HHS Releases Final Interoperability Rules

Ken Terry

March 10, 2020

More than a year after proposing rules to implement the interoperability provisions of the 21st Century Cures Act, the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) announced their complementary final rules on March 9.

The ONC regulations require electronic health record (EHR) vendors to use a standard type of application programming interface (API) that will allow patients to download their EHRs to smartphone apps of their choice for free.

ONC has adopted the Fast Healthcare Interoperability Resources 4.0 standards framework for these APIs and the apps that plug into them. All certified EHRs must include APIs that use this standard, and most of the leading ones already do.

In addition, the final rule prohibits information blocking by software developers, healthcare providers, and health information exchanges/networks (HIEs/HINs). The information blocking provisions will become effective 6 months after the rule's publication in the Federal Register.

There will be civil monetary penalties for violation of these regulations, but it's unclear who they'll apply to or what they'll be. ONC is still working out the details with the US Department of Health and Human Services' (HHS') Office of Inspector General, which will deliver a rule-making proposal "very soon," said Steven Posnack, deputy national coordinator of health IT, at an ONC press conference held March 9.

The CMS Interoperability and Patient Access rule requires private health plans that do business with the government to give patients access to claims data through the same kind of API required in EHRs.

Among the types of insurers that must provide this access are those that own Medicare Advantage, Medicaid and/or Children's Health Insurance Program plans, and issuers of qualified health plans on the federally facilitated insurance exchanges. The private carriers must also provide API access to their provider directories to help patients choose the plans that best meet their needs.

In addition, the CMS rule specifies that, as a condition of participation in Medicare and Medicaid, hospitals must supply admission-discharge-transfer data to other healthcare facilities and community providers, such as primary care physicians. This requirement will go into effect 6 months after the rule is published in the Federal Register.

"These rules [from CMS and ONC] are the start of a new chapter in how patients experience American healthcare, opening up countless new opportunities for them to improve their own health, find the providers that meet their needs, and drive quality through greater coordination," said HHS Secretary Alex M. Azar in a news release.

Sweeping Impact

The new rules are expected to have a sweeping impact on the healthcare industry when they are fully rolled out. The regulations that require the release of EHR data to patients will affect most hospitals and physicians and their patients. Eighty-five million people are enrolled in health plans that will have to provide them with claims data starting January 1, 2021, said CMS Administrator Seema Verma at a March 9 press conference.

At the press conference, Azar explained the goal of the interoperability rules. "From the patient perspective, these rules mean access and portability. You will have access to your records, and records will be portable from doctor to doctor."

Verma said that the aim of the CMS rule is to allow patients to download their health information and share it with other providers as they make their healthcare journey.

However, the mechanism for doing so is limited. The APIs mandated by ONC allow patients to download their information to smartphone apps from multiple providers and assemble a combined health record. The data can only travel one way, however, because it's read-only. Most EHRs don't allow write-back to their databases, so patients will have to share their records as documents with other providers.

Asked about this at the ONC press conference, National Coordinator for Health IT Don Rucker, MD, acknowledged the problem and noted that there are additional issues to consider. Among these are the possibility of overloading EHRs with data from third-party apps and the question of how physicians would be paid for looking at the outside data and considering it in their medical decision making.

Gradual Rollout

In the ONC proposed rule, there were seven exceptions to the information blocking prohibition. For example, information blocking was permissible if it avoided violating state or federal privacy laws, if it was required for security purposes, if a provider couldn't segment the requested electronic health information (EHI), or if the EHR was offline for maintenance.

An eighth exception was added to the final rule. This establishes the content that an EHR vendor, provider, or HIE/HIN must provide to patients over time and the manner in which these entities must furnish that content.

For the first 6 months after the rule's publication, these "actors" can continue to restrict information flow without penalty. After that, they must respond to a patient request to "access, exchange or use EHI" by releasing at least the data elements contained in the United States Core Data for Interoperability, including problems, medications, allergies, specified "clinical notes," lab values, demographic data, and information about the provenance of the data. In the third year, they must provide all HIPAA-covered EHI.

Industry Positions

Some major industry stakeholders expressed their concerns about various facets of the CMS and ONC interoperability rules before they were finalized. The American Hospital Association (AHA) made it clear that it was still not satisfied in a statement released after the government announced its final rules.

"Today's final rule fails to protect consumers' most sensitive information about their personal health," said Rick Pollack, president and CEO of the AHA, in a statement emailed to Medscape Medical News. "The rule lacks the necessary guardrails to protect consumers from actors such as third-party apps that are not required to meet the same stringent privacy and security requirements as hospitals. This could lead to third-party apps using personal health information in ways in which patients are unaware."

Epic, one of the largest EHR vendors, also blasted the proposed rule in January on similar privacy grounds, according to Fiercehealthcare. Last June, the EHR Association said the regulation was too broad and went beyond Congress' intent in the 21st Century Cures Act, as reported by Medscape Medical News.

Medical associations have been more receptive to the regulation. In a statement released on March 9, the American Medical Association (AMA) said it had engaged regularly with policy makers on elements of the ONC rule.

However, the AMA noted it would closely monitor the implementation of the rule in areas such as privacy, gag clauses in vendor contracts that prevent physicians from publicizing problems with their EHRs, and the exceptions to the information blocking provisions.

ONC and CMS have taken steps in the final rule to address privacy concerns. For one thing, CMS is requiring app developers to attest that they protect the privacy of EHI that patients authorize to be delivered to their apps.

In addition, Rucker said, the patient authorization process gives providers the ability to educate patients about what they're consenting to. He said he expected that providers would help patients understand that when they exercise their right to access data from an EHR, the data are no longer governed by HIPAA and are under their control.

"Patients should choose their lives, their health, and their control [over data]," he said. "That shouldn't be a third-party decision. It's a basic human right."

Similarly, Azar said, "We're taking these actions while maintaining and strengthening patient privacy protections. Patient privacy should never stand in the way of patient control."

For more news, follow Medscape on Facebook, Twitter, Instagram, and YouTube.


Comments on Medscape are moderated and should be professional in tone and on topic. You must declare any conflicts of interest related to your comments and responses. Please see our Commenting Guide for further information. We reserve the right to remove posts at our sole discretion.