Do health IT and privacy rules need a refresh?

Training and definitions may prove the modest start of national health IT improvement, though lawmakers signaled skepticism even as they acknowledged problems in the current regime.

"We haven't realized the full potential of health IT for every person in this country," acknowledged National Coordinator for Health Information Technology Dr. Karen DeSalvo, speaking of electronic health records at a March 22 hearing of the House Oversight and Government Reform Subcommittee on IT.

Health data does not always flow freely between proprietary health records systems, testified DeSalvo, who also serves as the Department of Health and Human Services' acting Assistant Secretary for Health. This lack of interoperability is a central piece of the larger technological challenge facing the U.S. healthcare industry. Sometimes a health IT vendors assess fees for data transfer as a business practice.

HHS has requested an additional $22 million for the Office of the National Coordinator in fiscal 2017 to combat data blocking. The agency hopes to begin by hashing out a solid definition of what "data blocking" actually is. Some data blocking is inadvertent, as when doctors misunderstand the restrictions that the Health Insurance Portability and Accountability Act places on them, DeSalvo noted.

"We're not really well trained in it in medical school," she said, noting that doctors will cite HIPAA as they refuse to share records with another provider, despite the law having no such prohibition. "It is, in essence, a form of blocking."

DeSalvo asked the subcommittee to consider data blocking and the prohibition of gag clauses, which vendors sometimes deploy to prevent providers from discussing contracts, for future legislation.

"We regulate blood supply for safety," said Rep. Gerry Connolly (D-Va.). "Well, electronic record keeping isn't just a nice thing to have in the digital age; it may be very critical to someone's healthcare, especially in an emergency situation."

The House passed legislation that included a prohibition on EHR blocking last summer, but the measure has stalled in the Senate.

Jessica Rich, director of consumer protection at the Federal Trade Commission, bemoaned the limits on agencies' regulatory authority as an "explosion" of new health IT apps brings new capabilities and risk to American citizens.

"There ought to be a regulation that protects the privacy and data security for the information collected by the entities [such as health apps like FitBit] that collect directly from consumers," she said.

The Food and Drug Administration has some oversight over health apps, Rich noted, but FDA generally is only concerned with whether the apps do what they claim to do.  And on the data security side, the FTC lacks the authority to fine companies for mishandling sensitive health data. Such authority is "something we seriously need," she said.

The importance of securing health data has been highlighted by a recent spate of ransomware attacks against hospitals, Rep. Ted Lieu (D-Calif.) noted.

Some lawmakers, however, remained unconvinced.

House Republicans have pushed against heath IT mandates in the past, and in the March 22 hearing, subcommittee Chairman Will Hurd (R-Texas) questioned whether more government intervention would snuff out the fires of innovation.

"So if it's a HIPAA violation, that's [the Office of the National Coordinator]'s jurisdiction, if it's something else it may be you [the FTC], it may be FDA, it may be [Substance Abuse and Mental Health Services Administration] or Patient Protection- PPACA," Hurd said, recapping Rich's testimony. "There's so many of these different regulatory bodies, and my fear is that it's hurting innovation, it's hurting the proverbial two guys or two gals in the garage from creating something that can change the way that we deliver healthcare."