AHLA's Speaking of Health Law

CMS’ Health Technology Ecosystem: Legal and Policy Implications for Health Care Attorneys

American Health Law Association



CMS’ Health Technology Ecosystem Initiative (HTE) is an ambitious effort announced by the White House and CMS to modernize the nation’s digital health infrastructure and expand data sharing beyond traditional clinical settings into the broader health and wellness ecosystem. At the center of this initiative is the CMS Interoperability Framework, which builds on prior federal interoperability efforts and emphasizes standardized data exchange, defined participant roles, secure and privacy-respecting data sharing, and patient-centric access. Ann Tiffany, Compliance Consultant, Clearwater, speaks with Melissa Soliz, Partner, Coppersmith Brockelman, and David Lee, Principal, Leavitt Partners, about what the HTE means for privacy, data governance, stakeholder obligations, enforcement, and liability risk. An AHLA Bulletin was published that explores this topic. From AHLA’s Health Information and Technology Practice Group. Sponsored by Clearwater.

Watch this episode: https://www.youtube.com/watch?v=Zo336Nt9Tg4

Read the AHLA Bulletin: https://www.americanhealthlaw.org/content-library/publications/bulletins/02d2b6d5-7394-4598-be58-aeead87c363f/Legal-Perspectives-for-Health-Care-Attorneys-on-th 

Learn more about AHLA’s Health Information and Technology Practice Group: https://www.americanhealthlaw.org/practice-groups/practice-groups/health-information-and-technology

Learn more about Clearwater: https://clearwatersecurity.com/ 

Essential Legal Updates, Now in Audio

AHLA's popular Health Law Daily email newsletter is now a daily podcast, exclusively for AHLA Comprehensive members. Get all your health law news from the major media outlets on this podcast! To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.

Stay At the Forefront of Health Legal Education

Learn more about AHLA and the educational resources available to the health law community at https://www.americanhealthlaw.org/

SPEAKER_00

This episode of AHLA Speaking of Health Law is sponsored by Clearwater. For more information, visit ClearWatersecurity.com.

SPEAKER_03

Welcome to the American Health Law Association's Speaking of Health Law podcast. I'm Ann Tiffany, a consultant with Clearwater, and I will be moderating today's discussion. Today we're exploring the CMS Health Technology Ecosystem Initiative, or HTE, an ambitious effort announced by the White House and CMS to modernize the nation's digital health infrastructure and expand data sharing beyond traditional clinical settings into a broader health and wellness ecosystem. At the center of the initiative is the CMS Interoperability Framework, which builds on prior federal interoperability efforts and emphasizes standardized data exchange, defined participant roles, secure and privacy-respecting data sharing, and patient-centric access. For health care attorneys, this initiative raises important questions around privacy, data governance, stakeholder obligations, enforcement, and liability risk. Joining me today are two leaders who bring complementary legal and policy perspectives. First is Melissa Soliz, a data privacy, interoperability and technology attorney with Coppersmith Brockelman, and David Lee, a principal with Leavitt Partners and a nationally recognized expert in health policy and interoperability. Melissa and David, thank you both for being here. To begin our discussion, my first question is to David. From a federal policy perspective, what problem is CMS trying to solve with the HTE initiative?

SPEAKER_02

Thanks for having me, and I'm excited for the conversation. I think CMS is trying to solve a number of problems. Some of them have been pervasive and consistent over the last 20 plus years, and some of them are new and going into new areas and new fields. So I'll highlight three of the areas where we've heard them talk a lot, both in the context of the health tech ecosystem and what they're asking the public and the private sector to do, as well as what they have taken on themselves. First is information at the point of care. We talk a lot about clinical interoperability, and we spent a lot of time over the last several years in HIPAA TPO and different initiatives to get more data to clinicians at different places and to healthcare organizations. One of the things that we've heard from this administration is a desire to see more information, more usable information at the point of care. And so one of the things that they did, in addition to standing up the health tech ecosystem, is say there's five or six things that CMS is going to do itself. The national provider directory, we're going to build that for use. We're going to expand the data at the point of care pilot to be a national thing. And trying to set up systems and networks where data can flow more easily and update those to modern infrastructures. And we'll talk about FHIR later, where getting more actionable information into patient, clinician, payer hands is really important. And doing that at the point of care, I think, is one of the major things that spans this and other initiatives within CMS. Number two is really the consumerization of healthcare. There is a huge desire from this administration, but it's gone back a number of years, to say, let's get consumers and patients better information. Right? HIPAA has the individual right of access. And as a consumer, I'm entitled to view, download, access my information in a tool that I choose.
And they are really doubling down on that. Out of the initial pledge categories, three of them were focused on consumer use cases. And they really want to see consumers take control of their care, whether that's choosing a specific PHR or a digital therapeutic, using it in the context of conversational AI, being able to present at the point of care with my personal health record and share what I want to share. That is a huge piece of this. And we've heard Amy Gleason, who's leading this effort, talk a lot about her daughter's experience. Morgan is somebody that we worked with in the context of the CARIN Alliance at Leavitt Partners to say, how can we get better access to our data? Morgan has multiple chronic conditions, she's got 27 some odd providers, nearly 40 portals, and there's frustration about how much time and effort it takes to get all of her information. And I think that from price transparency, or people with multiple chronic conditions, or just the parent trying to get immunization records for their kid to enroll them in school, there is a huge effort here to try to advance consumer dynamics within healthcare. And then third is the affordability piece that we've heard them talk a lot about. Obviously CMS-0057 goes live in January, but some of the administrative functions within this, in the network space, bringing payers into this, trying to advance and make sure that people are ready for things like ePrior auth or better data exchange between payers and providers, is certainly a point of emphasis here.

