By MATTHEW HOLT

I am dipping into two rumbling controversies that probably only data nerds and chronic care management nerds care about, but as ever they reveal quite a bit about who has power and how the truth can get obfuscated in American health care. 

This piece is about the data nerds but hopefully will help non-nerds understand why this matters. (You’ll have to wait for the one about diabetes & chronic care).

Think about data as a precious resource that drives economies, and then you’ll understand why there’s conflict.

A little history. Back in 1996 a law was passed that was supposed to make it easy to move your health insurance from employer to employer. It was called HIPAA (the first 3 letters stand for Health Insurance Portability–you didn’t know that, did you!). And no it didn’t help make insurance portable.

The “Accountability” (the 1st A, the second one stands for “Act”) part was basically a bunch of admin simplification standards for electronic forms insurers had been asking for. A bunch of privacy legislation got jammed in there too. One part of the “privacy” idea was that you, the patient, were supposed to be able to get a copy of your health data when you asked. As Regina Holliday pointed out in her art and story (73 cents), decades later you couldn’t.

Meanwhile, over the last 30 years America’s venerable community and parochial hospitals merged into large health systems, mostly to be able to stick it to insurers and employers on price. Blake Madden put out a chart of 91 health systems with more than $1bn in revenue this week and there are about 22 with over $10bn in revenue and a bunch more above $5bn. You don’t need me to remind you that many of those systems are guilty with extreme prejudice of monopolistic price gouging, screwing over their clinicians, suing poor people, managing huge hedge funds, and paying dozens of executives like they’re playing for the soon to be ex-Oakland A’s. A few got LA Dodgers’ style money. More than 15 years since Regina picked up her paintbrush to complain about her husband Fred’s treatment and the lack of access to his records, suffice it to say that many big health systems don’t engender much in the way of trust. 

Meanwhile almost all of those systems, which already get 55-65% of their revenue from the taxpayer, received additional huge public subsidies to install electronic medical records which both pissed off their physicians and made several EMR vendors rich. One vendor, Epic Systems, became so wealthy that it has an office complex modeled after a theme park, including an 11,000 seat underground theater that looks like something from a 70’s sci-fi movie. Epic has also been criticized for monopolistic practices and related behavior, in particular limiting what its ex-employees could do and what its users could publicly complain about. Fortune’s Seth Joseph has been hammering away at them, to little avail as its software now manages 45%+ of all encounters with that number still increasing. (Northwell, Intermountain & UPMC are three huge health systems that recently tossed previous vendors to get on Epic).

Meanwhile some regulations did get passed about what was required from those who got those huge public subsidies and they have actually had some effect. The money from the 2009 HITECH act was spent mostly in the 2011-14 period and by the mid teens most hospitals and doctors had EMRs. There was a lot of talk about data exchange between providers but not much action. However, there were three major national networks set up, one mostly working with Epic and its clients called Carequality. Epic meanwhile had pretty successfully set up a client to client exchange called Care Everywhere (remember that).

Then, mostly driven by Joe Biden when he was VP, in 2016 Congress passed the 21st Century Cures Act which among many other things basically said that providers had to make data available in a modern format (i.e. via API). ONC, the bit of HHS that manages this stuff, eventually came up with some regulations and by the early 2020’s data access became real across a series of national networks. However, the access was restricted to data needed for “treatment” even though the law promised several other reasons to get health data.

As you might guess, a bunch of things then happened. First a series of VC-backed tech companies got created that basically extract data from hospital APIs in part via those national networks. These are commonly called “on-ramp” companies. Second, a bunch of companies started trying to use that data for a number of purposes, most ostensibly to deliver services to patients and play with their data outside those 91 big hospital systems.

Which brings us to the last couple of weeks. It became publicly known among the health data nerd crowd that one of the onramp companies, Particle Health, had been cut off from the Carequality Network and thus couldn’t provide its clients with data.

The supposed reason was that they were getting data without a “treatment” reason.

Now if you really want to understand all this in detail, go read Brendan Keeler’s excellent piece “Epic v Particle”. Basically Particle cried foul and unusually both Michael Marchant, a UC Davis Health employee & the Chair of the big health systems on the ”Care Everywhere Committee” (remember that from earlier?) and then Epic itself responded. Particle’s founder Troy Bannister in a linkedin post and an official release from Particle said that they had not received notice or any evidence of what they’d done wrong. Michael said they had. I started quoting the Dire Straits line “two men say they’re Jesus, one of them must be wrong.” (FD. Troy was briefly an intern at Health 2.0 long, long ago).

Then Epic publicly released a letter to its clients explaining that, contrary to what Troy & Particle said, it had been discussing this with Particle for months and had had several meetings before and after it cut them off. So unless Particle’s legal counsel was parsing its words very very carefully, they knew Epic and its clients were unhappy, and it was unlikely Troy was Jesus. Michael might still be, of course. (Update: as of 4/15/23 Particle says only some feeds were cut off not all of them as Epic suggested)

In the letter Epic named 4 companies who were using Particle’s data in a way it didn’t like– Reveleer and MDPortals (who are one not two companies as they merged in 2023 before this issue started), Novellia and Integritort. 

So what do they do with the data. Reveleer says that “leveraging our AI-enabled platform with NLP and MDPortals’ sophisticated interoperability allows us to deliver providers a pre-encounter clinical summary of patients within their EHR workflow at the point of care.” Sounds like treatment to me. But Reveleer also does analysis for health plans. You can see why hospitals might not like them.

Novellia is a PHR company, presumably using “treatment” to enable consumers to access their data to manage their own care. This was EXACTLY what Joe Biden wanted the 21st  Century Cures Act to give patients the right to do and what Epic CEO Judy Faulkner told him he shouldn’t want (depending exactly who you believe about that conversation). But it’s probably not a particular “treatment” under HIPAA, because who believes patients can treat themselves or need to know about their own data anyway? (I’ll just lock you all in a room with Dave deBronkart, Susannah Fox and Regina Holliday if you want the real answer). This is apparently the line where ONC folded in its ruling to the vested interests that providers (and their EMR vendors) didn’t have to provide data to patient requests.

