The Centers for Medicare & Medicaid Services (CMS) published its highly anticipated final rule aimed at enhancing interoperability and increasing patient access to health information. CMS’s final rule will require hospitals and payors to make significant investments in their health information technology to comply with the new requirements, effective six months following publication of the final rule in the Federal Register for hospitals, and January 1, 2021, for payors. In this On the Subject, we analyze the final rule requirements, which include a new requirement that CMS-regulated payors offer application programming interfaces, and a new Medicare condition of participation that requires hospitals with electronic health record systems to send electronic patient event notifications to communicate transitions of care.
On March 9, 2020, the US Department of Health and Human Services (HHS) Centers for Medicare & Medicaid Services (CMS) announced a final rule aimed at enhancing interoperability and increasing patient access to health information. The final rule requires CMS-regulated payors and agencies (Covered Plans and Agencies) to implement application programming interfaces (APIs) that allow patient information to be shared more readily between patients, healthcare providers, payors and third-party applications selected by patients. APIs could improve patients’ ability to gain access to their health information and share key medical history information with other providers and payors. Notably, however, HIPAA does not apply to many third-party applications that patients would use to access their data, raising stakeholder concerns about the privacy and security of information shared through APIs.
The final rule also requires hospitals that have adopted electronic health record systems to engage in electronic event reporting of patient admissions, discharges and transfers to patients’ primary care practitioners as a condition of participation (CoP) in the Medicare program. Hospitals and payors may need to make significant investments in health information technology (IT) to comply with the new requirements, which go into effect six months following publication of the final rule for hospitals, and on January 1, 2021, for payors.
This highly anticipated final rule has already garnered responses from key industry players, including America’s Health Insurance Plans, the nationwide association of health insurers, which stated that it shares HHS’s vision for expanded consumer data access but “remain[s] gravely concerned that patient privacy will still be at risk when health care information is transferred outside the protections of federal patient privacy laws.” The association cautioned that “any new rules must ensure we protect patient privacy, reduce health care costs, and get personalized information into the hands of patients.”
On the same day that CMS released the final rule, the HHS Office of the National Coordinator of Health IT (ONC) released a final rule implementing the information blocking provisions of the 21st Century Cures Act and updates to ONC’s health IT certification program. A separate On the Subject about the ONC final rule is forthcoming.
Read on for a summary of the key requirements and implications of the CMS final rule, and recommended next steps for payors and hospitals. For a review of our past coverage on these rules, please visit our Regulatory Sprint to Coordinated Care Resource Center.
Application Programming Interfaces
Under the final rule, Covered Plans and Agencies—which include Medicare Advantage (MA) plans, Medicaid state agencies, Medicaid managed care plans, Children’s Health Insurance Program (CHIP) agencies, CHIP Managed Care entities, and issuers of qualified health plans in federally facilitated exchanges, except for stand-alone dental plans—must adopt and implement an “openly published” API that permits third-party software applications to retrieve, at the direction of the patient or health plan member, a significant amount of clinical and payment information. The API technology must meet health IT standards established by ONC. Covered Plans and Agencies must comply by January 1, 2021.
The Covered Plan or Agency must make the following information available through the API:
- Data concerning adjudicated claims and encounter data, including claims data for payment decisions that may be appealed, were appealed, or are in the process of appeal, and provider remittances and enrollee cost-sharing pertaining to such claims
- Clinical data, including laboratory results, if the Covered Plan or Agency manages such data.
The Covered Plans and Agencies must make this information available no later than one business day after a claim is adjudicated or the Covered Plan or Agency receives the data.
For MA plans, Medicaid and CHIP fee-for-service programs, Medicaid managed care plans and CHIP managed care entities, the API must also allow access to a provider directory of the payor’s network of contracted providers, including names, addresses, phone numbers and specialties, updated no later than 30 calendar days after the payor receives the information or an update.
For MA organizations that offer Part D plans, the API must allow the third-party application to retrieve:
- Standardized data concerning adjudicated claims for covered Part D drugs, including remittances and enrollee cost-sharing, no later than one business day after a claim is adjudicated
- Pharmacy directory data, including the number, mix and addresses of network pharmacies
- Formulary data that includes covered Part D drugs and any tiered formulary structure or utilization management procedure that pertains to those drugs.
While the open API initiative in the final rule specifically applies to Covered Plans and Agencies, CMS also expressed the hope that other stakeholders, such as state-operated exchanges and private payors, will adopt similar requirements for access to information and interoperability so that even more patients can broadly access their health information and better manage care.
