Pub. L. 111-5 (February 17, 2009), 42 U.S.C. § 300jj et seq.
4.
Office of the National Coordinator for Health Information Technology, Health IT Dashboard, “Office-based Physician Health IT Adoption: State Rates of Physician EHR Adoption, Health Information Exchange and Interoperability, and Patient Engagement (2015),”available at <https://dashboard.healthit.gov/apps/physician-health-it-adoption.php> (last visited November 18, 2019).
5.
Office of the National Coordinator for Health Information Technology, Health IT Dashboard, “Non-federal Acute Care Hospital Health IT Adoption and Use: State Rates of Non-federal Acute Care Hospital EHR Adoption, Health Information Exchange and Interoperability, and Patient Engagement (2015), available at <https://dashboard.healthit.gov/apps/hospital-health-it-adoption.php> (last visited November 18, 2019).
6.
Centers for Medicare and Medicaid Services, Department of Health and Human Services, Proposed Rule, 84 Fed. Reg. 7610-7680 (March 4, 2019).
7.
Interoperability and Patient Access for Medicare Advantage Organization and Medicaid Managed Care Plans, State Medicaid Agencies, CHIP Agencies and CHIP Managed Care Entities, Issuers of Qualified Health Plans in the Federally-Facilitated Exchanges and Health Care Providers, 84 Fed. Reg. 7610, 7610-7680 (proposed Mar. 4, 2019) (to be codified at 42 C.F.R. Parts 406, 407, 422, 423, 431, 438, 457, 482, and 485; and 45 C.F.R. Part 156) [hereinafter Proposed Rule].
8.
84 Fed. Reg.. at 7618-7639 (preamble discussion of the proposed API requirement).
9.
Id. at 7642-7643 (preamble discussion of the proposed trust network participation requirement).
10.
Id. at 7643-7645 (preamble discussion regarding the frequency of federal-state data exchanges).
11.
Id. at 7645-7648 (preamble discussion of the proposed public reporting of providers' negative attestations to the prevention of information blocking); id. at 7647 (“We believe … the Affordable Care Act provides the statutory authority to publicly report certain data about the prevention of information blocking attestation statements as an assessment of care coordination …”; id. at 7618 (“[W]e are proposing to publicly post information about negative attestations on appropriate CMS websites.”).
12.
Id. at 7648-7649 (preamble discussion of the proposed public reporting of missing provider digital contact information).
13.
Id. at 7650 (“Electronic patient event notifications from hospitals, or clinical event notifications, are one type of health information exchange intervention that has been increasingly recognized as an effective and scalable tool for improving care coordination across settings, especially for patients at discharge”).
14.
Id. at 7649-7653 (preamble discussion of the proposed revisions to the Medicare Conditions of Participation applicable to hospitals, psychiatric hospitals, and critical access hospitals relating to electronic patient event notifications of a patient's admission, discharge, and/or transfer to another health care facility or another health care provider).
15.
Id. at 7653-7655 (preamble discussion of, and solicitation of comments regarding, the advance of interoper-ability between and among post-acute care (PAC), long term, behavioral health, and home and community-based service providers).
16.
Id. at 7655-7656 (preamble discussion of, and solicitation of comments regarding, the advance of interoper-ability through innovative models).
17.
Id. at 7656-7657 (preamble request for information regarding how CMS can leverage its authority to improve patient identification through improved patient matching).
18.
Id. at 7626 (discussing the 2010 Medicare Blue Button initiative).
19.
Centers for Medicare and Medicaid Services, Blue Button 2.0, available at <https://bluebutton.cms.gov/> (last visited November 18, 2019) [hereinafter Blue Button 2.0].
20.
Proposed Rule, supra note 7, at 7626.
21.
Id (“One benefit of making records available via an API is that it enables a beneficiary to pull Medicare health information along with other heath information into a single application not dictated by any specific health plan, provider, or portal.”).
22.
Id.
23.
