Dispatches from ONC’s annual meeting

By DARIUS TAHIR 

Updated

With help from Arthur Allen (@arthurallen202) and Mohana Ravindranath (@ravindranize)

Editor’s Note: This edition of Morning eHealth is published Mondays, Wednesdays and Fridays at 10 a.m. POLITICO Pro eHealth subscribers hold exclusive early access to the newsletter each morning at 6 a.m. Learn more about POLITICO Pro’s comprehensive policy intelligence coverage, policy tools and services at politicopro.com.

Quick Fix

— Dispatches from ONC’s annual meeting: The privacy and access debate around forthcoming interop rules was on everyone’s mind at this year’s ONC meeting.

— Practice Fusion settles multiple criminal, civil charges: EHR developer Practice Fusion has settled multiple charges — one criminal — with the federal government for $145 million over the firm’s sponsored clinical decision support software programs.

Judge says no-can-do on HIPAA rules: A federal judge on Tuesday night said much of HHS’ recent round of HIPAA work is statutorily impermissible, invalidating major sections of the regulations intended to facilitate patient access to their data.

eHealth tweet of the day: Dan O’Neill @dp_oneill [on the Practice Fusion charges] “…[O]nce you choose that ad-driven path, commercial gravity tugs in the direction of selling more ad inventory, and creating more effective advertising tools (See: Facebook). All the more so, perhaps, if the company is venture-backed and trying to reach breakeven.”

WEDNESDAY: Who’ve you got in the Super Bowl on Sunday? Your correspondent, being a Bay Area guy at heart, is hoping for the 49ers but betting on the Chiefs. Share football takes by email at [email protected]. Discuss football socially @arthurallen202, @dariustahir, @ravindranize, @POLITICOPro and @Morning_eHealth.

Driving the Day

ONC ANNUAL MEETING DISPATCH — The din around ONC’s forthcoming (we think) interoperability rule got all the louder this week at the agency’s annual meeting:

— Privacy and access debate: HHS officials doubled down on their commitment to freeing up patient data and maintained that privacy concerns shouldn’t delay the rules. On Monday, HHS Secretary Alex Azar made a veiled reference to EHR giant Epic’s campaign against the upcoming data sharing rules.

“Unfortunately, some are defending the balkanized, outdated status quo and are fighting our proposals fiercely,” Azar said during a keynote. He added later that “scare tactics are not going to stop the reforms we need.”

Azar’s jibe was echoed by his colleague, ONC chief Don Rucker, who warned of a “huge marketing campaign on the risks of this data.”

“I don’t think we can let the risks that are real prevent all of us as citizens and members of the United States from having all of our data for the next couple of years,” he said.

But there are plenty of groups arguing for more privacy protections. Rucker’s comment drew criticism from AMA’s Laura Hoffman; the nation’s largest association of physicians has urged ONC to incorporate more privacy protections into the draft versions of the rule before finalizing.

“Let’s not forget the huge journalism ‘campaign’ documenting apps selling pt data w/o a patient’s knowledge & in violation of privacy policies on a daily basis,” she tweeted. “ONC can & should give patients health data AND privacy info. Stop pretending it has to be one or the other.”

Partly in response to privacy concerns, Rucker emphasized ONC’s commitment to the OAuth2.0 authentication protocol, which he says could incorporate some informed consent disclosures into apps. We’ve previously noted that this is a tack ONC is seeking to emphasize, as it opens the door for the Federal Trade Commission and state attorneys general to litigate deceptive privacy practices with some apps.

Not everybody’s on board with that strategy: “Gonna be blunt (when am I not) but OAuth 2.0 does not provide privacy protections. It is a security protocol for reuse of credentials. It in no way sets, dictates, or creates privacy protections/rules. It certainly doesn’t prevent non [covered entities/business associates] from selling health data,” former ONC official Genevieve Morris tweeted last week.

— Other tidbits on the rule: Though he couldn’t share much detail because the rules are under OMB review, Rucker clarified that they don’t yet address information blocking penalties for providers — only for EHR vendors, health information exchanges and networks.

PRACTICE FUSION SETTLES CHARGES FOR $145M — Practice Fusion, the free EHR developer, settled federal criminal and civil charges for $145 million with the federal government on Monday.

The developer took kickbacks from pharmaceutical companies to create 14 CDS alerts aimed at juicing drug sales; one alert, which drew the criminal charges, promoted opioid sales.

The announcement — the third kickbacks case against an EHR developer — drew loud and sustained reactions.

