Pursuant to the 21st Century Cures Act, on March 9, 2020, the Centers for Medicare and Medicaid Services (CMS) and HHS’ Office of the National Coordinator for Health Information Technology (ONC) issued rules governing how medical providers, health insurers, and patients exchange health data. The goal of the rules is to better coordinate patient care, but the rules have been opposed by provider groups, who have cited concerns with patient privacy.

The ONC’s final rule establishes secure, standards-based application programming interface (API) requirements for electronic health records that will allow patients to securely obtain and use their electronic health information from their providers’ medical records for free, using the smartphone application of their choice. At a minimum, the Patient Access API must make adjudicated claims and clinical data available within one business day after a claim is adjudicated or encounter data are received.

CMS’ Interoperability and Patient Access final rule applies the ONC standards to CMS-regulated payers, including Medicare Advantage, Medicaid managed care, and Qualified Health Plan issuers on the federal exchange. The rules require these plans to implement a secure Patient Access API that will allow patients to access their claims data and encounter information, including cost and certain clinical information, through third-party applications of their choice by January 1, 2021. In its Fact Sheet announcing the rules, CMS stated that “[c]laims data used in conjunction with clinical data, can offer a broader and more holistic understanding of an individual’s interactions with the healthcare system leading to better decision-making and better health outcomes.”

CMS-regulated payers are also required to make provider directory information publicly available via a standards-based API by January 1, 2021, and to exchange certain patient clinical data, specifically the U.S. Core Data for Interoperability version 1 data set, at the patient’s request beginning January 1, 2022.

The rules also increase the frequency requirements for states to exchange certain enrollee data for individuals dually eligible for Medicare and Medicaid from monthly to daily starting April 1, 2022. According to the CMS fact sheet, the goal of this requirement is to ensure that dual eligible beneficiaries get access to appropriate services and that these services are billed appropriately the first time, eliminating waste and burden.”

The rules also require public reporting of providers who block information. The 21st Centuries Cures Act defines “information blocking” as “a practice that is likely to interfere with, prevent, or materially discourage access, exchange or use of electronic health information.” The rules identify activities that do not constitute information blocking, such as to protect an individual’s privacy, and establish new rules to prevent information blocking practices. Beginning in late 2020 for data collected for the 2019 performance year, CMS will publicly report eligible clinicians and hospitals that block information based on how they attest to certain Promoting Interoperability Program requirements. For example, for eligible clinicians who participate in the Merit Based Incentive Payments System (MIPS) and for hospitals, CMS will post on its website a list of providers who submit a “no” response to any of three attestations related to the prevention of information blocking.

In order to encourage providers to make their digital contact information public, which CMS believes will facilitate care coordination, CMS will publicly report providers who do not list or update their digital contract information in the National Plan and Provider Enumeration System.

Lastly, beginning six months after publication of the rule in the Federal Register, CMS will modify its Conditions of Participation to require hospitals, including psychiatric and clinical access hospitals, to send electronic patient event notifications of a patient’s admission, discharge, and/or transfer to another healthcare facility or provider.

In a HHS press release announcing the rules, Don Rucker, M.D., national coordinator for health information technology stated: “Delivering interoperability actually gives patients the ability to manage their healthcare the same way they manage their finances, travel and every other component of their lives.” HHS Secretary Alex Azar likewise stated: “From the start of our efforts to put patients and value at the center of our healthcare system, we’ve been clear: Patients should have control of their records, period. Now that’s becoming a reality.”

Organizations representing providers had opposed certain provisions of the rules when they were first proposed and providers remain concerned that the final rules have not addressed their issues with patient privacy. For example, American Hospital Association President and CEO Rick Pollack issued a statement saying:

America’s hospitals and health systems support giving patients greater access and control over their health data. In fact, nearly all hospitals and health systems have made health information available to patients electronically. However, today’s final rule fails to protect consumers’ most sensitive information about their personal health. The rule lacks the necessary guardrails to protect consumers from actors such as third party apps that are not required to meet the same stringent privacy and security requirements as hospitals. This could lead to third party apps using personal health information in ways in which patients are unaware. These guidelines are too important not to get right. We need to stand on the side of the patient by protecting patient privacy and strengthening security in this rule.

Many of Whatley Kallas, LLP’s clients are shifting to value-based care models, which require the timely exchange of health information, with at least some of their payers. Whatley Kallas attorneys will continue to follow these rules as they are implemented. For a link to the ONC final rule, please click here and for a link to CMS’ Interoperability and Patient Access final rule, please click here.