Today, legislation designed to promote secure data sharing in the US healthcare system comes into force. The 21st Century Cures Act allows patients to access their medical data upon request and, as of 2022, will allow third parties to access that data through APIs. As open banking legislation has done in Europe, the law is expected to give rise to a healthcare app ecosystem that could disrupt the incumbent providers. However, those providers are unlikely to give up the data without a fight.
The US spends more per capita on healthcare than any other country in the world, despite lagging behind its peers in life expectancy. According to a study by the American Medical Association, this high cost of healthcare is due, in part, to over-treatment – the provision of unnecessary healthcare services. In a survey of 2,000 US physicians, 38% said that difficulty in accessing patient records was one reason for this over-treatment.
Before the so-called Cures Act, US patient data could only be shared if it was for the explicit purpose of treatment, explains Troy Bannister, CEO and co-founder of Particle Health, a US start-up that sells an API platform for healthcare data. “Within the bounds of the HIPAA (Health Insurance Portability and Accountability Act) [healthcare data] has to be used explicitly by a physician or a provider and it has to be used explicitly for the purpose of direct treatment of the patient, and that’s a very narrow scope.”
This is exacerbated by the complexity of the US healthcare system, in which insurance providers manage a network of providers, explains Dr Saira Ghafur, digital health lead at the Institute of Global Health Innovation at Imperial College London. “You’ve got lots of different providers that might be in or out of network for any given insurer.” This means there is no single entity that is responsible for looking after a given patient’s records.
As of today, however, the 21st Century Cures Act requires healthcare providers to share clinical notes, including consultation notes and lab reports, with their patients upon request. And from 6 October 2022, they will also have to comply with requests from third parties, such as medtech apps.
Failure to comply with legitimate requests can result in fines of up to $1m. However, there are eight ‘exceptions’ that allow healthcare providers to turn down requests or place conditions on their response. Under these, providers may refuse a request if they need to do so to prevent harm to the patient or to protect their privacy, or if the request is technically infeasible; they may place reasonable limits on their response as long as certain conditions are met; they may charge fees for the data; and they may apply a licence and charge royalty fees for the use of ‘interoperability elements’ of their systems.
Eventually, the act will require healthcare providers to make the data available through secure APIs that can then be used by certified technology providers. This, it is hoped, will give rise to an “app economy that provides patients, physicians, hospitals, payers, and employers with innovation and choice,” according to the Office of the National Coordinator for Health Information Technology (HealthIT). This is akin to the fintech app ecosystem that has sprung up, in part, thanks to open banking legislation in Europe.
The impact of the Cures Act
The Cures Act unlocks the potential for valuable digital services that have to date been impossible, explains Bannister. “What if you could use your medical records to pick a doctor where some kind of algorithm could take the fact that you have diabetes and you’re taking these medications, and find the best three doctors in your area that specialise in this type of condition? That’s just not possible today.”
It could also significantly reduce the cost of healthcare, Bannister believes. Currently, he says, “you have to go to your insurance company to figure out which doctors are in your network, create an appointment, and then go and see that doctor for $500 to $1,000.” The Cures Act could enable apps that connect patients to a doctor “in seconds, for ten dollars,” he says. “That’s the hope.”
Ghafur agrees that the benefits will be far-reaching. “It’s across the board,” she says. “It’s going to improve patient care, it’s going to improve the system processes, improve any healthcare professional using tech or technical services.”
Healthcare data is among the most sensitive personal information collected, and some patients may be uneasy about it being shared with app developers. The Covid-19 pandemic has increased US consumers’ willingness to share their health data, however, according to a study by Deloitte. It also boosted the uptake of digital healthcare tools: 28% of US consumers had participated in virtual healthcare consultations by April 2020, up from 15% in 2019, the same survey found.
But the transition to ‘open healthcare’ will not be instantaneous or easy, Bannister predicts. “The data seekers – the apps and developers – are going to try to get access to data and I think they’re going to have a hard time,” he says. “That’s then going to cause a wave of lawsuits and government inquiries into why it’s not being shared. And that will all boil down to those eight exceptions that were listed under the blocking rules.”
Nevertheless, the Act is a significant step in the journey towards a more open, digitised healthcare ecosystem in the US and, hopefully, better healthcare outcomes for Americans. “It’s the beginning of a journey,” says Bannister. “It’s not an if anymore, it’s a when.”