Just two months after the U.S. Department of Health and Human Services (HHS) finalized two rules on interoperability and patient access, we are in the middle of the COVID-19 public health crisis. How is this new context changing the perception of the rules and the implementation timelines? Critics say the rules’ compliance timelines are unrealistic, while proponents argue that increased patient access to health data is now more important than ever. What are the implications of the partial postponement announced on April 21st?
On March 9, 2020, the HHS Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS) released two final rules. The rules implement the interoperability and patient access provisions of the 21st Century Cures Act (Cures Act) and support President Trump’s MyHealthEData initiative.
Interoperability in healthcare is the secure, timely, and appropriate sharing of health data across seamlessly connected information systems. The CMS rule finalizes policies that will increase patient access to their health data and drive the health system toward interoperability, while the ONC rule explains and standardizes the technical infrastructure necessary to fulfill those requirements.
Together, these rules increase transparency in America’s healthcare system and constitute the most significant health data sharing regulations to date. The rules give patients access to their health information on their smartphones, yet the potential downside of this capability is that their data may become less secure.
It is still unclear whether COVID-19 will delay or accelerate stakeholders’ compliance with the interoperability rules’ deadlines, but the national expansion of telehealth during this pandemic has highlighted the importance of readily accessible and transferable health data.
Interoperability has been an Increasing Federal Priority since 2004
These new rules build on the momentum created over the last 15 years to promote health information technology (HIT) and interoperability, including:
- HHS’ establishment of ONC in 2004;
- Congress’ enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, which allotted $20 billion for the deployment of electronic health records (EHRs);
- Congress’ enactment of the Medicare Access and CHIP Reauthorization Act (MACRA) in 2015, which rewards clinicians for meaningful use of certified EHR systems; and
- Congress’ enactment of the bipartisan Cures Act in 2016, which aims to increase the role of ONC and HHS in promoting interoperability among distinct EHR systems.
These and other legislative efforts provided tens of billions of dollars in funding for HIT and health information exchange (HIE), building our legal and technical infrastructure for interoperability and increasing patients’ access to their data.
The two March rules detail processes and standards to promote access to more health data for more people. Third-party medical record smartphone apps like Apple’s Health Records app have been launched over the last decade, but none are federally certified. Nor do they use a standardized application programming interface (API) or load health data straight from users’ providers and insurers. Because of this, CMS has framed these two rules as its “first phase” of rulemaking to promote interoperability.
The draft regulations for this “first phase” were controversial, and the final rules remain the subject of much debate. Some stakeholders argue in favor of the rules, saying that abundant data sharing will allow providers to take care of their patients more efficiently and effectively, and will facilitate patient access to their medical information and knowledge of provider and service options. Skeptics have expressed concern about patient data security, implementation costs, and “unrealistic” compliance timelines, especially in light of the COVID-19 pandemic and its pressure on health systems across the country.
Overview of Rules
CMS’ “Interoperability and Patient Access” Rule Requires Increased Data Sharing
CMS issued this rule in an effort to advance interoperability and empower patients to obtain their own health data with ease and security. The rule builds on CMS’ Medicare Blue Button 2.0 (which allowed beneficiaries to view their claims data in mobile apps) by establishing secure, regimented API requirements for patient access to APIs through their own choice of a third-party app. It also requires the public reporting of any provider or payer that participates in information blocking, an act in which a party knowingly and unreasonably interferes with the exchange or use of electronic health information (EHI), often for competitive gain. The rule will affect an estimated 17.5 million individual market enrollees.
- Providers must share patient information with other providers
The rule requires all hospitals participating in Medicare and Medicaid (with sufficient EHR notification systems) to send notifications to the patient’s primary care provider and any other relevant acute care providers when the patient experiences an admission, discharge, and/or transfer (ADT) event. The rule also updates federal-state information exchange requirements for states.
- Payers must share enrollee data
Select payers will have to share claims data and other health information with patients, if they request it, through the Patient Access API. If requested, payers must also ask for their enrollees’ health data from their former health plan. Payers are encouraged to share data with each other using payer-to-payer HIE. The rule applies to payers that offer individual qualified health plans (QHPs) in federal marketplace states, Medicare Advantage plans (including Medicare Advantage dual-eligible special needs plans), all types of Medicaid and CHIP managed care plans (including managed care organizations, prepaid inpatient health plans, or prepaid ambulatory health plans), and state Medicaid and CHIP agencies that offer fee-for-service programs.