Finally, Integritort does sound like it’s looking for records so it (or its law firm customers) can sue someone for bad treatment (or as it turns out defend them for it). Is that “treatment” under the HIPAA definition?  Almost certainly not. On the other hand, do the providers cutting them off have a vested interest in making sure no outside expert can review what they’ve been up to? I think we all know the answer to that question. 

But anyway it looks like Particle switched off Integritort’s access to Carequality on March 22nd before Particle was entirely switched off by Carequality sometime around April 1.

What is not answered in the letter is why, if Carequality can identify who these records are going to, it needed to switch all Particle’s access off. Additionally, you would think that Particle’s path of least resistance would be to cut off the named clients Epic/Carequality was concerned about and try to sort through things while keeping its system running–which it seems it did with Integritort. Whatever happened, instead of this negotiation continuing behind the scenes, we all got to witness a major power play–with clearly Epic & its big customers winning for now.

I think most people who are interested in getting access to data for patients are all agreed on the need for new “paths” which were already defined in the regulations but not implemented, and also presumably for agreed standards (with associated liability) of “know your customer laws” for the onramps like Particle to make sure that the clients using them are doing the right things vis a vis confirming patient identity et al. 

Slight digression: I am confused about why identity proofing is such a big deal. In recent weeks I have had to prove my identity for the IRS, for a credit union, and for the TSA. Not to mention for lots of other websites. There are companies like IDme, Clear and many others that do exactly this. I don’t see anything so specific about health care that is different from credit cards, bank accounts, airport safety, etc. Why can those agencies/organizations access all that data online but for some reason it’s a bridge too far for health care?

However you can see where the fault lines are being drawn. There are a lot of organizations, many backed by rich VCs or huge quasi-tech corporations, that think they can do a much better job of caring for Americans than the current incumbents do. (Whether they can or not is another matter, but remember we are spending 18% of GDP when everyone else spends 10-12%). Those organizations, which include huge health plans, tech cos, retail clinics, startup virtual care clinics, and a whole lot more, need data. Not everything they or the intermediaries they do will fit the “treatment” definition the current holders of that data want to use. On the other hand, the current incumbents and their vendors are extremely uninterested in any changes to their business model.

Data may be the new oil but, like oil, data needs refining to power economies and power health care services. We spent much of the last century fighting about access to oil, and we’re going to spend a lot of this one fighting about data. Health care will be no exception.

Matthew Holt is the publisher of The Health Care Blog

Particle Health’s CEO Troy Bannister stops by to not only talk about the API platform company’s $25M Series B, but to also explain exactly what’s going on in that patient data ‘exchange-standardize-and-aggregate’ space that, these days, looks poised to pop as the 21st Century Cures Act Information Blocking Rule stands ready to make hospitals share data like never before.

Troy calls Particle a “network of networks” and what that means is that their API pulls patient records from organizations and businesses that are already aggregating them (so aggregating the aggregators) to get all the lab data and medical data a clinician would want to in order to have a more complete picture of their patient. For clients like One Medical or Omada Health, who deliver value-based care and take on risk, having such a robust historic data set on patients – along with a more complete picture of their comorbidities – helps improve decision making and outcomes.

So, how is Particle Health working now – and what will change – as the Information Blocking Rule gets implemented? Troy’s written about this for Forbes, and explains what has him fired up here too. Turns out their model has room to accommodate a big pivot: giving patients access to their own ‘network of networks’ record. Find out what sets Particle off in this new B2B2C direction and how they will be using that Series B funding to build out deeper analytical tools to help everyone make better sense of what the data in all those records can show us.

Link to Troy’s Forbes piece on Anti Information Blocking Rules

Link to Jess’s chat with Micky Tripathi, the National Coordinator for Health Information Technology at HHS, on Anti Information Blocking & TEFCA:

By ADRIAN GROPPER, MD

The HHS Office of National Coordinator (ONC) hosted a well-attended Annual Meeting this week. It’s a critical time for HHS because regulations authorized under the almost unanimous bi-partisan 21stC Cures Act, three and a half years in the making, are now facing intense political pressure for further delay or outright nullification. HHS pulled out all of the stops to promote their as yet unseen work product.

Myself and other patient advocates benefited from the all-out push by ONC. We were given prominent spots on the plenary panels, for which we are grateful to ONC. This post summarizes my impressions on three topics discussed both on-stage and off:

• Patient Matching and Unique Patient Identifiers (UPI)
• Reaction to Judy Faulkner’s Threats
• Consumer App Access and Safety

Each of these represents a different aspect of the strategic interests at work to sideline patient-centered practices that might threaten the current $Trillion of waste. 

The patient ID plenary panel opened the meeting. It was a well designed opportunity for experts to present their perspectives on a seemingly endless debate. Here’s a brief report. My comments were a privacy perspective on patient matching, UPI, and the potential role of self-sovereign identity (SSI) as a new UPI technology. The questions and Twitter about my comments after the panel showed specific interest in:

• The similarity of “enhanced” surveillance for patient matching to the Chinese social credit scoring system.
• The suggestion that we already have very useful UPIs in the form of email address and mobile phone numbers that could have been adopted in the marketplace, but are not, for what I euphemistically called “strategic interests”.
• The promise of SSI as better and more privacy preserving UPIs that might still be ignored by the same strategic interests.
• The observation that a consent-based health information exchange does not need either patient matching or UPIs.

It seems inconceivable to me that the TEFCA national health information network can be built on coercive surveillance instead of some combination of consent and UPIs. HHS controls TEFCA and they will have to deal with this in 2020.

Second, there was fierce reaction from patient advocates, activist patients, and academics to Judy Faulkner’s threat to sue HHS if the final regulations look like the most decent drafts. All three of these perspectives are very much worth reading. All three ask ONC to push for the strongest information blocking rules without delay and I agree.