SPEAKER_03

Thank you for providing that background. So an AHLA Bulletin was published this past October, and it describes the HTE as CMS's effort to move beyond traditional clinical data exchange and expand to wellness and digital health sectors. How significant is that shift in terms of federal health IT policy?

SPEAKER_02

So I think that for us, we view it not so much as a shift, but more as an acceleration, right? The speed and scope here is what's notable to us. You look back going all the way back to the Bush administration and the establishment of ONC, first as a presidential directive and then as part of ARRA, and there have been these inflection points to say we want to digitize medicine and we want to empower consumers. So those are some of the same themes that we've seen for 20 plus years. I think the big shift here is the scope, starting to pull in some of the new technologies. And again, you look at the pledge categories, the initial four categories of pledge participants. You expand the patient component out: consumer-facing conversational AI for health, kill the clipboard, a personal health record with a digital insurance card that you can present at your primary care or other provider, and then diabetes and obesity through digital therapeutics, right? We are really now leaning into digital tools as care delivery, as consumer empowerment, as reducing administrative friction for the consumer, the patient, and on the other side. And so that scope says, all right, we're now a little bit more comfortable, maybe, with technology being the delivery methodology. You look at the ACCESS model that's adjacent to but connected with the health tech ecosystem. And now we're going to start paying for outcomes based on technologies, whether wearables or digital therapeutics, that can bend the cost curve for specific chronic conditions.
And so I think for this administration, the big thing that has changed or accelerated here, different than the Bush administration, the Obama administration, Trump one, Biden, and now, is really leaning into that concept of technology as a delivery methodology and, as we said, liberating as much of the wellness tools that haven't historically been part of medical delivery into some of those paradigms.

SPEAKER_03

Melissa, over to you. From a legal standpoint, how should healthcare attorneys think about this initiative differently than prior interoperability rules?

SPEAKER_01

Well, I think attorneys need to shift their thinking about interoperability as a set of discrete regulatory requirements and start thinking about it as an ecosystem governance problem. So historically, on the legal side, we've been really focused on specific obligations like API requirements, certification criteria, information blocking rules, CMS interoperability mandates, and these laws, these regulations, all apply to different actors like providers, certified EHR vendors, payers. And as we were just talking about, HTE is different. CMS is intentionally broadening the field to include patient-facing apps, digital wellness apps, networks, identity solutions, many of which don't fit neatly into traditional HIPAA-regulated roles. So the legal analysis expands from asking the question, is my client compliant with this specific rule? To: is this entire data sharing environment governed in a way that's legally defensible and operationally safe for my client to participate in? And that includes things like understanding the contracts that are involved, the type of identity verification that's being done, how the data is being used, auditability, how patient-directed access actually functions in practice, and having attorneys understand how the technology works and what's being asserted technically across these systems. So I think the other key difference here is that this is also largely being rolled out as voluntary. This is not mandatory, right? It's a self-attested framework. But for attorneys, that doesn't reduce the legal risk for our clients. It just shifts where that risk is going to show up.
So what it means, I think, is that instead of enforcement for this new ecosystem being driven primarily by regulators, where we're going to see it show up is in contracts, representations to partners and consumers, and potentially in some real liability exposure when something breaks or somebody's hurt in the ecosystem. In fact, we're already seeing a big uptick in interoperability litigation as patients and interoperability partners challenge each other on whether their requests and disclosures for patient records are genuinely for treatment at the point of care or really at the direction of the individual, or if they're for something else, like improper commercialization.

SPEAKER_03

I want to delve a little bit more into the interoperability framework and sort of the legal architecture around it. The bulletin I mentioned earlier identifies the CMS Interoperability Framework as the foundation of HTE, and it highlights four core elements. They are standardized data exchange using Fast Healthcare Interoperability Resources, or FHIR, defined participant roles, secure and privacy-respecting data sharing, and patient-centric data access. So, Melissa, what are the most important legal implications of standardizing around FHIR-based exchange?

