Health Information Sharing Is More Critical Than Ever in the Wake of COVID-19

Delivery System Reform Population Health Telehealth COVID-19

On March 9, the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS) released long-awaited final regulations aimed at enabling more widespread sharing of health information by health care providers and health plans to improve treatment, care coordination, public health, and more. Both rules also emphasized sharing health information with patients.

Just four days later, President Trump announced a national state of emergency in response to the COVID-19 pandemic. Discussions about the rules quickly took a back seat to news of the rapid spread of COVID-19 in the United States. Health care providers and plans urged ONC and CMS to delay the effective date of the rules, and last week both agencies extended the compliance deadlines. But ensuring the flow of health information is critical to meeting the challenges of COVID-19—for example, by facilitating telehealth and reporting of data related to the pandemic—so there should be no further delays in implementing these rules.

New Federal Rules Require Information Sharing

ONC first proposed its rules in February 2019 in response to mandates established by Congress in the 21st Century Cures Act, enacted in December 2016, to prohibit practices that were likely to “interfere with, prevent, or materially discourage” the exchange of electronic health information. ONC’s rules clarify the definition of “information blocking” and specify actions that might impede health information exchange but are not “information blocking,” such as refusing to share information when the patient declines to consent to such sharing. ONC’s rules also make information sharing easier for providers by requiring that certified electronic health records (EHRs) enable health data exchange among providers and with patients through open, standard application programming interfaces (APIs).

CMS used its existing legal authorities to similarly require information sharing by health plans with patients using the same open, standard APIs. CMS’s rule also requires hospitals to send alerts to physicians when patients are admitted to or discharged from a hospital.

ONC gave entities covered by its certification rules an additional three months to get into compliance or risk an enforcement action. Specifically, the rules establishing new API EHR certification requirements will be enforced in two years—plus an additional three months—after official publication of the regulations in the Federal Register on May 1. ONC’s “information blocking” standards will go into effect six months after May 1 (projected to be November 2, 2020); however, those rules will not be enforced with penalties until some after newly proposed rules on penalties (issued by the HHS Office of the Inspector General) are finalized. CMS rules requiring patient access to health plan data through APIs will be enforced starting July 1, 2021 (an additional six months beyond the initial effective date); new rules requiring hospitals to send alerts to physicians will go into effect on May 1, 2021 (an initial 12 months beyond the initial effective date).

A short delay to allow health providers, particularly hospitals, to get into compliance with these new rules arguably was needed in many areas of the country to focus resources on fighting the epidemic and keeping people alive. In a recent survey of hospitals, the Department of Health and Human Services’ (HHS) Office of the Inspector General found that top concerns were procuring personal protective equipment, medical equipment, and supplies; dealing with staffing shortages; managing facility capacity; and financial worries. No doubt, these are urgent needs requiring immediate attention.

However, it makes sense for these delays to be short and for ONC and CMS to maintain these new deadlines even in the face of likely future pressure to push them back further. Information sharing has always been critical to patient care and to public health—and the lack of such sharing is handicapping our response to the pandemic. According to one 2019 report, less than 50% of nonfederal, acute care hospitals could send, receive, query, and integrate patient health information. Less than 25% consistently used health information from other providers while treating patients.

COVID-19 Reporting and Telemedicine Require Robust Information Sharing

Effectively meeting the challenges posed by COVID-19 will require the kind of robust information sharing that the rules were intended to facilitate. For example, ONC’s requirements for open, standard APIs will help facilitate the use and sharing of information among providers and to meet public health reporting needs. Without a technical infrastructure in place to enable rapid collection and sharing of digital data, we are scrambling to gather the information needed to respond to and get ahead of the pandemic.

On March 29, the Administration sent a letter to all US hospitals requesting submission of daily reports to the Centers for Disease Control and Prevention on COVID-19 test results. These daily reports require hospitals to enter data onto an excel spreadsheet and e-mail it to federal authorities. Despite these efforts, US health authorities still don’t know how many people are in the hospital with COVID-19, given inconsistent reporting. The White House is turning to tech companies to provide data to help fight the pandemic, including data on health care system response to COVID-19.

The new rules will also help health providers effectively deliver care virtually. Individuals without severe symptoms of COVID-19 have been encouraged—and in some cases required—to rely on “virtual visits” or other tools of telemedicine for care. To promote greater use of telemedicine, CMS has relaxed reimbursement rules to enable payment for virtual visits, at least during the duration of the COVID-19 national emergency. Further, the HHS Office for Civil Rights, which enforces the Health Insurance Portability and Accountability ACT (HIPAA), released guidance to enable providers to use readily available telecommunications tools that today might not be fully compliant with HIPAA’s Security Rule. Likewise The Food and Drug Administration is encouraging sponsors of clinical trials, where possible, to conduct clinical trials virtually.

All of these measures are designed to enable patients to continue to receive care or obtain lifesaving treatments safely at home, yet none of them are possible without access to information. Patients need access to their data to ensure that a virtual visit with a new provider is informed by a complete picture of the patient’s health information. Patients seeking access to virtual clinical trials will need their data to determine if they are eligible for the trial.

The United States has spent billions of taxpayer dollars on a digital health infrastructure that facilitates better care for individuals and populations. The slow pace of achieving the interoperability of digital health data left us underprepared to effectively respond to the pandemic. Putting the interoperability rules into effect should be part of the national response to COVID-19. Further delays in implementing them undermine our efforts to meet the needs of patients and respond to COVID-19—and be better prepared for the next public health emergency.

Deven McGraw is the Chief Regulatory Officer for Ciitizen, a health technology start-up.  Previously she served as Deputy Director, Health Information Privacy at the HHS Office for Civil Rights and Chief Privacy Officer (Acting) of the Office of the National Coordinator for Health IT.