However, the reaction from the academics, the proud architects of SMART on FHIR, doesn’t acknowledge the pact they made with Epic years ago. Neither the big academic hospitals that drove SMART nor the big hospital EHR vendors like Epic were interested in designing a patient-centered system. SMART on FHIR is conceived as apps that must run in the EHR and under the control of the hospital. SMART is a hospital-centered design, not a patient-centered design. This reflects the shared strategic interest of the EHR vendors and their big hospital customers. My pleas to the SMART and HL7 designers to enable patient-directed access were and still are quietly ignored.

The third topic of interest from a patient-centered perspective was evident in the plenary panel about consumer apps and the privacy risks from their lack of HIPAA protection. The strategic interests were in full display, all asking for convenient access to health records on behalf of patients. One panelist described their success in pulling up a patient record on their smartphone and handing it to a doctor that would otherwise have had no way to see them. The commercial interests were eager for the new regulations to create a market for their solutions.

The problem with these consumer apps is that very few doctors can or will access them in the normal course of events. The apps all present different and unfamiliar interfaces, are not accessible unless the patient is in the room, and cannot easily transfer information into whatever EHR the clinician is using. One of the leading proponents of this patient access ghetto strategy is the CARIN Alliance lobby. It goes as far as to declare that their best practices will not support patient-to-provider communications.

What was entirely missing from the consumer access panel and, as far as I can tell, from the entire ONC Annual Meeting agenda, is any discussion of a longitudinal health record, a patient-centered health record that hospitals, physicians, as well as family caregivers could all access and update to ensure that everyone was on the same page. A cynic might ask: where’s the money or strategic interest for that?

Adrian Gropper, MD, is the CTO of Patient Privacy Rights, a national organization representing 10.3 million patients and among the foremost open data advocates in the country. This post originally appeared on Bill of Health here.

By KENNETH D. MANDL, MD, MPH, DAN GOTTLIEB, MPA, and JOSHUA MANDEL, MD

This piece is part of the series “The Health Data Goldilocks Dilemma: Sharing? Privacy? Both?” which explores whether it’s possible to advance interoperability while maintaining privacy. Check out other pieces in the series here.

A patient can, under the Health Insurance Portability and Accountability Act (HIPAA), request a copy of her medical records in a “form and format” of her choice “if it is readily producible.” However, patient advocates have long complained about a process which is onerous, inefficient, at times expensive, and almost always on paper. The patient-driven healthcare movement advocates for turnkey electronic provisioning of medical record data to improve care and accelerate cures.

There is recent progress. The 21st Century Cures Act requires that certified health information technology provide access to all data elements of a patient’s record, via published digital connection points, known as application programming interfaces (APIs), that enable healthcare information “to be accessed, exchanged, and used without special effort.”  The Office of the National Coordinator of Health Information Technology (ONC) has proposed a rule that will facilitate a standard way for any patient to connect an app of her choice to her provider’s electronic health record (EHR).  With these easily added or deleted (“substitutable”) apps, she should be able to obtain a copy of her data, share it with health care providers and apps that help her make decisions and navigate her care journeys, or contribute data to research. Because the rule mandates the ”SMART on FHIR” API (an open standard for launching apps now part of the Fast Healthcare Interoperability Resources ANSI Standard), these apps will run anywhere in the health system.

Apple recently advanced an apps-based information economy, by connecting its native “Health app” via SMART on FHIR, to hundreds of health systems, so patients can download copies of their data to their iPhones. The impending rule will no doubt spark the development of a substantial number of additional apps.

Policymakers are grappling with concerns that data crossing the API and leaving a HIPAA covered entity are no longer governed by HIPAA. Instead, consumer apps and the data therein fall under oversight of the Federal Trade Commission (FTC). When a patient obtains her data via an app, she will likely have agreed to the terms and the privacy policy for that app, or at least clicked through an agreement no matter how lengthy or opaque the language.  For commercial apps in particular, these are often poorly protective. As with consumer behavior in the non-healthcare apps and services marketplace, we expect that many patients will broadly share their data with apps, unwittingly giving up control over the uses of those data by third parties.

Some patients may wish to explore the nascent emerging marketplace offering options to monetize their data. “Information altruists” and self-assembling patient groups will donate data to speed social and direct benefit through innovation and research. Notably, the monetary value of an individual record is generally low, with exceptions for patients having rare or complex conditions and histories.

How do we support a patient’s autonomy to use tools of her choice to improve her health and contribute to research, provide her with options to share in the monetary value from downstream uses of her data, while also protecting her from predatory practices?

HIPAA does not adequately address the issue. While it does allow an app developer to become a business associate of a covered entity (such as a provider or healthcare institution) this arrangement only applies when an app is managing health information on behalf of the covered entity — whereas in a consumer-centric ecosystem, many apps will choose to have a relationship with a consumer directly.  Importantly, the covered entity itself may be a conflicted party when the patient wishes to use an app that either (1) shares data with a competing health care provider or (2) competes with the functionality of the entity’s EHR. These conflicts could limit data flow across institutions, and raise the barrier to entry for new, innovative apps.

Further, the HIPAA business associate framework does not prevent commercial use of patient’s data without consent. Patient data in de-identified format are already shared widely in healthcare on hundreds of millions of patients, generally in ways that are opaque and not reported to the patients whose data have oft times been aggregated sold, and used for profit, and sometimes in ways that enable downstream re-identification.

A federal taskforce recognized that enabling patient autonomy to share data comes with inherent risk, and largely left these trade-offs in the patient’s hands. We propose strengthening the federal role in protecting health data under patient-mediated data exchange, while maintaining patient choice.

