and use health information from different sources,” the Office of the National Coordinator for Health Information Technology said. The system will allow a person’s health records and information to be shared between different sources across the nation, which provides a “longitudinal picture of their health, not just episodes of care.”
The act is regulated at two levels, the “micro level” and a “macro level,” Craig Konnoth, associate professor at the University of Colorado Law School and director of the Health Data and Technology Initiative said. The macro level requires the U.S. Department for Health and Human Services (HHS) to engage in developing a national health information network. “It is along this national superhighway that patient information can hopefully travel no matter the source and destination,” he said.
Over the past year, the HHS developed a “trusted exchange framework and common agreement,” TEFCA for short, which will provide the framework and rules for this nationwide network, Konnoth said.
The agreement looks to create a baseline of technical and legal requirements for sharing electronic health information nationally across disparate networks, the HHS said. These include high-level goals of providing a single “on-ramp” to nationwide connectivity, ensuring electronic information securely follows patients and support for nationwide scalability of network connectivity.
However, Konnoth noted that the program is still voluntary for health organizations to join. Now, the act faces challenges such as attracting organizations to join the voluntary program and taking time to craft rules.
In order for the Cures Act to work, a nationwide framework must be built and implemented. Elise Anthony, executive director of the Office of Policy at the Office of the National Coordinator for Health Information Technology (ONC), said the act requires a network-to-network exchange, and progress is not been where it should be, according to Anthony.
Anthony said one of the main challenges thus far has been building that voluntary system where health organizations trust one another. In some situations, information can move simply and quickly. However, in some instances, such as if one organization has concerns about another’s security, the information does not flow, and the information does not reach patients and providers.
Bill Howard, principal at Audacious Inquiry, said many different organizations are sharing information around the country, and “a lot of the exchange is built on trust.” The way in which the trust is built between organizations is in constraining the number of participants involved in those information shares, he said. In this sense, a small group of organizations have access to the information, which in turn helps with privacy and security and mitigates risks. He added that in the current framework, a large part of that will need to be expanded.
One of the other challenges currently, in Howard’s opinion, is that it is hard to see exactly what “carrots and sticks are going to be require[d] to get this prioritized at the right level.” Some other challenges include incentives to join TEFCA and financial risks of joining the program across the nation.
Annie Harrington, the chief legal officer at the Colorado Regional Health Information Organization, said many on her teams were working on what the implications of TEFCA might be for health information exchanges. Harrington said there are currently 7.3 million individuals whose information has flowed through health information exchanges in Colorado.
She added that 77 hospitals were in her group, of which 66 submitted data, and 6,600 providers sign in to the program. She said it would be burdensome to amend hundreds or thousands of participation agreements to come into compliance with TEFCA.
She also felt that from looking at the voluntary nature of TEFCA, and how to incentivize health care organizations, it was clear that participation was critical.
She wondered how one could balance the desire to have information access wherever needed with the “business realities that there’s nothing in particular that we have seen to date that would incentivize individuals to build the infrastructure that would be required to participate.”
Konnoth added that TEFCA’s goal is a nationwide information sharing health network, however, the program is voluntary. In a draft, a “safe harbor” provision was included.
In that provision, there was a proposal that individuals would be limited or exempted from information blocking claims if they joined TEFCA, and in the final rule “we don’t even have that.”
Anthony said in the proposed rule, a request for comment was included and received over 2,000 comment submissions. ONC is focused on creating a network in which organizations can fit into other levels of a separate framework.
In order to comfort all the possible members of this national health information exchange infrastructure, a very broad baseline of privacy and security must be reached, Harrington said. This came after many comments and reviews by ONC. As a result of this, every organization must be held accountable to robust baseline requirements.
This sort of concept should be familiar to the creation of HIEs, based on privacy law and rely on the “trust community” which highlights the reliability, truth, consistency and confidence in how data is exchanged, she added. To establish this sort of process for the nationwide program would require contractual agreements, which had been successful in other contexts.
Harrington hoped to see more clarity on whether the baseline requirements were in line with HIPPA and a little more explanation for users, such as tech companies and app developers “who aren’t used to participating usually in the HIPPA environments.”
— Avery Martinez