Response to TEFCA “Elements of the Common Agreement” Feedback Form

Ryan M Harrison
Oct 14, 2021
Elements of the Common Agreement; September 2021

On 20 September 2021, the TEFCA RCE released a draft summary of the Common Agreement [1], and requested community feedback [2].

TEFCA must support individual HIPAA rights, including the individual right of access. A right is hollow if it does not evolve with technology, and TEFCA is the likely future of networked exchange. Unfortunately, the Common Agreement draft makes individual access an optional second-class citizen.

First, I commend the progress that the TEFCA RCE has made on the Common Agreement. Interoperability in Health IT is cat herding, and in some respects more art than science.

Second, I recognize, as an axiom of policy, that concentrated interests almost always defeat diffuse interests. Even if, as is the case with health, those diffuse interests are orders of magnitude greater than concentrated interests. Feedback mechanisms, though valuable, are yet another way for concentrated interests to bend the regulatory agenda to their will.

I implore the TEFCA RCE to examine every comment from concentrated interests through the lens of “what does this mean for patients?” Let the patient continue to be your north star.¹

Detailed comments

Exchange Purposes

Clarification: Do the six exemptions to mandatory TEFCA responses (Elements of the Common Agreement, September 20 2021, pg 4) apply to all Actors (QHINs, Participants, Sub-participants) or just Participants and Sub-participants [4]? For example, could a Public Health QHIN use its exemption to treat all requests as optional, or only respond to requests with Public Health exchange purposes?

Opinion: I think that only Participants should be allowed exceptions. QHINs should be general purpose, supporting all six exchange purposes without exception (at the QHIN level).

TEFCA Information and Required Information

Requiring non-HIPAA Participants and Sub-participants to abide by HIPAA using TEFCA contractual language instead of HIPAA language (for which TEFCA and the RCE don’t have authority) is clever. A network in which some actors (e.g. non-HIPAA Sub-Participants) can skirt the privacy and security rule, while others cannot, is asking for an unreported breach. Indeed, the “thou shall follow HIPAA” should be inclusive of breach notification to HHS OCR.

RCE Directory Service

Clarification: What portion of the RCE Directory Service will be public? The names, registered business address, business and technical contact? The allowed (request) exchange categories for each Actor?

Opinion: The litmus for public disclosure of the RCE Directory Service should be to default to public. This means name, registered business address, business and technical contact, and allowed (request) exchange categories for each QHIN, Participant AND Sub-Participant. The ethos of QHIN-to-QHIN exchange is transparency in exchange; this should extend to the RCE Directory Service.

Individual Access Services

I am not a fan of the carte blanche exemption to servicing Individual Access requests. I question the need for a separate IAS Provider category because IAS should be a first-class citizen of TEFCA.

The HIPAA right of access should i) have “teeth”, and ii) include updates in technology to remain meaningful. Faxes yesterday; TEFCA tomorrow. As written, individuals will have to pay Non-HIPAA Entity providers of Individual Access Services to exercise their HIPAA rights. Further, the payments and fees by individuals don’t appear to be restricted, like they are under a non-TEFCA request.

The HIPAA right of access should extend to TEFCA. Patients, especially those seeing many different providers (e.g. childhood rare diseases), already experience an enormous undue burden in retrieving and, if necessary, correcting their medical records. TEFCA should move the ball forwards, not backwards. Put bluntly, allowing Actors to opt-in to IAS is a cop-out. IAS should be required. Any waivers to IAS should be opt-out and temporary.

The CMS rule (Patient Access API) is a step in the right direction towards allowing individuals to delegate their HIPAA right of access to a third party, which acts on their behalf. Third-party apps which meet Actor requirements should be able to make requests on behalf of an individual, and those requests should be serviced subject to non-discrimination, i.e. no QoS (quality of service) for either direct individual access requests or third-party mediated individual access requests.

Privacy and Security

Clarification: Will individuals be able to opt out of TEFCA exchanges that do not expressly override individual opt-out by law (e.g. certain Federal Opioid reporting mandates)?

Opinion: In practice, most TEFCA requests will be for B2B administration between Covered Entities. HIPAA already enumerates permitted uses for Health Care Operations and Exchanges for Treatment. Therefore, I believe only requiring an express patient consent for Individual Access Requests is justifiable (by definition, the patient must have initiated the request). However, a permitted use by a covered entity is a privilege, not a right. In the same way that Individuals can opt out of most (but not all) permitted uses, TEFCA should provide a patient opt-out mechanism. The opt-out will bar all exchanges not expressly overridden by law (e.g. certain Federal Opioid reporting). Further, Actors should be prohibited from discriminating against individuals who choose to opt out of TEFCA exchange.

Special Requirements (including Consent)

The Common Agreement would require IAS Providers to obtain express consent from Individuals for, among other things, how the Individual’s information may be accessed, exchanged, Used, and/or Disclosed, including whether that information may be sold

Actors, including IAS Providers, should be barred from selling or reselling patient data. To quote Okun, “Everyone but an economist knows without asking why money shouldn’t be able to buy some things.” A patient’s most sensitive information, a digitization of their very bodily autonomy, should not be for sale. Privacy should not be a feature attainable only by the wealthy, and by extension the poor or unsuspecting should not have to pay for TEFCA access with their private health information.

Fees

I would prefer if QHINs, Participants and Sub-Participants were barred from charging for individual right of access requests. This includes both individuals requesting directly, and individuals requesting (with express consent) via a third-party. At a bare minimum, fees should not exceed allowable paper fees (at cost). Fees to individuals and third-party designees of individuals should be temporary, subject to phase-out or sunset, such that individual access requests are ultimately available at no cost to individuals.

About / Disclaimer

Ryan is a health IT developer and early technical advisor to Savvy, the patient-empowerment cooperative. He is employed by Amida Technology Solutions, an open-source health data interoperability consultancy. The statements represented here are his and his alone, and do not necessarily reflect the views of Amida.

Footnotes

¹ A previous version of this document read, “Let the patient be your north star, and you will find that your individual access provisions are left wanting.” I removed the (excessive) rhetorical flourish.
