Close this search box.

How will the 21st Century Cures Act Impact the Healthcare IT Space?

Share Podcast

In March, The ONC and the CMS released final rules on interoperability, information blocking, and more as a part of the 21st Century Cures Act. Does this mean an actual change is coming to the healthcare ecosystem? Will accessible information exchange and data interoperability finally come to be the industry standard?


What is the purpose of the 21st Century Cures Act?

Ultimately, the ONC final rule has the potential to enhance the patient experience, optimize the workflow for health workers, and dramatically improve clinical health outcomes; a win-win-win. The act also aims to promote competition between vendors and digital health companies. However, these changes prove to be a tall order for health organizations and health IT companies. In order for true interoperability to exist, payers, providers, EHR Vendors, digital health brands, and all other relevant stakeholders need some sort of common denominator. Not to mention, there are some pretty serious data privacy and cybersecurity implications. Will the HIPAA regulations we have in place today be enough to protect patient data if data sharing is in and informational blocking is out?

Point-of-Care Partners (POCP) is a Health IT consulting company that helps health organizations implement information management strategies. POCP’s Health IT Consultant and Practice Lead Kenneth Kleinberg and their PBM Practice Lead Pooja Babbrah, will discuss what the 21st Century Cures Act is and how it may upgrade the healthcare industry for good. Arcweb Head of Engineering Shahrukh Tarapore will also be joining us to highlight the challenges that come with the new regulations and help advise companies on how they may strategize around them. The podcast will focus on these major questions:

Continuing the “Engineering Healthcare” theme, in this episode, we’re discussing the implications of the 21st Century Cures Act for health IT developers and providers. Shahrukh Tarapore, our Head of Engineering returns to discuss the final ruling along with a couple of thought leaders from Point-of-Care Partners (POCP), a leading health IT management consulting firm. Our guests are POCP PBM Practice Lead Pooja Babbrah, and POCP Practice Lead and Health IT Consultant Kenneth Kleinberg. The group will deep dive into what the CMS and ONC final rulings actually mean and why the regulations are so important for the future of the healthcare industry.


The LinkedIn page for Kurt Schiller, Head of Marketing at Arcweb Technologies.
Kurt Schiller | Head of Marketing
The LinkedIn page for Shahrukh Tarapore, Head of Engineering at Arcweb Technologies.
Shahrukh Tarapore | Head of Engineering
Pooja Babbrah, PNB Practice Lead at Point-of-Care Partners.
Pooja Babbrah | PBM Practice Lead at Point-of-Care Partners 
Kenneth Kleinberg, Health IT consultant and Practice Lead at Point-of-Care Partners.
Kenneth Kleinberg | Practice Lead & Health IT Consultant at Point-of-Care Partners











Kurt Schiller [00:00:00]: Hello, and welcome to Product Hacker and to the third episode of our “Engineering Healthcare” series, where we’re talking about the relationship between technology, healthcare and patient experience. I am your host, Kurt Schiller and today we’ll be talking about a pretty significant development in the world of digital health, the 21st Century Cures Act. The piece of legislation that was passed way back in 2016 and is having and is was about to have far-reaching consequences for the way that we handle patient data, interoperability, digital healthcare experiences and a whole slew of other things. And to help us navigate this discussion, we’re joined today by three guests. 

Kurt Schiller [00:00:35]: The first two of which being Pooja Babbrah and Ken Kleinberg of Point-of-Care Partners they’re a health I.T. consulting firm that works with really every possible type of healthcare organization you can imagine whether that’s providers, payers, even some government agencies to improve quality of care and efficiency. And Pooja is there a PBM services practice lead and Ken is the lead for their innovative technologies practice. And both of them have a really deep experience and have spoken at hundreds of industry conferences and authored, I don’t know, dozens, hundreds of articles. Pooja and Ken, welcome to the show. 

Pooja Babbrah [00:01:06]: Thank you. 

Kurt Schiller [00:01:08]: And we’re also joined today by my colleague Shahrukh Tarapore. Arcweb’s Head of Engineering. Shahrukh manages our team of software developers and architects, and he helps advise the health tech organizations that we work with on high-level technology and software strategy. Welcome, Shahrukh. Welcome back–– I should say. 

Shahrukh Tarapore [00:01:24]: Thank you. Always good to be here. 

Kurt Schiller [00:01:25]: Some of you may remember–– long-time Product Hacker listeners may remember Shahrukh from, I believe, our very first episode where we had kind of a new technology roundtable and it was new technologies two years ago. We should definitely do a check-in episode at some point and see how our predictions have come to pass. 

Shahrukh Tarapore [00:01:44]: My fingers are virtually crossed. 

Kurt Schiller [00:01:47]: So back to the topic at hand. We’ve covered the Cures Act, the 21st Century Cures Act a few times on this podcast. But just to catch people up– I think the first thing to talk about is probably kind of where we are and how did we get here, sort of overview. And, you know, if I think back to my Schoolhouse Rock listening as a kid where they talk about how a bill becomes a law, you know, the 21st Century Cures Act was a bill and it became a law. But, you know, my understanding, Ken and Pooja, is that you know, we’re really only part of the way through the process so far. So I don’t know– can you catch us up on kind of where we are and what lies ahead still?