SPEAKER_01

Well, I think standardizing around FHIR does two main things from a legal standpoint. First, it's going to reduce ambiguity because we're going to have standardization, but that's really a double-edged sword. When data exchange was inconsistent or technically difficult, there was more room to explain gaps as interoperability limitations, right? I wasn't able to do this because of the technological issues and the lack of standardization. Well, FHIR changes that in a lot of ways. If the expectation is that data can be exchanged in a standardized and predictable way, then failure to provide it in a complete, timely, and usable data stack really starts to look less like a technical barrier and more like a governance or compliance issue. And the second point is it really raises the baseline for what organizations are implicitly representing. If you're participating in a FHIR-based ecosystem, you're signaling by doing that that your data is accessible and structured and usable by others in this very specific way; it's FHIR-ready. And that has real implications for things like accuracy, completeness, timeliness, and even how downstream recipients rely on that data in their clinical or operational decision making. And I think it's important to emphasize in this conversation that CMS isn't just limiting this to the clean and structured data elements for FHIR. The framework also contemplates broader data availability in the form of unstructured content, like unstructured clinical notes or reports, and that being exchanged through this standardized mechanism known as FHIR. So that actually introduces additional legal considerations around minimum necessary, sensitive data handling, and what happens when we get this more context-rich, unstructured data where we might not know exactly what's in it, and it's becoming more widely accessible. So what I'm saying is the shift to FHIR is not just a technical consideration.
It doesn't just standardize the data. Attorneys need to be aware of it and its implications because it almost creates a technical standard of care, and that can raise the legal stakes.

SPEAKER_03

In addition, where do you see tension between innovation and privacy compliance in this expanded ecosystem?

SPEAKER_01

There's definitely a tension. And I think it shows up mainly in two places. First, it's not just a HIPAA issue. It's a much broader privacy landscape. It's really easy to try to simplify this and make it about HIPAA and interoperability. It's really much, much more complex than that. You have HIPAA, you have 42 CFR Part 2, you have the Medicaid confidentiality regulation, you have the federal Privacy Act, you have Title X, you have an increasingly complex patchwork of state privacy laws, both on the health side and on the consumer data side, some of which are much more restrictive, or even if they're not more restrictive, they operate very differently than HIPAA. So we have all of that going on in the privacy space. And at the same time, the policy direction here is very clearly share, share, share, share, share: more access points, more participants, faster exchange, and more patient-directed flows across the ecosystem. And those two things don't always align. So the legal framework on the privacy side is built around very careful role definitions, purpose limitations, and honestly, in many cases, constraints on redisclosure. And the ecosystem model that CMS is advancing, by contrast, is really built around fluidity and scale. Bridging the gap between those two things is not trivial. It is going to be really, really hard to do. And second, and more practically, we're starting to see this tension show up in real interoperability disputes. One of the recurring concerns that we're seeing is that when you rely on voluntary frameworks and self-attestations, you don't always have consistent enforcement of all these different privacy requirements across the participants. And that raises real questions about whether data is being used, disclosed, and protected in ways that fully comply with all these different laws and consumer expectations.
So what I'm saying from a legal standpoint is that all of this risk, all the tension that this causes, isn't just theoretical. It's that innovation, I think, is moving faster, as is often the case, than the mechanisms we have to verify compliance across this distributed ecosystem. And that's where I think attorneys have an opportunity to step in and not just interpret rules that are given to us, but to be part of this, to build the guardrails through contracts, governance structures, and accountability mechanisms that the framework itself doesn't fully supply. So I see it as an opportunity.

SPEAKER_03

That's great, because the concepts are almost philosophically diametrically opposed to each other. And it's going to take a different way of thinking to make, I think, everyone comfortable with that mission. David, over to you. I wanted to ask, how does CMS's reliance on self-attestation and voluntary participation affect how attorneys should think about enforceability and oversight? And when would that voice respond, just referring to that?

