On March 9, 2020, the Department of Health and Human Services (HHS) issued two final rules aimed at improving patient access to electronic health information (EHI), as well as the standardization of modes of exchange for EHI.  The rules, which were issued by the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS), implement provisions of the 21st Century Cures Act and introduce new requirements for increasing interoperability.  We previously covered the proposed rules, which were released on March 4, 2019.

ONC’s final rule focuses on preventing information blocking and providing patients with greater control over their health data and is an important step towards promoting greater care coordination across various settings of care.  The rule directly regulates healthcare providers, developers of certain health IT, health information exchanges, and health information networks, and raises strategic considerations for companies partnering with these regulated stakeholders.  Key provisions of the final rule include:

  • Standardized Criteria for APIs: The final rule establishes standards for application programing interfaces (APIs) to improve the exchange of EHI and to enable patients to access their health information at no cost. Developers must ensure that their systems can communicate with third-party users, which include consumer apps.  ONC finalized the technical standard for API, adopting the Health Level® 7 (HL7) Fast Healthcare Interoperability Resources® (FHIR) 4.0.1.
  • Information Blocking and Exceptions: The Cures Act prohibits “information blocking,” defined broadly to mean practices that are likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI.  The rule finalizes the seven “reasonable and necessary” exceptions to the Cures Act’s prohibition of information blocking that were included in the proposed rule.  These include, for example, activities to protect patient safety, privacy, and the security of EHI.  The final rule also adds an eighth “Content and Manner Exception,” under which it will not be information blocking for an actor to limit the manner in which it responds to a request to access, exchange, or use EHI or the contents of the response, provided certain conditions are met.  Actors that engage in practices that do not meet one of the eight exceptions will not automatically be considered to have engaged in information blocking; instead, such practices will be evaluated on a case-by-cases basis.  Vendors, providers, and others will have six months to comply with the information blocking provision.  Enforcement of associated civil monetary penalties (CMPs) will not begin until the CMP rules are established through future rulemaking.
  • Conditions and Maintenance of Certification: The final rule establishes Conditions and Maintenance of Certification requirements for health IT developers.  The conditions require, for example, assurances that the developer will not engage in information blocking, compliance with API technical requirements, and real-world testing.
  • Access, Exchange, and Use Definitions: The final rule revised the proposed rule’s definitions of “access,” “exchange,” and “use.”  ONC made clear that “access” includes the ability or means necessary to make EHI available for exchange and not only for use.  ONC stated that the definition of “exchange” includes all transmissions, and is not limited to one-way transmissions.

CMS’s final rule on interoperability and patient access to health data applies to certain federally regulated payers, including Medicaid, the Children’s Health Insurance Program (CHIP), Medicare Advantage (MA), and certain Qualified Health Plan (QHP) issuers on the federally-facilitated exchanges (FFEs).[1]  The final rule establishes policies to improve the exchange of health data to facilitate greater patient access to EHI.  Key provisions of the final rule (which largely track the proposed rule) include:

  • Patient Access API: The final rule requires health plans to implement and maintain a standards-based Patient Access API that meets the technical standards finalized in ONC’s final rule.  The Patient Access API must make certain health data available, including at a minimum, adjudicated claims, encounters with capitated providers, and some clinical data.  Plans must make data with a date of service on or after January 1, 2016, available through the Patient Access API.  Plans must also permit third-party applications to access and retrieve health data through the Patient Access API, with the approval and at the direction of a current enrollee.  The Patient Access API must be fully implemented by January 1, 2021 (or for QHP issuers on the FFEs, by the first day of plan years beginning on or after January 1, 2021).
  • Provider Directory API: Plans must make provider directory information available through a public-facing Provider Directory API accessible on the plan’s website.  Directory information must include, at a minimum, provider names, addresses, phone numbers, and specialties, plus pharmacy information for MA plans that offer prescription drug benefits (MA-PDs).  All information must be made available within 30 days of a plan receiving new or updated provider directory information.  The Provider Directory API must be fully implemented by January 1, 2021.
  • Payer-to-Payer Data Exchange: The final rule requires MA organizations, Medicaid and CHIP managed care entities, and QHP issuers on the FFEs to coordinate care between plans by exchanging specific data elements from the content and vocabulary standard finalized in ONC’s final rule.  The CMS final rule clarifies that plans must send specific data, with the approval and at the direction of a current or former enrollee, to “any other payer identified by the enrollee.”  A plan is required to send data received under the payer-to-payer exchange only in the electronic form and format in which it was received.  Moreover, plans are required to exchange only data corresponding to dates of service on or after January 1, 2016.  Plans must fully implement the payer-to-payer data exchange by January 1, 2022 (or for QHP issuers on the FFEs, by the first day of plan years beginning on or after January 1, 2022).
  • Publication of Information Blocking: The final rule provides that, beginning in late 2020, CMS will publicize a list of clinicians and hospitals that may be engaging in information blocking practices that could prevent the disclosure and use of EHI, based on the providers’ responses to attestation statements.
  • Admission, Discharge, and Transfer Notifications: The final rule modifies the Conditions of Participation for Medicare- and Medicaid-participating hospitals that utilize electronic medical records systems or other electronic administrative systems.  The rule requires hospitals, including psychiatric hospitals and critical access hospitals, to send electronic notifications of a patient’s admission, discharge, or transfer to all applicable post-acute care services providers, primary care practitioners and groups, and other practitioners and groups identified by the patient as primarily responsible for his or her care and who need to receive information on the patient’s status for treatment, care coordination, or quality improvement purposes.  This requirement will become effective six months after publication of the final rule.

Notably, CMS did not finalize its proposal to require certain health plans to participate in trust exchange networks to improve interoperability.  Commenters generally supported the proposal, but some raised concerns that CMS should wait until ONC developed a mature Trusted Exchange Framework and Common Agreement (TEFCA) before finalizing the requirement.  CMS stated that, due to these and other concerns, it was not finalizing the policy at this time.

[1] The final rule does not apply to QHP issuers offering only stand-alone dental plans (SADPs) or offering coverage only in the federally-facilitated Small Business Health Options Program Exchanges (FF-SHOPs).