Id. at 7674-7680 (proposing new API regulations to be codified within 42 C.F.R. Parts 422, 431, and 457 as well as within 45 C.F.R. Part 156).
24.
45 C.F.R. § 164.524(a)(1) (2018) (“[A] n individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set …”).
25.
Proposed Rule, supra note 7, at 7627-7628 (“The API would allow enrollees and beneficiaries … to exercise electronically their HIPAA right of access to certain health information specific to their plan, through the use of common technologies and without special effort.”).
26.
See, e.g., id. at 7628 (preamble discussion thereof); id. at 7675 (proposing new 42 C.F.R. § 431.60(b)) (listing these required content elements).
27.
See, e.g., id. at 7642-7643 (preamble discussion of the proposed trust network participation requirement); id. at 7675 (proposing new 42 C.F.R. § 422.119(f)(2) applicable to MA plans); id. at 7676 (proposing new 42 C.F.R. § 438.242(b)(5) applicable to Medicaid and CHIP managed care plans); id. at 7680 (proposing new 45 C.F.R. § 156.221(f)(2) applicable to QHPs in FFEs).
28.
Id. at 7642.
29.
Id. at 7675 (proposing new 42 C.F.R. § 422.119(f)(2)(i)-(iii)); id. at 7676 (proposing new 42 C.F.R. § 438.242(b)(5) (i)-(iii)); and id. at 7680 (proposing new 45 C.F.R. § 156.221(f)(2)(i)-(iii)).
30.
Id. at 7643.
31.
Id.
32.
Id.
33.
Id.
34.
Id.
35.
Id. at 7618 (explaining that “buy-in” data are data showing who is enrolled in Medicare and who is liable for paying for a dual eligible beneficiary's Medicare Part A and Part B premiums; further explaining that buy-in data exchanges support state, CMS, and Social Security Administration premium accounting, collections, and enrollment functions).
36.
Id. at 7643.
37.
Id.
38.
The Medicare Conditions of Participation applicable to hospitals, psychiatric hospitals, and critical access hospitals are codified at 42 C.F.R. Parts 482 and 485.
Id. at 7618 (discussing electronic patient event notifications).
41.
Proposed Rule, supra note 7, at 7678 (proposing new 42 C.F.R. §§ 482.24(d) and 482.61(f)); id. at 7679 (proposing new 42 C.F.R. § 485.638(d)).
42.
Id.
43.
Id. at 7615.
44.
Id.
45.
Id. at 7654.
46.
Id.
47.
Id.
48.
Id.
49.
Id. at 7655.
50.
“Access control” refers to policies and procedures that allow ePHI access only to those persons or software programs that have been granted access rights. See, e.g., 45 C.F.R. § 164.312(a).
51.
Proposed Rule, supra note 7, at 7615.
52.
Id. at 7635.
53.
See, e.g., id. at 7674 (proposing new 42 C.F.R. § 422.119(c)(2)).
National Committee on Vital and Health Statistics, available at <www.ncvhs.hhs.gov> (last visited November 18, 2019).
58.
Co-author Mark A. Rothstein was a member of the NCVHS from 1999-2008 and chaired its Subcommittee on Privacy and Confidentiality, which conducted the hearings and wrote the initial drafts of the letters described. Because his term ended in 2008, he did not take part in drafting the 2010 letter.
59.
National Committee on Vital and Health Statistics, Letter to Michael O. Levitt, Secretary of Health and Human Services, February20, 2008, at 3, available at <https://ncvhs.hhs.gov/wp-content/uploads/2014/05/080220lt.pdf> (last visited November 18, 2019).
M.A.Rothstein, “Health Privacy in the Electronic Age,”Journal of Legal Medicine28, no. 2 (2007): 487-501, 496-497.
66.
SeeM.A.Rothsteinet al., “Unregulated Health Research Using Mobile Devices: Ethical Considerations and Policy Recommendations,”Journal of Law, Medicine & Ethics48, no. 1 (Supp.) (2020): forthcoming.