SPEAKER_02

Yeah, I think, to maybe build on Melissa's point, and I'll caveat this by saying I'm a lawyer and a lobbyist, so I tend to go in one direction, I think it's a great opportunity for people to get involved in pushing in specific directions how things need to be interpreted. As we talk about HIPAA, and I agree with Melissa, there are a number of other pieces here. FTC is more and more involved all the time because of the Health Breach Notification Rule and because of the PHR governance and some of the things that they've done there. But we really need more clarity, I think, from OCR and from regulators on how these things apply in new contexts, right? Because a lot of this feels like it should work, right? The individual access model and the individual right of access was written in original HIPAA, right? Consumers should have access. This is an example, this isn't all the use cases. Consumers should have access to get their information when they want it and in the form and format that they want it. And it causes a lot of consternation when we introduce network dynamics into the exchange, right? We talked about the identity components, right? If I've been identity proofed by CLEAR or ID.me or one of the others, and I'm trying to use a consumer-facing app, but I've got to go through two different QHINs, and then they've got to make a query to that provider, and the provider ultimately has the HIPAA risk. And are they sure that it's this David Lee and they're sending the right David Lee's record, and we don't have a low probability of compromise if they send the wrong record? You don't have that safe harbor for an IAS query like you do for a treatment query, right? That's a problem. And so I think that it's less that we have misaligned objectives or misaligned hopes, and more that we don't have enough guidance to make everybody feel comfortable with what they need.
And I think in this case, CMS is way out in front, right? People may be familiar with a blog post that one of the assistants at ASTP/ONC, Steve Posnack, wrote about speed boats and the tide, right? CMS are the speed boats that are trying to go, and ASTP is kind of the tide that's lifting everybody up. We need OCR involved because the tide can't raise everybody to where it needs to be, and the speed boats can't go as fast if people don't have assurance and trust. So I think that's a big piece. On the voluntary versus oversight question, Melissa talked about this before. Right now it's voluntary, right? And Amy has been very, very clear in public statements. Once you pledge, we're going to push you to get to your MVP. There are things that you have committed to do that we want to see everybody do. But if you don't make it there by a deadline, or you don't make it there at all but you made a good faith effort, there's not going to be a naughty list, right? This is not a HIPAA security breach wall of shame. This is, all right, not everybody made it there, but some people did, and we're going to try to celebrate that. And they've noted that they'll have different events where they can celebrate the victories that occurred here. So right now it's very much a voluntary activity to see how far we can get in advancing these things within the current constructs. With that said, we've also heard from Steve in that blog post, or from the ASTP/ONC National Coordinator, Assistant Secretary Tom Keane, that they intend to do additional rulemaking, right? This was in the HTI-5 NPRM. They said, we want to have your feedback on this as we consider future rulemaking. He said similar things in other places. And so, while obviously trying to follow as much of the APA as they are supposed to, I think that they are still anticipating that either through TEFCA SOPs or through HTI-6 rulemaking or through other mechanisms, some of the advances that we've seen through the health tech ecosystem and some of the voluntary things that people have stood up and the way that they've organized themselves will be pulled through. But for right now, as we've noted, it's entirely voluntary and people are going as fast and as far as they can to see where we can get in this construct.

SPEAKER_03

The voluntary aspect of it is very interesting. I'd like to now focus on the categories of stakeholders and the new responsibilities for each sort of profile. So the current categories are CMS Aligned Networks, EHRs and providers, payers, patient-facing apps, friends of the ecosystem, which includes individuals and organizations, patient and/or caregiver, and states. So David, from a policy standpoint, why does CMS structure participation in this way? And what does it signal about where the ecosystem is headed?

SPEAKER_02

Yeah, so I'll maybe start at the beginning, when we only had four categories, and why they expanded to seven and what it means, kind of the difference between them. So the first four general categories that they had were the networks, payers, providers and EHRs, and the consumer-facing applications. And even under the consumer-facing applications, there are three separate categories, right? Digital therapeutics around diabetes and obesity, the conversational AI, and then kind of the more historical personal health record apps. And it was really those four that they needed to bring together, because you've got covered entities, basically, that have the data. You've got the networks that were trying to facilitate or help facilitate the exchange. And then for a number of the initial activities, you have the consumer-facing apps that were going to be interfacing with the end user. And so with each of those, there are going to be responsibilities and things that they were going to be asked to do, again within HIPAA. And there's no specific waiver to say if you're participating in the health tech ecosystem, this is not CMMI, right, where you can get some waivers. Everybody still has to follow all the rules, but we're going to see how far we can go within those constructs with HIPAA and Cures and info blocking and all the subsequent regulation. And so those were really the areas where they focused when they had the 60 initial pledges to say, all right, this is what we're going to do, this is how fast we're going to go. We really want people who are going to lean in, and these are going to be the innovators and the first movers. After that, there was so much groundswell to say, hey, this is really cool. We want to participate. And some of that was in those first four categories.
And some of it was, all right, we're a state, we want to be part of this, but we're a regulator and a provider, and sometimes a payer in the Medicaid context, and we don't really fit anywhere. And so they made that separate category. Friends of the ecosystem is really, all right, we're a tech vendor for payers, we're not the payer, but we want to be at the table and we want to help. Or, all right, we're a trade association that represents payers, providers, others; we're not ultimately responsible, but we have a lot of institutional expertise. Can we come to the table? And so we've seen that expand. And then again, in the context of we want to hear from patients and caregivers, what do you need? Right. And I think this is a really important point, because we sometimes talk about patients as a monolithic thing. The privacy profile that I have may be very different than the privacy profile that Melissa has. My risk tolerance may be much higher. My risk tolerance may be much lower. The tool that I want to use may be a bank vault PHR that stores everything on my phone and nobody ever sees it. My privacy preference may be a really liberal PHR where I can send my data to life sciences for research, or I can sign up for clinical trials, or I can monetize my data in some way, right? And we need to be able to hear from everyone what their different profiles are and understand, okay, how do we flex so that within this voluntary framework, with a lot of best practices and codes of conduct, we are allowing tools that let me choose to send my data everywhere or keep all my data locally and everything in between, and have that heard. So I think that they have structured it that way to get kind of the full array of opinions and get as many stakeholders with a vested interest at the table as they can.

