HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HHS Extends Comment Period on Proposed Rules to Improve ePHI Interoperability

The Department of Health and Human Services has extended the deadline for submitting comments on its proposed rules to promote the interoperability of health information technology and electronic protected health information.

Two new rules were released on February 11, 2019 by the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS). The purpose of the new rules is to support the secure access, exchange, and use of electronic health information. The rules cover technical and healthcare industry factors that are proving to be barriers to the interoperability of health information and are limiting the ability of patients to gain access to their health data.

The deadline has been extended to give the public and industry stakeholders more time to read the proposed rules and provide meaningful input that can be used to help achieve the objectives of the rules. The extension has come in response to feedback from many stakeholders who have asked for more time to review the rules, which have potential to cause a range of issues for healthcare organizations.

Two other factors influenced the decision to extend the deadline. There appeared to be some confusion over HIPAA and whether healthcare providers are accountable for how patients use their health data. To help clear up the confusion, the HHS’ Office for Civil Rights has released a new FAQ for providers which explains the HIPAA right of access in relation to health apps used by patients, application programming interfaces (APIs) used by healthcare providers’ electronic health record systems, accountability, and general information on access rights and health IT.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Also, the ONC has recently released the second draft of its Trusted Exchange Framework and Common Agreement (TEFCA), which could be factored into comments. While there is not a great deal of overlap between TEFCA and the ONC/CMS proposed rules, they all operate in the same space.

Healthcare industry stakeholders have until to June 3, 2019 to review the new rules and submit meaningful feedback.

Final Interoperability Rules Finally Issued on March 9, 2020

It took more than a year, but on March 9, 2020, the CMS and ONC both announced the release of their complimentary final interoperability rules.

These rules have been called “transformative” by the HHS as they will provide patients with “unprecedented safe, secure access to their health data.” With easy access to their healthcare data, patients will be empowered to make informed decisions about their healthcare to better manage their care – An essential part of a value-based healthcare system.

One of the key aims of the new rules is to give Americans easy access to their healthcare data and allow them to manage their healthcare in a similar way to managing their finances. With access to their healthcare data – medical records and claims information – they will be able to shop around for healthcare services and get the level of care they need at the best price.

“In today’s digital age, our health system’s data sharing capacity shouldn’t be mired in the stone age. Unfortunately, data silos continue to fragment care, burden patients, and providers, and drive up costs through repeat tests,” said CMS Administrator Seema Verma. “These rules begin a new chapter by requiring insurance plans to share health data with their patients in a format suitable for their phones or other device of their choice. We are holding payers to a higher standard while protecting patient privacy through secure access to their health information. Patients can expect improved quality and better outcomes at a lower cost.”

The new rules will help to spur innovation by providing easy access to healthcare data through APIs, and they should spell an end to information blocking, helping to ensure that patient health information flows freely, regardless of the EHR system used to create the records.

The ONC Final Rule

One of the main elements of the ONC final rule is the requirement for all EHR vendors to use a standard application programming interface (API). The ONC has adopted the Fast Healthcare Interoperability Resources 4.0 standards framework covering all certified EHRs and healthcare apps. The standard API will allow patients to download copies of their healthcare records to a smartphone app of their choice, free of charge.

The ONC has established rules to prevent information blocking. The ONC final rule establishes the reasonable and necessary activities that do not constitute information blocking practices and prohibits certified EHR vendors, health information exchanges, healthcare providers, and software developers from blocking the flow of healthcare data. These information blocking rules take effect 6 months after the publication of the ONC final rule in the Federal Register, after which financial penalties will be issued when information blocking is discovered. The ONC is working closely with the US Department of Health and Human Services’ (HHS’) Office of Inspector General on the financial penalties and a rule-making proposal will soon be released.

The ONC final rule also requires EHRs to provide the necessary clinical data to promote new business models of care, which must include, through the U.S. Core Data for Interoperability (USCDI), demographic data to assist with patient matching, clinical notes, allergies, medications, and other important healthcare data. This will help to ensure that healthcare data can be easily understood when it is received.

The CMS Interoperability and Patient Access Final Rule

The CMS Interoperability and Patient Access final rule requires private health plans that do business with the government (through Medicare Advantage, Medicaid, CHIP, and federal Exchanges) to allow patients access to their claims data through the Patient Access API. API access must also be provided to their provider directories. This will allow patients to easily see which providers are covered by their health plan, which will help them choose the provider that will best meet their healthcare needs. This information could be sent to the health application of the patients choice, and could allow claims data to be merged with EHR data. Patients will be able to take their claims and healthcare data with them as they switch health plans and move between different providers in the healthcare system. Starting January 1, 2021, the 85 million individuals that have been enrolled in health plans will be provided with their claims data through the API.

All Medicare and Medicaid participating hospitals are required to send admission, discharge, and transfer data electronically to other healthcare facilities. This requirement will allow the receiving provider to provide appropriate follow up care, which should help to improve patient outcomes. This aspect of the final rule takes effect 6 months from the date the final rule is published in the Federal Register.

Beginning April 1, 2022, states will be required to send enrollee data daily for Medicare and Medicaid beneficiaries, which will help to improve care coordination and ensure patients get access to the services they need, when they need them, and that those services are billed appropriately first time.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.