CMS Releases Proposed Rule to Advance Interoperability and the Exchange of Medical Record and Plan Information


CMS issued a long-awaited proposed rule aimed at enhancing interoperability and increasing patient access to health information. If finalized, CMS’s proposed rule may require hospitals and payors to make significant investments in their health information technology to comply with the new requirements. In this On the Subject, we analyze CMS’s proposals, which include a new requirement that CMS-regulated payors and agencies offer application programming interfaces, and a new Medicare condition of participation that would require hospitals that have implemented EHRs to send electronic patient event notifications to communicate transitions of care.

In Depth

On February 11, 2019, the Centers for Medicare & Medicaid Services (CMS) issued a long-awaited proposed rule aimed at enhancing interoperability and increasing patient access to health information (the Proposed Rule). CMS’s Proposed Rule would require CMS-regulated payors and agencies (Covered Plans and Agencies) to implement application programming interfaces (APIs) that allow patient information to be shared more readily between patients, health care providers and payors. The Proposed Rule would also require hospitals that have adopted electronic health records (EHRs) to engage in event reporting with community providers and others as a condition of participation (CoP) in the Medicare program. CMS hopes that these new requirements will allow patients to have greater access to their health information and improve care coordination between hospitals and other health care providers. If finalized, hospitals and payors may need to make significant investments in their health information technology to comply with the new requirements.

The public will have 60 days to submit comments following official publication of the Proposed Rule in the Federal Register, which we expect to occur in the near future.

1. Application Programming Interface

CMS proposes to require Medicare Advantage (MA) plans, Medicaid state agencies, Medicaid managed care plans, Children’s Health Insurance Program (CHIP) agencies, CHIP Managed Care entities, and issuers of qualified health plans (QHPs) in Federally-Facilitated Exchanges (FFEs), except for stand-alone dental plans (SADPs) (i.e., Covered Plans and Agencies), to adopt and implement an “openly published” API that permits third-party software applications to retrieve—at the direction of the patient—a significant amount of clinical and payment information. CMS proposes requiring compliance by January 1, 2020 for MA plans and QHP issuers in FFEs, and by July 1, 2020 for Medicaid FFS, Medicaid managed care plans and CHIP managed care entities. The information made available through the Covered Plan or Agency’s API would consist of (1) data concerning adjudicated claims, including claims data for payment decisions that may be appealed, were appealed, or are in the process of appeal, and provider remittances and enrollee cost-sharing pertaining to such claims and (2) clinical data, including laboratory results, if the Covered Plan or Agency manages any such data. The Proposed Rule requires Covered Plans and Agencies to make claims data and laboratory results available no later than one business day after the Covered Plan or Agency receives the data.

For MA plans, the API must also allow access to a provider directory of the MA organization’s network of contracted providers, including names, addresses, phone numbers and specialties, updated no later than 30 business days after changes are made to the provider directory. For MA organizations that offer Part D plans, the API must allow the third-party application to retrieve:

  • Standardized data concerning adjudicated claims for covered Part D drugs, including remittances and enrollee cost-sharing, no later than one business day after a claim is adjudicated;
  • Pharmacy directory data, including the number, mix and addresses of network pharmacies; and
  • Formulary data that includes covered Part D drugs and any tiered formulary structure or utilization management procedure which pertains to those drugs.

Covered Plans and Agencies also would be (upon request) required to forward patient information to new plans or other entities designated by the requesting beneficiary for up to 5 years after the beneficiary has disenrolled with the plan. The API technology must meet health information technology standards established by the Office of the National Coordinator for Health Information Technology (ONC).

While the open API initiative in the Proposed Rule specifically applies to Covered Plans and Agencies, CMS also expressed the hope that other stakeholders, such as state-operated exchanges and private payors, would adopt similar requirements for access to information and interoperability so that even more patients can broadly access their health information and better manage care.

With the exception of SADPs in FFEs, Covered Plans and Agencies would also be required to participate in trusted health information exchange networks that meet criteria for interoperability. The trusted exchange network selected by the Covered Plan or Agency must be able to: (1) exchange PHI in compliance with all applicable state and federal laws; (2) connect both inpatient EHRs and ambulatory EHRs; and (3) support secure messaging or electronic querying by and between patients, providers and payers. ONC has not yet finalized the Trusted Exchange Framework and Common Agreement (TEFCA), a set of policies and procedures for interoperable exchange to which CMS could eventually align this trusted exchange participation requirement. CMS has requested comment in the Proposed Rule on whether it should require plans and agencies to participate in trusted exchanges that meet the requirements of TEFCA once finalized by ONC.

