HHS Releases Final Interoperability and Information Blocking Rules

On March 6, 2020, the Office of Information and Regulatory Affairs’ Office of Management and Budget announced it has completed its review of the rules proposed by two HHS agencies in February 2019 to tackle interoperability and information blocking.

On March 9, 2020, the HHS’ Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator of Health Information Technology (ONC) released their final rules, which change how healthcare delivery organizations, health insurers, and patients exchange health data.

The interoperability and information blocking rules were required by the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) and the 21st Century Cures Act of 2016. They are intended to make it easier for healthcare data to be exchanged between providers, insurers, and patients, and are a key part of creating a patient-centric healthcare system and putting patients in control of their own health records.

“These rules are the start of a new chapter in how patients experience American healthcare, opening up countless new opportunities for them to improve their own health, find the providers that meet their needs, and drive quality through greater coordination,” explained HHS Secretary, Alex Azar.

Easy Access to Patient Records Through APIs

One of the ways that patients are given easy access to their health data is through the use of application programming interfaces (APIs). APIs can be leveraged to connect different IT systems and software solutions to allow data to be easily transferred from one to the other. The use of APIs has driven innovation in many sectors, but they have not been adopted in healthcare to give patients easy access to their medical records. The final rules will ensure that changes.

The use of APIs will allow healthcare providers to easily share a patient’s electronic health records with other healthcare organizations with different EHR systems. It will also allow patients to have their healthcare data, including medical records, sent to a third-party health app if they so wish. The rules also include provisions to ensure that patient data contained in electronic health records is provided to patients at no additional cost when it is accessed electronically.

Improving Interoperability of Health Data

The CMS Interoperability and Patient Access final rule, part of the Trump Administration’s MyHealthEData initiative, is aimed at improving interoperability and patient access to healthcare data. “[The] final rule is focused on driving interoperability and patient access to health information by liberating patient data using CMS authority to regulate Medicare Advantage (MA), Medicaid, CHIP, and Qualified Health Plan (QHP) issuers on the Federally-facilitated Exchanges (FFEs),” explained CMS in the Interoperability and Patient Fact Sheet, published on March 9, 2020.

The lack of effective exchange of healthcare data has had a negative effect on patient outcomes and is also contributing to high healthcare costs. The CMS final rule removes barriers to information sharing to give patients easy access to their healthcare data. It will improve interoperability, drive innovation, and reduce the burden on payers and providers. When patient health information moves freely, patient care can be coordinated easily, costs can be reduced, and patient outcomes are likely to improve.

“Delivering interoperability actually gives patients the ability to manage their healthcare the same way they manage their finances, travel and every other component of their lives. This requires using modern computing standards and APIs that give patients access to their health information and gives them the ability to use the tools they want to shop for and coordinate their own care on their smartphones,” said Don Rucker, M.D., national coordinator for health information technology.

Final Rules Will Drive Innovation

In addition to requiring healthcare providers to share medical records with third party apps at the request of patients, the CMS rule also calls for health insurers to share cost information with third-party apps. This will give patients information about the out-of-pocket expenses they are likely to incur. This will allow patients to plan and budget for medical bills.

“The days of patients being kept in the dark are over,” said CMS Administrator Seema Verma. “These rules begin a new chapter by requiring insurance plans to share health data with their patients in a format suitable for their phones or other device of their choice. We are holding payers to a higher standard while protecting patient privacy through secure access to their health information. Patients can expect improved quality and better outcomes at a lower cost.”

The CMS final rule also requires CMS-regulated payers to make provider directory information available publicly via a standards-based API. This will encourage innovation and will allow third-party app developers to create services that allow patients to find providers that can offer care and treatment. These apps could also be used by clinicians to find other providers to help with care coordination.

The CMS rule also calls for payer-to-payer clinical health data exchange to allow patients to take their data with them when they change payers and to create a cumulative health record with their current payer. “Having a patient’s health information in one place will facilitate informed decision-making, efficient care, and ultimately can lead to better health outcomes,” explained the CMS.

Preventing Information Blocking

The ONC’s 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule details the information blocking practices, such as anti-competitive behavior, that are prohibited, and the reasonable and necessary activities that are not classed as information blocking and are permitted. One area where problems will be eased is the sharing of screenshots and videos related to EHR use. Many EHR providers prohibit the use of screenshots and videos, even though these are important for communicating about usability, the user experience, and interoperability.

The CMS has confirmed that starting in late 2020, using data collected for the 2019 performance year, the CMS will be reporting clinicians, hospitals, and critical access hospitals that are believed to be engaging in information blocking practices based on how they attested to certain Promoting Interoperability Program requirements.

Patient Privacy and Data Security

The proposed rules will improve interoperability and reduce information blocking, but there has been fierce criticism of the rules by some groups, mostly in relation to patient privacy. Both the American Hospital Association (AHA) and the American Medical Association (AMA) have been vocal critics of the rules, with one of the main issues related to the sharing of health records with third-party apps.

Healthcare providers are required to comply with HIPAA and must ensure safeguards are implemented to ensure patient data is protected. Health app developers and other entities not required to comply with HIPAA may not have appropriate privacy protections in place. There is also considerable potential for secondary uses of patient health information without the knowledge of patients.