The History and Behind the 21st Century Cures Act

Ken Kleinberg [00:02:26]: All right, it’s Ken here, I’ll go first. I’ve been in healthcare a couple of decades, and I think back to where the major legislation and impacts have been, where, you know, decades from when HIPPA was launched– and the “P” in HIPPA standed for “portability”. So they were thinking about moving data around, you know, that long ago. We had the Office of the National Coordinator created in 2004. Then meaningful use as part of high-tech an era, you know, the EHR incentive program– that was 2009. That’s already more than 10 years ago. It was 2015 that we had MACRA aiming at value-based care. And then shortly after that, right at the end of the Obama administration, this bipartisan 21st cures– 21st century cures was finalized and it didn’t really tell people what to do. 

Ken Kleinberg [00:03:20]: It went to CMS and ONC and said, “You figure out what to tell people what to do.” And now a couple of years later, it’s finalized. And I think the major impact or the major goal was to drive greater consumerism and greater competition. And it’s doing that primarily through information access or the prevention of information blocking. And this is specially oriented towards patients so they can get hold of their data and they can use that data to switch payers or switch providers readily and also for providers to be able to switch their EHR vendors. So those are really all game-changing events for our industry. 

Pooja Babbrah [00:04:07]: So this is Pooja, so you know– and just to add to that, I mean, I’m coming from it from a kind of ex-product manager in the EHR space. And, you know, the other way to think about it is there are number of federal initiatives really to promote quality adoption of electronic health records and value-based payments. And so when you look back at meaningful use, you know, really the goal was to get doctors to use their EHRs in a meaningful way. And what we found over time is that really ended up putting up these you know, we kind of call them walled gardens, right– with limited interoperability. So doctors were using their EHRs, but they weren’t actually sharing information back and forth. And I think that’s when you saw that Cures act come into place to say, “OK, we put these incentive programs in place. We have the doctors that are using the EHRs, but it’s not really getting us to that quality and that value-based care that the federal government has focused on and that’s where you’re starting to now see that being pushed a little bit. 

Kurt Schiller [00:05:05]: The interoperability angle– and I’m glad that you mentioned the walled garden is huge because that’s something that we’ve definitely talked about before on the show, that the analogy that I often used to explain to people who are less familiar with kind of the patient data space is, you know, if you want to go purchase something off of a website and you go to put in your credit card information, it really doesn’t matter. You know, what bank you use, it doesn’t really matter what bank the store uses. It doesn’t matter whether you have Visa or MasterCard. It’s just kind of agreed upon standards for all these different companies that are competing. And it’s become relatively seamless for the end-user. And that is not the case with patient data. Not just the rules and requirements for sharingand managing that data can vary greatly from vendor to vendor but even what data is captured, the format of the data, and it seems like a big focus of this act, is to kind of smooth some of that out. And if not, make it invisible, at least make it less burdensome to go from one system to another.


What role does interoperability play in the ONC Final Rule?

Pooja Babbrah [00:06:04]: Exactly at Point-of-care partners we kind of call it “The new rails”, right? I mean, what you’re doing is you’re sharing– you’re sharing data that has always been available in the EHR. But what the interoperability rules focused on was that U.S. core data. So the USCDI and that’s, you know, what’s codified, what standardized today. And so that was kind of the initial focus is how do we take that set of data and then be able to share it across systems? You know, there’s lots to come still from that interoperability rules. You know, this isn’t going to be a final thing. But, you know, it is important to recognize that people are doing this in other industries today. I mean, to your point, with the financial industry, you know, we all look back to that and say, you know, why can’t we do that and set something similar in healthcare? And I think this is our first step to try to get there. 

Ken Kleinberg [00:06:53]: Yeah, it’s Ken. I would say there are a lot of reasons that people didn’t want to share data for reasons of competition, for example, privacy. But there are more reasons, I think, that we do want to share it. So I think this legislation, even though there’s some pushback from certain sectors, is generally very, very positive. 

Kurt Schiller [00:07:12]: So can you mentioned before that? One of the main goals of this was to increase competition is that competition between EHR vendors, between consumer device vendors, who is the competition or where is the competition supposed to be increased by this?


How are the regulations creating a better space for competition in the healthcare industry?

Ken Kleinberg [00:07:29]: Yeah, I think it’s all across the board there. Consumers want to be able to compare the care that they’re getting from providers. They want to compare the coverage they have and the networks that are available to them from their payers. And they effectively want to have a longitudinal history they can use when they move from one payer to another or from one provider to the next. Third parties, a whole group of literally thousands of new vendors entering the space here on behalf of consumers will gain access to this information. And in this new app economy for patients, the way this information could be presented and the way it can be compared will be far beyond what patients have seen with the portals that they’ve been using over these last years.


