New rules from CMS and ONC hold few surprises for devotees of the regulatory process – a niche crowd, admittedly. Both agencies thoroughly communicated and responded to the industry at every step. What’s more, the functional aspects in these requirements are already being done — somewhere in the U.S. healthcare system.
According to the 21st Century Cures Act, patients should be able to move from health plan to health plan or from provider to provider and have their data go with them. To make this happen, CMS and ONC spelled out the minimum that payers and providers must do at scale. All must implement FHIR-standard APIs. CMS-regulated plans, collectively providing coverage for anyone without employer-provided insurance or the uninsured, need member-facing functionality that most do not currently provide. ONC’s version applies to providers, HIEs, and their vendors with certified HIT products.
Some of the highlights:
Information Blocking Timeline
ONC laid out a 36-month timeline for information blocking compliance. For the first 6 months, everyone is on the honor system. After that, non-compliance could attract enforcement. Some person, human or corporate, must complain first; no authority will seek out information blockers. HHS’ Office of Inspector General (OIG) will have to complete its own rulemaking process before it can wield its scariest enforcement stick: the legislatively mandated Civil Monetary Penalties (CMP). CMPs could begin with the later of 1.) ONC’s timeline or 2.) when OIG’s CMP rulemaking process is complete. Until then, no one need worry about CMPs. Whew.
Outstanding TEFCA Issues
How participation in a network governed by the Common Agreement of TEFCA fame will affect information blocking compliance and enforcement is unclear. Many believe that TEFCA compliance should be a safe harbor from information blocking enforcement. ONC will probably seek some middle ground between TEFCA adherence as an absolute shield and the incandescent fury of CMP.
eHI Significantly Narrowed
By popular demand, ONC backed off its initial, broad set of data elements that shall not be blocked in favor of HIPAA’s designated record set. Moreover, far fewer organizations will have to meet this requirement compared to the proposed rule. In just over three years, EHR vendors will need to be able to export that data for a single patient and for all patients to make it easier for providers to switch EHRs. We’ll have to see how that last part goes.
Patient Privacy and Security Education
The last, best chance to inform patients that some third parties have larcenous intent will be pop-up education about the privacy and security risks of third-party apps before they authorize that app to access their eHI. This provision, the 9th exception to information blocking in all but name, gives providers and developers the opportunity to warn patients about what could happen to the data. It puts the onus on providers and their vendors to police third parties and what they do with patient data. The individual, once educated, is free to surrender their data to whomever they choose. Maybe it really is time for Congress to update HIPAA for the 21st century.
New Payer Requirements
HHS’ new patient access rule builds on BlueButton, an Obama-era program. Its current iteration gives Medicare FFS beneficiaries access to their own claims via APIs. Beginning in 2021, Medicare Advantage, Medicaid, CHIP, and plans on the federal exchanges will be required to provide the same APIs to their beneficiaries.
Medicare and Medicaid hospitals will need to send ADT notices to some other provider (e.g. PCP, SNF) to support better care coordination. Medicare-regulated plans will, at member request, be required to send member data to any other plan. Plans will also need to make their provider directories API-accessible.
Providers on Final Approach, Payers at Stall Speed
Vendors of certified HIT are in OK, if not perfect, shape to support these new requirements in the time required. FHIR support is nearly universal, as are REST interfaces. While FHIR adoption is still low, knowledge of its potential benefits is widespread. Providers as a group see a clear path to capitalize on the benefits these rules aim to deliver.
HHS plainly wants all payers and plans to follow its lead with patient access, provider directories, and pushed ADTs. Its thinking is that if a payer organization makes the IT investment to comply for its CMS-regulated plans, API-enablement for all of its plans is incremental. Payers as a group don’t know what FHIR is and have little reason to embrace modern API-based development and integration. CMS-regulated plans will need to rapidly evaluate these rules and begin planning for early 2021.