Q3 b.well buzz Newsletter

Dynamic Shifts in Regulatory Landscape and Their Impact on Your Organization

Overview

The b.well team is tracking an accelerated pace of regulatory activity since the year began. This recap focuses on five key areas where regulatory guidance, federal rulemaking and state-based legislation are shaping the consumer health experience. We track these activities to help transform compliance into trust-enhancing consumer experiences, and connect interoperability requirements with business opportunities to gain early mover advantages.

OCR Guidance

OCR sub-regulatory guidance reminds HIPAA-covered entities and business associates to collect a valid HIPAA authorization before using third-party tracking technologies that collect Personally Identifiable Information (PII), or to enter into business associate agreements with tracking technology service providers. The guidance broadly says Protected Health Information (PHI) includes any PII collected through online and mobile resources of HIPAA-regulated entities when they indicate a consumer’s interest or need for particular health care services and items.

b.well & Customer Impact

b.well strives to keep consumer data secure, has proactively deprecated its use of Google Analytics, and has confirmed it does not use technologies from Meta or other vendors that track consumer activity across the internet. In order to safely understand user behavior, b.well only uses third party tools for measuring user behavior where a business associate agreement (BAA) or data protection agreement is in place.

Industry Impact

The OCR guidance is part of a broader trend of scrutiny where tracking technologies and sensitive health data intersect. We are already seeing Google’s policies adapt to OCR’s guidance, and expect more states and the FTC will use their available policy levers to protect consumer health privacy from behavioral advertising or surveillance-like data practices. Other evidence of this includes the FTC’s action against Better Health, announced March 3, 2023, and the Washington My Health My Data Act, both described below. The FTC has also proposed updates to its Health Breach Notification Rule, which we plan to summarize in the next quarterly newsletter.

Google Play Policy Changes

In April 2023, Google Play made significant changes to its app approval practices, which are causing apps released by healthcare organizations to be rejected at a higher rate. These changes are more prescriptive in the way prominent disclosures must be displayed to users, the content of these disclosures, and the way consents are drafted and obtained. On the one hand, the added prescriptiveness is welcomed; at an earlier time, apps were rejected without detailed guidance to understand the basis for rejection. On the other hand, the same processes approved until recently are now being rejected because they don’t fit the prescription. b.well is troubleshooting these changes, so you don’t have to. The important thing to understand is that Google Play’s automated processes and policies are not always in sync, and a bit of trial and error is now becoming routine as developers learn how to meet criteria in Google Play’s automated app release processes. These impacts will continue as some developer policies go into effect later in December 2023. An example includes an ability for consumers to automatically select when they want their data to be deleted from an application. Our product team already has this functionality on our roadmap for the 4th quarter of 2023.

Changes in Google Play’s app approval processes appear to follow periods of broader public scrutiny, which is leading to more consumer privacy across internet and mobile technologies. Examples of this scrutiny include the recent OCR Guidance about tracking technologies, and consumer privacy legislation in California, Colorado, Connecticut, Utah, Virginia, and now Washington.

Washington My Health My Data Act

On May 3, 2023, Governor Inslee of Washington signed the My Health My Data Act. The law prohibits use of precise location to detect a consumer’s presence in proximity to health care facilities in Washington. Starting March 31, 2024, entities conducting business in Washington will face more rigorous disclosure and consumer opt-in consent requirements to collect, share, and use consumer health data, to honor withdrawals of consent, and to honor data portability and data deletion requests. The law also requires a revocable authorization to sell consumer health data, similar to a HIPAA authorization. The authorization goes beyond a HIPAA authorization in requiring a 1-year expiration period. Businesses will not be allowed to condition access to goods and services on a consumer signing the authorization. The law includes provisions that apply directly to downstream service providers, and when a consent is withdrawn, service providers of regulated entities would be required to honor that change.

b.well and Customer Impact

Many of the changes align to b.well’s privacy policy and underlying consumer trust framework, requiring minor changes to our disclosures and consents. This is because b.well aligns our privacy and data practices to the CARIN Alliance Code of Conduct, which sets a high bar for consumer health privacy. The b.well team plans to update its customer implementation playbooks and supporting materials to help customers align to Washington’s upcoming changes.

Industry Impact

The Washington law, as is true with other U.S. states enacting consumer privacy legislation, illustrates a growing alignment towards concepts and language already used in the General Data Protection Regulation. For this reason, privacy policies and practices may begin to adopt more of the language and concepts of the GDPR – speaking of data subjects, for example, and looking at “processing instructions” between an information controller and processor, in compliance programs. 

CMS Prior Auth and Advanced Interop

This proposed rule (CMS-0057-P) would require CMS-regulated payers to implement Application Programming Interfaces (APIs) for payer-to-payer exchange, provider access, and access to prior authorization requirements, to complement existing APIs for provider directories and patient access. If finalized as proposed, payers will be required to support these new APIs by January 1, 2026. The rule proposal excludes prior authorization for prescription drugs. In a related proposal, CMS recommended an update of X12 standards to exchange health care attachments, which could also assist with automating prior authorization submission workflows.

b.well & Customer Impact

b.well submitted comments directly to and through the CARIN Alliance, endorsing the rule proposals. We also engage with FHIR accelerator communities, including CARIN and DaVinci, to participate in prior authorization interoperability activities. We encourage customers to consider participation in these activities to get more experience before the “go live” date and influence the standards with real world testing. 

