On March 9, 2020, the Department of Health and Human Services (HHS) issued two final rules aimed at improving patient access to electronic health information (EHI), as well as the standardization of modes of exchange for EHI.  The rules, which were issued by the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS), implement provisions of the 21st Century Cures Act and introduce new requirements for increasing interoperability.  We previously covered the proposed rules, which were released on March 4, 2019.

ONC’s final rule focuses on preventing information blocking and providing patients with greater control over their health data and is an important step towards promoting greater care coordination across various settings of care.  The rule directly regulates healthcare providers, developers of certain health IT, health information exchanges, and health information networks, and raises strategic considerations for companies partnering with these regulated stakeholders.  Key provisions of the final rule include:

  • Standardized Criteria for APIs: The final rule establishes standards for application programing interfaces (APIs) to improve the exchange of EHI and to enable patients to access their health information at no cost. Developers must ensure that their systems can communicate with third-party users, which include consumer apps.  ONC finalized the technical standard for API, adopting the Health Level® 7 (HL7) Fast Healthcare Interoperability Resources® (FHIR) 4.0.1.
  • Information Blocking and Exceptions: The Cures Act prohibits “information blocking,” defined broadly to mean practices that are likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI.  The rule finalizes the seven “reasonable and necessary” exceptions to the Cures Act’s prohibition of information blocking that were included in the proposed rule.  These include, for example, activities to protect patient safety, privacy, and the security of EHI.  The final rule also adds an eighth “Content and Manner Exception,” under which it will not be information blocking for an actor to limit the manner in which it responds to a request to access, exchange, or use EHI or the contents of the response, provided certain conditions are met.  Actors that engage in practices that do not meet one of the eight exceptions will not automatically be considered to have engaged in information blocking; instead, such practices will be evaluated on a case-by-cases basis.  Vendors, providers, and others will have six months to comply with the information blocking provision.  Enforcement of associated civil monetary penalties (CMPs) will not begin until the CMP rules are established through future rulemaking.
  • Conditions and Maintenance of Certification: The final rule establishes Conditions and Maintenance of Certification requirements for health IT developers.  The conditions require, for example, assurances that the developer will not engage in information blocking, compliance with API technical requirements, and real-world testing.
  • Access, Exchange, and Use Definitions: The final rule revised the proposed rule’s definitions of “access,” “exchange,” and “use.”  ONC made clear that “access” includes the ability or means necessary to make EHI available for exchange and not only for use.  ONC stated that the definition of “exchange” includes all transmissions, and is not limited to one-way transmissions.

CMS’s final rule on interoperability and patient access to health data applies to certain federally regulated payers, including Medicaid, the Children’s Health Insurance Program (CHIP), Medicare Advantage (MA), and certain Qualified Health Plan (QHP) issuers on the federally-facilitated exchanges (FFEs).[1]  The final rule establishes policies to improve the exchange of health data to facilitate greater patient access to EHI.  Key provisions of the final rule (which largely track the proposed rule) include:

  • Patient Access API: The final rule requires health plans to implement and maintain a standards-based Patient Access API that meets the technical standards finalized in ONC’s final rule.  The Patient Access API must make certain health data available, including at a minimum, adjudicated claims, encounters with capitated providers, and some clinical data.  Plans must make data with a date of service on or after January 1, 2016, available through the Patient Access API.  Plans must also permit third-party applications to access and retrieve health data through the Patient Access API, with the approval and at the direction of a current enrollee.  The Patient Access API must be fully implemented by January 1, 2021 (or for QHP issuers on the FFEs, by the first day of plan years beginning on or after January 1, 2021).
  • Provider Directory API: Plans must make provider directory information available through a public-facing Provider Directory API accessible on the plan’s website.  Directory information must include, at a minimum, provider names, addresses, phone numbers, and specialties, plus pharmacy information for MA plans that offer prescription drug benefits (MA-PDs).  All information must be made available within 30 days of a plan receiving new or updated provider directory information.  The Provider Directory API must be fully implemented by January 1, 2021.
  • Payer-to-Payer Data Exchange: The final rule requires MA organizations, Medicaid and CHIP managed care entities, and QHP issuers on the FFEs to coordinate care between plans by exchanging specific data elements from the content and vocabulary standard finalized in ONC’s final rule.  The CMS final rule clarifies that plans must send specific data, with the approval and at the direction of a current or former enrollee, to “any other payer identified by the enrollee.”  A plan is required to send data received under the payer-to-payer exchange only in the electronic form and format in which it was received.  Moreover, plans are required to exchange only data corresponding to dates of service on or after January 1, 2016.  Plans must fully implement the payer-to-payer data exchange by January 1, 2022 (or for QHP issuers on the FFEs, by the first day of plan years beginning on or after January 1, 2022).
  • Publication of Information Blocking: The final rule provides that, beginning in late 2020, CMS will publicize a list of clinicians and hospitals that may be engaging in information blocking practices that could prevent the disclosure and use of EHI, based on the providers’ responses to attestation statements.
  • Admission, Discharge, and Transfer Notifications: The final rule modifies the Conditions of Participation for Medicare- and Medicaid-participating hospitals that utilize electronic medical records systems or other electronic administrative systems.  The rule requires hospitals, including psychiatric hospitals and critical access hospitals, to send electronic notifications of a patient’s admission, discharge, or transfer to all applicable post-acute care services providers, primary care practitioners and groups, and other practitioners and groups identified by the patient as primarily responsible for his or her care and who need to receive information on the patient’s status for treatment, care coordination, or quality improvement purposes.  This requirement will become effective six months after publication of the final rule.

