Massive Rule Drops at HIMSS19: CMS, ONC Propose New Regulations to Transform the Future of Interoperability and Patient Access

Feb. 11, 2019
The two rules—separate but very related—outline new provisions around requiring interoperable activities while giving patients easier access to their electronic health data

Through two immense proposed rules released this morning, the first day of the HIMSS19 conference in Orlando, federal health officials are pulling an array of levers that fall under the core aim to improve interoperability and patient access to data.

The two proposed rules—one from CMS (the Centers for Medicare & Medicaid Services) and one from ONC (the Office of the National Coordinator for Health IT) are separate, but at the same aligned as the two agencies within HHS (the Department of Health & Human Services) look to further advance the nation’s healthcare interoperability progress. The two rules represent great significance for health IT stakeholders, who will now be more under the microscope than ever before as it relates to their efforts in making sure that health information is seamlessly moving—while not restricting such efforts.

The ONC rule, titled “21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT," is 724 pages in length, and according to federal health IT officials, is designed to increase innovation and competition by giving patients and their healthcare providers secure access to health information and new tools, allowing for more choice in care and treatment. It calls on the healthcare industry to adopt standardized application programming interfaces (APIs), which will help allow individuals to securely and easily access structured electronic health information (EHI) using smartphone applications, officials attested.

In the ONC proposed rule, a provision also exists requiring that patients can electronically access all of their digital health data (structured and/or unstructured) at no cost. What’s more, the rule implements the information blocking provisions of the 2016 Cures Act, which defined information blocking as interfering with, preventing, or materially discouraging access, exchange, or use of electronic health information.

The new ONC rule proposes seven exceptions to the definition of information blocking. As it outlines, there are four specific healthcare “actors” regulated by the information blocking provision: providers, certified health IT developers, HIEs (health information exchanges) and HINs (health information networks). The seven proposed exceptions include:

  1. Preventing harm;
  2. Promoting the privacy of EHI;
  3. Promoting the security of EHI;
  4. Recovering the costs reasonable incurred;
  5. Responding to requests that are infeasible;
  6. Licensing of interoperability elements on reasonable and non-discriminatory terms; and
  7. Maintaining and improving health IT performance.

An ONC fact sheet on the seven exceptions can be seen in more detail here.

In a session at HIMSS19 in Orlando on Monday morning, Steven Posnack, executive director, ONC’s Office of Technology, noted that the first three actors listed—developers, HIEs and HINs—are subject to up to a $1 million fine per information blocking violation, if they are found to be bad actors. Providers are not subjected to a monetary fine, Posnack noted, adding that exceptions will be reviewed by ONC and the OIG (Office of Inspector General).

Also in the ONC rule are various other conditions related to APIs and standards. The rule calls for health IT developers to publish APIs and allow health information from such technology to be accessed, exchanged, and used without special eff­ort through the use of APIs or successor technology or standards, as provided for under applicable law. Through the APIs, a developer must also provide access to all data elements (the United States Core Data for Interoperability (USCDI)) of a patient's EHR to the extent permissible under applicable privacy laws, the rule calls for.

Notably, the rule further proposes to require the use of the FHIR (Fast Healthcare Interoperability Resources) standard for APIs.

Health IT developers must also test the real-world use of the technology for interoperability in the type of setting in which such technology would be marketed, while providing attestation every six months to all the Conditions of Certification specified in the Cures Act, except for the “EHR reporting criteria submission,” as that reporting program has not yet been developed.

What’s more, ONC is calling for the removal of the CCDS (Common Clinical Data Set) definition and its references from the 2015 Edition and replacing it with the USCDI standard. “This will increase the minimum baseline of data classes that must be commonly available for interoperable exchange,” ONC believes.

Finally, ONC has developed ten recommendations for the voluntary certification of health IT for pediatric care that does not include a separate certification program for pediatric care and practice settings.

“By supporting secure access of electronic health information and strongly discouraging information blocking, the proposed rule supports the bi-partisan 21st Century Cures Act. The rule would support patients accessing and sharing their electronic health information, while giving them the tools to shop for and coordinate their own healthcare,” Don Rucker, M.D., National Coordinator for Health IT, said in a prepared statement, while encouraging all stakeholders to submit comments on the rule.