SPEAKER_03

It's definitely not going to be a one-size-fits-all type of framework. Absolutely. Very specific to being scientist. So Melissa, let's look at risk exposure around these categories. For EHRs and providers, what new liability considerations arise around data exchange and EHRs?

SPEAKER_01

Well, for providers and EHRs, I think the liability profile expands in really three meaningful ways. One is one we already talked about, and that has to do with the data completeness and timeliness risk. So again, this is a standardized ecosystem based on FHIR, right? So there's a growing expectation that the data is going to be available, accurate, and delivered quickly. So if something is missing or delayed or inconsistent, as we were talking about earlier, that can really move quickly from, oh, this is a technical issue, into one with legal implications, especially if downstream providers are relying on that data to then go forward and make care decisions for these patients. The second one, which we haven't really talked about much yet, is expanded breach exposure. And this one's real. The more endpoints you connect to, the larger your attack surface becomes for the bad guys. And when something goes wrong, you're no longer dealing with this kind of contained HIPAA incident where it was just my system that got hacked. What you're dealing with is multi-party environments where fault and notice obligations and liability allocations can get complicated very, very quickly. And I don't have a good answer for this one other than to say there is really expanded breach exposure here. The third one, I think, is a question of reliance and provenance risk. As we see data flowing more freely across these networks, providers are going to get a lot more information that they didn't generate, right? That they didn't have control over the quality of. And I don't mean from a technical standpoint, I mean, is it accurate factually?
And that raises real questions about what's getting ingested or used, questions about the data accuracy, the context in which that data arose and came from, and from the patient perspective, whether there are restrictions or consent requirements that maybe weren't getting communicated as this piece of data moved across the ecosystem, or where it was asserted in one place but not asserted in another place, right? So attorneys really need to think about this not just from the access standpoint and getting the data, but once we have the data, how are organizations going to choose to validate, qualify, and document the data that they're using? What becomes part of their records?

SPEAKER_03

Thank you. And how about for payers? How do claims data sharing obligations intersect with federal and state privacy laws?

SPEAKER_01

Well, for payers, they're really similarly situated to providers. They're facing a lot of the same issues. I just think it's even trickier for payers, especially those who are exchanging Medicaid data and Medicare and Medicare Advantage data, because of the complexity of the privacy regulations and state-based Medicaid contract requirements that apply to the exchange of that claims data in particular. So we were talking earlier about how complex all the privacy laws are, right? They get more complex for the payers because there are all of these additional federal and state Medicaid requirements and interpretations of those laws that can make it really challenging to share the claims data. It's also often more challenging for payers to understand the data that is part of that claims data, or part of the clinical data that they have, because they have clinical data as well, that might be subject to heightened privacy protections under, again, state or federal laws. And they might not have the same level of access to the patient as the provider does. And that matters because it might be harder for the payer to go and get that consent or that authorization from the patient that might be necessary to share that data with third parties. And I think it bears emphasizing here that even though a huge focus of this initiative is on the patient right of access, we're talking about a whole host of other use cases where third parties are in the mix, and there are sometimes big questions over whether the individual is the one who's actually directing it, or whether this is really a third party who is trying to get access to the data. And last on the payer side, I would be remiss if I didn't say that it is often really overlooked that the expanded CMS interoperability mandates that are supposed to go live at the beginning of January 2027, like the provider access API and the payer-to-payer API, are actually in the regulations.
Those come along with a lot of technical and operational requirements that are not answered or solved by this new interoperability framework. So what that means for our payer community is, boy, the payers are left hoping that their vendors are going to invest the time and resources to figure this out and then develop the solutions that will meet all of these really complex requirements. So what I'm saying is, just because the claims data should be accessible as part of this new ecosystem, it doesn't mean that it's frictionless from a legal standpoint. All the complexity remains.

