Interoperability Rules Primer: Stakeholders’ Key Concerns as Final Regulations Set to Drop

Jan. 7, 2020
The ONC final rule is expected to be released later this month, and stakeholders are anxiously waiting to see if their core concerns around information blocking and third-party apps will be addressed

It’s been nearly a year since federal officials stunned the healthcare and health IT community with two proposed rules on interoperability and patient access during the week of HIMSS19. Now, we’re just weeks—or perhaps even days—away from the final versions of these regulations. What are the key considerations for stakeholders to keep in mind as they await for the rules to drop?

For some background, the proposals—one from the Office of the National Coordinator for Health IT (ONC) and one from the Centers for Medicare & Medicaid Services (CMS)—were separate, but at the same time very much aligned. Broadly, the two proposals—about 1,200 pages combined—look to further advance the nation’s healthcare interoperability progress. They represent great significance for health IT stakeholders, who will now be more under the microscope than ever before as it relates to their efforts in making sure that health information is seamlessly moving—while not restricting such efforts.

For example, key elements of the ONC rule are related to application programming interface (API) standards, electronic health record (EHR) certification, and EHR vendor business practices and behaviors. It also has a significant section devoted to information blocking with potentially hefty fines for violators.

The CMS rule, meanwhile, proposes a mandate that would require all Medicare Advantage (MA) organizations, state Medicaid and CHIP fee-for-service (FFS) programs, Medicaid managed care plans, CHIP managed care entities, and QHP (qualified health plan) issuers in FFEs (federally-facilitated exchanges) to ensure that patient claims and other health information are available to patients through third-party applications and developers by 2020. The rule also proposes that payers in CMS programs be required to participate in a health information network of their choosing.

In the weeks following the release of the proposals, trade groups such as the American Medical Association (AMA), the College of Healthcare Information Management Executives (CHIME), Premier, the American Health Information Management Association (AHIMA), and more than a dozen others, wrote to government officials asking for more time to review the rules and properly comment, noting that the rules “were comprehensive, detailed and intertwined.” These associations ended up getting this wish, at least, granted—government officials extended the public comment period to June.

As the summer months went on, it was originally expected that the final regulations would drop sometime in November or December since certain elements were slated to kick in early in 2020. But as time passed, it became clear that the government would hold off until January, at the earliest, to release the final versions. 

To this end, the CMS rule was sent to the Office of Management and Budget (OMB) within the White House for review in late September, and about a month later, the ONC rule was delivered to the White House office. But according to the Fall 2019 agenda from OMB, it’s possible that the rule from CMS might not be finalized until 2022 as it was moved to a “long-term action item.” Essentially, this gives the federal agency three years from when the rule was first proposed—February 2019—to finalize it.

As we noted in late November, “While it should be noted that there’s no guarantee the CMS rule will be pushed back that far, it does give the feds a lot more time to work with.” According to OMB policy, “We schedule all Medicare final regulations for publication within the three-year standardized time limit in the current unified agenda. We do not intend to delay publishing a Medicare final regulation for three years if we are able to publish it sooner.”

Healthcare Innovation has more recently heard that the ONC rule is excepted to drop sometime around the time when the department’s annual meeting takes place, which is set for Jan. 27.

What will stakeholders be looking for?

Of course, those who the rules will impact want to know which elements from the proposals will be modified to satisfy industry stakeholders’ pressing issues. For example, some folks have attested that the proposed information blocking exceptions—of which there are seven—are “both complex and confusing.” One example of this is “significant confusion around the definition of ‘electronic health information’ or EHI, which forms the basis for much of the policies in the rule,” according to a group of leading health IT groups that penned a letter to members of Congress back in September, asking them to use their oversight authority to ensure that federal health officials improve certain elements of the rules. National Coordinator for Health IT, Don Rucker, M.D., has contended that for the most part, the exceptions outlined in the rule are “common sense types of things,” and were established after more than 100 meetings with health IT stakeholders.

Nonetheless, one group—the Health Innovation Alliance (HIA)—also went as far as to formally call on ONC specifically to rescind its regulation, noting that the information blocking exceptions to the proposed rule are so vague that "they will produce a market worse than today's status quo." More on HIA’s specific complaints around the information blocking elements of the rule can be read here.

Indeed, in its proposal, ONC implements the information blocking provisions of the 21st Century Cures Act, which defined information blocking as interfering with, preventing, or materially discouraging access, exchange, or use of electronic health information. Violators can be subjected up to a $1 million fine if they are found to be bad actors.

