The Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) on March 9, 2020, released separate but related final rules addressing interoperability, information blocking, patient access to data and electronic health record (EHR) certification criteria. Notably, not much changed from the proposed regulations. Both agencies are moving forward despite some industry pushback.
The Final Rules draw on the policies advanced in the 21st Century Cures Act (Cures Act), directing ONC and CMS to develop policies that foster the interoperable exchange of health information between stakeholders. Among other provisions, the Cures Act urged the implementation of application programming interfaces (APIs) to modernize data exchange and better facilitate patient access to their health information.
The ONC rule finalizes significant changes to the health information technology (IT) certification program that will require developers to update their technology. The Final Rule also clarifies how the healthcare industry can prevent information blocking among healthcare providers, health IT developers, exchanges and health information networks. However, stakeholders have expressed concern that the Final Rule does not address protecting private patient data from third parties.
The CMS rule finalizes the agency's plan to improve access to the clinical, encounter, claims and other types of data that can be shared among patients, plans and federal agencies through Fast Healthcare Interoperability Resources (FHIR)-standard APIs. The Final Rule also finalizes ways that CMS can discourage information blocking, capture more electronic addresses for providers and require hospitals to electronically send admission, discharge and transfer notifications.
Below is a summary of the significant provisions from each Final Rule:
The policies in the ONC Rule directly impact healthcare providers, developers of Certified Health IT, health information networks and exchanges. They will also affect any entity that creates, accesses or exchanges electronic health information as part of its business model.
ONC's Final Rule streamlines and updates definitions of the kinds of "Actors" to which the information blocking provisions apply.
The ONC rule implements the information blocking provisions of the 21st Century Cures Act. The Cures Act created a new legal prohibition against information blocking – defined as any practice that is likely to interfere with, prevent or materially discourage access, exchange or use of electronic health information.
Compliance with the information blocking prohibition is required for a limited set of data starting six months from the date of publication of the Final Rule (estimated September 2020), and beginning 24 months after the date of publication with respect to all EHI (estimated March 2022).
However, enforcement of information blocking civil monetary penalties (CMP) will not begin until established by future notice and comment rulemaking by the Office of the Inspector General (OIG). As a result, Actors would not be subject to penalties until CMP rules are final.
Providers, health IT developers, health information exchanges and health information networks are all considered "Actors" in the prevention of information blocking. ONC finalized eight exceptions (up from seven in the Proposed Rule) to the definition of information blocking. An Actor will not be subject to enforcement actions under the information blocking provision for CMP or appropriate disincentives if the Actor's practice satisfies at least one exception. However, failure to meet the conditions of an exception does not automatically mean a practice constitutes information blocking. A practice failing to meet all conditions of an exception only means that the practice would not have guaranteed protection from CMPs or appropriate disincentives. The practice would instead be evaluated on a case-by-case basis to assess the specific facts and circumstances.
The eight exceptions are as follows:
ONC updated the definition of EHI, which was previously defined broadly. The Final Rule narrows the definition to mean electronic protected health information (ePHI) as defined in HIPAA, to the extent that ePHI would be included in a designated record set. This applies regardless of whether the records are used or maintained by or for a covered entity as defined under HIPAA. De-identified data is excluded from the definition of EHI. Also, EHI will not include psychotherapy notes or information compiled in reasonable anticipation of, or for use in, civil, criminal or administrative actions or proceedings.
As noted above, compliance with the information blocking rule for all EHI as defined under the Final Rule is not required until 24 months from publication of the Final Rule. From six months after publication through the 24-month deadline, the scope of EHI subject to the information blocking prohibition will be limited to only the data types described in the USCDI. In other words, there is a grace period during which the prohibition covers only the data described in the USCDI rather than all EHI.
The Final Rule updates the 2015 Edition Health IT Certification criteria. Certification criteria have been removed, revised or newly added to support evolving health IT standards and interoperability. Among various changes, the Final Rule adds two technical certification criteria (Electronic Health Information Export and Standardized API for Patient and Population Services) and two privacy and security criteria (Encrypt Authentication Credentials and Multifactor Authentication).
ONC also advanced the removal of the Common Clinical Data Set (CCDS) definition and its references from the 2015 Edition and is replacing it with the adoption of the USCDI standard (this provision was included in the draft Trusted Exchange Framework and Common Agreement). The USCDI is a standardized set of health data classes and constituent data elements for nationwide, interoperable health information exchange. The USCDI includes more data than the CCDS, for example clinical notes.
IT developers must update their software to comply within 24 months for revised criteria and 36 months for newly added criteria.
CMS, in partnership with the ONC, identified Health Level 7® (HL7) FHIR Release 4.0.1 as the foundational standard to support data exchange via secure application programming interfaces (APIs).
In response to widespread privacy concerns with non-HIPAA-covered direct-to-consumer applications, CMS repeatedly noted that it does not have the authority to regulate third-party applications and referred to the Federal Trade Commission's (FTC) authority over these entities.
