Expanded data sharing in healthcare: Three real-world considerations | Viewpoint

The secure exchange of sensitive patient data is a top priority for healthcare organizations.

Angela Rose

2024 exposed healthcare’s privacy and security vulnerabilities with three of the nation’s largest data breaches to date: Change Healthcare, Ascension and Kaiser Permanente. And last year, patient safety and quality ranked 5.9 out of 11 in the list of health system executives’ concerns.

Alongside these realities come new requirements for advanced data sharing including CUREs ACT interoperability rules, expansion of Quality Health Information Networks (QHINs), and adoption of the Trusted Exchange Framework and Common Agreement (TEFCA). Health plans and payers are particularly interested in sharing data with healthcare organizations to process claims, conduct audits, and comply with quality reporting requirements.

One thing is certain in the year ahead. Sharing your patients’ data will be more essential and more challenging.

In a roundtable discussion at the recent Healthcare Financial Management Association (HFMA) National Convention, MRO brought together numerous HCO leaders to discuss data sharing and payer access to electronic health records (EHRs). The company also partnered with the College of Health Information Management Executives (CHIME) earlier in 2024 to conduct an industry survey on clinical data exchange between providers and payers. This article summarizes the positive, negative, and cautionary insights across those two events.

Real-world insights define current state

While responses varied by organization, a common theme among the groups was finding new ways to monitor data sharing and manage payer access to EHRs more closely to ensure access is only for the intended purpose. The CHIME survey revealed that over 52% of respondents’ organizations tap modules within their EHR systems to grant payers direct access to patient data. However, those organizations have not experienced cost or time savings thus far using this approach.

If your organization is considering granting payers direct access to your EHR, below are three real-world insights to note and important safeguards to put in place.

Insight #1: There are benefits to consider

Allowing payers direct access to your EHR system has the potential to streamline operational processes in business office, health information management, and other revenue cycle areas. However, data sharing agreements must be negotiated, implemented, and managed properly. Here are additional benefits for health executives to consider.

Relieve administrative burden: Direct access simplifies use cases such as prior authorization, risk adjustment, quality submissions, claims adjudication and appeals, and payment integrity audits. Allowing the payer to directly extract records and relieves one-by-one transactions.

Reduce abrasion in payer-provider relationships: Data access improves collaboration and communication between payers and providers. Better communication offers providers a strategic advantage in contract negotiations.

Lower operational costs: As payers access records directly, organizations may see decreased administrative overhead and improved overall efficiency.

Insight #2: Privacy risks remain and new financial risks surface

While the benefits of giving your payers direct access to your EHR are promising, organizations must be aware of the risks related to that decision.

Increased HIPAA risk: As healthcare organizations open access to their EHRs, there is increased exposure to potential data breaches and unauthorized access. Third parties, either inadvertently or due to lax controls, could gain unplanned access to protected health information.

Wavered compliance: Protecting patient information under HIPAA and other regulatory requirements becomes more complex as access expands.

Other direct access concerns: Payers could exploit access to retrieve more information from the EHR than healthcare organizations intended to share. For example, payers may view additional cases or encounters unrelated to the current episode or specific task.

Some HFMA roundtable members raised concerns that payers might “fish” for other cases to audit or dollars to deny once they are given expanded access to clinical data within the EHR. This could result in additional cases or encounters being viewed that were not originally intended to be viewed, which could lead to broader audits or claim denials.

Lost revenue: Up to 30% of payer requests still require manual intervention due to patient matching errors, counteracting the expected efficiency gains. Additionally, the anticipated reduction in payer requests has not been realized. High volumes of payer requests still occur. Healthcare organizations should carefully evaluate the potential for revenue loss before granting payers direct access to their EHRs. Payers previously reimbursed providers up to $1 million annually for access to records.

Insight #3: Guardrails and oversight must be established

While most payer direct access use cases are allowable within HIPAA’s TPO guidelines, not every healthcare organization has established the necessary guardrails to prevent payer access to more information than necessary or approved. Executives and operational teams must fully understand the rules of payer access to the EHR.

The following best practices are recommended to promote safe clinical data exchange, protect patient information, and ensure necessary compliance.

Evaluate contracts: Review contracts with payers in detail to ensure they are mutually beneficial. Address key issues such as denial rates and negotiation improvements. Don’t be afraid to speak up. For example, consider adding a clause that specifically protects your organization from denial increases and HIPAA breaches.

Weigh pros and cons: Again, make sure you are not leaving money on the table. Weigh the potential loss of reimbursement revenue against the operational efficiencies gained by granting payers direct access. Direct access may be preferred if the process sends payer requests out the door faster, accelerates revenue, and builds market share. No matter the outcome, make sure your decision is thoroughly informed and options are weighed.

Establish and monitor access: Roundtable attendees agreed that additional staff and workflow must be employed to establish and audit payer access to provider EHRs. For example, EHR templates must be built for each direct access use case and authorizations subsequently granted for each. Within each template, specific data elements are defined and only these data elements should be available for access by the payer.

Frequent monitoring of payer access might include such items as:

• What use cases are involved
• Which patients and encounters are viewed
• Alerts to identify when duplicate or second requests are made following direct access to the same information. Organizations should experience a decrease in the volume of requests from payers over time.
• How many payer staff are accessing records

Looking ahead: 2025 requirements push payers to ask for access

Upcoming regulations require payers to process prior authorization requests within 72 hours using a prior authorization API workflow. This new rule, and others like it, will continually push payers to ask healthcare organizations for open access to EHR data. MRO participates in, and applauds, this type of interoperability and efficiency progress. However, it must be balanced with patient privacy protections.

As leaders navigate the complexities of granting direct access to EHRs, they must carefully consider both the benefits and risks, ensuring the decision is made solely for what is best for their organization and ultimately the patient. The checks, balances, and safeguards mentioned above will be essential for maintaining compliance and protecting patient data, while reaping potential operational efficiencies.

Angela Rose is vice president of client success for MRO.