In March 2020, unrelated to but somewhat obscured by the coronavirus disease 2019 pandemic, the Office of the National Coordinator for Health Information Technology at the US Department of Health and Human Services announced a new landmark medical information–sharing rule, referred to as the 21st Century Cures Act final rule.1  The rule is complex and governs many facets of health information technology, including electronic health records (EHRs). One aspect, regarding the need for pediatric certification aspects of EHRs, brings a welcome acknowledgment of the unique needs of children.

The first part of the rule is currently scheduled to go into effect on April 5, 2021, and has the potential to significantly empower patients and their families and increase their engagement in their own health care; however, there are specific pediatric implications and challenges. The pediatric health care provider community must play a critical role in implementing these rules in a safe and meaningful way for children and their guardians.

In brief, the new rules provide a framework to facilitate patient, family, and provider access to medical records, significantly increasing the types of electronic health information (EHI) that must be easily and electronically accessible to patients and guardians and to providers who care for those patients. The rules also require health providers to send this EHI to third-party applications (apps) upon a patient’s (or patient guardian’s) request and authorization. The types of data that must initially be shared are covered in the new US Core Data for Interoperability and include clinical notes, immunizations, laboratory test results, medications, demographics, problems, and vital signs data, including growth curve data.1  In 2022, the data that must be shared are supposed to expand to all EHI.1 

These new rules create a fine line for the pediatric community to walk to reap the potential benefits while avoiding harmful unintended consequences. The positive implications of this rule include increased access to pediatric health information that could enhance engagement of guardians (biological, adoptive, and foster parents) in their child’s health care and equip them with critical data to share with other health providers or schools. These rules could also empower and enable adolescents to start managing their own health needs as they transition into adulthood.

The potential harmful unintended consequences for children and adolescents relate primarily to the risk of having their health data inappropriately exposed or shared in ways that can compromise their privacy and even their safety.2  This inappropriate exposure could come in the form of (1) guardians inappropriately getting access to private or protected adolescent data,3,4  (2) guardians sharing children’s health data broadly before the children are of the age to control their own data,2  (3) patients or guardians providing data to a third-party app that gets compromised or inappropriately shares data, or (4) adolescents sharing their own data without fully understanding the lifelong implications.

When faced with the challenge of managing this new complexity in stewardship of child and adolescent data, there is also the risk that health systems, governments, and companies may respond by limiting the application of the new information-sharing rules in pediatric populations. This could result in excluding children and their guardians from the development and adoption of new patient engagement tools.

For example, the new federal information-sharing rules appropriately defer to state adolescent privacy and data-sharing laws, which vary significantly across the country.5,6  In many cases, there is technically not a solution within current EHR software to allow clinicians and health systems to fully comply with both state adolescent privacy laws and the full intention of the federal information-sharing rules. Pediatric health providers are forced to turn to “infeasibility” and “content and manner” exceptions in the rollout of the rule,1  which may significantly limit access to health data for adolescents and their guardians.

Perhaps the most controversial and potentially concerning aspect of the new rules is the requirement for providing health data in an easy-to-download manner for third-party apps. Depending on one’s perspective, the good and the bad news is that right now, there are no third-party health care apps in the market that meaningfully enable this data sharing for pediatrics. There are several third-party apps available for downloading and aggregating EHI (eg, Apple Health Records [Apple Inc, Cupertino, CA], CommonHealth [The Commons Project, New York, NY], MyFHR [CareEvolution, Inc, Ann Arbor, MI]). However, these apps have yet to fully develop appropriate pediatric workflows.

There are several specific potential issues with third-party apps that deserve consideration. First, third-party apps do not fall under the protections of the Health Insurance Portability and Accountability Act but instead fall under regulation from the Federal Trade Commission. Most patients and families are unlikely to appreciate this difference in how their health information is protected. Second, third-party health apps do not have clear security requirements or standardized requirements for consent to share health data, which makes it challenging to judge the trustworthiness of the app and creates risk for unintended sharing of health data. Third, health apps may have different standards for how they aggregate health data from different sources (duplicate medications, generic versus brand names, laboratory values with different units, etc), which could be confusing for patients and families. Fourth, most existing health apps are not yet able to reliably segregate and store data for the guardian and the children on the same mobile device, which is particularly important for meaningful use in pediatrics. Additionally, third-party apps may not follow best practice standards for display of pediatric health information,7,8  such as display of height and weight data on a growth curve, leading to the potential loss of valuable contextual information as the data are downloaded. Finally, there are specific challenges in how third-party apps segregate and protect sensitive adolescent data from a guardian that may violate recommended best practices for adolescents.3,4,9 

There are promising developments in industry that have the potential to allow children and their proxies to benefit from the data access, transparency, and engagement opportunities being ushered in with these new rules. However, pediatric health care providers have a responsibility to help educate pediatric guardians and adolescents about these tools and to advocate for continued development of appropriate pediatric functionality and safeguards. The immediate steps that the pediatric health care community should take are to (1) become familiar with these new rules and help educate other frontline clinicians; (2) work with American Academy of Pediatrics councils and local chapters to understand and inform state laws that may limit the implementation of these federal rules in pediatrics; (3) engage in education and advocacy directly with children, adolescents, and their families to enable and ensure meaningful advances in health care transparency and engagement10 ; and (4) continue to help educate industry partners to develop appropriate pediatric functionality in EHRs and third-party apps79  (see Table 1).

