The Interoperability and Patient Access final rule (CMS-9115-F) delivers on the Administration’s promise to put patients first, giving them access to their health information when they need it most and in a way they can best use it. As part of the Trump Administration’s MyHealthEData initiative, this final rule is focused on driving interoperability and patient access to health information by liberating patient data using CMS authority to regulate Medicare Advantage (MA), Medicaid, CHIP, and Qualified Health Plan (QHP) issuers on the Federally-facilitated Exchanges (FFEs).
Lack of seamless data exchange in healthcare has historically detracted from patient care, leading to poor health outcomes, and higher costs. The CMS Interoperability and Patient Access final rule establishes policies that break down barriers in the nation’s health system to enable better patient access to their health information, improve interoperability and unleash innovation, while reducing burden on payers and providers. Patients and their healthcare providers will have the opportunity to be more informed, which can lead to better care and improved patient outcomes, while at the same time reducing burden. In a future where data flows freely and securely between payers, providers, and patients, we can achieve truly coordinated care, improved health outcomes, and reduced costs.
Privacy, Security, and Standards
Ensuring the privacy and security of patient information is a top priority for CMS. Identifying the right standards can help data flow securely and efficiently. CMS, in partnership with the Office of the National Coordinator for Health Information Technology (ONC), has identified Health Level 7® (HL7) Fast Healthcare Interoperability Resources® (FHIR) Release 4.0.1 as the foundational standard to support data exchange via secure application programming interfaces (APIs). CMS is adopting the standards for FHIR-based APIs being finalized by HHS in the ONC 21st Century Cures Act rule at 45 CFR 170.215. These requirements support the privacy and security of patient information.
Patients have a right under HIPAA to access their health information. We believe they also have a right to know their health information is exchanged in a way that ensures their privacy and security. We are working to balance these important issues in a way that empowers patients to be in charge of their healthcare.
This rule finalizes new policies that help liberate health information and move the healthcare system toward greater interoperability.
Patient Access API: CMS-regulated payers, specifically MA organizations, Medicaid Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP FFS programs, CHIP managed care entities, and QHP issuers on the FFEs, excluding issuers offering only Stand-alone dental plans (SADPs) and QHP issuers offering coverage in the Federally-facilitated Small Business Health Options Program (FF-SHOP), are required to implement and maintain a secure, standards-based (HL7 FHIR Release 4.0.1) API that allows patients to easily access their claims and encounter information, including cost, as well as a defined sub-set of their clinical information through third-party applications of their choice. Claims data, used in conjunction with clinical data, can offer a broader and more holistic understanding of an individual’s interactions with the healthcare system, leading to better decision-making and better health outcomes. These payers are required to implement the Patient Access API beginning January 1, 2021 (for QHP issuers on the FFEs, plan years beginning on or after January 1, 2021).
Provider Directory API: CMS-regulated payers noted above (except QHP issuers on the FFEs) are required by this rule to make provider directory information publicly available via a standards-based API. Making this information broadly available in this way will encourage innovation by allowing third-party application developers to access information so they can create services that help patients find providers for care and treatment, as well as help clinicians find other providers for care coordination, in the most user-friendly and intuitive ways possible. Making this information more widely accessible is also a driver for improving the quality, accuracy, and timeliness of this information. MA organizations, Medicaid and CHIP FFS programs, Medicaid managed care plans, and CHIP managed care entities are required to implement the Provider Directory API by January 1, 2021. QHP issuers on the FFEs are already required to make provider directory information available in a specified, machine-readable format.
Payer-to-Payer Data Exchange: CMS-regulated payers are required to exchange certain patient clinical data (specifically the U.S. Core Data for Interoperability (USCDI) version 1 data set) at the patient’s request, allowing the patient to take their information with them as they move from payer to payer over time to help create a cumulative health record with their current payer. Having a patient’s health information in one place will facilitate informed decision-making, efficient care, and ultimately can lead to better health outcomes. These payers are required to implement a process for this data exchange beginning January 1, 2022 (for QHP issuers on the FFEs, plan years beginning on or after January 1, 2022).
Improving the Dually Eligible Experience by Increasing the Frequency of Federal-State Data Exchanges: This final rule will update requirements for states to exchange certain enrollee data for individuals dually eligible for Medicare and Medicaid, including state buy-in files and “MMA files” (called the “MMA file” after the acronym for the Medicare Prescription Drug, Improvement and Modernization Act of 2003) from monthly to daily exchange to improve the dual eligible beneficiary experience, ensuring beneficiaries are getting access to appropriate services and that these services are billed appropriately the first time, eliminating waste and burden. States are required to implement this daily exchange starting April 1, 2022.
Public Reporting and Information Blocking: Beginning in late 2020, and starting with data collected for the 2019 performance year data, CMS will publicly report eligible clinicians, hospitals, and critical access hospitals (CAHs) that may be information blocking based on how they attested to certain Promoting Interoperability Program requirements. Knowing which providers may have attested can help patients choose providers more likely to support electronic access to their health information.
Digital Contact Information: CMS will begin publicly reporting in late 2020 those providers who do not list or update their digital contact information in the National Plan and Provider Enumeration System (NPPES). This includes providing digital contact information such as secure digital endpoints like a Direct Address and/or a FHIR API endpoint. Making the list of providers who do not provide this digital contact information public will encourage providers to make this valuable, secure contact information necessary to facilitate care coordination and data exchange easily accessible.
Admission, Discharge, and Transfer Event Notifications: CMS is modifying Conditions of Participation (CoPs) to require hospitals, including psychiatric hospitals and CAHs, to send electronic patient event notifications of a patient’s admission, discharge, and/or transfer to another healthcare facility or to another community provider or practitioner. This will improve care coordination by allowing a receiving provider, facility, or practitioner to reach out to the patient and deliver appropriate follow-up care in a timely manner. This policy will be applicable 12 months after publication of this rule.
To view the CMS Interoperability and Patient Access final rule, visit https://www.cms.gov/Regulations-and-Guidance/Guidance/Interoperability/index.
To view the ONC 21st Century Cures Act final rule, visit https://healthit.gov/curesrule.