Skip to Main Content.

Newly published federal rules will now give more power to consumers in controlling their personal health care information. On May 1, the Centers for Medicare and Medicaid Services (“CMS”) released a final rule which seeks to help patients utilize their health care information in a seamless transition from payer to provider. Once implemented, consumers will be able to view all of their health care information in a familiar method, such as on a mobile phone application.

The release of CMS’ rule coincided with the Office of the National Coordinator for Health Information Technology (“ONC”) and the Department of Health and Human Services’ (“HHS”) release of a separate rule discussing the interoperability, information blocking, and certification requirements for a health information technology program. Together, the two rules will require both payers and providers to update current policies and implement new programs ensuring that their data is compliant.

The effective dates of these rules were extended due to the COVID-19 pandemic. CMS has extended its implementation timeline for payers and providers until early 2021. ONC has stated that its rules will go into effect six months after publication, meaning compliance will not be required until November 2, 2020.

Interoperability and Application Programming Interface

First, it is important to understand the meaning of the term “interoperability.” Interoperability is the ability for different information systems, devices, or applications to connect and exchange data. An example of this is a Fitbit transferring information to your mobile phone. Interoperability plays a major role in the health care IT space, as dozens of systems need to communicate patient information across numerous platforms. To make this transfer of data useful, the platforms need to be interoperable. For a previous discussion regarding the role of interoperability, information blocking, and the use of application programming interfaces, please see our post, “Information Blocking and the API Standard: Proposed Rules Look to Shake-up Data in the Healthcare Industry.”

Currently, the lack of data exchanges in the health care industry has prevented optimal patient care and increased costs for payers. By allowing both patients and providers to share information more easily, CMS believes that this will lead to better care and improved patient outcomes. The implementation of the new interoperability rules intends to provide patients more control over their health care information. As stated in a fact sheet by CMS, “[t]he Interoperability and Patient Access final rule (CMS-9115-F) delivers on the Administration’s promise to put patients first, giving them access to their health information when they need it most and in a way they can best use it.” The goal of this rule is to ensure that all players in the industry utilize the same, standardized methods for their data, thereby making all health care platforms interoperable and useful to both providers and patients.

Starting January 1, 2021, CMS-regulated payers such as Medicare organizations, Medicaid Fee-for-Services (“FFS”), Medicaid managed care, Children Health Insurance Program (“CHIP”) FFS programs, CHIP managed care entities, and Qualified Health Plans on the Federally-facilitated Exchanges will be required to implement and maintain a protected application programming interface (“API”) that allows patients to easily review their claims, encounter information, and provider directories. It will need to be a standardized app across the industry, allowing individuals to utilize their information no matter who the provider or payer happens to be.

The API will be a third-party app that users can download and view on their phones, much as they would use any other mobile app. In addition to providing more information to the consumer, the new rules will allow CMS-regulated payers to exchange patient clinical data with other payers in a more seamless fashion. This exchange of information will allow consumers to make more informed decisions when obtaining health care services and give them greater mobility in utilizing different payers.

Still, payers and providers will need to be extremely cognizant of privacy concerns when creating API’s for consumers. Covered entities such as providers and payers will need to make sure that all information shared on the API complies with HIPAA. Granting third-party app developers access to health care data to create APIs may create regulatory risk. Covered entities will need to be cautious, and API developers will need to be closely monitored to ensure the safety of protected health information. CMS recently published best practices for app developers and payers.

Information Blocking

ONC has released new rules surrounding information blocking issues at the same time as CMS’ release of its interoperability rules. The 21st Century Cures Act prohibits any health information technology developer from taking part in information blocking. The Cures Act defined “information blocking” as anything that interferes with or discourages access, exchange, or use of electronic health information (“EHI”). While the definition was provided in the Cures Act, it did not give examples of which actions fall outside the scope of what is considered information blocking. The new ONC rule has clarified its position and listed several examples of permitted activities. The eight exceptions are:

  • Practices that are reasonable and necessary to prevent harm to a patient or another person;
  • Practices that are reasonable and necessary to protect the privacy of an individual’s EHI;
  • Practices that are reasonable and necessary to promote the security of EHI;
  • Practices where a person declines to provide access to EHI because doing so is infeasible;
  • Practices that are reasonable and necessary to maintain and improve the overall performance of health information technology;
  • Practices where an actor reasonably limits the content of its response to, or the manner in which it fulfills, a request to access, exchange, or use EHI;
  • Practices where an actor is permitted to recover certain costs reasonably incurred in connection with accessing, exchanging, or using EHI; and
  • Practices where an actor licenses interoperability element on reasonable and non-discriminatory terms.

While the new rule provides additional clarity regarding permitted activities, simply because an action does not meet one of the above exceptions does not automatically mean it is prohibited. These activities will be examined on a case-to-case basis to determine whether the actor is in compliance with the regulations. In its published rules outlining new civil monetary penalties (“CMP”) for information blocking, HHS stated that health care professionals who make innocent mistakes will not be subject to CMPs. Each allegation would be based upon the unique facts and circumstances given. But the rules do give insight into the priorities placed by HHS when determining the assessment of CMPs.

In summary, these new rules will create a number of compliance hurdles for providers and payers alike. If you have questions about these final rules or any other regulatory requirements, Frost Brown Todd’s Insurance Regulation & Risk Management team can help. Please contact Matt Wagner (513-651-6978, or Bill Williams (317-237-3815, for more information.

To provide guidance and support to clients as this global public-health crisis unfolds, Frost Brown Todd has created a Coronavirus Response Team. Our attorneys are on hand to answer your questions and provide guidance on how to proactively prepare for and manage any coronavirus-related threats to your business operations and workforce.