- States must send data to CMS
Starting April 1, 2022, states must send dual-eligible enrollee data to CMS every day (instead of the current monthly rate) to improve beneficiary care coordination.
The CMS rule does not apply to the broader commercial market or insurers that offer employer-sponsored health insurance, Small Business Health Options Program (SHOP) plans, or stand-alone dental plans. Nor does it apply to insurers that offer QHPs through state-based marketplaces on the federal platform.
This image displays the CMS Rule implementation timeline as of Monday, April 27, 2020. Dates ending with a * have been updated in line with the implementation timeline delays announced April 21, 2020.
ONC’s “21st Century Cures Act” Rule Lays the Groundwork for Secure Data Exchange
ONC’s final rule addresses information blocking and HIT certification. It implements the information blocking provisions of the Cures Act and identifies eight exceptions from information blocking penalties. The rule promotes common data through the new formatting standard, the U.S. Core Data for Interoperability (USCDI), which includes new certification rules. The most significant new requirements are:
- The export of EHI maintained by health IT products, and
- The standardization of APIs.
The USCDI facilitates nationwide HIE and advances the rule’s mandate that patients can access all of their electronic health information, structured or unstructured, at no cost to them.
ONC’s rule also mandates that HIT developers prove that they have enacted multiple privacy and security measures, including multi-factor authentication. It also creates certified HIT channels wherein providers may share visual communication of EHRs (e.g., screenshots, video), which currently is prohibited in most EHR contracts.
If HIT developers, payers, and other key organizations (other than providers) do not comply, they face a fine of up to $1 million. The penalty for providers will be decided in future regulation.
This graphic displays regulatory dates for ONC's Cures Act Final Rule. Its scheduled publication date in the Federal Register is May 1, 2020. CMS’ postponement of several provisions of its “Interoperability and Patient Access” rule may affect ONC’s timeline. Source: ONC
Impact of the New Rules on Key Stakeholders
Patients Can Access Health Data on Their Smartphones, but May Face Privacy Risks
These rules are designed to empower patients. They will be able to access their health data in one place, instead of having to log into multiple individual provider and payer portals. More information will be available to patients, including providers’ contact information, the names of providers that participate in information blocking, and the patient’s health records (available on an app of their choosing). Increased ADT event notifications and HIE should improve patient care coordination.
However, the push to store personal health data on third-party apps comes with risks to personal security. Once information has been loaded into an app, it is no longer subject to federal security measures or regulations. The authority to create privacy protections lies with Congress, not CMS, which means that related rulemaking is unlikely to occur before the COVID-19 outbreak subsides.
This means that the burden of reviewing app terms and conditions will likely fall on consumers if their provider or payer doesn’t post recommendations and resources. Organizations like the American Medical Informatics Association and the American Medical Association have pressed for new requirements that would solicit privacy and security confirmations from app developers.
Consumer advocacy groups like the Society for Participatory Medicine express that they want to require third-party apps to “follow codes of conduct and disclose how the data will be used in clear, easy to understand terms.”
Patients also face the likelihood that costs to insurance companies for complying with this rule will be shifted to their enrollees’ premiums.
Providers Face a Compliance Burden before Experiencing Benefits of Interoperability
Providers will be able to more easily share patient information and coordinate care, and will still be able to block patient information from other providers and payers if the situation falls under one of the eight exceptions. On the other hand, many providers must now send ADT event alerts, share patient data through APIs (if requested), and send dual-eligible enrollee data to HHS daily. Concerned parties cite a lack of “appropriate guardrails” for patient data after it is transferred out of the HIPAA-protected environment to third-party apps.
These rules will likely have a disproportionate effect on some providers. Post-acute care facilities have not faced as much pressure or funding to develop their HIT systems, and will probably require more HIT development. The American Hospital Association argued that hospitals’ burden of proof to demonstrate that they did not block patient information is excessive, and urged ONC to extend related implementation deadlines. Likewise, America’s Essential Hospitals urged both CMS and ONC to reduce burden on hospitals through measures such as not adding HIE requirements to the Medicare conditions of participation.