Also, regarding privacy, CMS placed new emphasis on requiring health plans to educate their enrollees about the risks associated with sending personal health data to third-party apps that are not regulated by HIPAA privacy protections. Plans must post privacy and security resources to a public website, including a discussion about a third-party app's secondary use of data.
CMS-regulated payers, specifically Medicare Advantage organizations, Medicaid Fee-for-Service (FFS) programs, Medicaid managed care plans, Children's Health Insurance Program (CHIP) FFS programs, CHIP managed care entities and Qualified Health Plan (QHP) issuers on the Federally-facilitated Exchanges (FFEs), excluding issuers offering only stand-alone dental plans (SADPs) and QHP issuers offering coverage in the Federally-facilitated Small Business Health Options Program (FF-SHOP), are required to implement and maintain a secure, standards-based (HL7 FHIR Release 4.0.1) API.
These payers are required to implement a standards-based (HL7 FHIR) Patient Access Open API beginning Jan. 1, 2021 (for QHP issuers on the FFEs, plan years beginning on or after Jan. 1, 2021) that allows third-party apps to retrieve, with the approval of a current enrollee, any adjudicated claims (including provider remittances and enrollee cost-sharing), encounters with capitated providers, and clinical data (including lab results) that plans have maintained with a date of service on or after Jan. 1, 2016.
In the Final Rule, CMS confirmed that states and managed care plans must make adjudicated claims and encounter data available through the API for all Medicaid- or CHIP-covered services, including long-term services and supports (LTSS), i.e., social determinant data related to long-term care waiver services, such as in-home care, meal preparation or delivery, and transportation.
Data must be made available no later than one business day after a claim is adjudicated or encounter data are received. Regarding claims data, CMS acknowledged that giving people access to past cost information (from claims data) does not mean that they can negotiate or impact future healthcare costs, but it may "help them plan for future services."
Also of note, CMS proposed requiring that payers in CMS programs be able to participate in a trusted exchange network, which verifies the security and identity of participants and lets providers and plans share information regardless of which health IT network they belong to. However, plans do not have to join a trusted exchange network right away. CMS agreed with commenters that work on the Trusted Exchange Framework and Common Agreement (TEFCA) needs to progress further before finalizing this part of the rule.
As of Jan. 1, 2022, CMS payers must comply with patients' requests to send their clinical data, inclusive of the elements defined in the U.S. Core Data for Interoperability (USCDI) version 1 data set, to other CMS payers, to ensure that the new payer has patients' complete records if they change plans. USCDI version 1 includes high-level clinical data including allergies, clinical notes, patient goals and health concerns, immunizations, laboratory tests and results, medications, procedures and vital signs. As expected, the USCDI standard aligns with the ONC Rule's definition and exceptions for information blocking and the same API standard for exchanging patients' electronic health information.
Starting on April 1, 2022, state agencies will be required to exchange Medicare and Medicaid dual enrollee data daily with CMS. Currently, states are only required to exchange this data monthly.
Regarding providers, CMS finalized the conditions of participation (CoP) to require facilities to send key event notifications, known as admit-discharge-transfer (ADT) notices, to other providers caring for a patient. In contrast to the Proposed Rule, this requirement includes event notification requirements for any patient who accesses services in hospital emergency departments or any inpatient hospital services.
The new CoP for all Medicare and Medicaid participating hospitals requires that hospitals using an electronic medical records system or other electronic administrative system demonstrate:
1. The system is operational and used for the exchange of patient health information.
2. The system sends notifications that must include at least a patient name, treating practitioner name and sending institution name.
3. Consistent with federal and state law and regulations, and not inconsistent with the patient's expressed privacy preferences, the system sends notifications at the time of:
4. The system sends the notifications to all applicable post-acute care services providers and suppliers, the patient's primary care physician or any other provider that the patient indicates is primarily responsible for his or her care.
The Final Rule does not include the proposed requirement that the notifications include diagnosis information, although hospitals may decide to include diagnosis or additional information beyond the minimum required.
The change to the CoPs will be effective six months after the Final Rule is published in the Federal Register (estimated September 2020). CMS set this short time frame for hospitals to send electronic notifications about admissions, discharges or transfers because it believes that the content exchange standard is common to many EHR systems.
By late 2020, eligible clinicians, hospitals and critical access hospitals (CAHs) must attest that they support electronic access to health information, and list or update their digital contact information in the National Plan and Provider Enumeration System (NPPES), or CMS will publicly report them (e.g., on Physician Compare).
By Jan. 1, 2021, plans must make standardized information about their provider networks available through a published Provider Directory API.
CMS sought public comment on promoting interoperability among model participants and other healthcare providers as part of the design and testing of innovative payment and service delivery models. No additional information has been released from the Center for Medicare and Medicaid Innovation (CMMI) about these plans, and CMS did not propose any new regulations for comment in the Final Rule.