March 10, 2020
Only What Matters in Health Information Policy
After many months of anticipation by health policy and information technology professionals, the federal interoperability final rules are here.
This is one of those unique moments in history where news about something else (the coronavirus) overshadows what would otherwise be a focus of major media outlets this week. Indeed, President Trump himself was supposed to announce these rules at the HIMSS conference in Orlando, Florida this week in front of 40,000+ attendees, but the conference was cancelled due to coronavirus concerns.
[Ironically, if these rules had already been implemented, there would be a much more seamless exchange of information about the coronavirus, but we digress.]
For those of you that have been tracking the interoperability rules, there are few surprises. For those of you that are less familiar, you may be surprised to learn that these rules will generate as big a shift in the health care system as the introduction of ATMs was for banking. It used to be a big pain to get cash or deposit checks, but there are whole generations who have no memory of that time. If this set of policies are implemented as planned, we will say "Remember when it used to be a big pain to get your medical records?"
This is a quick snapshot of our first read of the CMS Interoperability and Patient Access final rule, which is only 474 pages.
We will report soon about the related (and much longer -- 1,244 pages) ONC information blocking and health IT certification final rule.
CMS Interoperability and Patient Access Final Rule
1. Not much changed from the proposed rule. A refresher:
New policies will allow people to request that their health information be transferred to an app on their smartphones, free and fast (plans must make information available within 1 business day of getting a claim settled or receiving encounter data from a provider).
The purpose is to allow Americans, and the clinicians and organizations who are offering them health care services and products, to have real-time access to their comprehensive health care history -- or just the part that they want to know.
The rule applies to health plans and medical providers.
2. Health Plans: the final rule requires Medicare Advantage, Medicaid, CHIP, and Qualified Health Plan (QHP) issuers on the Federally-facilitated Exchanges to make individual health data available upon request. This includes adjudicated claims data, including provider remittances and enrollee cost-sharing, encounter data, clinical data including lab tests. Health plans must also publish updated electronic provider directory information.
3. Health Plans will make the data available by implementing the latest standard for interoperability -- the HL7 FHIR Application Programming Interface (API) -- that allows third parties to access their databases. It is anticipated that health plans will apply these rules across all of their lines of business (not because they are required to, but because it will be a business imperative) -- so employer-sponsored health insurance plans are likely to offer enrollees access to their electronic data too.
4. Health Plan compliance dates are as follows:
By January 1, 2021, plans must implement a standards-based (HL7 FHIR) Patient Access Open API that allows third-party apps to retrieve, with the approval and at the direction of a current enrollee, at a minimum, any adjudicated claims (including provider remittances and enrollee cost-sharing), encounters with capitated providers, clinical data (including lab results) that plans have maintained with a date of service on or after January 1, 2016. Data must be made available no later than one business day after a claim is adjudicated or encounter data are received.
By January 1, 2021, plans must make standardized information about their provider networks available through a published Provider Directory API.
By January 1, 2022, plans must send information to any other payer (payer to payer data exchange) identified by the current or former enrollee that they maintain with a date of service on or after January 1, 2016.
5. Medical Providers: By late 2020, eligible clinicians, hospitals and critical access hospitals (CAHs) must attest that they support electronic access to health information, and list or update their digital contact information to the National Plan and Provider Enumeration System (NPPES), or CMS will publicly report them (e.g., Physician Compare).
6. Hospitals, including psychiatric hospitals and Critical Access Hospitals: Beginning six months after publication of this final rule, it will be a Condition of Participation in Medicare for hospitals to send electronic notifications about a patient’s admission, discharge or transfer to all applicable post-acute care providers, primary care practitioners, or any clinician identified by the patient as primarily responsible for his or her care.
A few takeaways:
Now is a good time. The rule compliance dates are not far away. Only six months for hospitals to send electronic notifications about admission, discharges or transfers, because CMS believes that the content exchange standard is common to many EHR systems.
One thing that plans don’t have to do now. Plans do not have to join a “trusted exchange network” right away -- CMS agreed with commenters that work on the Trusted Exchange Framework and Common Agreement (TEFCA) needs to progress further before finalizing this part of the rule.
Plans may invoke the rules in provider contracts. CMS acknowledged that payers may want to address the timely exchange of information in its provider contracts, but it is not required.
Cost-sharing data is the hidden gem here. CMS acknowledged that giving people access to past cost information (from claims data) does not mean they can (necessarily) negotiate or impact future health care costs … but it may “help them plan for future services.” Who needs price transparency rules?
Social determinants of health data are part of this. Medicaid managed care plans and states must make available data that is related to long-term care waiver services, like in-home care, meal preparation or delivery, and transportation.
Privacy is a big thing. In response to widespread privacy concerns with non-HIPAA-covered direct-to-consumer applications, CMS repeatedly noted that it does not have the authority to regulate third party applications and referred to FTC’s authority over these entities.
Privacy is a really big thing. CMS placed new emphasis on requiring health plans to educate their enrollees about the risks associated with sending personal health data to third party apps that are not regulated by HIPAA privacy protections. Plans must post privacy and security resources to a public website, including a discussion about a third party app’s secondary use of data.
Money, honey. CMS admitted that they may have underestimated how much it will cost health plans to implement these new policies. Was: $788,414. Now there is a low-high range: $788,414 - $2,365,243.
Help is available. There are a lot of guidance materials and tools available here that are repeatedly invoked in the rule, including references to HL7 and CARIN Alliance implementation guides. CMS promised to provide content soon for the privacy educational materials -- so health plans can tailor them according to the needs of their enrollee population.