TABLE 1

Education and Advocacy for Safe and Meaningful Pediatric EHI Sharing

Target AudienceActivity and Message
Frontline clinicians Engage and empower frontline clinicians with knowledge about this rule and tools for talking with patients and families about sensitive medical data and potential risks of sharing that data. 
Patients and families Educate patients and families so that they can more meaningfully engage with their own health care while protecting potentially sensitive data.9  
Local health care system (information technology and operational leaders) Engage with your local health IT department to ensure appropriate configuration of EHRs and patient portals for children, adolescents, and proxies.710  Much of this will happen at the local level, especially given individual state laws around adolescent privacy.5,6  
Industry (EHR and third-party health app vendors) Educate EHR vendors and advocate for continued development of functionality to facilitate sharing of the appropriate data with adolescents versus proxies via patient portals.3,4,9  
 Educate app developers to ensure that appropriate pediatric functionality and safeguards are built into third-party apps.7  
Policy makers At the state level, advocate for appropriate protections for adolescent privacy.3,4,9  
 At the federal level, advocate for clarification and expansion of privacy laws to protect pediatric health data that are shared with third-party apps. 
Target AudienceActivity and Message
Frontline clinicians Engage and empower frontline clinicians with knowledge about this rule and tools for talking with patients and families about sensitive medical data and potential risks of sharing that data. 
Patients and families Educate patients and families so that they can more meaningfully engage with their own health care while protecting potentially sensitive data.9  
Local health care system (information technology and operational leaders) Engage with your local health IT department to ensure appropriate configuration of EHRs and patient portals for children, adolescents, and proxies.710  Much of this will happen at the local level, especially given individual state laws around adolescent privacy.5,6  
Industry (EHR and third-party health app vendors) Educate EHR vendors and advocate for continued development of functionality to facilitate sharing of the appropriate data with adolescents versus proxies via patient portals.3,4,9  
 Educate app developers to ensure that appropriate pediatric functionality and safeguards are built into third-party apps.7  
Policy makers At the state level, advocate for appropriate protections for adolescent privacy.3,4,9  
 At the federal level, advocate for clarification and expansion of privacy laws to protect pediatric health data that are shared with third-party apps. 

As champions of concepts such as the medical home and family-centered care, pediatric providers have long embraced the fundamental ideas of participatory care. The new federal rules place health care on the brink of an exciting shift, and as always, the pediatric provider community has a critical responsibility to help children, adolescents, and families navigate their way safely into this new era.

Dr Pageler drafted the initial manuscript and reviewed and revised the manuscript; Drs Webber and Lund reviewed and revised the manuscript; and all authors approved the final manuscript as submitted and agree to be accountable for all aspects of the work.

FUNDING: No external funding.

EHI

electronic health information

EHR

electronic health record

1.
Office of the National Coordinator for Health Information Technology, Department of Health and Human Services
. 21st Century Cures Act: interoperability, information blocking, and the ONC Health IT Certification Program. Available at: https://www.federalregister.gov/documents/2020/05/01/2020-07419/21st-century-cures-act-interoperability-information-blocking-and-the-onc-health-it-certification. Accessed November 15, 2020
2
Bala
N
.
Why are you publicly sharing your child’s DNA information? The New York Times
.
3
Confidentiality in adolescent health care: ACOG committee opinion, number 803
.
Obstet Gynecol
.
2020
;
135
(
4
):
e171
e177
4
Committee on Adolescence
.
Achieving quality health services for adolescents
.
Pediatrics
.
2016
;
138
(
2
):
e20161347
5
Guttmacher Institute
.
An overview of consent to reproductive health services by young people
.
2020
.
6
English
A
,
Bass
L
,
Dame Boyle
A
,
Eshragh
F
.
State Minor Consent Laws: A Summary
, 3rd ed.
Chapel Hill, NC
:
Center for Adolescent Health & the Law
;
2010
7
Wald
JS
,
Haque
SN
,
Rizk
S
, et al
.
Enhancing health IT functionality for children: the 2015 children’s EHR format
.
Pediatrics
.
2018
;
141
(
4
):
e20163894
8
Spooner
SA
;
Council on Clinical Information Technology, American Academy of Pediatrics
.
Special requirements of electronic health record systems in pediatrics
.
Pediatrics
.
2007
;
119
(
3
):
631
637
9
Blythe
MJ
,
Del Beccaro
MA
;
Committee on Adolescence
;
Council on Clinical and Information Technology
.
Standards for health information technology to ensure adolescent privacy
.
Pediatrics
.
2012
;
130
(
5
):
987
990. Reaffirmed December 2018
10
Webber
EC
,
Brick
D
,
Scibilia
JP
,
Dehnel
P
;
Council on Clinical Information Technology
;
Committee on Medical Liability and Risk Management
;
Section on Telehealth Care
.
Electronic communication of the health record and information with pediatric patients and their guardians
.
Pediatrics
.
2019
;
144
(
1
):
e20191359

Competing Interests

POTENTIAL CONFLICT OF INTEREST: The authors have indicated they have no potential conflicts of interest to disclose.

FINANCIAL DISCLOSURE: The authors have indicated they have no financial relationships relevant to this article to disclose.