Third-party app concerns

CHIME recently wrote to members of Congress, cautioning Reps. Fred Upton, (R-MI) and Diana DeGette (D-CO) that the proposed ONC interoperability rule does not sufficiently address Cures’ directives to protect patient data privacy and ensure health IT security. Third-party apps are currently not required to follow data blocking policies under ONC's proposed rule, according to CHIME. What’s more, smartphone apps created by third-party developers and not by providers or business associates covered under the Health Insurance Portability and Accountability Act (HIPAA) are not subject to HIPAA rules, even if a breach occurs.

CHIME wrote in its letter, “The ONC proposed rule does not, in its current form, appear to include those technology companies that manage apps, nor does it cover the third-party apps themselves under proposed data blocking policies as among the actors who must comply with these policies. Therefore, unless these policies are changed, a big chunk of the healthcare sector like providers and EHR vendors will have to abide by one set of rules governing promoting the sharing of patient information, and third-party apps and those managing the app ecosystem will not. This will create an unlevel playing field and further perpetuate the notion that healthcare apps are the Wild West.”

To this end, as detailed in a recent New York Times piece on medical data privacy, the AMA, American Hospital Association (AHA), and other groups said they have met with health regulators to push for changes to the rules. Without federal restrictions in place, the groups argued, consumer apps would be free to share or sell sensitive details like a patient’s prescription drug history. And some warned that the spread of such personal medical information could lead to higher insurance rates or job discrimination, according to the NYT article.

Yet federal healthcare officials believe that by requiring software developers to publish APIs and integrate them into their EHRs, consumers can more easily access and download their medical data to third-party apps of their choosing. As such, it’s unclear how these provisions might be altered, if they are at all, in the final regulation.

“App ecosystems have helped transformed many industries such as travel and shopping, and they can do the same in healthcare,” Rucker has previously stated, while also adding that “patients have to make conscious decisions on if they want their data to be downloaded to the [third-party] app.”

CMS rule pushed back?

As noted, it appears as if the ONC final rule will drop before the CMS one, per OMB’s Fall 2019 agenda. Some prominent groups who represent the health plan stakeholders that the CMS rule will directly impact—such as America’s Health Insurance Plans (AHIP)—noted in its comments to the federal agency that “the implementation timeline for the open-API should be phased-in, tied to the development of relevant standards, with full compliance starting no earlier than 2022.”

Similarly, in comments sent to the government back in June, the American Medical Informatics Association (AMIA) stated that while it supports the API proposals, the government’s timelines were too aggressive, given the state of standards development and adoption. For instance, CMS would have required the adoption of new data standards proposed by ONC as part of the U.S. Core Data for Interoperability by January 2020. But ONC is not expected to require certified health IT to generate such data until January 2021 at the earliest, AMIA noted. It now seems possible—if not probable—that these folks will be getting their wishes in this area granted.

To address these issues, AMIA recommended CMS establish a phased approach to require payer data be made available to beneficiaries via open API. The first phase would include claims and encounter data; the second phase would include clinical data and lab results; and the third phase would include drug benefit, pharmacy directory, and formulary data. AMIA noted that CMS may want to consider the use of ONC’s Certification Program to align standards and implementation decisions across stakeholders who generate and use these datatypes.

In the end, federal rulemaking is a give-and-take process in which government officials purposely can be tougher in their proposals knowing they will eventually concede on certain items after hearing public comments. Given the complexity and magnitude of these rules, healthcare stakeholders certainly will be expecting more of the same whenever the final rules are released.

Healthcare Innovation will continue to update readers on these developments.

Sponsored Recommendations

Enhancing Remote Radiology: How Zero Trust Access Revolutionizes Healthcare Connectivity

This content details how a cloud-enabled zero trust architecture ensures high performance, compliance, and scalability, overcoming the limitations of traditional VPN solutions...

Spotlight on Artificial Intelligence

Unlock the potential of AI in our latest series. Discover how AI is revolutionizing clinical decision support, improving workflow efficiency, and transforming medical documentation...

Beyond the VPN: Zero Trust Access for a Healthcare Hybrid Work Environment

This whitepaper explores how a cloud-enabled zero trust architecture ensures secure, least privileged access to applications, meeting regulatory requirements and enhancing user...

Enhancing Remote Radiology: How Zero Trust Access Revolutionizes Healthcare Connectivity

This content details how a cloud-enabled zero trust architecture ensures high performance, compliance, and scalability, overcoming the limitations of traditional VPN solutions...