Download our Engineering the Modern Patient Experience white paper


Pooja Babbrah [00:08:18]: Yeah. Just to add to that, you know, when we think about the EHR and health information technology vendors, I think part of the pushback on this was now we’re going to have these standard open APIs, right. And that’s been their business model in the past. So how do you come into this new environment and its complete change for payers, for health I.T. vendors. Payers are trying to figure this out and how they can now compete, right– to get those patients. You know, having this open data, this open information enables for patients to see how much their out-of-pocket costs is going to be–– things like that. Can potentially be a huge competitive advantage for payers. But then EHRs and health IT vendors, you know, they’re going to have to come up with some new business models, right. But there’s a lot of opportunities for them to be able to say, you know, here’s opening up healthcare app marketplaces, for example, right and being able to give that information. You know, partnerships with people, population health vendors, folks like that’s, so that, you know, EHRs can be partnering with. I just feel like we’re seeing this is really going to shift also from healthcare, economy, business model standpoint for all stakeholders. I think in our industry. 

Kurt Schiller [00:09:24]: Moving a little bit more towards, I guess, the technology side. I want to throw something over to Shahrukh because you have the experience of kind of working with the actual implementation and use of this data. How big of a problem or limitation would you say it’s been that the patient data or healthcare data ecosystem has been the way it is if you’re trying to build software or develop a product that’s supposed to work with this data? Like how big has the burden been there?


What is the burden of the current healthcare data ecosystem on software developers?

Shahrukh Tarapore [00:09:54]: You queued me up perfectly. I actually wanted to double down on what Pooja said. And I think aside from the pushback that I think the EHR vendors have provided because of the standards-based APIs, there’s also just an inherent technology data model that lives in these EHRs that are different from EHR to EHR. And the reason why they’re different is not because they wanna be proprietary for the sake of being proprietary, but because they really make their value proposition to hospital systems based on their customized ability to their business processes into their clinical processes. And when a client hospital systems processes differ and that customization becomes critical, the data models change, the vocabulary changes, the terminology changes, the, you know, how it affects billing, how it affects clinical care, how it affects revenue. All change, and it becomes these necessary stovepipes. 

Shahrukh Tarapore [00:10:45]: And I think the EHR vendors have moved their products in a way that emphasized that customized ability for the individual healthcare system at the risk of–– not the risk, at the detriment of greater interoperability. So I think the standards-based APIs are critical here, but this may be a necessary upheaval in the in just the way that internally away from interoperability, how data is represented in the individual EHRs and defining the way you translate between one information model and another information model, because two different hospital systems think about and have different processes for how they conduct care for their patients. 

Kurt Schiller [00:11:22]: Yeah, I think something that’s always interesting in, you know, when we’re having early conversations with, say, someone who’s developing a consumer app that they want to do some level of EHR integration. They usually are initially thinking about it in terms of, well, how do I integrate with a platform like Salesforce? Like Salesforce is the thing. It’s a known quantity. Once you’ve done it, it’s integrated. There’s some kind of a plug-in. And EHRs aren’t really like that to varying degrees, but a lot of the really popular ones, you know, you literally would have to go hospital by hospital to do the implementation. 

Kurt Schiller [00:11:54]: A lot of times they’ll talk about their app exchanges or app stores in app store-terms as if it is, you know, you click a button and then the app is installed. And that’s really not the case. There’s, I don’t know, dozens, hundreds of person-hours that would have to go into the actual implementation. And that’s even assuming that you have already built out your side of the product to be able to integrate. 

Kurt Schiller [00:12:17]: I want to poke a little bit at some of the specifics of the regulations because like I think Ken and Pooja both alluded to there’s a lot that seems to be packed into here. It’s been turned into a lot. And some of the ones that come to mind for me are there is explicit adoption of specific standards like HL7 seems to be part of it. There is a few very specific notifications and functionalities that have to be included. Specific types of APIs and access that has to be provided. I know that ADT notification, admission, discharge and transfer notifications has to be provided within some criteria. So I guess to throw it back to Ken and Pooja, what do you see as kind of some of the high-level bullet points of the requirements or big focuses of the regulation or the rule at this point, I guess?


What are the focal points of the 21st Century Cures Act right now?

Pooja Babbrah [00:13:05]: Yeah, this is Pooja. I can take that one. So we break it down by stakeholders. When we look at it from Point-of-Care Partners, so kind of starting with the payers, right. The big ones are, you know, the patient access, right. So allowing patients to actually get access to their records. And that’s a big one, right? That’s really one of the biggest push out of all of this is, you know, how difficult it is for patients if they’re trying to get their own medical record, how hard it is to get that. And I think that’s one of the big ones. The payer-to-payer transfer. And, you know, we always think of it. I mean, we’re clearly talking product and data and everything but, you know, it’s also a business problem. 

Pooja Babbrah [00:13:44]: So today, if you’re going from one plan to another, say, on January 1st, you know, another way to think about it is payers, you know, they’re wanting to make sure that they–– enyone that’s signing up for their plan, you know, they want to make sure that they have their information for those patients. They want to be able to, for example, enroll them, pre-enroll them into a population health program they may have looking at it from that aspect. When you unpack it, there’s a lot of really good things that will come out of this. Also, from a cost savings perspective, health systems, again, the patient access. You mentioned the ADT notifications. So being able to inform, right. So if you’re in a ACO contract a value-based care contract; patient ends up in the hospital, you immediately can inform the care team with their getting discharge. Right. 