2. Hospital Conditions of Participation

CMS further proposes to modify the CoPs for hospitals, Critical Access Hospitals (CAHs), and other hospital classifications to require these participating hospitals to send electronic patient event notifications upon a patient’s transition to another provider or care setting. CMS would require hospitals to include the patient’s basic personal information as well as his or her diagnosis (to the extent not prohibited by other applicable law) in the report.

CMS hopes that this proposal will result in hospital EHR systems having a baseline capability to generate messages that conform to common standards (e.g., Admission, Discharge or Transfer messaging) that may be received and processed by a wide range of providers. Electronic patient event notifications, or automated, electronic communications from discharging providers to another facility, could improve care coordination and potentially reduce readmissions by making a receiving provider aware of the care the patient has received elsewhere.

We note that these CoPs would create a new set of requirements related to the use of EHRs that are separate from the existing Promoting Interoperability measures. Hospitals must already spend significant resources to achieve the Promoting Interoperability measures, and the new proposed CoP requirement will likely increase hospitals’ overall compliance burden with respect to EHRs. The Proposed Rule does not establish a defined timeframe for adopting these new CoPs and instead requests comment on what would be a reasonable timeframe.

3. Information Blocking and Public Reporting

CMS also proposed to further discourage health care providers from engaging in the practice of information blocking by requiring the public display of clinicians, through an indicator on the Physician Compare website, who fail to attest as part of the CMS Promoting Interoperability program that they:

  • Did not knowingly and willfully take action to limit or restrict the compatibility or interoperability of certified EHR technology;
  • Implemented technologies and practices to ensure that their certified EHR technology is connected and compliant with applicable law; and
  • Responded in good faith and in a timely manner to requests to retrieve or exchange electronic health information.

CMS requires hospitals and clinicians to make these “yes/no” attestations to participate in the Promoting Interoperability incentive program for the use of EHR technology. If a health care provider failed to attest “yes” under the proposal, not only would the provider face a potential reduction of Medicare reimbursement, but also a negative indicator on the CMS Physician Compare website – a resource available to patients who are seeking to compare participating Medicare providers. Similarly, CMS proposes that a hospital’s failure to attest “yes” would result in a negative indicator on a future CMS website that will display hospitals’ attestations under the Medicare Promoting Interoperability Program. CMS hopes that these proposed public reporting requirements, the required attestations under the Promoting Interoperability program and the guidance on what constitutes information blocking in ONC’s 21st Century Cures Proposed Rule will discourage Medicare hospitals and clinicians from engaging in information blocking. For our coverage of the information blocking provisions of ONC’s proposed rule, please read our separate On the Subject.

4. Health IT Requests for Information

CMS issued two requests for information (RFIs) related to interoperability and health IT adoption in post-acute care settings, and the role of patient matching in interoperability and improved patient care.

CMS’s incentive programs for the adoption of EHRs have never applied to post-acute care facilities. Perhaps in part due to the absence of incentives, EHR adoption by post-acute care facilities has lagged behind hospitals and clinicians reimbursed under the Medicare Physician Fee Schedule. In the Proposed Rule, CMS notes that hospitals frequently transition Medicare patients to post-acute care facilities such as a skilled nursing facility (SNF) and, based on a national survey, only 29 percent of SNFs can send or receive health information. CMS is seeking input on how it can more broadly incentivize the adoption of interoperable health IT systems and the use of interoperable data across long-term and post-acute care settings. In particular, CMS is seeking comment on whether standardized patient assessment data elements defined by CMS under the IMPACT Act would be appropriate to incorporate into national interoperable data elements—the United States Core Data for Interoperability (USCDI)—established by ONC in the 21st Century Cures proposed rule.

CMS is also seeking public comment on potential strategies to improve patient matching between health information technology systems. Consistently used patient matching strategies could potentially make it easier to combine patient information housed in multiple EHRs or exchanges. CMS is particularly interested in public comment on the security and privacy risks associated with patient matching through algorithms versus the risks inherent with use of a unique patient identifier (UPI). Currently, the creation of a government-issued UPI is prohibited by statute due to privacy concerns, but Congress has opened the door for the US Department of Health and Human Services (HHS) to coordinate private sector efforts to adopt UPIs. CMS also requested comment on whether it should leverage the newly established Medicare ID, which has replaced Social Security Numbers on Medicare ID cards, by requiring Medicaid and CHIP agencies to use the Medicare ID for dually eligible beneficiaries.

Comments are due within 60 days of the date of the Proposed Rule’s publication in the Federal Register. If you would like assistance in preparing comments, please contact one of the authors or your regular McDermott lawyer.