Payor-to-Payor Data Exchange
In addition to payor-to-patient exchanges through APIs, CMS finalized its proposal to require MA plans, Medicaid managed care plans, CHIP managed care entities and qualified health plan issuers on the federally facilitated exchanges to forward, with the approval and at the direction of the patient, patient information maintained within the ONC-identified US Core Data Set for Interoperability to other payors designated by the requesting patient for up to five years after the patient has disenrolled from the plan. CMS anticipates that payors will leverage the API they put in place to comply with patient access requirements to additionally provide other payors access to the same data. However, CMS allows payors to use other methods of data exchange to meet this requirement. Covered Plans and Agencies must comply with the payor-to-payor exchange requirement by January 1, 2022.
Notably, CMS elected to not finalize its proposal to require Covered Plans and Agencies to participate in trusted health information exchange networks. CMS noted that although some commenters showed support for the proposal, other commenters noted the need for a mature Trusted Exchange Framework and Common Agreement (TEFCA), a set of policies and procedures for interoperable exchange, to be put in place first. ONC published a second draft TEFCA on April 19, 2019, but has not yet finalized it.
Hospital Condition of Participation
CMS finalized its proposal to adopt a Medicare hospital CoP that requires hospitals, psychiatric hospitals and critical access hospitals (CAHs) that have electronic event notification capabilities to send electronic notifications upon a patient’s admission, discharge or transfer to or from the hospital’s emergency department or inpatient service department. The CoP becomes effective six months after the final rule’s publication in the Federal Register.
CMS modified the CoP slightly from the proposed rule. The final CoP does not require hospitals to include diagnosis information within the notification. Instead, the notification must include at a minimum the patient’s name, treating practitioner name and sending institution name. The CoP does not require hospitals to send notifications to all providers that have an “established care relationship” with the patient, but only to the patient’s established primary care practitioner or other practitioner or practice group identified by the patient as primarily responsible for the patient’s care.
CMS stated that electronic patient event notifications, or automated electronic communications from discharging providers to another facility, could improve care coordination and potentially reduce readmissions by making a receiving provider aware of the care the patient has received elsewhere. However, this CoP creates a new set of requirements on top of existing Promoting Interoperability measures that CMS adopted to incentivize the use of health IT to improve care. Hospitals must already spend significant resources to achieve the Promoting Interoperability measures, and the new CoP requirement will likely increase hospitals’ overall compliance burden with respect to health IT implementation.
Information Blocking and Public Reporting
The final rule discourages clinicians from engaging in the practice of information blocking by requiring the public display, via an indicator on the Physician Compare website, of physicians and other clinicians who fail to attest as part of the CMS Merit-based Incentive Payment System (MIPS) program that they:
- Did not knowingly and willfully take action to limit or restrict the compatibility or interoperability of certified health IT
- Implemented technologies and practices to ensure that their certified health IT is connected and compliant with applicable law
- Responded in good faith and in a timely manner to requests to retrieve or exchange electronic health information.
Clinicians who fail to attest “yes” to the above statements would receive a potential reduction of Medicare reimbursement under MIPS, in addition to the negative indicator on the CMS Physician Compare website, which is available to patients who are seeking to compare Medicare-participating physicians and other clinicians.
CMS also requires eligible hospitals and CAHs to make “yes/no” attestations concerning their use of certified health IT in order to participate in the CMS Promoting Interoperability program. A hospital or CAH’s failure to attest “yes” will result in a negative indicator on a future CMS website that will display hospitals’ attestations under the Medicare Promoting Interoperability program.
CMS included these reporting requirements in the final rule to discourage hospitals and clinicians from engaging in information blocking. CMS expects to post the information for both clinicians and hospitals in late 2020.
Recommended Next Steps
The final rule will have a significant impact on Covered Plans and Agencies and hospitals. These entities should consider taking several practical steps in response to the final rule.
Recommendations for Covered Plans and Agencies
Covered Plans and Agencies should consider the following next steps in response to the final rule:
- Assess the technological capabilities of IT systems and quickly make any necessary adjustments to offer an API that is consistent with ONC standards
- Develop user guides or other resources that explain how a plan member or patient may obtain data through the API and protect their privacy by only selecting reputable third-party applications
- Work with other Covered Plans and Agencies to develop technical mechanisms and policy frameworks for connecting and sharing data in accordance with the payor-to-payor exchange requirement, which becomes effective in 2022.
Recommendations for Hospitals and CAHs
Given the aggressive timelines in the final rule, hospitals will soon need to assess the capabilities of existing IT systems and their readiness to send electronic notifications as required by the new CoP. Even with necessary systems in place, hospitals should review their intake and discharge workflows to ensure that they are consistently identifying the practitioner primarily responsible for patients admitted to the emergency and inpatient departments. To the extent that hospitals are not consistently capturing this information, they should consider revising their policies, procedures and training to emphasize the importance of obtaining the information, and should set up event notifications to the identified individual or group practice.
If you would like assistance in complying with any of the new requirements, please contact one of the authors or your regular McDermott lawyer.