In the world of healthcare policy, it doesn’t rain – it pours. Such was the case last week, when HHS released the long-awaiting proposed rule on data blocking (packaged in a monster, a 724-page document), and CMS issued its own rule. This came less than two months after the Office of the Civil Rights published a request for information on HIPAA, to which CHIME recently sent a response.
And as if that’s not enough, it happened during the HIMSS annual conference.
It was enough to have most organizations spinning its wheels; but for CHIME’s Policy Team, it was par for the course, according to Mari Savickis, who has served as VP of Federal Affairs since 2015. During HIMSS19, healthsystemCIO had the opportunity to speak with Savickis about where CHIME stands on these recent developments, how they will affect CIOs and other leaders, and what she hopes to see going forward.
Gamble: The HHS proposed is, literally, hot off the press, and so I realize you haven’t had time to review all of it, but what are your initial thoughts?
Savickis: As you can see, there’s a lot to unpack here. Our initial reaction is that it’s really nice to see it includes a request for information (RFI) on patient matching. That’s really promising. And really, it’s the result of years of advocacy, mostly by [Leslie Krigstein, CHIME’s VP of Congressional Affairs] to try to deconstruct the ban that has been in place.
As you can imagine, undoing that piece has not been easy. But through her efforts, Leslie has been able to successfully get language into the appropriations bill around the government working with the industry to fix the patient matching issue. That’s so important. At CHIME, it’s been our battle cry for years. One of the biggest pain points for providers has been the inability to be able to match patients, so it’s really refreshing to see that.
There’s also an RFI around long-term post-acute care (LTPAC). We’re so pleased that the government understands the importance of connecting the dots between the acute care and post-acute, long-term care settings. We fail to understand how you’ll achieve value without enabling data exchange across the care continuum – not just between doctors and hospitals.
Those two things were very encouraging to see.
There’s also a lot of focus on health plans. The administration is putting a premium on the role of the payer, going beyond Medicare. We knew it was coming — [CMS Administrator] Seema Verma hinted last August that something was coming with payers, and so we’re going to pull every policy lever. I think they want to go even further, but we’ve learned that if you go too far, you run that risk that it will be too much to digest all at once. We’ve been down that road before.
But we’ll go through all of this with a fine-toothed comb. We’ll put together a work group and create a response, like we always do.
Gamble: Let’s talk about HIPAA. The OCR published a “Request for Information on Modifying HIPAA Rules to Improve Coordinated Care” late last year. What was CHIME’s take on that?
Savickis: Sure. This is all part of a regulatory sprint toward care coordination — it’s all synchronized. What happens if you can’t share information or if you have policy barriers in the way around sensitive health information? How is that going to work around data blocking? There’s a lot to unpack here. There are questions around accounting for disclosures, notice of privacy practices, hybrid entities, cloud providers, and breaches.
And I have to say, reopening HIPAA is a big deal. It was a 20-page RFI with more than 50 questions — with subsets to many of those questions, and we answered a fair amount of them in our response. And obviously, we’re looking at everything from a lens of security and protecting patient data. We’ve put a premium on that.
One thing we were really glad to see was that they asked what else can be done to relieve the regulatory burden. We identified a few things that we’ve been mulling over, one of which is the punitive way in which providers are treated with respect to breaches, so we suggested some changes around how that’s defined. We’d like to see more flexibility and discretion around enforcement. There has to less criminalization with providers. We’re also asking for some changes around cloud computing and hybrid entities, who are having trouble sharing data internally.
There’s just so much. Unpacking HIPAA is a big deal. Somehow it got lost in the shuffle — it came out in late December, so between the holidays and the government shutdown, it didn’t get the attention it deserved, but it’s been a big focus for us. We need to pay attention to it.
Gamble: Going back to HHS’ proposed rule, I’m sure that with anything involving interoperability and data blocking, you want to be able to provide answers as soon as possible.
Savickis: Absolutely. People were chomping at the bit. Our members are already attesting that they’re not blocking data, so we have to package that and figure out what it means. We’re already going forward without a full understanding of what the government means by that, and so we’ll go through this with a fine-toothed comb.
One thing that came up a lot in HHS’ proposed rule are APIs. All you have to do is pick up the trade press, or even the NY Times, to read about the weakness of security built into APIs. But to discount them outright isn’t the right answer. And so, while I haven’t had a chance to go through all of it, I do see mentions of cybersecurity issues, which is in no small part due to our members consistently weighing in. The first step is to acknowledge there’s a problem, and we’re encouraged to see that being acknowledged.
Gamble: Sure. Now, as part of the rule, providers and health plans would be required to implement open data-sharing technologies. What are you hearing on that?
Savickis: Again, these are proposed rules. Some of it builds on statements that have been made by the administration, some formally through requests for information. For instance, every payment rule that came out of CMS last year, starting with the IPPS, had an RFI around interoperability. And they got some pushback; we didn’t support putting in requirements around the conditions for participation that would mandate certain things like interoperability. You need to solve some of the root cause issues like patient identity standards. You’re not going to achieve interoperability just by telling a hospital they have to do something, when they’re already trying to do it, but are struggling for reasons that are, in some cases, outside of their control. We’ll deconstruct all of that.
Gamble: You mentioned long-term post-acute care. I can imagine it was validating to see that included.
Savickis: We’re part of a LTPAC collaborative, and so we were delighted to see that.
There’s a comment early on in the document acknowledged LTPAC that really stood out: ‘We believe patients should have the ability to move from health plan to health plan and provider to provider and have their clinical and administrative information travel with them throughout their journey. When a patient receives care from a new provider, a complete record of their information should be readily available to that provider, regardless of where care was previously provided. When a patient is discharged from a hospital to a post-acute setting, there’s no question as to how, when, or where their data will be exchanged.’
I think the challenge with post-acute care is that the policy levers that were put into place for Meaningful Use didn’t include this setting, so they were pushing the industry to exchange data within a certain segment. It marginalized an entire sector — one that makes up a substantial portion of the Medicare spend. For the most part, patients aren’t in the hospital for an extended period of time. They get treated, and then they go home, or to skilled nursing facilities. There’s a whole care continuum that needs to be considered with rules and regulations.
But it’s really great to see this. We’ve been talking about it for years, so to finally see it is encouraging.
They’re trying to be more systematic in terms of how they address it. We sent a letter to CMS last year laying out a series of steps. We believe there needs to be an agreed-upon set of data. And it may differ by LTPAC setting; for instance, home health may be different from SNF. But it needs to be systemically identified and exchanged in a standard manner. That conversation has never fully coalesced, so that would be a positive step going forward.
Gamble: So obviously you’re dealing with quite a lot, but it seems like most of it is positive.
Savickis: It is. It’s an exciting time.