Healthcare has been waiting with bated breath for the Office of the National Coordinator’s rule on information blocking, as part of the 21st Century Cures Act. As the former ONC Privacy Officer, Lucia Savage worked closely on that rule during her tenure.
I sat down with Savage after Academy Health’s inaugural Health Data Policy and Strategy Organization meeting in Washington, D.C. Savage, who is now Omada Health’s Chief Privacy and Regulatory Officer shared her insights on the state of the industry when it comes to data sharing and policy.
We also discussed interoperability hurdles, the promise of open APIs, exactly who should own patient data and her take on the best way to really move healthcare forward.
Are any closer to achieving interoperability?
“I don’t know,” said Savage. “I can tell you in the run up to Cures, I had numerous conversations on the Hill where people would say, can you imagine a world in which your iPhone can’t call your Android phone? We can’t imagine that world.”
“Some of us are old enough to remember when, if you worked on a PC, it wouldn’t translate to a Mac,” she continued. “But they figured that out because business needed it.”
To Savage, it seems like the industry feels pressured to quickly get things done, as HITECH was passed 9 years ago. And perhaps with unlimited time, we could “start teasing apart what are the true issues.”
For example, during her ONC tenure, Savage said her team attempted to tackle whether or not HIPAA was, in fact, a barrier to exchange.
“You saw us produce a lot of information, in conjunction with the Office of Civil Rights, to basically underscore, highlight, put in flashing lights: No, it’s not a HIPAA problem,” Savage said. “So maybe we’ve started to solve that.”
“Hopefully Cures and [the info blocking] rule that’s coming … maybe there’s something in there that will tackle another domain,” she added.
To Savage, there are issues that have yet to be discovered in terms of getting to perfect interoperability, which could be as simple as a lack of broadband or providers who don’t use electronic billing.
State and federal hurdles
But part of those issues -- and Savage’s concerns -- stem from the complicated environment between state and federal laws. While the continued conversations around data sharing and privacy give her hope -- there’s still a lot of work to get the industry where it needs to be.
It’s a complicated environment, “for innovators in particular,” as there are 56 territories, which come with 56 different laws on disclosure, security and breach notifications that create a “real challenge for planning,” she explained.
“Because it means you have to figure out how you standardize or not, or how do you modify it,” Savage said. “And it definitely puts a bit of a chilling effect on innovation. And I can only imagine for a really big business -- how much resources are spent mastering it?”
“When the policy goals are all the same, it’s just the details in how those goals are achieved that vary,” she continued. “And I think that’s a very important for us to have as a country, whether we’re thinking about collection of data, about data outside of healthcare.”
Prescription drug monitoring programs highlight the issues of disjointed laws. Although they can technically interoperate to some degree, Savage explained that each state has its own rules and requirements for providers who use them and even how the data is tabbed.
It’s going to take some hard political conversations to move the needle, she explained. But the trouble is that politicians aren’t as good as they used to be 40 years ago at “reaching compromises, so that we flesh out the issues, and we decide which of the ones we can agree on and move toward one.”
Could open APIs move the needle?
“There are days where I’m super optimistic. And days where I’m super cynical,” she said. “When I participate in a really high-level discussion like we’re having here today, and then go to my doctor’s office and I can’t get my two portals to combine because of system configuration?”
Will the info blocking rule solve the problem?
“I don’t know. I think the million dollars that’s for the software developers is potentially a really big stick,” Savage said. “But I’ve also seen some feedback on Twitter from developers who are not the mega EHR company, but the little guy, working on something new in his spare time, who’s like, ‘Oh, I’m never going to go near healthcare because I don’t want to bear a $1 million fine.’”
“So we have to strike a balance between de-incenting and not having those incentives squash innovation,” she added.
Is there a monetary reason to share data?
“Yes and no: We’ve spent almost $40 billion on the Meaningful Use program and HITECH incentives, plus, that didn’t even account for star ratings and all the benefits that go to the plans who publish results from acquired data,” she said.
“A lot of taxpayer money has been spent to get people to share, measure and be transparent,” she added. “And I don’t know when enough is enough…. What Cures was saying is, ‘We’re done with incenting you positively and now we’re going to put some sticks into play and see what happens.’”
Who owns the data?
There are many issues when it comes to data sharing, including contractual data blocking by vendors. It’s understudied, but Savage explained that it’s likely more prevalent than imagined. Health data is like “intellectual oil” powering an “idea economy.”
“So the person who has the data feels like they have something special. And there are a lot of pieces on how that gets played out,” she said. For example, an EHR vendor may take a blood sugar reading and how they display it is their intellectual property.
“But what your blood sugar was, is what your blood sugar was: It’s just PHI,” she continued. “We don’t have very refined rules for separating those things out. … People are sort of asserting a property or proprietary interest over data that comes from the natural process of being a human being.”
Another issue is the way ideas and inventions interact within healthcare, such as a device. Savage explained devices aren’t necessarily covered by HIPAA, so the manufacturer isn’t directly subject to those rules that “let you get your own data.”
Only once the data has flowed into the EHR can the patient get it, she explained. “But the device manufacturer just is collecting data and analyzing it on their servers. And it literally is physically and legally their property.”
“And so we end up having these very detailed rules about who’s got what property and the overall good to society may not be in the forefront those actors’ minds or the two parties may not have leverage to change those rules,” said Savage.
So just how do we move the needle?
At the end of the day, leaders need to ask what they’re teaching their staff about data sharing, as those policies can become a massive roadblock.
In Savage’s own life, just the very act of attempting to obtain the notes from a doctor’s appointment to send to the insurance company proved trying. While the insurance company was willing to take the notes in any format, Savage’s doctor wouldn’t send them by request or paste them into a patient portal.
“We have these highfalutin rules,” she continued. “But what’s happening at the registration desk? What’s happening in the billing office? What’s happening in the office that actually handles the manila folder, or actual X-ray films? Are we, as people who are leaders in our institutions, walking the walk or talking the talk?”
Compared to her role at Omada, where patients have direct access and control over with whom they share the data, “letting them do what they want with the information themselves,” she explained.
“I think the biggest gap is connecting what the policy goals are to what’s happening on an implemented basis within the institutions,” Savage said. “If it’s a responsibility that lays squarely with the EHR vendor, let’s lay it there. If it’s a responsibility that lies squarely with the policies and procedures that an institution has put in place or the capital decisions they’ve made, let’s lay it there.”
“If it lays squarely at the feet of the legislature, let’s put it there. But let’s put the problems in the right place, so we can solve them in the right way,” she added. “Make sure that the problem is placed in the right part of the system before you come up with a solution. Don’t misdiagnose the problem.”