On March 9th, the U.S. Department of Health and Human Services (HHS) finalized two rules that are designed to give patients access to their health data and to increase interoperability among health care providers and payers using health information technology. The two rules, issued by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS), implement interoperability and patient access provisions of the 21st Century Cures Act. A primary aim of the 21st Century Cures Act was to push the healthcare industry to facilitate interoperability of healthcare data across the spectrum, including amongst health care payers, providers, patients and technology vendors. For decades, HHS has largely relied on the industry to enable interoperability through a market-driven approach that would, in theory, benefit industry while achieving the interoperability goals established by the regulators. Unfortunately, that theory has not been borne out in practice. Instead, the market-driven approach has allowed industry to monetize data by limiting data sharing, in turn impeding the benefits of interoperability, which rely upon data sharing to promote improved care coordination, better patient outcomes, and material cost reductions. In order to bend the curve toward interoperability, the new HHS rules are designed to provide for binding and specific steps to "free" health care data and recognize the aforementioned benefits.

The HHS rules are collectively intended to provide a stronger mandate to the industry.  This blog focuses on the rule issued by CMS, which is available here, and is principally focused on stimulating the payer industry to foster interoperability. Using its authority to regulate Medicare Advantage, Medicaid, CHIP, and Qualified Health Plan issuers on the Federally-facilitated Health Insurance Exchanges, CMS is requiring both public and private entities to share health information between patients and other parties. A brief summary of the key requirements in the CMS rule is below:

  • Patient Access API: The CMS-regulated payers listed above, with certain exceptions, are required to implement and maintain a secure, standards-based application programming interface (API) that allows patients to easily access their claims and encounter information, including cost, as well as a defined sub-set of their clinical information through third-party applications of their choice.  These payers are required to implement the Patient Access API beginning January 1, 2021.
  • Provider Directory API: The CMS-regulated payers listed above, with certain exceptions, are also required to make provider directory information publicly available via a standards-based API. According to CMS, making this information broadly available in this way will encourage innovation by allowing third-party application developers to access information so they can create services that help patients find providers for care and treatment, as well as help clinicians find other providers for care coordination, in the most user-friendly and intuitive ways possible. These payers are required to implement the Provider Directory API by January 1, 2021.
  • Payer-to-Payer Data Exchange: CMS-regulated payers are required to exchange certain patient clinical data (specifically the U.S. Core Data for Interoperability (USCDI) version 1 data set) at the patient's request, allowing the patient to take their information with them as they move from payer to payer. These payers are required to implement a process for this data exchange beginning January 1, 2022.
  • Improving the Dually Eligible Experience by Increasing the Frequency of Federal-State Data Exchanges: The rule updates requirements for states to exchange certain enrollee data for dual eligible Medicare-Medicaid beneficiaries from monthly to daily. States are required to implement this daily exchange starting April 1, 2022.
  • Public Reporting and Information Blocking: Beginning in late 2020, and starting with data collected for the 2019 performance year, CMS will publicly report eligible clinicians, hospitals, and critical access hospitals (CAHs) that may be information blocking based on how they attested to certain Promoting Interoperability Program requirements.
  • Digital Contact Information: CMS will begin publicly reporting in late 2020 those providers who do not list or update their digital contact information in the National Plan and Provider Enumeration System.
  • Admission, Discharge, and Transfer Event Notifications: CMS is modifying Conditions of Participation to require hospitals, including psychiatric hospitals and CAHs, to send electronic patient event notifications of a patient's admission, discharge, and/or transfer to another healthcare facility or to another community provider or practitioner.

Generally speaking, the health care industry response to the CMS rule has been warm.  Most health care stakeholders support – at least in concept – efforts to improve access to clinical, encounter, claims, and other types of data that can be shared among patients, plans, and federal agencies through APIs. Most health care stakeholders also support discouraging information blocking, capturing more electronic addresses for providers, and requiring hospitals to electronically send admission, discharge, and transfer notifications.

That said, there are a few areas where stakeholders have voiced concern.

  • Privacy and Security: Many have criticized the rule because, once providers send patient data to third-party APIs, that data would no longer be protected under the Health Insurance Portability and Accountability Act (HIPAA). Since third party app developers are generally not obligated to comply with HIPAA, health care stakeholders are concerned that they may use patients' sensitive health care information in unscrupulous ways, including for advertising and other commercial purposes unrelated to patient care.
  • Confidentiality and Business Advantage: Payers will likely be required to share data with their direct competitors in connection with the CMS rule. This could make it increasingly difficult to preserve competitive advantages with respect to pricing and network administration.
  • Cost: Particularly for smaller entities, but also true for more robust organizations, compliance with the CMS rule will require significant investment in technology (e.g., API development) and services which will have a significant impact on the bottom line of payers.

Many are also concerned about the strict timelines in which payers must comply with the rule's requirements, fearing they may need more time than the rule provides.

This blog is the first in a series intended to provide insights to health care providers and payers and emphasize the importance of understanding and complying with the HHS rules and their requirements.  In the coming weeks, we will be producing additional blog posts that will provide further input into the ONC rule as well as the principles around information blocking that both rules emphasize.  There is no doubt that the health care industry supports the goal of these rules, which is to give patients better access to their healthcare data to enable them to make informed healthcare decisions and better manage their care.