Notably, CMS did not finalize its proposal to require certain health plans to participate in trust exchange networks to improve interoperability.  Commenters generally supported the proposal, but some raised concerns that CMS should wait until ONC developed a mature Trusted Exchange Framework and Common Agreement (TEFCA) before finalizing the requirement.  CMS stated that, due to these and other concerns, it was not finalizing the policy at this time.

[1] The final rule does not apply to QHP issuers offering only stand-alone dental plans (SADPs) or offering coverage only in the federally-facilitated Small Business Health Options Program Exchanges (FF-SHOPs).

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Anna D. Kraus Anna D. Kraus

Anna Durand Kraus advises on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (“HHS”) gives her broad experience with, and valuable insight into…

Anna Durand Kraus advises on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (“HHS”) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and HIPAA privacy and security. Anna is co-chair of the firm’s Health Care Industry practice group.

Anna regularly advises clients on Medicare reimbursement matters, particularly those arising under Part B and the Part D prescription drug benefit. She also has extensive experience with the Medicaid Drug Rebate program. She assists numerous pharmaceutical and device manufacturers, health care providers, pharmacy benefit managers, and other health care industry stakeholders to navigate the challenges and opportunities presented by the Affordable Care Act.

Anna is a trusted adviser on health information privacy, security and breach notification issues, including those arising under the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Her background in this area dates back to the issuance of the original HIPAA privacy regulations.

Anna’s clients depend on her to guide them through compliance with the Anti-Kickback statute, the Stark regulations, and other laws preventing fraud and abuse in the health care industry. Her deep knowledge of these laws has made her an important component of the firm’s representation of pharmaceutical companies and health care organizations under federal investigation or facing allegations under the False Claims Act. In addition, clients contemplating acquisitions in the health care sector rely on her to guide due diligence efforts.

Photo of Rujul Desai Rujul Desai

Rujul Desai advises clients on drug pricing, market access, reimbursement, strategic contracting, and regulatory solutions for drugs, biologicals, devices, and diagnostics. He brings deep experience with biopharma, specialty pharmacy, and pharmacy benefit management (PBM) companies.

Rujul has held a number of leadership roles…

Rujul Desai advises clients on drug pricing, market access, reimbursement, strategic contracting, and regulatory solutions for drugs, biologicals, devices, and diagnostics. He brings deep experience with biopharma, specialty pharmacy, and pharmacy benefit management (PBM) companies.

Rujul has held a number of leadership roles in the biopharma, PBM, and specialty pharmacy industry, including with CVS Caremark, UCB, and most recently as Vice President at Avalere Health. He has led engagements across a wide range of U.S. and global market access and reimbursement issues, including optimizing new product launches, pricing, PBM and payer formulary access, value-based contracting, distribution network design, patient access and hub services, affordability programs, e-prescribing, digital health, and the use of health economic data and modeling.

Rujul is an author of the U.S. chapter of a global treatise on drug pricing and reimbursement.

Rujul was a Captain in the Medical Services Corps of the U.S. Army Reserves, and served in active duty in Iraq.

Photo of Tara Carrier Tara Carrier

Tara Carrier is an associate in Covington’s Boston office, where she is a member of the Health Care and White Collar Defense and Investigations Practice Groups. Tara focuses her practice on representing clients in the life sciences and health care industries in a…

Tara Carrier is an associate in Covington’s Boston office, where she is a member of the Health Care and White Collar Defense and Investigations Practice Groups. Tara focuses her practice on representing clients in the life sciences and health care industries in a variety of regulatory and compliance matters, including fraud and abuse, health information privacy and compliance with HIPAA, promotion and advertising, market access, pricing and reimbursement activities, and other related areas. In addition, Tara has experience representing clients in government investigations and conducting targeted internal investigations covering a broad range of health care compliance issues. She also counsels clients on mitigating compliance risks and implementing and operating under HHS OIG Corporate Integrity Agreements.

Tara is an author of the U.S. chapter of a global treatise on drug pricing and reimbursement.

In addition to her life sciences practice, Tara maintains an active pro bono practice, with a particular focus on reproductive rights.