Industry Impact

The proposal signals CMS’ intention to drive interoperability beyond data access to use cases and workflows where scalable data exchange on open standards can reduce burden for patients, providers, and the health system overall. This broader conception of interoperability lines up with the reasons why our customers select b.well’s digital transformation platform. With b.well, customers can more easily integrate new interoperability requirements on a unified platform.

HIPAA Updates for Reproductive Health Privacy

The OCR proposes a new class of “Prohibited Uses and Disclosures” involving reproductive health services. Under the proposal, covered entities and business associates would be prohibited from using or disclosing PHI if the service(s) are considered lawful. OCR explicitly states that services delivered under the Emergency Treatment and Labor Act (EMTALA) preempt state laws, making services covered by EMTALA lawful. Regulated entities would also be required to collect a signed attestation from PHI requestors when disclosures are requested for health oversight activities, judicial and administrative proceedings, law enforcement purposes, or about decedents to coroners and medical examiners. The attestation would provide assurance that the request is not for a prohibited purpose.

b.well and Customer Impact

If finalized as proposed, customers regulated by HIPAA will have an added legal basis to protect their consumers’ reproductive health privacy. This proposal illustrates the resilience of b.well’s “hybrid” data rights model, which allows data in a consumer’s unified longitudinal health summary to be managed under HIPAA while also being subject to consumer-consented uses and disclosures. The proposal would strengthen b.well’s ability to protect consumer privacy when consumer health data related to reproductive health is consolidated from multiple sources, even when reproductive health care services are not provided by or paid for by our customers.

Industry Impact

This proposal, if finalized, would strengthen the protections available for health data collected and maintained by HIPAA covered entities and their business associates. Applications that are not provisioned by HIPAA regulated entities or their downstream service providers will need to turn to state and federal laws to fill the gap.

ONC Updates to the ONC Health IT Certification Program and Information Blocking Rule

ONC has proposed updates to the ONC Health IT Certification Program and the Information Blocking Rule. The proposals reflect an ongoing maturation of standards that developers of certified electronic health record (EHR) technologies and API technologies will be expected to meet. The proposal also reflects a clear policy priority to promote interoperability through the Trusted Exchange Framework and Common Agreement (TEFCA), under a proposed Information Blocking safe harbor.

September 1, 2023, marks a pivotal moment in health IT as the HHS begins enforcing penalties for information blocking. As part of these significant updates, it’s essential to recognize the implications and ensure you’re aligned with compliant vendors.

For context, this enforcement could lead to substantial fines — up to $1 million per violation. Those liable for these penalties include:

  • Health IT developers of certified health IT
  • Entities offering certified health IT
  • Health information exchanges
  • Health information networks

Other priorities reflected in the proposal have to do with public health reporting, algorithmic transparency in decision support tools (now called decision support interventions), health equity, and – significantly for b.well and its customers – a reaffirmation of the primacy of patient access and API-based interoperability.

For example, the proposed updates to the ONC Health IT Certification Program include significant operational enhancements for certified patient access APIs. ONC also proposes new semi-annual reporting obligations for electronic medical record (EMR) vendors, to help policymakers and industry learn which tools patients use to access their data, and the types of convenience features and capabilities available through these tools that might encourage them to access their data more.  

ONC’s proposal includes RFIs covering topics that include FHIR-based scheduling APIs, real time benefit tools, lab test interoperability and SMART HealthLinks (QR Codes) to support exchange of authoritative information, following the standard that gained ground with digital COVID-19 vaccine credentials.

b.well and Customer Impact

b.well is excited that ONC is doubling down on patient access and API-based interoperability as well as the level of detail in the ONC’s proposed “Insights Condition of Certification,” which lays out the new semi-annual reporting obligations. This proposal reveals a detailed understanding of consumer health digital tools – not just patient portals but provider-provisioned applications, health information networks, and true “third party applications”. 

The reporting obligations would allow data-driven insights about the number of apps actively connected to patient access APIs, consumer usage of these apps, and the types of FHIR resources being consumed. The reporting has potential to reveal correlations between patient access and access to convenience features like scheduling, secure messaging, and prescription refill requests. This lines up with our long-held view about the power of the b.well platform to help our customers deliver a singular launching-off point for their consumers, where the ability to create a consolidated health summary will be rapidly combined with convenience features. This will help consumers access care for their families and make informed choices that make relevant, personalized prices, and coverage available in real time.  

b.well interprets the ONC RFIs as a signal of ONC’s understanding of patient access as a starting point in the interoperability journey. Directing attention to convenience features like scheduling, real time benefit tools, and SMART HealthLinks is a sign that ONC is committed to the shoppable consumer experience in healthcare.

The ONC proposal also includes a potential safe harbor for TEFCA. TEFCA is not yet live, and much remains to be learned about the costs of transacting through TEFCA and the data rights some QHINs may require to build sustainable business models in document-based exchange using internet technologies (IHE and CCD-A) from the 1990s. While we are hopeful about TEFCA, we urge our customers to understand the fine print. 

With TEFCA, there may be greater costs and a loss of control over data rights. In contrast, b.well aims to increase data access for consumers in a safe and secure way while committing to not sell data. These are examples of the considerations our customers need to think about, and which we think about, as the pricing and contractual terms of TEFCA QHINs become more transparent.

Industry Impact

This proposal reinforces ONC’s commitment to FHIR API-based interoperability, patient access, consumer convenience features, and burden reduction through technology. ONC estimates the proposal’s costs at $742 billion over 10 years, with opportunities for an estimated $1 billion in annual savings. Industry organizations must evaluate how many of these costs are priced into their vendor contracts and what investments they can make to leverage the opportunities presented as part of their strategic planning.