The AHA and AMA are not alone. Many privacy advocates and health systems have expressed concern about the proposed rules and patient privacy. Last year, Epic wrote to the HHS Secretary voicing concern and even threatened legal action if patient privacy was not protected. The letter was signed by 60 healthcare systems.

The CMS and ONC have made patient privacy a key priority. Both the CMS and ONC want to ensure patient data flows freely, but also that patient privacy is protected. To ensure the privacy and security of patient data in transit, the ONC and CMS have adopted the Health Level 7® (HL7) Fast Healthcare Interoperability Resources® (FHIR) Release 4.0.1 as the standard to support data exchange via APIs.

That standard ensures patient privacy and security for the transfer of health data but does not cover patient data once it has been transferred to a third party. To address risks after data has been transferred, healthcare organizations are permitted to ask third-party app developers to attest to certain privacy provisions, such as whether there will be any secondary uses of patient data and to make sure patients are informed about what those secondary uses will be.

COVID-19 Pandemic Highlights Importance of Interoperability in Healthcare

The COVID-19 pandemic has highlighted the importance of interoperability in healthcare. The pressure placed on healthcare providers by the massive increase in patients requiring treatment for COVID-19 has meant many healthcare providers have had to expand their facilities outside of their walls. They have opened new testing facilities, have had to rapidly expand remote care services, and boost telehealth and virtual appointments. All of these changes in response to the COVID-19 pandemic require the seamless flow of information to ensure care can be properly coordinated.

Information related to COVID-19 needs to be shared by public health officials with a diverse range of healthcare organizations. That information is required to ensure patients receive the best possible care. Healthcare providers and business associates also need to share patient information, including emerging information on symptoms and treatments, with other healthcare providers and to support public health and health oversight activities.

With resources stretched, many healthcare providers are contracting with third party vendors to provide telehealth services. Those vendors need access to medical records and must send information gathered during telehealth visits directly to electronic medical record systems. With many patients now receiving virtual care, healthcare providers have had to deploy remote monitoring solutions for their patients. Those solutions must also be able to communicate with EHRs. Without this interoperability, there will naturally be disruption to clinical workflows.

Unfortunately, the current state of interoperability in healthcare is hampering the flow of information. Without full interoperability, information is restricted to silos and care coordination is difficult. Healthcare organizations that were already struggling with interoperability are likely to face even greater problems in the current climate.

Without interoperable healthcare systems, it is not possible for patient information to be collected and viewed across different health plans, healthcare providers, clinics, and public health agencies, and that will naturally have a negative impact on patient care.

HHS Takes Steps to Ease Burden on Healthcare Providers During the COVID-19 Pandemic

As is the norm during public health emergencies, the Secretary of the HHS issued a limited HIPAA waiver for certain provisions of the HIPAA Privacy Rule. The move will see OCR waive penalties and sanctions for noncompliance with a limited number of Privacy Rule provisions for 72 hours after hospitals have implemented their disaster protocol.

To ensure the flow of critical healthcare information is not impeded by HIPAA restrictions and HIPAA compliance does not get in the way of COVID-19 response efforts, the HHS has introduced unprecedented flexibilities to HIPAA requirements to further ease the burden on HIPAA covered entities and their business associates.

HHS Relaxes HIPAA Compliance Requirements

With the healthcare industry under tremendous strain, maintaining compliance with HIPAA becomes even more difficult. To ease the burden on healthcare providers, the HHS has issued Notices of Enforcement Discretion and will not be imposing sanctions and penalties on healthcare providers and business associates for noncompliance with certain provisions of HIPAA Rules.

On March 17, 2020, a Notice of Enforcement Discretion was announced covering the good faith provision of telehealth services during the COVID-19 public health emergency. To ease the burden on healthcare providers, OCR is allowing the use of everyday communications tools to help with the provision of telehealth services. Platforms which would not normally be considered fully HIPAA compliant can be used to communicate with patients and provide remote care. Teleconferencing and video communications tools such as FaceTime, Facebook Messenger Chat, Google Hangouts, Zoom, Skype, and WhatsApp can be used to help healthcare providers assess a greater number of patients. However, public-facing platforms such as Facebook Live and TikTok cannot be used.

On April 2, 2020, OCR announced a further Notice of Enforcement Discretion to allow business associates of HIPAA covered entities to use and disclose protected health information to support public health and health oversight activities during the COVID-19 pandemic. Business associates will not face sanctions and penalties for disclosures of PHI to Federal public health authorities and health oversight agencies such as the CMS and the CDC, state health departments, and state emergency operations centers, even though such disclosures may not be explicitly stated in their business associate agreements. The disclosures are now permitted provided the business associate notifies the appropriate covered entity about any such use or disclosure within 10 days.

On April 9, 2020, OCR announced a Notice of Enforcement Discretion covering community-based testing sites. Sanctions and penalties will not be imposed on covered entities and business associates in relation to the good faith participation in the operation of COVID-19 testing sites for the duration of the national public health emergency.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.