HHS’ Sweeping Interoperability and Information Blocking Final Rules Bring Patient Health Data Access into the 21st Century
This Featured Article is contributed by AHLA's Health Information and Technology Group.
- March 13, 2020
- Heather B. Deixler , Latham & Watkins LLP
- Felicia M. Alexander , Latham & Watkins LLP
- Andrea Olson , Latham & Watkins LLP
On March 9, 2020, the U.S. Department of Health and Human Services (HHS) issued two expansive final rules that implement interoperability and data access provisions of the 21st Century Cures Act (Cures Act), to provide patients with improved access to their health information (collectively, the Final Rules).[1] The new rules aim to promote interoperability, innovation, and patient empowerment for electronic health information (EHI), and seek to curtail "information blocking." These new requirements will have industry-wide impacts, imposing significant obligations on providers, payers, and health IT vendors, while also presenting significant new opportunities. The Final Rules focus on information sharing and patient control of health care records as key components in the transition toward a value-based health care system. As HHS Secretary Alex Azar stated, "These rules are the start of a new chapter in how patients experience American healthcare, opening up countless new opportunities for them to improve their own health, find the providers that meet their needs, and drive quality through greater coordination."[2]
HHS' Office of the National Coordinator for Health Information Technology's (ONC's) final rule (ONC Final Rule)[3] both builds upon the Cures Act and revises the 2015 Edition Health IT Certification Criteria.[4] It is designed to promote interoperability between patients and other health care industry players through sweeping data sharing requirements. Moreover, the ONC Final Rule purports to encourage the development and widespread use of health care applications that provide access to patient EHI. ONC also takes aim at "information blocking" practices—in other words, anticompetitive actions by health care industry participants. The ONC Final Rule attempts to increase patient access to EHI, which should empower patients to take ownership of their health care data and decision making.
The Centers for Medicare & Medicaid Services (CMS) final rule (CMS Final Rule)[5] focuses on many of the same interoperability and patient access issues as the ONC Final Rule, but applies to CMS-regulated payers, including Medicare Advantage organizations, Medicaid and Children's Health Insurance Program (CHIP) fee-for-service programs, Medicaid and CHIP managed care plans, and qualified health plan issuers offering plans on the federal health exchanges. The CMS Final Rule aims to empower patients with control of their health information, enabling patients to move between payers and providers and maintain their own comprehensive historical records of clinical and administrative information. Besides the key areas below, the CMS Final Rule includes some updated requirements for the exchange of data between state and federal programs, specifically for those patients who are dually eligible for Medicare and Medicaid.
Highlights and Key Areas of Focus
Fulfilling the promise of the Cures Act, the stated objectives of the Final Rules are to promote patient access to EHI. In particular, the agencies have focused the new rulemaking on:
- Interoperability: The ONC Final Rule mandates that both public and private health care entities share EHI among patients and other health care entities, while ensuring that such data remains protected. The ONC Final Rule narrows the definition of EHI, which is now limited to electronic protected health information (as defined under the Health Insurance Portability and Accountability Act (HIPAA)), to the extent that it would be included in a designated record set, regardless of whether the records are used or maintained by or for a covered entity. The interoperability requirements are designed to allow patients to more easily transfer their EHI between payers and health care providers, while patients maintain access to their own EHI. Notably, ONC has indicated that when patients choose their third-party applications to maintain their EHI, there will "generally not be a need for 'vetting' on security grounds."[6] Commenters raised potential privacy concerns with respect to the health information disclosed to third-party applications chosen by individuals, which may not be subject to HIPAA, asserting that such applications would have access to information "in ways the HIPAA Rules would not permit," and further suggesting that "individuals would incorrectly blame the hospital or health plan if a third-party app developer sold their EHI or used it for marketing or other purposes."[7] To set a baseline of data classes and data elements that may be used for interoperable exchange, ONC has finalized the adoption of the United States Core Data for Interoperability (USCDI). To provide IT developers with additional flexibility, ONC has also greenlighted the use of the Standards Version Advancement Process (SVAP), which allows developers to certify their products to new versions of the USCDI on a voluntary basis prior to future rulemaking explicitly calling for the use of updated versions of the USCDI.
Similarly, the CMS Final Rule requires "payer-to-payer data exchange" of specified data to coordinate care when a patient moves between payment systems. CMS is also creating a Condition of Participation that will require participating hospitals, including psychiatric hospitals and Critical Access Hospitals, to send electronic notifications to another health care facility or provider when a patient is admitted, discharged, or transferred. CMS did not, however, finalize the proposal for required participation in a "trusted exchange network," a coordinated legal agreement that would allow network-to-network data sharing, noting that the development of the Trusted Exchange Framework remains ongoing.
