Navigating Health Policy to Support Healthcare Transformation

Alazro Consulting Blog

The Broad Reach of Federal Interoperability Rules

If your inbox looks like mine, it is flooded with white papers and webinars explaining how to implement and comply with the final interoperability rules recently published by CMS and ONC. The regulatory details in these two rules are legion – and affected parties will need help to understand the requirements and their implications for compliance. It’s also important to take a step back and understand the larger impact of these rules working in tandem. Together, they have a very broad reach, beyond any previous health IT rules. In fact, between the two agencies, they impact most public and private sector payers, health care providers, technology companies with certified products, and health information networks/exchanges. What will that mean for the sharing of health information?


The CMS Rule. In a nutshell, the CMS rule on Interoperability and Patient Access directs the many health plans and payers CMS regulates to make claims data and other enrollee information available to third-party apps via standardized application programming interfaces (APIs) when an individual asks them to do so. For example, an enrollee may authorize an app that they use to manage their diabetes or another health condition to collect claims data from visits to doctors and hospitals. Or, a consumer may agree to be part of a health care shopping app that collects and shares price and quality data on comparative health care services. CMS is also requiring plans and payers to make available via APIs the directory information of which physicians, hospitals and other providers participate in the plan, which may also fuel apps that help consumers locate and compare services within their area. The deadline for these CMS provisions was recently extended six months to July 1, 2021 due to the COVID-19 pandemic.

The CMS rule applies to Medicare Advantage organizations, state Medicaid and Children’s Health Programs (fee-for-service and managed care), and most Qualified Health Plans offering products on the federally facilitated exchanges. According to data from CMS and the Kaiser Family Foundation, more than 100 million people have coverage through these sources.[1] The new rule does not apply to traditional Medicare, which is the fee-for-service program run by CMS that covers an additional 44 million people.[2] However, CMS already allows API access to its fee-for-service claims data via its Blue Button 2.0 initiative. Only the health plans that CMS does not regulate, such as those sold on state-run exchanges, or employer-sponsored plans not sold through the federally facilitated exchange, are unaffected.

In addition to these new requirements for plans and payers, CMS already regulates how hospitals and physicians use electronic health records (EHRs) through its Promoting Interoperability Programs. CMS requires providers to make a core set of clinical data available to third-party apps through APIs, at the direction of patients. Over time, these APIs will use the same standards as those required of plans.

The ONC Rule. The ONC’s 21st Century Cures Act: Interoperability, Information Blocking and the ONC Certification Program rule provides the technical requirements for the standardized APIs, as well as many other requirements for certified health IT products such as EHRs. The implementation dates for these aspects of the rule vary and ONC has extended its certification program deadlines by three months.

Importantly, ONC also finalized its approach to implementing the prohibition on information blocking that Congress included in the 21st Century Cures Act. The information blocking rules will be effective in November and are intended to ensure that individuals and entities are not improperly blocking the flow of electronic health information for things like patients’ access to their own information or the ability of health care professionals to access information needed for care.

The information blocking rules apply to many actors – far beyond the hospitals and physicians that received federal incentives to adopt EHRs and the companies that make certified EHRs. The affected actors include health care providers, health information networks/exchanges, and developers of certified health IT products. The group of health care providers touched by these rules encompasses doctors, hospitals, nursing facilities, surgery centers, pharmacies, and laboratories, among others. And, the definition of a health information network could bring in any organization that facilitates sharing of electronic health information among two or more entities (other than itself) for health care treatment, payment or operations.

The details of investigation and enforcement for information blocking have yet to be finalized but were laid out in a recent proposed rule from the Office of the Inspector General, the enforcement agency. Each violation carries up to a $1 million civil monetary penalty for technology developers and health information exchanges/networks. For health care providers, the OIG will investigate complaints, but defer to CMS and other agencies to administer “appropriate disincentives,” which could take the form of payment penalties.

Who is not covered? Neither CMS nor ONC regulates the actions of app developers and other companies that make use of the APIs plans and providers must make available.[3] Similarly, these actors generally do not face the same restrictions on the use of patient data (and significant penalties for misuse) that providers, payers, and clearinghouses face under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA-covered entities generally may only share patient data to facilitate treatment, payment and health care operations, without specific authorization.

For organizations not covered by HIPAA, privacy is primarily regulated by the Federal Trade Commission as part of its mission to protect consumers from unfair and deceptive trade practices. While the FTC has outlined best practices for mobile health apps, the privacy bar is much lower for commercial app developers than for health care providers covered by HIPAA. Many parties have raised concerns about this difference in privacy expectations, but CMS and ONC have stated that consumers should ultimately be the ones to decide how and with whom to share their health data. While the CMS and ONC interoperability rules are now final, the privacy conversation is widely expected to continue, and has been heightened due to use of apps to assist contact tracing and other efforts to fight the pandemic.

Looking forward. These rules fundamentally change the expectations for sharing health information. Essentially, CMS and ONC are saying that a payer, provider, or other entity holding electronic health information must share it if asked to do so by a patient or an entity that has a legal right to receive it. The agencies seek to empower patients, increase innovation, and set the stage for increased transparency in health care.

The full implications of this broad re-ordering of the regulatory expectations are not yet known, but the broad reach of the rules will no doubt increase the impact. As health care navigates its way to a post-pandemic “normal,” it will have to factor in how to create and leverage a more liquid exchange of data – while still protecting the privacy of sensitive health information.

[1] 22 million people covered by Medicare Advantage https://www.kff.org/medicare/issue-brief/a-dozen-facts-about-medicare-advantage/; 72.4 million covered by Medicaid and CHIP https://www.kff.org/medicaid/fact-sheet/analysis-of-recent-declines-in-medicaid-and-chip-enrollment/; and 8.3 million through the FFE https://www.cms.gov/newsroom/fact-sheets/2020-federal-health-insurance-exchange-enrollment-period-final-weekly-enrollment-snapshot.

[2] https://www.kff.org/medicare/fact-sheet/medicare-advantage/.

[3] App developers could be affected by the ONC rules if they also make certified technology or meet the definition of a provider or a health information exchange or network.