SPEAKER_03

So lastly, for patient-facing apps, what are the most significant compliance risks, particularly when apps may operate outside traditional covered entity boundaries?

SPEAKER_01

You know, I think the biggest risk here is really a mismatch between consumer expectations and actual legal protections. You know, patients often assume that if their data is coming from a healthcare provider or, you know, a Medicare or a Medicaid connected system, it carries the same protections wherever it goes, right? But we all know as attorneys, once the data moves into a wellness app or other patient-facing app, that app may very well not be a covered entity or business associate for all its functions. You know, to make it even more complex, sometimes that same app, depending on who they're providing that app for, might be a HIPAA-regulated entity and might not. So talk about really confusing to the patients. And this confusion creates risks on all sides, right? First, there's a transparency risk, right? Are the app's disclosures actually clear about how the app is going to use the data and what laws regulate that data? Are they going to monetize that data? You know, second, there is this kind of secondary use risk. Once they get the data for this proper purpose, I mean, how is it going to be reused? Is it going to be reused to train AI models? You know, that's one of the initiatives here. Is it going to be used to commercialize products? And that may go beyond what the patient is reasonably expecting. They might not be realizing that that's the case. And I think third is the security and vendor risk. And what I mean by that is oftentimes behind these application companies it's not just the application company; it's a whole multi-layer of downstream service providers who are also having access to and hosting the data. What's happening there? So CMS is trying to build trust through things like app vetting, identity verification, and participation frameworks and signing off on codes of conduct, which is all incredibly helpful and very important. But I will say, from a legal perspective, you know, those are guardrails. They're not full regulatory coverage. I can't go and say to anybody, you're guaranteed, right, not to have liability. We just cannot do that. So the burden I think really falls on all of us in this ecosystem to be above board, to be transparent with our practices, disclosures, and controls, and to make sure that we're aligning everything with both the law and user expectations.

SPEAKER_02

Yeah, and maybe, Melissa, I can jump in there too, because I think that it's a really important point, right? Because again, going back to the HIPAA individual right of access, we're spending a lot of time on individual right of access. And to Melissa's point, there are a lot of broader things. But I think this is a really important one because I think it's a primary driver in what they're trying to do. The individual right of access has existed since HIPAA began, right? And the expectation is that we collectively, CMS as a regulator, is not going to be paternalistic about my privacy choices, right? But to Melissa's point, we have to be transparent about those privacy choices. And I think that that's why they're trying to lean in on things like the codes of conduct, you know, shameless plug for the CARIN code of conduct, but to say, look, you have to get separate proactive informed consent if you're going to deviate from reasonable user expectations. If you're going to sell the data for any reason, you have to get separate proactive informed consent. If you're going to use it to train AI, either as yourself or for somebody else, you have to get separate proactive informed consent. And, you know, I think that that's where, you know, and again, I think some OCR clarity here on the liability on the provider, because once the provider fulfills that individual right of access request, the liability's gone, right? They have said that they need to be more clear about that. They need to be more clear about that in the context of networks and the health tech ecosystem and TEFCA. Because I think that there's so much concern that providers often don't respond to those queries over networks because of the liability risk of sending the wrong record or doing the wrong thing. And then you've got the hammer hanging out over here of, oh, wait, you didn't respond to a valid individual access request. We're gonna come in and hit you there. So I think that more clarity is really, really important at the same time as saying we need transparency, we need to respect consent, and we need to make sure that everybody knows where their roles are and move forward the best we can collectively, so that we're not punishing providers when they're trying to do the right thing, but we're facilitating as frictionless an exchange as we can for consumers.

SPEAKER_03

Yeah, as I said before, it's so very different in the way we're thinking about what we provide and how it's provided, and it will be a learning curve for sure. I wanted to now, I know we've talked about privacy enforcement and contractual risk quite a bit throughout our discussion, but to kind of focus on what the bulletin emphasized for attorneys as areas of focus, including contractual agreements and data sharing responsibilities, enforceability mechanisms, and liability risks for breach, misuse, or noncompliance. Melissa, I'm starting with you: how can attorneys rethink data use agreements and business associate agreements in light of the broader data exchange goals?

