Patient-centeredness is about to finally move from the domains of aspirational user experience and marketing buzz into reality because of the 21st Century Cures Act Final Rule (“21CCA”). The 21CCA does a few important things, including:
- The rule is designed to give patients and their healthcare providers secure access to health information.
- The rule includes a provision that patients can electronically access all their electronic health information (EHI) at no cost.
- The rule implements information blocking provisions designed to prevent organizations from interfering with a patient’s ability to access, exchange, or use their EHI.
While the past 25 years of healthcare interoperability have been largely driven by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the next few decades will become a reflection of the 21CCA. While HIPAA mandated portability of protected health information, as long as individuals lacked the ability to practically take their health information with them (there weren’t smartphones or data plans in 1996), organizations needed to store and share patient information between them on an individual’s behalf. But true portability is possible in the modern era, and the 21CCA supports the idea of a patient’s ability to store and control their own health information.
A few months ago, while sharing this new pattern of patient-intermediated information exchange with a colleague, he replied, “you can’t do that because of HIPAA” and I realized how important it was to get to the bottom of that particular objection.
So, we dug in. We worked with industry leading legal experts on HIPAA, consulted with regulatory and compliance leaders, and confirmed that HIPAA is not implicated in patient centered information exchange . We are working on publishing a more thorough description of our findings and how the Lumedic software provides a patient-intermediated information exchange without violating HIPAA rules, but the short story is this (and it’s ridiculously simple): HIPAA provides guidance for information exchange between organizations, usually classified as either Covered Entities (ie. a payer or provider), Business Associates (ie. firms working on behalf of Covered Entities), or Clearinghouses. HIPAA is not implicated when exchanging information with an individual to whom that information pertains. An individual’s personal health information is not considered “protected health information” (PHI) when the individual is controlling it. This means that you and I can request, obtain, store, and share our health information without causing Covered Entities or Business Associates to violate HIPAA.
This is a very exciting time. With the passage of the 21CCA, we are finally able to deliver patient-centricity in a literal way, which has the potential to reduce administrative complexity and cost while improving an individual’s access to, and control of, their own healthcare information. And in a country where we waste hundreds of billions of dollars per year in healthcare administration, and still confuse and frustrate patients, it’s a good time for a change.