- Innovation: The ONC Final Rule calls for the health care industry to share health data with patients in an easily accessible app-based format, available to patients at no cost. Patients must be able to both access and download their EHI via such apps. The ONC Rule also provides for the adoption of standardized application programming interfaces (API), which will form the backbone of these apps, to encourage ease of patient access to EHI. Specifically, the new rule creates API certification criteria for two types of API-based products—those designed for accessing a single patient's data and those that focus on the data of multiple patients. These requirements are ostensibly designed to spark the development of new third-party apps and encourage use of such apps by patients to engage with their own health data. Increased competition in the market for such apps is also intended to provide patients with more choice with respect to engaging with their own health data.
The CMS Final Rule similarly requires payers to implement two types of APIs through which third-party programmers can build apps to give patients access to health information. First, payers must create "Patient Access APIs" to allow patients to access their own EHI—specifically, claim and encounter information, as well as clinical data. Second, payers must create "Provider Directory APIs" that provide directory information so patients can find information on providers and clinicians. The application requirements must meet the same standards outlined in the ONC Final Rule. CMS hopes this streamlined access will lead to improvements both in patient decision making and health outcomes.
- Information Blocking: As required under the Cures Act, the ONC Final Rule finalizes the definition of "information blocking" (e.g., anticompetitive behaviors) and implements eight exceptions for certain "reasonable and necessary" activities that ONC has noted are likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI, but would be reasonable and necessary if certain conditions are met. The exceptions are divided into two categories: (1) exceptions that involve not fulfilling requests to access, exchange, or use of EHI, and (2) those that involve procedures for fulfilling such requests. The ONC Final Rule is designed to add flexibility, allowing communication about health IT usability and the user experience, interoperability, and security. The ONC Final Rule requires health IT developers to comply with such anti-information blocking regulations as a Condition of Certification.
CMS will handle information blocking by publicly reporting those clinicians, hospitals and Critical Access Hospitals that attest to information blocking via the Medicare Fee-for-Service Promoting Interoperability Program.
The information blocking prohibitions will go into effect six months from publication of the Final Rules, and enforcement of the information blocking civil monetary penalties will begin following additional rulemaking from the Office of Inspector General.
- Patient Empowerment: The Final Rules seek to empower patients by providing for easier access, exchange, and use of EHI. As HHS Secretary Azar noted, "From the start of our efforts to put patients and value at the center of our healthcare system, we've been clear: Patients should have control of their records, period. Now that's becoming a reality."[8] With access to their health data at their fingertips, patients will be better equipped to make decisions about their health care options. The CMS Final Rule addresses patient data access and portability with the innovation requirements above, but also with traditional information access tools. For example, CMS will publish names of providers that fail to list or fail to update digital contact information in the National Plan and Provider Enumeration System, with the hope that this will encourage providers to keep the digital contact information index up to date and accessible for patients as required under the Cures Act.
The authors wish to thank Alisa Chestler, Baker, Donelson, Bearman, Caldwell & Berkowitz P.C., for her insightful comments to the alert.
Endnotes
[1] HHS Press Release: HHS Finalizes Historic Rules to Provide Patients More Control of Their Health Data (Mar. 9, 2020), https://www.hhs.gov/about/news/2020/03/09/hhs-finalizes-historic-rules-to-provide-patients-more-control-of-their-health-data.html.
[2] Id.
[3] Department of Health and Human Services, Office of the National Coordinator for Health Information Technology, 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule (Mar. 9, 2020), https://www.healthit.gov/curesrule/download (ONC Final Rule).
[4] See HealthIT.gov 2015 Edition (last accessed Mar. 12, 2020), https://www.healthit.gov/topic/certification-ehrs/2015-edition.
[5] Centers for Medicare & Medicaid Services, Medicare and Medicaid Programs: Patient Protection and Affordable Care Act; Interoperability and Patient Access for Medicare Advantage Organization and Medicaid Managed Care Plans, State Medicaid Agencies, CHIP Agencies and CHIP Managed Care Entities, Issuers of Qualified Health Plans on the Federally-facilitated Exchanges, and Health Care Providers (Mar. 9, 2020), https://www.cms.gov/files/document/cms-9115-f.pdf (CMS Final Rule).
[6] ONC Final Rule, at 466 of 1244.
[7] Id. at 674 of 1244.
[8] HHS Press Release, supra note 1.