Jacob Reider, a former ONC official, offered one interesting take in his blog. Reider said he’d met with Practice Fusion in an official capacity to talk certification with the developer: “I asked Ryan [Howard, the company co-founder] if he was concerned that there might be an ad that a doc sees some day that makes her change her mind about a prescription, and the drug in the ad causes a 1:1,000,000 allergic reaction and kills someone,” Reider wrote. “Did he worry about this? Did it keep him up at night?”

“He wasn’t concerned,” Reider concluded. “’It’s still the clinician’s decision. It’s on them. If it’s not the right drug, then don’t prescribe it. Same as advertisements in the pages of JAMA or NEJM.’”

The meeting in question occurred before the bulk of the criminal activity alleged in the complaint. “I was not contacted as part of the investigation and during my tenure Practice Fusion *never* leveraged its Clinical Decision Support feature to promote opioids or any questionable treatment,” Howard told us. Reider updated his blog post to reflect his belief that Howard was not involved.

JUDGE SAYS NO-CAN-DO ON HIPAA RULES — Major sections of HHS’ work to facilitate cheaper access for patients to their data are not permissible under the Administrative Procedure Act, a federal judge ruled late Tuesday night.

The HHS actions, which allowed third parties like insurers and law firms to make record requests on patients’ behalf and separately capped allowable fees for retrieving records, had been opposed by record-retrieval firm Ciox Health, which had sued the federal government.

As we noted last year, the moves are a one-two punch on Ciox’s bottom line: The rule allowing for third-party requests meant Ciox couldn’t charge those entities higher rates for retrievals; the new payment formula’s effects speak for themselves.

Ciox argued in its lawsuit that the government had overstepped the bounds of its authority by going beyond the language of the 2009 HITECH law, and by using guidance as a crutch for formal rulemaking.

In a complex, 55-page opinion, D.C. District Court Judge Amit Mehta, a Barack Obama appointee, largely agreed, ruling that the federal government’s 2013 rule allowing for third-party requests for patient records beyond what’s contained in an EHR and its guidance setting forth a payment formula don’t pass muster under the Administrative Procedure Act.

The decision is a blow for the federal government’s attempts to ease and extend patient access to their records. (Ciox is also not particularly fond of the forthcoming interoperability rules.) But HIPAA lawyers aren’t yet offering definitive opinions about the importance of the decision.

WARREN’S PANDEMIC PLAN: OPEN THE SCIENCEThe Democratic presidential hopeful has a new plan on how to deal with pandemics, our colleague Brianna Ehley reports, and longtime digital health policy watchers won’t be surprised with one of her ideas: making sure science is open.

“We must encourage sharing of specimens and data between researchers and public health officials, urge transparency from foreign governments, and increase support for data sharing platforms,” Warren writes. “During a public health emergency, publishers should not use paywalls to hide important data or force authors to keep data embargoed until publication.”

The comments are in line with longtime commitments from Warren, who wrote an August 2016 New England Journal of Medicine article advocating for data-sharing in research.

She’s not alone in making this call: The Journal itself has said it expects any data underlying research on the coronavirus to be shared with public health authorities and other academics.

Warren’s plan also supports modernizing public health informatics systems, a project that past appropriations bills have included cash for.

HOW MIGHT REDUCING PRICE VARIATION DRIVE DOWN COSTS? — Several federal rules, including CMS’ chargemaster requirement for hospitals, aim to reduce price variation by making costs more transparent. But we don’t know much about how reducing variation affects health care spending, a new Health Care Cost Institute analysis suggests.

The “direction and magnitude in which price variation may be reduced (if at all) by potential price transparency policies is unclear,” Kevin Kennedy, Bill Johnson and John Hargraves write. It’s possible that such will policies force the lowest price claims upward, raising overall spending, for instance.

Still, after analyzing more than 400 million claims in 2017, the group concluded that minimally reducing the most expensive claims results in greater savings than the increased spending that would result from pushing lower-priced claims upward.

DIRECTTRUST REPORTS STRONG GROWTH — DirectTrust said the number of secure messages sent over its network nearly tripled in 2019, going from 274 million the year before to 811 million in 2019. The growth in volume came in part because of the number or organizations on DirectTrust surged by nearly 72 percent last year.

What We're Reading

The FT reports on pharma’s data and AI plans.

Health Affairs has a blog post on modernizing health IT for American Indians and Alaska Natives.

How DNA sleuths are studying the coronavirus, in Stat.

EDITOR’S NOTE: Jacob Reider’s blog post about Practice Fusion was later twice updated, first to reflect his belief that Ryan Howard was not directly involved with the activity alleged in the Practice Fusion complaint, and then to remove some references to Howard, who had left the company before the activity in question. Reider clarified to POLITICO that the references were “clumsily delivered” as he tried to make a bigger point about start-up culture.