Interoperability Legal Issues

Interoperability is everywhere. The types of interoperability we want to promote – new stable interfaces to large platforms via mandates and new competitive compatibility through better legislation – should both sound familiar. A more positive legal regime at ComCom would mean that Facebook cannot file a complaint against CFAA data brokers simply because they scrape data brokers or block extensions that collect Facebook users` data. Is this an acceptable compromise? In August 2020, CMS issued a letter to state health officials outlining how federal Medicaid agencies should implement the CMS`s final interoperability and patient access rule in a manner consistent with existing guidelines. There are many provisions in this regulation that affect Medicaid and CHIP Fee-For-Service (FFS) programs, Medicaid-managed care plans, and CHIP-managed care companies, and this letter addresses these issues. In addition, this letter advises states to be aware of the ONC`s final regulation of the 21st Century Remedies Act on information blocking. The link for the letter is: HIE is the process of electronically sharing identifiable patient health information between provider organizations to support treatment and related needs such as quality measurement and care coordination. HIE can occur at different levels. Two organizations can set up HIE with each other, or HIE can be set up in a way that allows exchanges between a large group of vendors, based on geographic location, a common EHR provider, strategic alignment, or another boundary.

HIE on a larger scale typically involves a third-party vendor that determines the technical infrastructure and governance approach. While there are many types of exchange of information agreements,13 they face similar legal barriers. In summary, while some legal barriers to HIE remain, many have been improved – in some cases, simply by clarifying what the law actually requires. HIPAA creates no barriers to sharing PHI for processing and operational purposes, and assumes no responsibility for downstream data breaches for disclosure by policy-abiding companies. There can be no real disagreement on these points, given the government`s recent fact sheets.41, 42 The development of an IPU has not yet taken place, but steps are being taken under the Cures Act to address the problem of inaccurate matching of patient records.1 The Cures Act also created the legal architecture to combat information blocking.1 Its provisions regarding blocking by Providers are is likely to be a high priority given the attention the issue has generated.73 It is less clear whether the government will take vigorous action in response to information blocking by health care providers if the law gives HHS greater discretion. However, providers tend to be very opposed to even modest legal risks that can act as a deterrent. Our analysis concluded that while interoperability creates new privacy risks (e.g., a new company could misuse user data under the guise of helping users move from a dominant service to a new competitor), these risks can be largely mitigated by thoughtful regulation and strict enforcement. More importantly, interoperability also brings new privacy benefits because it makes it easier to exit a service with inappropriate privacy policies, and because it has resulted in real costs for dominant companies that don`t respect their users` privacy: namely, an easy way for those users to express their dissatisfaction by leaving the service. All of this is unlikely to happen without outside incentives; It`s simply not in Facebook`s best interest to work with potential competitors. Facebook is more likely to introduce strong interoperability simply because of a legal mandate – or as part of a deal to avoid worse consequences like structural disruption. The legal requirements – especially for back-end interoperability – should outline the features Facebook must support and govern how the company can moderate access to its new interfaces. A back-end interoperability mandate would require platforms to allow competitors to work with their internal systems on behalf of users whose data is stored elsewhere.

The fundamental principle of the mandate would be that any service operated by the platform that allows users to communicate with each other, whether through direct messages, public or semi-public posts, comments or reactions, should allow users who are not connected to the service to participate in the same types of communication. We need clear rules and safeguards to ensure that platform interfaces meet interoperability requirements while protecting the data that passes through these interfaces. This applies to both client-side interfaces (created for delegability) and back-end interfaces (for federation). Neither platforms subject to new requirements nor the undertakings using them should collect more data than necessary for interoperability purposes.