• Require the EHR, upon exposing data across the API to a patient, to provide a standardized summary, at a sixth-grade reading level, of an app’s privacy policy and terms of service, highlighting risks for consumers (such as the ONC model privacy notice), and summarizing with an indication of whether they meet some specific bar (such as the CARIN code of conduct or a professional society or patient organization endorsement).
• Establish best practices and federal standards for privacy policies and terms and conditions, relying on user-centered design as in large-scale federally funded research studies. Consider multimedia and semi-structured questionnaires (quizzes) to promote and confirm comprehension. Methods used to de-identify or aggregate data and their re-identification risk should be transparent, as should be intentions to commercialize the data.
• Define a robust auditing process with oversight authority by either the Department of Health and Human Office for Civil Rights (OCR) or the FTC regardless of how the data are obtained.
• Define penalties for violation of the terms of service and demonstrate strong and public federal enforcement.
• Develop a consumer hotline and website for complaints to the OCR or the FTC, and publicize those complaints.
• Introduce legislation to protect patients from predatory uses of their health data. Consider as model the Genetic Information Nondiscrimination Act of 2008, which prevents discrimination on the basis of genetic information in both health insurance and employment.

There are promising approaches available to protect a patient’s health data without limiting choice or creating a bottleneck to innovation by new and smaller entrants into the Health IT ecosystem. Now is the time to consider these carefully.

Kenneth D. Mandl, MD, MPH is director of the Computational Health Informatics Program at Boston Children’s Hospital and the Donald A.B. Lindberg Professor of Pediatrics and Professor of Biomedical Informatics at Harvard Medical School.

Dan Gottlieb, MPA is a clinical informaticist and software consultant working with the Harvard Medical School Department of Biomedical Informatics and Boston Children’s Hospital Computational Health Informatics Program on tools to empower patients and researchers.

Joshua C. Mandel, MD is a physician and software developer working to fuel an ecosystem of health apps with access to clinical and research data.

By ADRIAN GROPPER, MD and DEBORAH C. PEEL, MD

Electronic health records (EHRs) are a polarizing issue in health reform. In their current form, they are frustrating to many physicians and have failed to support cost improvements. The current round of federal intervention is proposed rulemaking pursuant to the 21st Century Cures Act calls for penalties for “information blocking” and for technology that physicians and patients could use “without special effort.”

The proposed rules are over one thousand pages of technical jargon that aims to govern how one machine communicates with another when the content of the communication is personal and very valuable information about an individual. Healthcare is a challenging and unique industry when it comes to interoperability. Hospitals spend lavishly on EHRs and pursue information blocking as a means to manipulate the physicians and patients who might otherwise bypass the hospital on the way to health reform. The result is a broken market where physicians and patients directly control trillions of dollars in spending but have virtually zero market power over the technology that hospitals and payers operate as information brokers.

What follows below are comments by Patient Privacy Rights on the proposed rule. The common thread of our comments is the need to treat patients and physicians, not the data brokers, as the real stakeholders.

Comments to the ONC Rule

Overview: 21st Century health care innovation, policy, and practice is increasingly dependent on personal information. This is obvious with respect to machine learning and risk adjustment, but personal information is now central to the competitive strategy for most of the health care economy, clinical as well as research. ONC’s drafting of this rule reflects the importance of competition to innovation and cost containment.

The Proposed Rule skillfully addresses the pro-competitive essentials but it leaves too much open to interpretation and delay by very wealthy and well-organized incumbents. The Patient Privacy Rights comments below endorse the structure and details of the Rule while pointing out ways to ensure that access to competitive services by clinicians on behalf of our patients must be “without special effort” on the part of either the clinician or the patient, ASAP.

We state clearly and emphatically that the Rule should be largely left intact in its spirit and in most of its details

Summary of Priority Goal: Clarify the scope and process of patient-directed interoperability

The common thread through almost all of PPR’s comments is to support and encourage patient-directed sharing via the mandated API as the foundation for meeting the pro-competitive goals of the 21st Century Cures Act “without special effort”. Patient-directed exchange inherently solves very difficult problems in patient matching, consent, and integration of sensitive information that cannot be shared under the HIPAA rules. Patient-directed exchange helps address the need for a patient-centered longitudinal patient record and provides a critical relief valve for both physicians who simply need “the data to follow the patient”. Patient-directed exchange also informs how we will implement TEFCA and various registries that can provide essential public health and health care innovation benefits.

Early versions of patient-directed sharing via API can make a visible and welcome impact for physicians and patients within 6 months of adoption of the final Regulation. That technical capability is already voluntarily enabled by some API Technology Suppliers and just needs to be mandated for adoption by API Data Providers. The timelines for standards development are long but when standards already exist for Dynamic Client Registration, Refresh Tokens, and User Managed Access, the adoption of these standards can begin immediately by new competitors and early adoption by CMS, VA, and other customers in the Federal Health Architecture can drive a competitive strategy.

Summary of Other Considerations:

21st Century health care innovation, policy, and practice is increasingly dependent on personal information and the rate of progress is increasingly limited by privacy and human dignity in how personal data is used. This is obvious with respect to machine learning and risk adjustment, but personal information is now central to the competitive strategy for most of the health care economy. Privacy now dominates the rate at which technology and policy can progress.

The cost and burden of interoperability at scale are both reduced if we approach the problems from the patient and clinician perspective rather than the institutional:

• Patient matching is a non-issue when information is shared with patient consent and transparency. Modern-day automated bank transaction APIs are a good example. Once set-up by the customer, money can flow automatically and on-demand without further customer action. Email and text messages are used to notify of transactions. All transactions are logged and accessible to the customer online. The costs are lower with the API and transactions process faster.
• HIPAA is a floor but Not Sufficient because it doesn’t cover the data originating in behavioral health practices on the sensitive end and data originating in consumer mobile devices and wearables which can also be quite sensitive. To avoid the limitations of HIPAA, we urge CMS to design interoperability on the basis of patient consent with full transparency to the patient. That also means patient notice and on-line accessible logs for all transactions including treatment, payment, and operations. HIPAA’s exclusion of T/P/O transparency is not justified with modern Open APIs and adds unacceptable security risks as we expand the scope and scale of interoperability.
• Designation of Providers should be without special effort for both the patient and the providers using the Open API. That means accelerating and enforcing the need for providers to include voluntary digital contact addresses in their NPI and Physician Compare files. Patients can automatically link the digital contact info to their consent. Providers can use their digital credentials to automatically register their API client without special effort. It is easier and less burdensome to drive interoperability on the basis of the HIPAA patient right to designate recipients.
• Competition for Authorization Services would be the ultimate cost and burden reduction for large-scale interoperability. The Open API, including FHIR, can be configured to allow the patient to specify the authorization server to the API Data Provider. (See User Managed Access standard in 2019 ISA). Current FHIR API practice forces patients to use a separate authorization server for each API Data Provider. Managing consent at a dozen or more patient portals requires undue effort on the part of patients. Allowing the patient to specify the authorization server would give patients market power to choose their consent service competitively and provide a competitive basis for health information network providers that want to serve the patient.