CMS Rule Focuses on Patient Access

CMS’ rule, “Interoperability and Patient Access Proposed Rule,” while separate from ONC’s, is quite aligned with it in several ways—such as requiring FHIR for APIs. Building on the Blue Button 2.0 API that allows Medicare beneficiaries to electronically access their health data through an app, CMS is now proposing to require Medicare Advantage (MA) organizations, state Medicaid and CHIP fee-for-service (FFS) programs, Medicaid managed care plans, CHIP managed care entities, and QHP (qualified health plan) issuers in FFEs (federally-facilitated exchanges) to implement, test, and monitor an openly-published FHIR-based APIs to make patient claims and other health information available to patients through third-party applications and developers.

CMS is also proposing to require MA organizations, Medicaid managed care plans, CHIP managed care entities, and QHP issuers in the FFEs to support electronic exchange of data for transitions of care as patients move between these plan types. This data includes information about diagnoses, procedures, tests and providers seen and provides insights into a beneficiary’s health and healthcare utilization.

In yet another push on health plans, CMS is proposing that payers in CMS programs be able to participate in a trusted exchange network which would allow them to join any health information network they choose and be able to participate in nationwide exchange of data.  "We propose requiring MA organizations (including MA-PD plans), Medicaid managed care plans, CHIP managed care entities, and QHP issuers in the FFEs to participate in trust networks to improve interoperability," CMS said.

“We have proposed that by 2020, all health plans doing business in Medicare, Medicaid, and through the federal health insurance exchanges, allow their patients to obtain their data through an API. This will allow patients to be true partners in their healthcare,” CMS Administrator Seema Verma said this morning on a press call discussing the rules.

Also significantly, using what Verma called “the strongest lever we have,” the agency is proposing to make it a condition of participation in Medicare that all Medicare-participating hospitals, psychiatric hospitals, and CAHs [critical access hospitals] to send electronic notifications when a patient is admitted, discharged or transferred.

And in regard to information blocking, CMS said it would make public the names of clinicians and hospitals that submitted "no" to three attestation statements committing them to data sharing. “Making this information publicly available may motivate clinicians, hospitals, and CAHs to refrain from information blocking,” CMS said.

“We’re also putting an end to information blocking,” Verma boldly stated on the press call. “The days of holding patients’ data hostage are over. We propose to publicly identify hospitals, doctors, and others who engage in information blocking. Simply put, we’re exposing the bad actors who keep their patients from their data.”

Two RFIs Issued

What’s more, CMS and ONC are also together requesting feedback on how it can leverage its authority to improve patient identification and safety to encourage better coordination of care across different healthcare settings while advancing interoperability. The two agencies are asking for comments on how they can “continue to facilitate private sector efforts on a workable and scalable patient matching strategy.”

Separately, CMS issued another RFI requesting feedback on how it can promote wide adoption of interoperable health IT systems for use across healthcare settings such as long-term and post-acute care, behavioral health, and settings serving individuals who are dually eligible for Medicare and Medicaid and/or receiving home and community-based services.

TEFCA Second Draft Coming

The ONC rule did not include a second draft to TEFCA, the agency’s Trusted Exchange Framework and Common Agreement that aims to establish a framework and common agreement around data sharing. At the HIMSS19 conference on Monday, Elise Sweeney-Anthony, director, ONC’s Office of Policy, noted the idea is that TEFCA will be a voluntarily-signed agreement where networks and organizations will agree that information should be moved in specific ways outlined by the document. The second version of the TEFCA draft is on the way, and then the common agreement will follow that, said Sweeney-Anthony.

She also noted that an RCE (recognized coordinated entity) will be selected and awarded a cooperative agreement by ONC to help the agency implement TEFCA. While ONC will establish the framework and agreement elements, the RCE will be the day-to-day entity to ensure the operational activities that spur interoperability do occur, Sweeney-Anthony said.

Sponsored Recommendations

A Cyber Shield for Healthcare: Exploring HHS's $1.3 Billion Security Initiative

Unlock the Future of Healthcare Cybersecurity with Erik Decker, Co-Chair of the HHS 405(d) workgroup! Don't miss this opportunity to gain invaluable knowledge from a seasoned ...

Enhancing Remote Radiology: How Zero Trust Access Revolutionizes Healthcare Connectivity

This content details how a cloud-enabled zero trust architecture ensures high performance, compliance, and scalability, overcoming the limitations of traditional VPN solutions...

Spotlight on Artificial Intelligence

Unlock the potential of AI in our latest series. Discover how AI is revolutionizing clinical decision support, improving workflow efficiency, and transforming medical documentation...

Beyond the VPN: Zero Trust Access for a Healthcare Hybrid Work Environment

This whitepaper explores how a cloud-enabled zero trust architecture ensures secure, least privileged access to applications, meeting regulatory requirements and enhancing user...