SPEAKER_01

Yeah, I think we need to start thinking about them. And I think a lot of attorneys already are. We're thinking about data use agreements and BAAs as part of a much broader governance structure because we have to. And they still matter. BAAs still matter, especially where CMS is contemplating delegated vendors acting on behalf of providers. But you know, in this ecosystem, as we've been talking about, data isn't just moving between a covered entity and a single business associate. It's moving across, you know, distributed networks, APIs, apps, and downstream actors who all have very different roles and legal statuses under the law. So the legal work has to expand beyond the traditional privacy constructs. So as attorneys, we now have to balance both privacy obligations and information blocking requirements. So we need to be asking when we're working with clients, you know, yes, are we protecting the data appropriately? But also we need to be asking, are we enabling that access in a way that is timely, complete, and compliant with things like the information blocking rules and meeting our pledges under these different ecosystem agreements? So that creates, again, real tension in how things are structured. And in the contracts and the data use agreements that we all create to kind of set the rules of the road for how this ecosystem is going to be operating, we're gonna have to get into the nitty-gritty. We're gonna have to address what are the permitted purposes for requesting and disclosing data. How are we doing identity verification and authority verification and communicating it? What are audit rights? How are we going to track all of this? Who's enforcing what? Incident response: how are we gonna let everybody know when something does happen? And we also need to do this again without doing what we've done in the past and creating these barriers that could be viewed as impermissible interference with the access, exchange, or use of electronic health information, right? We still need it to flow. And I think with CMS emphasizing things like patient-directed access, consent preferences, and auditability, if our agreements aren't operationalizing those concepts, then they're just not going to be aligned with where the ecosystem is going. So it's hard, but hard things are worth doing and they are doable.

SPEAKER_03

David, what role do you see federal oversight playing if participation remains largely voluntary? Do you anticipate future rulemaking to formalize these expectations?

SPEAKER_02

So maybe I'll answer the second one first. I do think that there will be some follow-on. I think it'll be more limited than a lot of folks think. Right, this is a deregulatory administration. I don't think that they want to come in with a bunch of heavy-handed things. I think they want to say, where appropriate and where smart and where needed to make markets function the way we believe markets should function, we're gonna come in and regulate. And so, you know, HTI-5 was predominantly, well, it hasn't been finalized yet. We expect the finalized rule to be very close to the proposed rule and be very deregulatory in nature. I think HTI-6 is going to set some new expectations for certified electronic health record technology, and that'll flow down to providers, right? I would anticipate significantly more focus, as we've talked about, on API functionality, on data availability, and how well your system exchanges data instead of the internal functions of your system. I think for CMS as they move forward, right? We've already got 0057 and a compliance deadline in January. I think we could anticipate seeing more of that. You know, there's an e-prior auth rule for medical drugs that's been at OMB for a while. We can see some of that continue moving forward. I don't think it's going to be as regulatory. We're not going to take all of the best practices and learning from this, and there's going to be some new mega rule following, but I do think that they will have some targeted updates and changes on the regulatory side.

SPEAKER_03

How should organizations prepare for the potential evolution from that voluntary alignment to a formal regulatory mandate?

SPEAKER_02

So I think, as Melissa has noted a few times, kind of a viewpoint shift to say, instead of very insular specific activities around compliance, we need to take a totality of the circumstances viewpoint of what are we being expected to keep safe while making as much data available as we need to to other providers, to other payers, to consumers. We haven't even talked about public health and some of the data modernization initiative activities that have largely sunset but are still out there. And so that kind of totality of the circumstances, it can't just be, all right, if we check this box and this box and this box, we're good. It's how does this box interface with this box, interface with this box? And how do we set up an overarching governance structure that's going to keep us safe and secure and private when we need to be, but fulfill all of our new obligations under info blocking and data sharing that we also have now?

SPEAKER_03

And just to structure this, I wanted to go over a little bit of practical guidance for healthcare attorneys. And so if you were advising a hospital general counsel, a payer compliance officer, or a digital health startup today, what immediate steps should they take to assess their readiness with HTE?

SPEAKER_02

And maybe I'll start, and then, Melissa, I'll go to you. To me, the biggest piece of it is again, how does this fit in a broader business dynamic? Right? We talk a lot about, and rightfully so, the compliance components, and for the folks that you just mentioned, their main job is the compliance pieces. But as we work with clients, one of the biggest pieces that they are trying to look at is how can this be a strategic advantage for our organization? As we have fewer providers, you know, if you're a big IDN, we don't have as many providers as we used to. How can we automate workflow? How can we use technology as a care extension? What are the roles of these new technologies in managing at-risk populations, you know, populations that are in at-risk payment contracts? For payers, it's the same thing. How are we going to deploy these things? What new opportunities do we have, again, in the consumerization of healthcare to go there? So I would say not just from a compliance lens and not just from an HTE lens, but as organizations continue on their digital transformation, how can I support making sure, again, we are fully compliant, but that compliance does not become an impediment to the broader things that we are trying to do in advancing some of these things. Because I think sometimes we can dig heels in in ways that conform to how we were using data 15 years ago and isn't consistent with where the government wants to go and isn't consistent with where organizational leadership needs to go from a business perspective.