The draft rules for interoperability, CMS, ONC, TEFCA, USCDI are over a thousand pages. Most of the complexity stems from a design that avoids direct patient direction and transparency the way we expect banking and other automated services. This approach fragments the patient and physician experience and poses privacy and security risks that may never be solved. On the other hand, an interoperability design based on patient-designated sharing with clinicians that voluntarily post their digital contact info (personal, group, or institution) works across the full range of patient data (behavioral, HIPAA, patient-generated) and provides patients and family caregivers the transparency and accountability over health services that we need. Allowing patients to specify their authorization server further simplifies things by enabling competition for the authorization service – a digital concierge – that would give market power to individuals and deliver the pro-competitive benefits the Rule seeks.

Link to the complete comment here.

Adrian Gropper, MD, is the CTO of Patient Privacy Rights, a national organization representing 10.3 million patients and among the foremost open data advocates in the country. 

Deborah C. Peel, MD, is the Founder and President of Patient Privacy Rights.

This post originally appeared on Bill of Health here.

In April 2016, I published guidance, in the form of a mock case study, on how to access a drug before it has been approved by the FDA—what’s known as pre-approval (or expanded or compassionate) access. This is an updated version of that guidance, reflecting multiple important changes in the pre-approval landscape over the past year. In particular, the FDA rolled out a new, streamlined form for single-patient requests, and Congress passed the 21st Century Cures Act, which, among many other things, mandated that certain pharmaceutical companies provide public information about their pre-approval access policies.

Patients (and physicians) trying to access an unapproved drug outside of a clinical trial can feel as though they’re navigating uncharted waters. Many physicians don’t know that the FDA permits the use of unapproved drugs outside of clinical trials; those who do know often have no idea how to access such drugs for their patients. Those physicians who know about pre-approval access are largely specialists in certain areas—often, oncology or rare diseases—and they are generally self-taught: they didn’t learn about pre-approval access in medical school or in their residencies. Thus, while some physicians have become very accustomed to requesting pre-approval access to drugs, the majority lacks this knowledge. In this essay, I use a fictional case to trace the process for requesting access to an unapproved drug. I hope to explode several myths about the process, especially the beliefs that the FDA is the primary decision-maker in granting access to unapproved drugs and that physicians must spend 100 hours or more completing pre-approval access paperwork.

Imagine you are a physician, and you have a pregnant patient who has tested positive for the Zika virus. She is only mildly ill, but she’s terrified that the virus, which has been linked with microcephaly and other abnormalities, will harm her unborn child. She’s so concerned that she is contemplating an abortion, even though she and her husband have been trying to have a child and were overjoyed to learn she was pregnant.

Last night, you saw a news story about a pharmaceutical company with a drug in development that, in theory, could minimize the impact of Zika on fetuses. The story, while focused on the hope of a way to prevent fetal harm from Zika, also discussed the ethical concerns raised by the prospect of testing a new drug on pregnant women and their fetuses. Watching the story, you had thought it might be impossible to ethically test this drug in people, but now, with a distraught patient before you, you wonder if you can find a way for her to try this investigational drug.

In the best-case scenario, you would remember the name of the company developing the drug. After contacting the company, you would learn that it is enrolling participants in a well-designed clinical trial, that your patient is eligible for the trial, and that there is a trial site convenient to her. She would decide to enroll in the trial and have a healthy child — either because of the drug or because the infection did not affect the fetus — and her participation would aid in the development of a drug that may help others who find themselves in her situation. There are numerous reasons, however, why this best-case scenario may not come to pass. For example, you may be unable to recall or figure out which company is developing the drug you heard about; your patient may be uninterested in participating in a clinical trial; or she may be interested but is ineligible because of medical or geographic factors.

For the purposes of this essay, imagine that you cannot remember the name of the pharmaceutical company. So, you go to ClinicalTrials.gov and search the trials listed there using the keyword “Zika.” You look through the various trials listed, but, unfortunately, none of them will work for your patient because they have already completed enrollment or because she matches certain exclusion criteria or is unable to travel to a clinical trial site.

You know the FDA allows expanded access (its term) or compassionate use (the more colloquial term) of investigational drugs when patients without other treatment options are not eligible for clinical trials, but you’ve heard that it is a complicated and time-consuming process. You wonder whether it is even an option for your patient, who would need to decide quickly if she is going to have an abortion. Nevertheless, you decide to try. You do an internet search for “FDA expanded access” and send a message to the FDA email address you find. You quickly get a response informing you that you need to contact the company whose drug you wish to try on your patient to see if it is willing to provide its drug; if so, then you will work with that company to prepare an application for FDA review.

As you don’t remember the name of the company that was developing the drug, you can’t just directly contact it. Instead, on ClinicalTrials.org, you search for “expanded access” and get 719 results. You then try “compassionate use,” getting 602 results, and “pre-approval access,” with 4 results. Unfortunately, when you add “Zika” to your search, you get zero results, regardless of whether you use “expanded access,” “compassionate use,” or “pre-approval access.” Rather than giving up, you do a search using just the keyword “Zika,” intending to call all the listed clinical trials to see if one of the trial sponsors can help your patient, even though she isn’t eligible to join their trial.

