HHS Releases Final Interoperability and Information Blocking Rules

Share this article on:

On March 6, 2020, the Office of Information and Regulatory Affairs’ Office of Management and Budget announced it has completed its review of the rules proposed by two HHS agencies in February 2019 to tackle interoperability and information blocking.

On March 9, 2020 the HHS’ Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator of Health Information Technology (ONC) released their final rules which change how healthcare delivery organizations, health insurers, and patients exchange health data.

The interoperability and information blocking rules were required by the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) and the 21st Century Cures Act of 2016. They are intended to make it easier for healthcare data to be exchanged between providers, insurers, and patients and are a key part of creating a patient-centric healthcare system and put patients in control of their own health records.

“These rules are the start of a new chapter in how patients experience American healthcare, opening up countless new opportunities for them to improve their own health, find the providers that meet their needs, and drive quality through greater coordination,” explained HHS Secretary, Alex Azar.

Easy Access to Patient Records Through APIs

One of the ways that patients are given easy access to their health data is through the use of application programming interfaces (APIs). APIs can be leveraged to connect different IT systems and software solutions to allow data to be easily transferred from one to the other. The use of APIs has driven innovation in many sectors, but they have not been adopted in healthcare to give patients easy access to their medical records. The final rules will ensure that changes.

The use of APIs will allow healthcare providers to easily share a patients’ electronic health records with other healthcare organizations with different EHR systems. It will also allow patients to have their healthcare data, including medical records, sent to a third-party health app if thy so wish. The rules also include provisions to ensure that patient data contained in electronic health records is provided to patients at no additional cost when it is accessed electronically.

Improving Interoperability of Health Data

The CMS Interoperability and Patient Access final rule, part of the Trump Administration’s MyHealthEData initiative, is aimed at improving interoperability and patient access to healthcare data. “[The] final rule is focused on driving interoperability and patient access to health information by liberating patient data using CMS authority to regulate Medicare Advantage (MA), Medicaid, CHIP, and Qualified Health Plan (QHP) issuers on the Federally-facilitated Exchanges (FFEs),” explained CMS in the Interoperability and Patient Fact Sheet, published on March 9, 2020.

The lack of effective exchange of healthcare data has had a negative effect on patient outcomes and is also contributing to high healthcare costs. The CMS final rule removes barriers to information sharing to give patients easy access to their healthcare data, it will improve interoperability, drive innovation, and reduce the burden on payers and providers. When patient health information moves freely, patient care can be coordinated easily, costs can be reduced, and patient outcomes are likely to improve.

“Delivering interoperability actually gives patients the ability to manage their healthcare the same way they manage their finances, travel and every other component of their lives. This requires using modern computing standards and APIs that give patients access to their health information and gives them the ability to use the tools they want to shop for and coordinate their own care on their smartphones,” said Don Rucker, M.D., national coordinator for health information technology.

Final Rules Will Drive Innovation

In addition to requiring healthcare providers to share medical records with third party apps at the request of patients, the CMS rule also calls for health insurers to share cost information with third-party apps. This will give patients information about the out-of-pocket expenses they are likely to incur. This will allow patients to plan and budget for medical bills.

“The days of patients being kept in the dark are over,” said CMS Administrator Seema Verma. “These rules begin a new chapter by requiring insurance plans to share health data with their patients in a format suitable for their phones or other device of their choice. We are holding payers to a higher standard while protecting patient privacy through secure access to their health information. Patients can expect improved quality and better outcomes at a lower cost.”

The CMS final rule also requires CMS-regulated payers to make provider directory information available publicly via a standards-based API. This will encourage innovation and will allow third-party app developers to create services that allow patients to find providers that can offer care and treatment. These apps could also be used by clinicians to find other providers to help with care coordination.

The CMS rule also calls for payer-to-payer clinical health data exchange to allow patients to take their data with them when they change payers and to create a cumulative health record with their current payer. “Having a patient’s health information in one place will facilitate informed decision-making, efficient care, and ultimately can lead to better health outcomes,” explained the CMS.

Preventing Information Blocking

The ONC’s 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule details information blocking practices such as anti-competitive behavior which are prohibited and reasonable and necessary activities that are not classed as information blocking and are permitted. One area where problems will be eased is the sharing of screenshots and videos related to EHR use. Many EHR providers prohibit the use screenshots and videos, when these are important for communicating about usability, the user experience, and interoperability.

The CMS has confirmed that starting in late 2020, using data collected for the 2019 performance year data, the CMS will be reporting clinicians, hospitals, and critical access hospitals that are believed to be engaging in information blocking practices based on how they attested to certain Promoting Interoperability Program requirements.

Patient Privacy and Data Security

The proposed rules will improve interoperability and reduce information blocking, but there has been fierce criticism of the rules by some groups, mostly in relation to patient privacy. Both the American Hospital Association (AHA) and the American Medical Association (AMA) have been vocal critics of the rules criticized the rules, with one of the main issues related to the sharing of health records with third-party apps.

Healthcare providers are required to comply with HIPAA and must ensure safeguards are implemented to ensure patient data is protected. Health app developers and other entities not required to comply with HIPAA, may not have appropriate privacy protections in place. There is also considerable potential for secondary uses of patient health information without the knowledge of patients.

The AHA and AMA are not alone. Many privacy advocates and health systems have expressed concern about the proposed rules and patient privacy. Last year, Epic wrote to the HHS Secretary voicing concern and even threatened legal action if patient privacy was not protected. The letter was signed by 60 healthcare systems.

The CMS and ONC have made patient privacy a key priority. Both the CMS and ONC want to ensure patient data flows freely, but also that patient privacy is protected. To ensure the privacy and security of patient data in transit, the ONC and CMS have adopted the Health Level 7® (HL7) Fast Healthcare Interoperability Resources® (FHIR) Release 4.0.1 as the standard to support data exchange via APIs.

That standard ensures patient privacy and security for the transfer of health data but does not cover patient data once it has been transferred to a third party. To address risks after data has been transferred, healthcare organizations are permitted to ask third-party app developers to attest to certain privacy provisions, such as whether there will be any secondary uses of patient data and to make sure patients are informed about what those secondary uses will be.

Author: HIPAA Journal

Share This Post On