Pooja Babbrah [00:14:32]: So that care team can pick up that patient right away and say, “OK, what do we need to do?” EHR and health IT vendors–– again, the patient access piece of that, but also, you know, the whole thing around data blocking and making sure that they are not holding back information. And that’s really an interesting one to me, because, you know, there was a lot of discussion when the rules came out of how is an EHR going to handle if a patient or even a provider, right. If the patient comes up to their provider and says, “I want you to share my medical record” with this random application am I going to get, you know, fined for that? Is that information blocking? Even if the doctor may know that that’s not an application that they should be sharing the data with? So lots of discussion around that. 

Pooja Babbrah [00:15:17]: But I think that’s also another kind of one that needs to be unpacked a little bit more, because really it’s up to the patient, right, to say here’s where I want you to share my data and the provider can’t really stop that. So, you know, lots of intricacies when it comes to kind of all the different rules around that. 

Ken Kleinberg [00:15:35]: Just to tie together some of what we just heard. Take it from a standards perspective. Think of three phases here in the current phase, basically, a payer or provider could make available access to their data if they wanted to in their proprietary format. They could publish that to any third party if they wanted to. They had that discretion with information blocking in the first phase of this, they can’t say no. So they have to make it available. But the format that they make it available is still not specified. When we go into the last phase––  the third part of this. Now you’ve got to use these new FHIR APIs. It’s a standard approach so that a third party wouldn’t, for example, have to develop a different interface to every payer or to every provider that they were looking to access. And that’s huge.

Kurt Schiller [00:16:29]: There’s a lot of good stuff from both of you to dig into there. One of the questions that I’ve had about these regulations, as I’ve been keeping up with them, is exactly what they mean by API, for instance. And, you know, also like where will the burden of this fall? I mean, do either of you have a sense of is this something that you feel like providers will need to implement on their own? Is this something that vendors are going to just have to make kind of standard within their platform? Like where do you feel the burden of the actual implementation is going to fall of some of these aspects of the regulation?


What are the main technical challenges that will come with this movement?

Ken Kleinberg [00:17:07]: Well, I could start by saying that the providers have, by and large been more dependent on their vendors than the payers who have done a lot of self-development. So from the provider side, we have the EHR vendors, the enterprise EHR vendors, and they’re actually capable of developing these APIs. The payers have IT teams of course. This will be a little newer to them, but they’re still capable of it. And there are many, many third parties that have played a role in integration, the so-called interface engines or integration brokers. Many of those players now see this as a new opportunity, especially some of these newer companies that have basically formed around this FHIR standard. 

Ken Kleinberg [00:17:50]: I think one of the challenges here for the payers, let’s look at them, is it’s one thing to say that you’ve got the APIs, that you’ve developed the APIs, but you’ve got to connect them to your backend data systems. And that’s really a challenge to these older legacy systems. I think that’s going to be less difficult for the providers to do and their EHR vendors are basically in a great position to do that. 

Kurt Schiller [00:18:13]: You mentioned integration and I saw Shahrukh kind of nodding along there. Shahrukh, how difficult is that sort of–– that sort of interconnection between legacy systems? Because I think that Ken’s point was great, that there are a lot of these, you know, integration engines or integration platforms that are out there that if you read just the marketing material, which is more my domain, you know, it sounds like done! One and done, awesome. How big is that the actual challenge of implementing something like that, even if there is an off-the-shelf solution for it? 

Shahrukh Tarapore [00:18:44]: Yeah, I wish there was a slick answer to this, but there’s many dimensions, right. So the complexity resides at a couple of different levels, right. So one of them is like–– new modern system talking to legacy system. defining APIs and building APIs. These are common technology problems that reside in all industries. And for the most part, I would say they’ve been solved repeatedly and there’s not a lot of nuance to solving them in a healthcare context. Where the nuance really comes in is in what I was referring to earlier: the information model. So rather than think about the legacy system with a new system, think of like the legacy information model with a new information model. 

Shahrukh Tarapore [00:19:24]: So yes, we have FHIR and FHIR is great. And I think from the perspective of does it represent patient data comprehensively? The answer is yes. Does it represent patient data in a way that lets all these other representations that EHR vendors have, the health systems have, that payers have, map one-to-one to FHIR? The answer is no, and that’s a huge, huge problem. That’s–– so it’s a huge technical problem. It’s also a huge business problem, a huge clinical problem. And where I hear a lot of debate and consternation come up when talking about the applicability of standards-based APIs and starting to conform to some of the regulations that are coming through, you know, the Cures Act, it’s around–– everyone agrees we need standards-based APIs. 

Shahrukh Tarapore [00:20:11]: You know, we’ve got FHIR. All those things are great. But how do you actually map that to hospital system A is using the EHR “X” hospital system “B” is using EHR “Y”. Now, you need to have a common way of talking to each other, common language that you speak both technically and clinically. Yes, FHIR and other standards present a solution, but translating to that solution and away from that solution is an unsolved problem and going to be a colossal thing to have to solve for. And that’s where a tremendous amount of complexity resides still. 