The first clinical trial listed is run by Big Successful Pharmaceutical. You go to its website and see that its pre-approval policy posted there. The policy directs you to send an email to a specified address or call a certain number. You call, and the person who answers takes down your request and says you will get a response within 5 business days.

It used to be rare for a company to make its pre-approval access policy public. According to an October 2016 report by Avalere Health, a search of 100 publicly traded pharmaceutical and biotechnology companies found that only 19 companies included their pre-approval access policies on their websites. However, legislation enacted in December 2016 (the 21st Century Cures Act) mandated that “the manufacturer or distributor of one or more investigational drugs for the diagnosis, monitoring, or treatment of one or more serious diseases or conditions make publicly available” its pre-approval access policy. This policy must include (1) contact information for the drug company; (2) procedures for making requests; (3) the general criteria the company uses to evaluate both the requests and its responses to such requests; (4) how long the company will take to acknowledge receipt of requests; and (5) a link or other reference to information about clinical trials for the drug. When Avalere re-ran its study in March 2017, it found that the number of companies with publicly available pre-approval access policies had more than doubled.

The impetus for this legislative requirement was the desire to make the pre-approval access process more patient-friendly. Prior to the 21st Century Cures provision, not only was information about how to submit pre-approval requests to specific companies lacking, but some companies simply did not respond to inquiries. The new rule requires companies to be more forthcoming about their policies and give requesters a timeline for when they can expect an answer. Importantly, the policy mandates that companies have a policy; however, this does not mean that they necessarily offer access: a company’s pre-approval access policy can be that it does not grant pre-approval access to its drugs.

In June 2017, another new tool was unveiled. This is the Expanded Access Navigator (http://navigator.reaganudall.org/), which offers physician- and patient-specific instructions on how to pursue expanded access. In addition to information about how to search ClinicalTrials.gov to find drugs that may be relevant, the Expanded Access Navigator has an alphabetical company directory with links the companies’ websites and information about their expanded access policies and contact information for placing a request. Thus far the Expanded Access Navigator mainly has information relevant to oncology, but it will be adding additional companies and expanding into different therapeutic areas.

One of the reasons that it is important for you to have a designated contact is because different pharmaceutical companies delegate pre-approval decision-making to different people. It could be the chief medical officer, the regulatory liaison, the CEO, the head of the team developing the new drug, the legal team, or some other staff member. Just as there is no industry-wide consensus on who should respond to such requests, there is no agreement on what the answer should be. Some companies feel strongly that they shouldn’t provide unapproved drugs to patients outside of clinical trials, while others are willing to do so as long as it wouldn’t interfere with their trials. Some companies may be willing to provide access in theory but do not have enough drug to make provision a reality, and still others might have policies stipulating that access will be granted only after a certain point in the clinical testing of the drug — for example, after it has been proven relatively effective in a Phase 2 trial, or perhaps after the trials are complete and the drug is under review by the FDA. Yet another area where there is no industry-wide consensus is what to do with patients who appeal a denial. These are the patients who might turn to the media, online petitions, and Twitter and Facebook to try to pressure a company into granting access to its unapproved drugs.

In your case, you get a response the next day informing you that  the company has received so many requests for their investigational drug that it has decided to open an expanded access program (EAP). This is like a clinical trial, in that it collects some data, but its inclusion criteria are less demanding than those of the “real” trials. Your patient, who couldn’t participate in the clinical trial because she has difficulty traveling and lived several hours away from the closest trial location, can participate in the EAP. Because the EAP is collecting less data than is the trial, your patient’s pre- and postnatal visits can be conducted at your hospital instead of her having to travel to the trial site.

Just as you’re breathing a sigh of relief about how easy the process turned out to be, you get bad news. Although the EAP is in the process of being set up, it will not be started in time for your patient, who needs treatment urgently, as she has decided that she would rather have an abortion that give birth to a Zika-affected child. The company informs you that it is still willing to provide its drug to your patient, but you’ll have to go through what is called the single-patient IND route.

Your contact at the company instructs you to complete form FDA 3926, which is available online. You say that you’ve heard that it can take 100 or more hours to complete and that your patient doesn’t have that kind of time. But your company contact tells you that the 100-hour estimate applied to the drug company, when it completed paperwork prior to beginning clinical trials. The form you need to submit, with the company’s help if necessary, should take 45 minutes, at most, to complete.

Once the form is filled out, you send it to the FDA, which will review it to see if it raises any red flags or if the agency has any suggestions on how to improve your proposed treatment plan. By law, the FDA must respond within 30 days; however, its reviewers understand that these requests are often time-sensitive, so they screen them as quickly as possible. In fact, emergency requests are typically reviewed in one day or less and non-emergency requests are usually reviewed within four days. Furthermore, the company tells you that historically the FDA has approved the vast majority of requests for expanded access. Indeed, online you find FDA statistics showing that it approves 99% of pre-approval access requests.

The next morning you get a call from the FDA: the agency will permit you to try the investigational drug on your patient and her fetus. However, there is one more step to take before you can do so—you need to get permission from your hospital’s institutional review board (IRB). The IRB is charged with reviewing research projects proposed to be conducted at the institution, making sure they are ethically acceptable before human subjects can be enrolled. In this case, what they are reviewing is not a research project (even though it involves an investigational drug) but clinical care, albeit of a new, innovative sort that may not actually work. As such, you are not sure how to present your plan for trying this investigational drug to the IRB.

You call the drug company for advice, and a representative offers to send you its clinical trial consent form. You modify the form, removing language about the trial but keeping information about the potential risks and benefits of the drug to mother and fetus. You then call your hospital’s IRB and explain that you wish try an unapproved drug on one of your patients, as she has no approved therapeutic options; that the company is willing to provide the drug; that the FDA is willing to let the request proceed; and that now you need the IRB’s approval. The IRB staff member tells you to send him your proposed informed consent form and that the board will review it as quickly as possible. You know it normally takes a while for your IRB to review submissions, so you are relieved to hear that they will review it quickly. You are also a bit skeptical! Later that day, you call again to check on your submission and to emphasize its time-sensitivity, and you are informed that you’ll have an answer tomorrow. You call your patient to update her and then do the same to the pharmaceutical company, which tells you it will express ship the drug to you so you can use it as soon as you have permission from the IRB.