SPEAKER_01

Yeah, I was about to say, like, that's a great way to get ready for HTE readiness. Like, that's your mindset, right? How is this going to be beneficial to my organization and how are we going to, you know, rise to the occasion? So when I'm working with clients on this, we usually do five steps. We start with first figuring out where that particular client sits in the ecosystem. You know, are you a provider, a payer, an app, or a network? And you know, interestingly, with all this consolidation among entities, you can be working with a single entity that falls into multiple different buckets. And you need to kind of understand where you're sitting in that ecosystem because things like expectations and laws and risk profiles are going to change depending on where you sit in the ecosystem. A second thing we do is we map our data flows. What data are you ready to share, with whom, and how? So a lot of organizations haven't fully visualized how far their data is going to travel in this model, or what their tech stack can support, or the various and myriad different use cases, depending on who's requesting what for what purpose and so on. So data mapping is key. Third is we start evaluating things like access and identity controls. So, as we've talked about, CMS is placing real emphasis on verified identity, authentication, and auditability, which is great. But if we can't confidently answer who is accessing data and why, you know, that's a potential gap. So it gets more complex when we add proxies into the mix too. We've been talking a lot about one-on-one with patients accessing their own records, but what about parents accessing the records of their children? We also need to do things like verify authority in those instances. And quite frankly, there just aren't the technical tools on the market today to do that. So I am flagging this as a very important step in this five-step process. After that is stress testing our contracts and governance structures. I mean, do we have those contracts that we need in place? And do they hold up? And fifth is, I think, pressure testing your privacy posture against real-world use cases. And what do you do if somebody knocks on the door later and says, oh, you thought you were disclosing that for treatment? Well, you weren't. It was a bad actor. Now you're on the hook. You know, how are we going to deal with these issues when they do come up?

SPEAKER_03

Another question I'm always thinking about, but I'd like to hear from both of you: what is the biggest blind spot you're seeing in how stakeholders are preparing?

SPEAKER_01

You know, I think the biggest blind spot is a lot of organizations are still thinking in silos. Privacy teams are focused on HIPAA and state data privacy laws, and tech teams are focused on the APIs, and the business teams are focused on growth. But HTE assumes that all of these pieces are working together as a single system, as a single unit. And I think oftentimes where organizations end up missing the mark is they don't have that master architect that can see the big picture across the disciplines and bring everybody to the table, because we need everybody at the table to make it work. Because otherwise, sometimes we end up with, like, technically compliant APIs and legally compliant contracts, and then there is still a breakdown on how the data is accessed, used, or understood across the ecosystem. So we need everybody at the table.

SPEAKER_02

Yeah, I'd go again the policy-political route a little bit. I think that there are a lot of folks that believe that this is, you know, a Dr. Oz and Amy activity and a Tom Keane activity, and it's not going to persist, right? We're, you know, given the administration life cycle and all the things, that this isn't going to continue. For those folks, I would just point out Bush to Obama, an amazing amount of continuity on digital health and on prioritization. The Cures Act was signed under President Obama. It's been pushed forward. The CMS-0057 rule was initially proposed during Trump one, finalized during Biden, expanded, and then, you know, all implementation factors say we're gonna continue on this in Trump two. So notwithstanding the fact that they have pressed on the gas pedal during this administration, there is amazing continuity in prioritization of the consumerization of healthcare, the digitization of healthcare, and the ability to use some of these new methodologies and tools to advance access for everybody, right? Information at point of care, consumer dynamics, better data to payers so that we can drop premiums, all of the use cases. And it's been really consistent across these administrations for 25 years. And so I would just say we can try to wait it out, and there may be a little bit of a different posture next time, but I think that the okay, let's not do this ever, is out of the barn and it's not going back in. So lean in as much as you can. And to Melissa's point, take a macro perspective on that and lean in as much as you can, because I think the winners here are gonna be the ones that are first movers and not the laggards that wait to see how it all shakes out.

SPEAKER_03

So Melissa and Dave, I would like to thank you both for such a thoughtful and practical discussion today. And a few key themes stand out. First, the CMS Health Technology Ecosystem represents more than incremental interoperability. It signals a broader reimagining of how health data moves across clinical, payer, and consumer platforms. Second, while participation may begin as voluntary and self-attested, the legal and contractual implications are very real. Attorneys will play a critical role in shaping governance structures, drafting data sharing agreements, and managing liability exposure. And finally, patient-directed access and digital innovation create opportunity but also meaningful privacy, enforcement, and reputational risk that organizations must proactively address. On behalf of the American Health Law Association, thank you for joining us today for this episode of Speaking of Health Law.

SPEAKER_00

If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. For more information about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org and stay updated on breaking healthcare industry news from the major media outlets with AHLA's Health Law Daily Podcast, exclusively for AHLA Comprehensive members. To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.