In a blog post earlier this month, I advocated for ONC and CMS to adopt a grand scheme to improve patient data access through the SMART on FHIR API. Here, I’ll advocate for a very small scheme that ignores some of the big issues, but aims to patch up one of the most broken aspects of today’s system.
Not to mince words: ONC’s certification program and CMS’s attestation program are out of sync on patient access. As a result, patient portals don’t offer reliable “transmit” capabilities.
2014-certified EHR systems must demonstrate support for portal-based Direct message transmission, but providers don’t need to make these capabilities available for patients in real life. Today, two loopholes prevent patient access:
- CMS’s attestation criteria (Core Measure 7 for EPs) do not require support for Direct messaging. Rather providers can offer “Any means of electronic transmission according to any transport standard(s) (SMTP, FTP, REST, SOAP, etc.)” Providers can effectively “turn off” Direct messaging and offer… something else… instead. In practice, “something else” means zero consistency and very limited verifiability.
- Even when providers offer Direct messaging through patient portals, they’re not required to “trust” patient-designated endpoints. In practice, this means a patient can say “please send my record to email@example.com“, and the portal can say “sorry, I don’t send messages there” (or worse yet, the portal can simply say nothing, and silently fail to deliver the message).
The fix is to coordinate ONC’s certification program with CMS’s attestation program around a unified goal of supporting patients’ right to access. The fix has two components:
- ONC should update the VDT certification criteria to address trust bundles. Specifically, the VDT criteria should add required support for the Direct Project trust bundles specification. This ensures that patient portals can be configured to trust externally-hosted bundles of S/MIME certificates.
- CMS should update the MU attestation criteria to support patients’ right to access. Specifically, the VDT measure should require providers to offer portal-based Direct message transmission for clinical documents (in addition to any other means of transmission that a provider cares to support), and should require providers to configure their portals to “trust” the Blue Button Patient Bundle for outbound patient-requested transmission.
Under this system, when patients sign into a Web portal, they can choose to send their health records to any patient-facing endpoint that’s included in the Blue Button Patient Bundle. They wouldn’t be presented with errors like, “sorry, [your favorite app] isn’t trusted” — and they wouldn’t routinely encounter silent failures. Messages are never sent without the patient’s explicit approval, which should alleviate concerns about sharing data inappropriately. And patient-facing technology developers can easily apply for inclusion in the Blue Button Patient Bundle, which creates a level playing field for all.
The proposal above describes a small, incremental patch-up to a blocking problem in patient data access. It’s based on consensus standards and supports HIPAA-mandated patient rights. I believe this proposal is technically feasible for ONC and CMS (although it would take a demonstration of coordination and will).
Unfortunately, this proposal is positioned against a strong current of “simplification” in the certification and attestation process. Fundamentally, I agree with the notion of simplification — but I would put the express focus on interoperability and access. In my simplified narrative, patients simply have access to their data.