In our scenario, it all works out:  the IRB approves your submission, the drug arrives on time, the patient consents to receive the drug and takes it with no problems, and she goes on to deliver a healthy child. You have new, hard-won knowledge about how to request unapproved investigational drugs. Very likely you think the process was more complicated that it should be, especially given the time-sensitivity of your request, but upon reflection you realize that the biggest problem you encountered was figuring out what to do and in what order. You vow to share your knowledge with your colleagues and students. Overall, however, you are appreciative of the guidance provided by the company, the FDA, and your IRB, and your patient is grateful that you went above and beyond to try to help her have a healthy child.

The purpose of walking through the above scenario has been to demystify the process of seeking access to an investigational drug outside of a clinical trial through the FDA’s Expanded Access Program. Secondarily, the above scenario was intended to quash several myths. One such myth is that it requires 100 hours or more to complete the FDA’s expanded access paperwork. Another such myth is that the FDA has ultimate control over access to investigational drugs via expanded access. In this case, access to the drug hinged on the company’s willingness to provide it. If the company had said no, the FDA cannot “force” the company to provide an investigational drug. Once the company agreed to provide the drug, the FDA does have approval power, but over 99% of the time, the agency permits pre-approval access requests to proceed. The FDA review is no rubber stamp, however. The agency does important work reviewing the proposal and providing feedback on such issues as dosage, dose schedule, etc. Furthermore, the FDA requires that physicians notify them of any severe or unexpected adverse events that occur in the patient after the drug is administered. This allows the FDA staff to have better understanding of what may happen with the drug should it receive another request to use it in a patient. The physician’s IRB also has approval power over the plan to use an investigational drug in a patient.

Obviously, the above scenario is idealized. Despite recent efforts like the Expanded Access Navigator, physicians (particularly those who are not researchers) may not be able to figure out what investigational drugs may be promising or which company to contact for a specific drug. The company may not post its access policy (despite federal regulations requiring it to do so), or it may not respond to a request. Misunderstanding how to obtain access to investigational drugs outside of clinical trials may result in physicians spending time petitioning the FDA for access when, in reality, it is the companies that have the initial and most significant role in deciding whether to grant requests for access. And, as mentioned before, there is no industry-wide consensus on how to handle appeals when companies deny a request for access.

One byproduct of the lack of understanding of how to seek pre-approval access has been the proliferation of so-called “Right to Try” laws on the state level and, currently, as bills before Congress. Right to Try advocates incorrectly identify the FDA as the sticking point in efforts to obtain non-trial access to investigational medical products. Seeking to remedy the perceived problem, these laws state that FDA approval is not needed to use the products under certain circumstances (most commonly, in terminally ill patients, with informed consent, and on a doctor’s recommendation). The state laws raise constitutional issues in their effort to wrest from the federal government the power to regulate the use of unapproved medical products. More important, these laws fail to acknowledge that any obstacle to a patient achieving pre-approval access is far more likely to arise from companies being unwilling to give out their drugs than from the FDA refusing a submission.

The libertarian Goldwater Foundation is the architect and main proponent of the Right to Try movement. This group continues to cite the 100-plus-hours-to-complete FDA-forms assertion in explaining why it has targeted the FDA. Although that figure was never accurate, in 2016 the FDA rolled out form FDA 3926, which was created only for single-patient requests and takes just 45 minutes to complete. Supporters of Right to Try laws also frequently say that the problem with the FDA is that it is slow: that patients are dead or too ill to be helped by the time the FDA approves a submission. While there may be a range of FDA response times to requests, by law the agency must respond within 30 days or the request is allowed to proceed. As mentioned above, the FDA normally reviews emergency requests in a day or less and non-emergency requests in a median of four days. Thus, FDA foot-dragging is not a problem. The right to try movement’s identification of the FDA as the chief obstacle to patients being able to access investigational drugs outside of clinical trials is the product of libertarian anti-regulatory ideology rather than fact.

It may be that the main barrier to patients getting access to pre-approval drugs is lack of familiarity with the process. Hopefully this essay has illuminated and demystified that process. However, seeking investigational drugs outside of clinical trials will still be challenging, and there is much work to be done: educating patients and physicians, guiding the pharmaceutical industry in the development of best practices concerning how to respond to requests, and assisting IRBs in providing appropriate and timely reviews of proposals. But the mere fact that this article needed to be significantly updated a year after publication is indication that change is happening quickly.

Senate leaders now say they won’t consider companion legislation to the House-passed 21st Century Cures Act until September, after months of delay.  Lawmakers would then have to reconcile the differing House and Senate versions, presumably by year’s end during a lame-duck Congress.

We believe the summer delay is a good thing, and that Congress should actually extend consideration of the complex legislation into 2017 when must-pass FDA funding through industry user-fees will be on the congressional calendar.   That way, lawmakers can debate the implications of the proposed bills in the context of the resources FDA needs.

Why further delay?  Because the legislation—which makes substantial changes to the way the Food and Drug Administration (FDA) approves drugs and devices—is flawed.  As currently crafted, it lowers standards for drug and device approvals and safety, and risks adding to the rising cost of prescription drugs.
The ostensible rationale for the legislation—being pushed by drug and device companies—is that the FDA stifles innovation and advances in treatment by approving drugs and devices too slowly compared with other countries.

That premise is faulty.  Nearly two-thirds of the novel drugs approved in 2015, for example—29 of 45, 64 percent — were approved in the United States before being approved in any other country. The proportion was even higher in 2012 and 2013. Moreover, the majority of those drugs (60 percent) took advantage of existing FDA expedited review programs—fast track, breakthrough, priority review, and accelerated approval—and nearly half (47 percent) were approved to treat rare or orphan diseases.