Kurt Schiller [00:20:44]: In terms of, I guess, making that decision about, you know, how much do you leverage a platform versus how, you know, how much do you try and build something yourself? Do you feel like there’s any kind of question that these organizations need to be asking themselves to determine whether they should be trying to build something themselves versus, you know, maybe look to their vendors to solve it for them? 

Shahrukh Tarapore [00:21:07]: I would say, by and large, most hospital systems are not really organizationally prepared to take that level of work up. And they’re gonna be dependent on their vendors, not just the EHR vendor, but their other vendor sources as well. I actually feel like that’s going to change. Because of the rules and just because–– I personally feel like hospital systems are going to become technology companies. Being technologically savvy as an organization is going to be just as important as being cutting edge in the clinical space. I foresee a ramp-up of kind of technical maturity and software development maturity and product maturity within hospital systems to address a gap and to–– that they currently look to their vendors to solve for. And eventually they’ll be able to overcome that, you know, organically. But in the meantime, that’s not gonna happen overnight. In the meantime, I think they’re gonna look to their EHR vendors and on one hand the EHR vendors have a vested interest in not solving that problem universally. And on the other hand it’s really hard, even if they’re if they were fully intent on doing that immediately. 

Shahrukh Tarapore [00:22:11]: So, you know, I think remains to be seen whether or not that can happen kind of full-scale universally or whether the system-by-system basis solved for with specific integrations that wanna do with, you know, third-parties or payers or whoever it may be. 

Ken Kleinberg [00:22:25]: I would just modify that a little bit to say there are certainly leading health systems that are working very closely with their EHR vendors and doing joint development. I mean, just as an example to your point, Shahrukh, about these data models, if I could be specific, when Partners Healthcare [now known as Mass General Brigham], which is one of the leading systems in the country and had done a tremendous amount about patient-developed data, went to using Epic. Epic had their data model and both these organizations were involved with Apple Health

Ken Kleinberg [00:22:54]: They had their data model. Now the regulations for USCDI are talking about a core for the first couple of years, but then that will open up to all EHI. And as we move through this pandemic, for example, we have new types of data elements being added. When you look at genetic health and precision medicine, there are new aspects to the data model there. So this is going to continually evolve. And I think it will be a partnership between the vendor community, especially the academic medical centers and pharmaceutical companies. There’s a path forward for this, and the regulations do allow for it in how the course standard will expand over time.


How can longitudinal patient records be implemented and why is it important?

Kurt Schiller [00:23:33]: Jumping back a little bit; something that I remember–– and I don’t remember if it was Ken or Pooja who noted this in kind of our pre-show discussion. But in terms of the drivers or one of the focuses of the Cures Act and its subsequent implementation, you mentioned that part of the goal was to move towards a longitudinal view of patient data or clinical data between hospitals and payers. And I thought that was really interesting because, again, I think that people who are building software for this kind of data space sometimes maybe assume that it’s already that way. So could you speak a little bit more towards what would that look like and how is it not like that now I guess. 

Ken Kleinberg [00:24:16]: OK, I can take that one on at least to start. You know, there was originally the term electronic medical record and over time it moved towards electronic health record, a distinction there would be are you taking information that was entered just in one system, for example, the hospital system or now are you combining it with information from X number of ambulatory systems? And you could extend this now across different EHR providers, across different payers if you’re mixing in data with claims data, for example. And long-term care across this whole care continuum, and you’re basically building up the so-called longitudinal record that sorts everything by time and date, removes duplicates and lets you do more of an apples-to-apples comparison as to how your health is progressing over time. That’s absolutely a goal here. And I think it’s well supported by these new CMS and ONC rules. 

Kurt Schiller [00:25:15]: You mentioned clinical data, and I know that originally we’d been talking a little bit about kind of including the payers in that. Is claims data included kind of in that longitudinal view, or is it more the health aspect of it? 

Ken Kleinberg [00:25:28]: Yeah, I think there’s always been an interesting discussion about when you’re looking at a longitudinal view, what’s more valuable, the clinical data or the claims data? And of course, they’re complementary to each other.  I think you’d like both. Now, the CMS rules are oriented towards what payers need to provide, and the ONC rules, for the most part, are oriented towards what providers and their EHR vendors need to address. But there really is some overlap there. And the standards that ONC has developed or pushing forward with FHIR, for example, are also going to be required for payers to use. So these third-party apps will be able to use APIs to go into payer systems and into provider systems to pull this longitudinal record together. And they’ll be able to develop this resource for other organizations such as pharma or medical device companies. And I think this is also going to really help advance the industry. 

Pooja Babbrah [00:26:27]: Just to add to the discussion around the longitudinal record–– kind of zooming back out again. Really, these rules and the reason they’re put in place was to support more of an outcomes-based payment model and outcomes-based care, right. And so when you think about the way records and payments and everything was done before it was on, you know, you’d go to your doctor, you would have an episode and they would bill for that and you have that part of your medical record. But now we’re really going into that support of the value-based care payments where you really have to be looking at the whole person, everything that’s happened in their history. And the only way to do that, right, is to create these longitudinal records. So, you know, having that information to be able to share, as Ken mentioned, from, you know, long-term care setting to ambulatory settings. That’s the piece I think that’s really important out of all of this.


