Patient data is central to a functioning healthcare system. It is through data that physicians make diagnoses, and patients can choose the care that is right for them. It is also through data that insurers and other healthcare payers can make strategic decisions for their own business.
A new federal rule relating to healthcare data, the Interoperability and Patient Access final rule (the final rule) was confirmed on April 21, 2020. Note, the final rule has a six-month delay in implementation due to the COVID-19 crisis.
In this article, I set out what the new rule means, and how this might impact discovery proceedings and procedures.
Healthcare data is often ‘silo-ed’. An individual’s data can be distributed among various physicians, providers, and payers, and therefore is not readily accessible to the patient. Even though most healthcare data is now held electronically, there is insufficient consistency in the way that it is captured and stored to provide an easily portable ‘packet’ of information.
Several initiatives over the last few years have sought to remedy this issue:
Fast Healthcare Interoperability Resources (‘FHIR’). This is a technical framework setting common standards for exchanging healthcare information via ‘Application Programming Interfaces (‘APIs’). Among other things, it ensures that that key healthcare concepts (e.g., patient, practitioner, and financial information), have a common definition;
The 21st Century Cures Act. This federal law, enacted in 2016, gives the Office of the National Coordinator for Health IT (ONC) and the Centre for Medicare and Medicaid Services (CMS) the power to enact policies that will better encourage data sharing and exchange;
MyHeathEData. This federal government initiative, introduced in 2018, is aimed at empowering patients through data, enhancing competition in the healthcare market and facilitating innovation. To date, this has been focused on voluntary mechanisms.
The final rule, enabled by the 21st Century Cures Act, is designed to enhance access to health data through use of FHIR. Key elements of this rule include:
The Patient Access API (applicable from January 1, 2021, but delayed due to COVID-19). This will require payers who are regulated by the CMS, to provide access to identification, cost, and financial information to patients;
Payer-to-payer data exchange (applicable from January 1, 2022, but delayed due to COVID-19). This will require payers who are regulated by CMS, to exchange information with other payers, where the patient asks them to do so.
The increased accessibility of healthcare data will mean that more individuals, companies, and organizations have access to healthcare data than ever before. Given the quantity of medical malpractice and product liability litigation in the United States, this means an increased chance of health information disclosure through discovery proceedings.
Doctor-patient privilege (sometimes called ‘physician-client’ or ‘medical’ privilege), is a legal protection which bars the release of patient information to which an expectation of confidence applies, from disclosure in legal proceedings.
The precise bounds of this privilege vary from state to state. This privilege can be waived in some cases: For example, where the individual in question makes a claim of medical malpractice against their own doctor. However, in many cases it will protect from discovery, health information relating to patients who are not parties to the litigation.
eDiscovery processes need to have a mechanism in place for flagging any potential health information for doctor-patient privilege. The final rule, by increasing the proliferation of this data (for example, insurers will now hold more information about patients than ever before), increases the risk of inadvertent disclosure of privileged information.
Note, however, that this does not mean that all new healthcare data will be privileged. For example, privilege does not usually apply to information unrelated to the patient’s care: How long the patient waited in triage before being treated may not be privileged.
Note also that the final rule only applies to healthcare which is regulated by CMS. However, it would not be surprising if we see an increased occurrence of information sharing by other providers, voluntarily.