Carequality Blog

Consumer-directed Exchange:

An approach for a voluntary, trusted, private-sector-led pathway

Background
Carequality has brought together the healthcare industry to overcome the challenge of interoperability by providing a national-level, consensus-built, common interoperability framework to enable exchange between and among health data sharing networks. This framework determines the technical and policy agreements to enable data to flow between and among networks, platforms, and geographies. Carequality provides consumer-facing third-party applications with a voluntary approach to connecting with various data holders via a single, trusted ‘on-ramp’ rather than connecting separately to many disparate systems.

The CARIN Alliance has been working with other interested stakeholders on how to advance the ability for consumers and their authorized caregivers to easily get, use, and share their digital health information when, where, and how they want to achieve their goals. The individual right of access under HIPAA and the ONC and CMS proposed rules have helped to accelerate the ability for consumers to get digital access to their health information. We anticipate the final ONC and CMS rules will help lay the groundwork to continue to advance the ability for consumers to access ‘more data with less friction’ in the years ahead.

The 21st Century Cures Act, and its proposed implementing rules, have further clarified and advanced a longstanding public policy goal of providing consumers with electronic access to their own health data. An important element in implementing 21st Century Cures is ensuring that health information remains protected as it leaves the control of provider organizations and other entities subject to HIPAA and enters the world of apps, which carry general consumer-protection obligations but no healthcare-specific privacy obligations. 21st Century Cures places certain mandatory obligations on healthcare organizations with respect to consumer access, but efforts are also underway to create a voluntary, private-sector-led pathway to consumer access that will ‘raise the bar’ with respect to privacy, security, and consent.

Today, we want to share how Carequality and the CARIN Alliance are working together to advance these efforts to help protect health information in the consumer space.

Opportunities to improve consumer-directed exchange
Numerous industry-led groups are helping to develop standardized API specifications that address use cases involving a multitude of clinical and claims-specific data elements. Much of this work is occurring under the HL7® FHIR® accelerator program. For consumers to realize the full potential of these APIs, however, several gaps in consumer access at nationwide scale across the healthcare industry still need to be closed.

Arguably the greatest challenge is establishing consumer identity consistently across systems. Before releasing a patient’s protected health information to an outside party, healthcare organizations have an obligation to “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”[1] Stated differently, the healthcare organization must be able to confirm that the party requesting information is, in fact, the consumer (or the consumer’s authorized representative).

Currently, the approach used to address this challenge is the SMART App Launch framework, which in a consumer context relies on the consumer already holding login credentials, such as a patient portal account, for the system from which they are accessing data. SMART handles authorization (it is built on OAuth 2.0); the authentication of the user is performed by each data holder’s own authorization server, which is why the credentials are organization-specific. We support this approach for authenticating users and believe it is important for providers and health plans to use SMART as the primary means of doing so, but it requires each patient to register for and remember portal credentials with every provider and health plan with whom they have ever had a relationship. This is a difficult task, especially for patients with chronic conditions. To make things more user friendly, we are working with stakeholders to voluntarily implement trusted, person-centric digital identities rather than organization-specific ones.

In addition, it is important for the industry to voluntarily agree on a set of principles for consumer-facing applications to protect the privacy, security, and consent preferences of the individual. Some healthcare organizations remain concerned that if information is released and then used in a way the patient did not expect or feels harmed by, it will be the healthcare organization that is ultimately blamed. This concern is likely to persist until there is established case law holding the healthcare organization blameless in such cases. As such, there is a need for a stronger way to voluntarily hold applications accountable than self-attestation alone.

Opportunities

The CARIN Code of Conduct provides a set of best practices and industry-leading guidelines for how consumer applications in the healthcare space should handle consumer consent and data sharing. More than 60 stakeholders participated in the development of the code to improve the privacy, security, and consent protections for consumers who use an application of their choice. The Carequality Framework provides a mechanism for contractually enforcing the Code of Conduct, and other policy elements, to help build trust among consumers and others that consumer-facing applications will be good stewards of data.

As such, we are proud to announce today the following ways in which we are working to improve consumer-directed exchange:

  • CARIN is announcing today a common repository of consumer-facing applications called ‘MyHealthApplication,’ which will go live later this month. MyHealthApplication.com will list the consumer-facing applications that are currently connected to covered entities around the country on a vendor and platform agnostic website. Over time, we believe this resource will provide consumers and other interested stakeholders a transparent way to view and select applications they trust by viewing those applications in a single location and being able to easily look up how those applications are using their health data.
  • CARIN and Carequality, along with other industry partners, will work to develop a common set of digital identity federation principles and accompanying operational elements. These principles can be implemented as contractually binding terms within the Carequality Framework, which would allow individual users who voluntarily create a person-centric digital identity credential to use that credential across all Carequality Framework participants.
  • Carequality will work to incorporate the CARIN Code of Conduct into the Carequality Framework to provide third-party applications a voluntary, trusted path to access data on behalf of the consumer. While a consumer can still choose any authorized application to access data on their behalf, Carequality’s voluntary trusted pathway will allow applications that go further in protecting the data, no matter where it resides, to have streamlined access, on a nationwide scale, to a broad ecosystem of healthcare organizations.
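The identity discussion above (the “one claimed” obligation, and the move from per-organization portal credentials to a person-centric credential honoured across federation participants) comes down to a concrete check a data holder must perform when a consumer arrives with a federated credential. The following Python is an added example written for this page; it is not code from Carequality, CARIN, or any framework participant. It verifies an OpenID Connect-style ID token (a signed JWT) against a list of trusted issuers and rejects the usual ways such a token can fail to be “the one claimed”: untrusted issuer, forged or tampered signature, token intended for a different data holder, expired token, and replayed token (nonce mismatch). The issuer URL, data-holder URL, shared secret, subject and nonce values are all constructed for illustration. HS256 with a shared secret is used only to keep the example free of third-party libraries; a real federation would use an asymmetric algorithm (RS256 or ES256) and verify against the issuer’s published JWKS.

```python
"""Verifying a federated identity assertion at a data holder (added example)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed trust configuration for one hypothetical data holder. In a real
# federation this table is derived from the federation agreement, and the value
# per issuer is a public key set (JWKS), not a shared secret.
TRUSTED_ISSUERS = {
    "https://idp.example.net": b"shared-secret-for-demo-only",
}
THIS_DATA_HOLDER = "https://fhir.example-clinic.org"  # expected 'aud' claim


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(issuer, secret, subject, audience, nonce, lifetime=300, now=None):
    """Identity-provider side: mint an HS256-signed ID token (constructed data)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime, "nonce": nonce}
    segments = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                for p in (header, claims)]
    signing_input = ".".join(segments)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_id_token(token, expected_nonce, now=None, leeway=60):
    """Data-holder side: return the verified subject identifier, else raise ValueError.

    The order matters: pin the algorithm and pick the key from the issuer we
    trust BEFORE checking the signature, so the token cannot choose 'none' or
    point us at a key of the attacker's choosing.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    claims = json.loads(_b64url_decode(c_b64))

    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    issuer = claims.get("iss")
    secret = TRUSTED_ISSUERS.get(issuer) if isinstance(issuer, str) else None
    if secret is None:
        raise ValueError("untrusted issuer")

    expected_sig = hmac.new(secret, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")

    if claims.get("aud") != THIS_DATA_HOLDER:
        raise ValueError("token not intended for this data holder")
    if not isinstance(claims.get("exp"), int) or claims["exp"] + leeway < now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims["sub"]


if __name__ == "__main__":
    t = 1_700_000_000
    good = issue_id_token("https://idp.example.net", b"shared-secret-for-demo-only",
                          "patient-123", THIS_DATA_HOLDER, "n1", now=t)
    print("verified subject:", verify_id_token(good, "n1", now=t + 100))
    wrong_aud = issue_id_token("https://idp.example.net", b"shared-secret-for-demo-only",
                               "patient-123", "https://other-holder.example", "n1", now=t)
    try:
        verify_id_token(wrong_aud, "n1", now=t + 100)
    except ValueError as err:
        print("rejected:", err)
```

The subject returned is the federated identifier the data holder then maps to its own patient record; the example deliberately stops there, because record matching is a separate problem from authenticating the person presenting the credential.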


[1] 45 CFR § 164.312 – Technical safeguards (https://www.law.cornell.edu/cfr/text/45/164.312)