Will privacy standards need to change along with the regulations?

Kurt Schiller [00:27:18]: Ken earlier on mentioned patient choice and patient empowerment. I always try to include the patient perspective as much as possible in these discussions. So I guess my question about that is, is there a patient privacy ramification to some of this data availability? Because, you know, I’m sometimes a very suspicious person when it comes to medical data, as I think most people should be. I certainly have some questions about my insurer’s level of access to my healthcare data. So is that something that was considered in the structure of these regulations? 

Ken Kleinberg [00:27:52]: Oh boy, are you right on with the topic here. HIPPA right at the very beginning of know the history of health care IT and although the goal was to be able to make information portable, there was a recognition that security privacy was so important. And of course, we’ve been living with HIPPA and these business associate agreements for all these decades. What’s especially valuable, but also concerning about these CMS and ONC regs is the protections of this data once they’ve been requested by a patient. So once you have your third party app, request your payer data or your provider data, it’s no longer protected by HIPPA. And although the providers and the payers are asked to warn patients whenever they request this data that’s out of these protections, if you’re a patient and you’re looking at the consent agreement for this third party app, are you really going to read all those pages and the updates? And do you know what’s going to happen with that data? Once this third party has it? How are they going to use it? 

Ken Kleinberg [00:29:00]: There is the protection by the Federal Trade Commission, the FTC for privacy and so forth but, you know, once this data is out of the bag, if you will, then there’s there’s no putting it back in. Frankly, one of the reasons that there was some pushback to these final rules by some of the larger EHR companies and others, they were really concerned about patient privacy and security. And I think CMS and ONC did add enough into the regs so that there are some reasonable protections there. 

Pooja Babbrah [00:29:29]: Yeah. And I would just add to that, you know, this is the reason that we feel that this is not the end, right. I mean, there’s a lot of things that we’re missing in these regulations, including how are you going to manage, right, all of a sudden, you’re going to have all these mobile applications, applications that patients can share their data with. Who’s covering the privacy policies? Who’s making sure the consumer is protected? And that’s work that still needs to be done. And, you know, there’s folks in the industry I work with the CARIN Alliance. They’re a group that’s working, you know, really focused on kind of how to manage opening up the patient data. And they have this, you know, kind of agreement, a mobile app agreement, you know, this CARIN Alliance code of conduct is what they call it. 

Pooja Babbrah [00:30:09]: You know, if you’re going to be a mobile app playing in the space, you have to agree to certain rules. They’re going to put out their official stamp on that. But it’s so wide open right now, and that is a big concern as folks are getting into this. And, you know, if you’re a patient, you’ve just been diagnosed with something, you know, someone comes to you and says, “Share your data with us; we can help you”. You know, who’s going to actually say, OK, do not be sharing this data with that particular vendor. 

Shahrukh Tarapore [00:30:35]: Something both of you said that was really interesting to me–– and I actually have a question now, is the time between HIPPA and Cures (Act). There was like this thought shift that occurred that, like, patients actually own their data and they should have some insight to it and control of where it lives in and how it’s used. And I get that a lot of that is baked into the regulation in align for greater interoperability, but something we just discussed made me think like when the shift goes from HIPPA to FTC and patients have shared their data with a third party application, what are the rules of the road for like ownership of that data by the third party versus the patient? And if the patient is done with whatever service offering that app provides or no longer wants it like are there rules for how that data is expunged? Or is it owned by the third party and in perpetuity? Or it sounded like maybe those things that seem to be worked out. But like, is there a baseline right now for what people should be expecting? 

Ken Kleinberg [00:31:34]: That’s actually the right question to be asking. And sadly, I think you already know the answer. There really are not a lot of protections there. 

Shahrukh Tarapore [00:31:41]: Right. 

Ken Kleinberg [00:31:42]: Just imagine how that kind of information could be sold or misused for years to come. It’s something to be concerned about. 

Shahrukh Tarapore [00:31:50]: There’s almost like a data hygiene problem that we’re kind of walking into over the next several decades that will have to be addressed. I’m not suggesting that it needs to be–– I’m not suggesting that it could have been dealt with all in one set of regulations, but definitely something that could prevent challenges in the future. 

Ken Kleinberg [00:32:08]: I could think about the efforts by these giant tech companies like Amazon or Facebook, Google, Apple. How much do people trust them with their health information? Some more than others. Is the government able to protect consumers? To some degree, yes. But we’re seeing this battle fought out every day in our government with the media. 

Kurt Schiller [00:32:31]: Yeah, it’s such an interesting question that I feel like we haven’t even really fully come to grips with the question of “what is health data”? The example that I always put to people when I’m talking about, you know, the privacy of your healthcare data is if you go on Amazon and you suddenly buy a bunch of books about diabetes-management diets, that’s not HIPPA data, that’s not medical data. And I’m doing the air quotes here. But that is data that can be used to determine with probably a pretty high degree of accuracy, a health condition that someone might have. I can’t imagine that all of those questions will be answerable by one piece of legislation, nor should there be. I think it’ll be really interesting to see where things go from here. And also just, you know, the amount of flexibility and wiggle room that people discover within the current regulations. 

