The CMS Interoperability and Patient Access Final Rule

December 22nd, 2020

The Centers for Medicare and Medicaid Services (CMS) Interoperability and Patient Access Final Rule is a mouthful, but it’s also an important step for improving how health data is accessed and shared. While the rule may be beneficial in certain ways, it’s not without its risks. It opens up the door for patient data to be shared with third-party app developers outside of the tight confines of HIPAA regulations, which could lead to more breaches of sensitive data.

CMS Interoperability and Patient Access Final Rule

The 21st Century Cures Act, HHS, Interoperability and Patient Access

In 2016, Congress passed the 21st Century Cures Act. Among its many other provisions, it aimed to push for the enhanced access and interoperability of health information. In response to this legislation, the Department of Health and Human Services (HHS) developed two separate but related rules, each one originating from from different divisions of the Department.

One was the Centers for Medicare and Medicaid Services (CMS) Interoperability and Patient Access Rule. This applies to Medicare Advantage, Medicaid, Qualified Health Plan issuers on Federally-facilitated Exchanges, as well as CHIP. The rule regulates these entities, requiring them to improve patient access and the interoperability of electronic health information.

The other is the Office for the National Coordinator for Health Information Technology (ONC) Cures Act Final Rule. It regulates the interoperability provisions of the 21st Century Cures Act, including the stipulations that mandate information exchange and information blocking via APIs. It also holds IT developers accountable. You can learn about this rule in more detail by clicking on the above link.

The first drafts of these rules were published in 2019, with the final versions completed in May of 2020. Various aspects of the regulations will go into effect over the next couple of years, with the first requirements beginning on January 1, 2021.

What Does the CMS Interoperability and Patient Access Final Rule Cover?

The CMS Interoperability and Patient Access Final Rule regulates Medicare Advantage, Medicaid, Qualified Health Plan issuers on Federally-facilitated Exchanges, as well as CHIP. It uses the authority that CMS has over these providers to improve patient access and interoperability.

One key component requires them to implement data exchange systems that meet the ONC’s API standards. These Fast Healthcare Interoperability Resources (FHIR) set out how the entities will need to establish data exchange APIs that facilitate access to patient data in a secure and private manner.

Under the current system, patient care can be hampered because healthcare data may not be exchanged effectively between entities. This can lead to higher costs and poorer outcomes. The CMS rule aims to break down the existing barriers, seeking to improve data access and interoperability and coordination between the various parties.

The new rules will give both patients and payers options relating to how their data will be protected and shared with third parties. The FHIR API must give them easy access to information such as their claim details and costs, all through easy-to-use third party apps. These app developers will have to attest to certain privacy provisions.

The CMS-regulated payers will be forced to make provider directory information publicly available via an API. This will allow third-party app developers to use this information to create services that assist patients with their healthcare and treatment. Developers will also be able to create apps that help clinicians coordinate with other providers. The relevant organizations will have to implement Provider Directory APIs by January 1, 2020.

The CMS-regulated entities will also be required to exchange certain patient clinical data whenever patients request them to. This will allow patients to take their information with them, maintaining a cumulative health record, even if they they move to a new payer. This aims to ensure that all relevant information is available, regardless of if a patient has switched plans.

The CMS Interoperability and Patient Access Final Rule also mandates that states will have to update certain enrollee data daily, rather than monthly, starting from April 1, 2022.

From late 2020 onward, CMS will be publicly reporting hospitals and clinicians that may be blocking or refusing to share information as mandated. This will allow patients to choose providers who facilitate easy access to their health information.

At the same time, CMS will also be publicly reporting providers that do not list or update their digital contact information in the National Plan and Provider Enumeration System (NPPES). This includes information like their secure digital endpoints. CMS’ reporting will encourage providers to update this secure contact information, enhancing the ability for various parties to exchange data in a safe manner.

Hospitals will also be required to send electronic patient event notifications when patients are admitted, discharged, or transferred to other facilities. This aims to improve coordination and make it easier to follow up on patients, regardless of where they are transferred.

How Does the CMS Interoperability and Patient Access Final Rule Affect HIPAA Compliance and Security

From the outside, many of these rules look like they will have a positive impact on patient care. However, they aren’t without controversy, with some fearing the potential repercussions of third-party app developers having access to sensitive patient data.

One of the big issues is that HIPAA regulations will not generally apply in situations where these third-party app developers access patient health data through the APIs. While other privacy laws do apply, these vary between states and situations.

There is a lot at stake when it comes to patient health information. These records tend to be incredibly detailed, sensitive, and highly desirable to hackers. If they are exposed, they can cause immense damage to the lives of the affected patients.

This type of information has been guarded so tightly by regulations like HIPAA because of its immense importance and ability to cause harm. Moving away from these protections into a patchwork of regulations without the same oversight could expose patient data to far greater risks.

While the tandem of the CMS Interoperability and Patient Access Final Rule alongside the ONC Cures Act Final Rule feature provisions that could be helpful, it’s important to be cautious. They move sensitive health data into a new frontier where a lot could go wrong. Healthcare organizations and third-party app developers need to tread carefully, while patients should only seek out apps from the most reputable entities.