As for devices, research shows that “it takes the same amount of time or less for patients to gain access to innovative, high-risk medical devices” in the U.S. compared to Germany, France, Italy, and Britain.

The House and Senate bills ignore the above facts. They essentially seek to speed-up the approval process by relaxing FDA’s safety and effectiveness standards. And to make that more palatable, sponsors have attached the changes to increases in funding for the National Institutes of Health and the FDA.
But while the public supports increases in biomedical research funding, it is deeply skeptical about lowering the standards for drug and device approval. In the most recent poll on this issue, just under 60 percent of Americans opposed changing federal regulations to speed the development and approval of drugs, according to a STAT-Harvard poll released in May. Respondents’ main concern: faster approval would allow products on the market that don’t work or are unsafe.

The survey echoed a previous poll by Consumers Union that found 82 percent of Americans believe that preventing safety problems is more important than limiting safety testing to speed the clearance or approval of devices or promote innovation.

The House’s 21st Century Cures Act received broad bipartisan support in part because it put a significant amount of money for research on the table. The House bill pledges a $9 billion increase in mandatory funding for the National Institutes of Health over five years, gaining the support of universities and medical schools. It also promises $550 million to the FDA (which, according to the CBO’s analysis, would not fully pay for the additional workload the Act assigns the FDA).

The drug and device industries intensely lobbied House members to pass the legislation. The Pharmaceutical Research and Manufacturing Association (PhRMA) increased its lobbying from $4 million to $5.4 million in the quarter before the 21st Century Cures Act passed. The Advanced Medical Technology Association upped its spending from $550,000 to $740,000 in the same quarter. The Senate’s lobbying database listed more than 1,100 lobbyists working on the legislation.

The Senate legislation—actually, 19 separate bills—is an improvement over the House’s 21st Century Cures Act.  But, on balance, the Senate bills are still weighted heavily in favor of speeding medical products to market by weakening FDA approval standards.

New drugs and devices are often an improvement over existing products, of course.  And when they clearly are, FDA has established pathways to get them to market and patients as fast as possible. The agency, for example, grants more than one-third of requests from industry for “breakthrough” designation for new drugs. But the history of medicine is replete with examples of drugs and devices that caused more harm than good, some of which were approved too hastily — such as Avastin for breast cancer, Vioxx for arthritis, and metal-on-metal hip implants.  Innovative drugs and devices simply must be required to actually work and not harm patients.

Below we list the Senate bills that, in our view, increase risks to patients and those we think would improve public health.
Increases risks and should be rejected or significantly modified:

The MEDTECH Act would prevent the FDA from collecting adverse events due to flawed electronic medical records, and from recalling certain types of defective medical software. Some of this software has had life-threatening flaws in the past, such as oncology electronic medical record systems that calculated and recorded incorrect drug dosages for highly toxic chemotherapy drugs.

The PATH Act would allow antibiotics to be approved with minimal evidence of safety and effectiveness through a “limited population” approval pathway. But, antibiotics approved in this way are promoted by companies so that they are more widely prescribed in order to increase sales. As they are, we won’t have information about whether they’re actually safe or effective for those groups of patients.

The Advancing Breakthrough Devices for Patients Act would encourage shorter and smaller clinical trials for medical devices. Abbreviated clinical trials will make it difficult, if not impossible, to include sufficient participation from subpopulations such as women, seniors, and racial and ethnic minorities in the analysis of the trials. In an increasingly diverse America, this is unacceptable.

The Advancing Hope Act would continue the existing pediatric priority review voucher program through 2022. The program is currently set to expire at the end of September. The program’s ability to stimulate innovation is questionable: a recent GAO review of the program concluded that the six drugs for which vouchers have been awarded so far were in development before the program existed. By allowing drug makers to buy a priority review, the bill removes FDA’s ability to set its work priorities and resource allocations based on public health needs. In a time of threats such as the Zika virus, our government agencies must be able to prioritize public health, and not be bound by vouchers that were sold to the highest corporate bidder.
Would promote innovation and protect public health, and should be passed:

The Preventing Superbugs and Protecting Patients Act will help prevent drug-resistant infections from contaminated duodenoscopes and other reusable medical devices that have caused harm and deaths. If enacted, this bill will require certain reusable medical devices to have validated cleaning, disinfection, and sterilization procedures.

The Next Generation Researchers Act  invests in the brightest young researchers to ensure that the United States remains at the forefront of biomedical research.

The Promoting Biomedical Research and Public Health for Patients Act reduces unnecessary administrative burdens on researchers and encourages compliance with clinicaltrials.gov reporting requirements.

The FDA and NIH Workforce Authorities Modernization Act will make it easier for FDA to recruit and retain top scientific and technical experts by making salaries more competitive with those offered by industry. It will also lead to the development of standards for regenerative medicine — such as regenerating human cells, tissues, or organs to restore or establish normal function.

Lawmakers are also considering adding the REGROW Act to the Senate’s package of bills. The bill would allow complex regenerative medicine therapies to be conditionally approved based on preliminary evidence. Since at least half of all drugs fail in the last stage of testing, many patients could end up receiving therapies that are later found to be unsafe or ineffective.
Looking Ahead

On Saturday June 25, six former FDA commissioners from Democratic and Republican administrations suggested at the Aspen Ideas Festival that Congress make the agency independent of the Department of Health and Human Services — similar to the Securities Exchange Commission, for example. With regulatory purview over products that represent a quarter of the U.S. economy, the group said the FDA is harmed by an unstable federal budget process and persistent political meddling. The group said they would issue a white paper on their proposal for the next administration.

That’s another reason why Congress should postpone consideration of this legislation until 2017.

A version of this post was previously published on the Health Affairs blog.

Paul Brown is Government Relations Manager and Tracy Rupp is Director of Public Health Policy Initiatives at the National Center for Health Research.  Steven Findlay is an independent health care journalist and consumer advocate.