Kurt Schiller [00:33:24]: Something that I’ve always noticed when it comes to regulations is there’s the regulations and then there’s kind of the accepted standard of adherence that kind of gets created as you go along by when someone raises a question about, “well, is this allowed?” And they go “Huh. Nobody’s ever asked about that before.” And then you get a decision on it. It’s not necessarily something that is always determined out of the box. And so I’m sure there’ll be a ton of questions that are arising in the next 24 to 48 months and new determinations that are made and revisions that will be made. 

Ken Kleinberg [00:33:54]: Well, you think about where the trust lies in our health care system today. It’s primarily with our primary care physician, less so with our payer. And would a provider recommend certain apps to a patient that they vetted to some degree? I think that’s probably the safest scenario. Third-party app that’s just advertising on Facebook. You know, we can help you control your diabetes, maybe less so just like we make any decisions as consumers. You know, where are we getting our data from? Who are we trusting? I think our industry now is going into a much more competitive scenario than we’ve had in the past. Consumer beware. But let’s have our trusted folks weigh-in for us and help us with this. 

Pooja Babbrah [00:34:40]: So my background, I’ve also been really focused on the pharmacy side of the industry. And what I’m seeing on the pharmacy side is, you know, physicians are now so that you have this whole thing around digital therapeutics, right. And so, you know, things that can be monitored and all of that. And what we’re doing on the pharmacy side is the FDA is approving some of these devices and you can actually prescribe them through like an e-prescribing system. So what would be interesting–– and I know we’ve tried this in the past, right, where physicians can actually prescribe an app. But in a way, it’s almost like bringing that framework back again, right. So a physician, you know, maybe there is a group of trusted apps that we say, “okay, physicians are going to prescribe these or recommend these”. And, you know, you also get some kind of reimbursement, the physician get some kind of reimbursement. I mean, you know, we’ve got to think outside of the box, I think, as we’re starting to move into this new app economy in the healthcare industry. 

Ken Kleinberg [00:35:42]: You know, at Point-of-Care Partners, we’re very focused on what goes on with specialty medications. Pooja is our expert in this area and apps can play a very critical role in the success of these very expensive and very powerful specialty meds. Expecting the physician to be on the phone with you every day, helping you through the use of these meds isn’t realistic. These apps can provide a very crucial bridge to help us there. 

Kurt Schiller [00:36:08]: Awesome, I think there’s some amazing insight there. I think we’ve been having a great discussion and I want to kind of move it into the home stretch. We’ve got three experts here and one guy who talks a lot and tries to learn things and then repeat them. For each of these audiences or for the audience that you feel like you’re the best in tune with, what can you be doing right now if you’re in the provider’s space? If you’re a payer, if you’re a third-party app developer? Like what can you do right now or what should you have already done in terms of preparing for the implementation of these regulations, which, I actually just realized that we haven’t actually said the date. 

Kurt Schiller [00:36:44]: I know that the first of them are this fall I believe and there are some more in January and then there’s kind of a phased-in approach. But what can you do right now and kind of what should you be preparing for over the next, say, 24 to 48 months so that you don’t–– you know, we didn’t really talk about the carrot and stick of these regulations, but there is a pretty big stick that you can get hit with if you’re not in compliance with them. So I’d love to just hear what each of you feel like–– if you’re a stakeholder what should you do.


What steps should stakeholders take to ensure compliance with the 21st Century Cures Act?

Pooja Babbrah [00:37:13]: As consultants, what we’re trying to do–– because we work with all stakeholders, right. Payers, IDMs, pharmacy’s;  we’re even involved, as I mentioned, with, you know, kind of the patient-facing stuff with the CARIN Alliance. I think the biggest thing is kind of taking a step back. These interoperability rules are focused on opening up the data. But it’s really, you know, more of a business need, right. And understanding kind of where you’re at today and saying, “OK, here’s what we’ve got. Here’s the information that’s available. Here’s how you have to meet it”. And, you know, to me, it’s not really a technical problem, it’s also a business problem. And I think stepping back and taking it from that business lens is really important. You know, one thing that we didn’t mention on this is really because our CMS rules, they actually only really apply to payers that have these Medicare Advantage plans.


Need help navigating the new regulations?


Pooja Babbrah [00:38:04]: But knowing that there’s this whole competitive piece of this, right. I mean, all payers are now looking at this. And so whether or not you have a Medicare Advantage plan or not, you need to be looking at your business. You need to be understanding how this is going to impact you. And you need to be looking at it from a member and a patient perspective, I think. And so kind of bringing that lens to everything is important. So taking that step back and looking at it, not necessarily from just a technical perspective, but, you know, doing an overall business view of it, I think is kind of the next step for any stakeholder that’s getting involved with this. 

Ken Kleinberg [00:38:45]: With providers, and I think this is also true of all stakeholders. This increased competition and transparency can be both a plus or it can be a challenge. It can be an opportunity or it can present problems for you. So you have to prepare for more competition. And if you now see that patients can view whether your care looked like it was in line or the right amount or cost a certain amount versus what some other providers in the area might have offered, that means you’ve got to get your act together. You can’t expect to charge more if your value isn’t there because that could surface. So I think you really have to view this as an opportunity to do better so that in a competitive world, you are the one that people are going to want to come to. Thinking of it from a purely technical perspective. 