Payers Stand to Benefit from Interoperability, but Face Implementation Costs
One advantage to payers is the promise of improved care coordination and communication across health plans. However, payers have opposed the rules, asserting that they present multiple burdens and a tight timeline to enact significant structural changes, including plan-to-plan information sharing, maintenance of provider directories, and daily federal-state data exchange. They are also wary of the high estimated implementation costs associated with first-year API development and annual maintenance.
To comply with the rule, payers must make patient data available through APIs connected to third-party apps. Payers argue that they already have customized pricing tools and enrollee portals, but CMS maintains that it will be more beneficial for consumers to have all of their health and insurance data in one place rather than on multiple online portals.
Payer associations have reacted differently to the rules. The Alliance of Community Health Plans (ACHP) reacted favorably to the rules, citing the need for collaboration with HHS to ensure security of patient data. Despite this support, ACHP also praised HHS for delaying the rule implementation deadlines to reduce pressure on health plans during COVID-19. Meanwhile, America’s Health Insurance Plans (AHIP) expressed opposition to expanded patient data sharing.
EHR Vendors Protest the ONC Rule, then Collaborate with ONC and HHS to Improve Patient Outcomes
The main benefit to EHR vendors is that the rules will provide a roadmap for standardizing their API for the national platform. They will no longer need to constantly reformat data for submission to different APIs.
One drawback of the rules for EHR vendors is that they will need to transition from CCDA to the USCDI, the new data formatting standard. Additionally, due to the nature of the required changes, it may be difficult to comply with the rules’ timelines and scope of regulated data.
Epic Systems, the largest EHR vendor (which can earn up to $1 billion per EHR system installation), was the most vocal opponent of the rules. Epic, joined by about 60 health systems and life sciences companies, sent a letter to HHS Secretary Alex Azar opposing the rules. They argued that the rules will be “overly burdensome on our health system and will endanger patient privacy" and jeopardize the security of health data. They are supportive of HHS’ goal to make patients’ health data more accessible to them, but oppose the potential costs. They are working closely with ONC and HHS to minimize negative consequences for patients.
COVID-19 May Ultimately Facilitate Interoperability Expansion, but Has Prompted Delays in the Rules’ Implementation Timelines
The pandemic may shift the national healthcare landscape towards interoperability and HIT more quickly and to a greater extent than anticipated and facilitate the adoption of these two rules. Due to the social distancing protocols of the COVID-19 pandemic, providers are rapidly adopting telehealth technologies. To support this development, on March 6, 2020, CMS expanded access to Medicare telehealth services by offering reimbursement to clinicians who participate. On March 20, CMS released two telehealth toolkits and resource repositories for both general practitioners and end-stage renal disease providers. States are also encouraging this effort by providing resources and HIPAA-compliant communication platforms.
Although the need for interoperability may be greater to address the pandemic, some providers argue that efforts to comply with the new rules could impede providers’ ability to fight COVID-19. To address this concern, CMS announced on April 21 that it would delay several implementation deadlines for its rule.
However, others contend that the need for comprehensive, secure data sharing is greater now than ever before and that any delays in the HHS rules’ implementation timeline may interfere with national progress toward interoperability. Cynthia Fisher, a patient data transparency advocate, noted in Politico that with increased demand for telemedicine and lab testing, there is an unprecedented need for quick data sharing among clinical organizations.
How IMPAQ Supports Interoperability and Patient Access
IMPAQ’s subject matter experts in HIT, quality measurement, health insurance marketplaces, and value-based care are committed to the thoughtful development and evaluation of HIE networks that securely share patient data. In-house HIT experts such as Craig Schneider, Maggie Lohnes, and Michelle Lefebvre bring decades of combined experience with health information exchange, EHR design and implementation, healthcare-related data standards, and value-based care programs. In collaboration with IMPAQ’s advanced analytics team, our experts will continue to track the implementation of these rules and update readers as they evolve.
Your Source for Solutions
IMPAQ is a policy research and analytics firm committed to tracking these two rules and the effects of these policies on patients, stakeholders, and the broader health care industry. Through cutting-edge research, advanced analytics, and technology capabilities, our experts bring deep policy expertise to help our clients understand and comply with new regulations.