CMS proposed a rule Monday to require Medicaid, the Children's Health Insurance Program, Medicare Advantage plans and health plans in the federal Affordable Care Act exchanges to provide their 125 million patients with free electronic access to their personal health data, including medical claims, by 2020.
A separate but related Office of the National Coordinator for Health Information Technology proposed rule calls on the industry to adopt standardized application programming interfaces, or APIs: the part of the server that receives requests and sends responses between computer systems. It also would put into effect the information blocking provisions of the bipartisan 21st Century Cures Act by identifying what does and does not constitute information blocking.
Industry reaction was mixed. The AHA is pushing back against a provision that would require electronic event notification as a condition to take part in Medicaid and Medicare. Insurers also flagged potential concerns, including increased administrative costs.
The rules, which had stagnated in the Office of Management and Budget's Office of Information and Regulatory Affairs since late September, are part of an ongoing push by the government to enable interoperability of health systems.
ONC chief Don Rucker emphasized the importance of patients being able to see all of their medical records together, regardless of provider. "We think both of our rules will really strike a blow to get transparency for the American public," he said.
The proposed changes build on CMS' MyHealthEData and Blue Button 2.0 initiatives, and would require healthcare providers and payers to leverage open data sharing technologies to make it easier for patients to switch between plans, companies and sites of care.
Last year's Blue Button 2.0 initiative created an API for Medicare fee-for-service. Now, CMS is proposing that MA plans, state Medicare and CHIP programs, CHIP managed care entities, Medicaid managed care plans and qualified health plans in the federal exchanges "implement, test, and monitor" a Health Level Seven FHIR-compliant API.
The agency wants those plans to make their provider directories available to current and potential enrollees through the API technology, too (excepting the federal exchanges, which already do so).
Rucker said the administration hopes insurers will carry over those practices to private plans. "We feel like because they're building it for these three very significant programs ... it's going to have such a large impact. They're going to be making the investment already, they should be able to offer this to their privately insured patients as well," he said.
Just last year, CMS also finalized regulations that use potential payment reductions to encourage providers to improve patients' electronic access to their PHI.
Payers in its programs would be required to participate in a trusted exchange network, an online network that automatically verifies the security and identity of participants to enable the free flow of information.
CMS also plans to publicly report any players that participate in information blocking: practices that limit interoperability, whether purposefully or otherwise. The agency hopes that the public shaming will incentivize businesses to prioritize the free flow of information. Still, businesses would self-report their compliance.
Pushback from industry
Hospitals are not on board with a provision that would require them to send electronic notifications when a patient is admitted, discharged or transferred. HHS said such notifications are "low-cost and easy to achieve" with any EHR, but underused by providers.
The American Hospital Association said the additional mandate for hospitals will be a burden and recommended the agency update the existing exchange infrastructure.
"We cannot support including electronic event notification as a condition of participation for Medicare and Medicaid. We believe that CMS already has better levers to ensure the exchange of appropriate health information for patients," AHA said in a statement.
The American Health Information Management Association praised the rule "at first glance," particularly for its considerations on the issues of privacy and security of information.
"Additionally, we are pleased that CMS's proposed rule includes a request for information on leveraging CMS's authority to improve patient identification," AHIMA CEO Wylecia Harris said in a statement.
America's Health Insurance Plans had a more muted initial reaction, hinting at concerns the privacy and security efforts don't go far enough to protect patient data. "As we review the proposed rules, we will focus on ensuring it further protects patients, minimizes administrative burdens, and establishes clear data standards and operational protocols to put meaningful information into the hands of patients, providers, and insurance providers," AHIP CEO Matt Eyles said in a statement.
ONC's proposal deals more with the nitty-gritty of fostering interoperability. Along with adopting standardized APIs and defining information blocking under Cures, the rule is aimed at giving consumers free electronic access to their structured and unstructured health information.
The agency plans to update the 2015 Edition certification EHR criteria to ensure health IT systems send and receive electronic health information in a synchronous manner, while allowing patients to export and view their data.
The rule allows seven "reasonable and necessary" exceptions to the definition of information blocking: preventing harm, promoting electronic health information privacy, promoting information security, recovering reasonably incurred costs, responding to infeasible requests, licensing interoperability elements and maintaining and improving health IT performance.
Businesses will not be subject to civil penalties or other legal measures if their actions satisfy one or more of these exceptions, ONC says.
Many IT groups are frustrated it has taken so long for the government to step in. In August, more than a dozen members of the broad-based coalition Health IT Now sent a letter to ONC and the Office of the Inspector General warning that it is "past time" to implement data blocking statutes.
OMB received the long-awaited ONC proposal Sept. 17, and the CMS interoperability proposal four days later.
The budget office sped past a 90-day window to review the proposed rule clarifying what exactly constitutes information blocking, mandated under the 21st Century Cures Act of 2016. The law bans health IT vendors, providers or other entities from knowingly restricting or blocking the exchange of electronic health information.
Under Cures, HHS and ONC are required to regulate and improve the interoperability of healthcare information, taking action against any malfeasance or wrongdoers impeding the electronic flow of patient data. The bodies can impose up to $1 million in financial penalties per violation.
In October, the administration issued guidance to inform providers participating in the Quality Payment Program's Merit-based Incentive Payment System when and how to attest that they're not engaged in data blocking.
The twin rules build off one another's strictures. The CMS proposal says players must conform to the API standards outlined by ONC for health IT. Both also include synchronous content and vocabulary standards for clinical data classes through the U.S. Core Data for Interoperability standard.
Experts expect ONC to release the Trusted Exchange Framework and Common Agreement soon to bolster the new rules. TEFCA would provide a technical, nationwide framework for health data sharing, though some stakeholders worry connecting health IT systems without addressing underlying patient matching challenges will result in an overflow of data without ways to sort it.
CMS requested feedback on interoperability and health IT adoption in post-acute care settings, patient matching and how to best improve patient care. ONC is also asking stakeholders for comment on transparency in pricing when it comes to data access.
Comments are due in early April.