Shahrukh Tarapore [00:39:35]: What technical stakeholders should have already done is probably be prepared to really beef up plans to support security, privacy, identity, authentication, authorization, other technical solutions in a healthcare environment. A lot of times, more often than not, these aspects of product development, of technology development get bolted on after the fact. And while that may work in certain industries, it’s going to be top of mind in a health care context. And it’s a do not pass go situation if you can’t button that up really tightly. So and those are things that have nothing to do with interoperability even. But going towards interoperability,  I think, being well-read and understanding alot of the standards that come out of HL7, you know, HL7 being, one of them, FHIR being another, is a good place to start because that’s where things are moving towards. 

Shahrukh Tarapore [00:40:25]: And then lastly, like between now and when, those things really do mature, I think getting a good handle and understanding of what data exists within EHRs and what capacity those EHRs have for being able to pull that data out and put data into that model, because there’s a lot of ambiguity there today. And I think that ambiguity will exist for a little while as these things get sorted out. And so I think that successful third parties are going to be the ones who can spot that ambiguity and, you know, either work through it with their health system clients or propose, you know, alternative solutions to them to continue providing a good experience. 

Kurt Schiller [00:41:08]: Awesome, well, Ken and Pooja, thank you so much for joining us today. I want to shout out Point-of-Care Partners has a pretty great podcast called “The Dish on Health IT”. I was just listening to one of the episodes that you all had done with a legal expert discussing, I believe, this very regulation. You’ve also had some terrific content kind of breaking down different aspects of the 21st Century Cures Act even more in-depth than I think we’ve been able to cover here. So I would say if you listen to this and you’re looking to learn more. Definitely go check that out on their website You can also just search for The Dish on Health IT. You’ll find their podcast on, I’m sure, all major podcasting platforms. But Ken, Pooja, is there anything you have upcoming that you wanted to shout out or tease or where people could go to learn more? 

Ken Kleinberg [00:41:53]: Well, I’ll just mention there is a push for nationwide interoperability TEFCA program, a trusted exchange framework and common agreement. And at Point-of-Care Partners, we’ve been looking at that very carefully. This has the potential to help us significantly with what we’re seeing with the pandemic with COVID-19. And as we come through this pandemic, we want to be better prepared for future type pandemics of this source: bioterrorism, natural disasters and so forth. 

Ken Kleinberg [00:42:24]: So a lot of what we’ve talked about here that involve competition and so forth, patient access to data is just one aspect of a larger perspective where our whole nation has to do better, sharing information. 

Pooja Babbrah [00:42:36]: You know, at Point-of-Care Partners at one of my–– one of our colleagues, Jocelyn Keegan, is actually the program manager for The DaVinci program, which is one of the accelerators under HL7. And I know there’s several upcoming just kind of HL7 webinars. There’s a –– coming up and there’s always folks that are there that are talking about kind of what’s happening around all this. And if you go back into interoperability rules, you know, some of the implementation guides did point to some of the DaVinci work, some of the CARIN work. I think that’s really important. Also, just as it is kind of resources. Also to understand what the payers, what the providers, what folks are doing in the marketplace. And, you know, a lot of folks sharing kind of their early learnings from implementing some of these. I think that’s a good resource as well. 

Ken Kleinberg [00:43:22]: Yeah, I mean, the future of our industry really depends on value-based care. And The DaVinci Project is an awesome initiative to bring payers and providers together. That’s an initiative that everyone should be familiar with. 

Kurt Schiller [00:43:34]: Yeah, complete agreement. And just to tag on to something that Pooja mentioned earlier, which is the CARIN Alliance. Arcweb recently became part of both the CARIN Alliance and the HL7 Standards Organization. You know, obviously we are neither a payer nor are we a provider and I think it’s incredibly important for all stakeholders, including third-party developers, agencies, implementers, to get involved with these standards and kind of regulatory development and knowledge base organizations. 

Kurt Schiller [00:44:06]: And also, you know, people like patient advocates. We really need all of the stakeholders, all the different audiences, all the different people who are impacted by this, which really is almost anyone to be involved and to be contributing their viewpoint. And it’s really great to hear all the different viewpoints coming together. And, you know, if you’re someone who’s struggling to grasp all this, I guarantee you that if you start go into those meetings, you will very quickly get up to speed on everything that’s going on. 

Kurt Schiller [00:44:30]: So Ken and Pooja, thank you so much for joining us today. Shahrukh, thanks so much for coming back and joining us again. And thanks everyone for listening to Product Hacker and to continuing to listen to our healthcare engineering series. So thanks, everyone, and cheers. 

Share This Podcast With Your Connections

About The Author(s)

Siara Singleton
Siara Singleton is a Marketing Associate at Arcweb Technologies who writes thought leadership blogs about digital transformation, healthcare technology, and diversity & inclusion in the tech industry.
View All Posts

Recent Podcasts