On March 9, the U.S. Department of Health and Human Services (HHS) released two long-awaited health data interoperability regulations. With a 474-page rule from the Centers for Medicare & Medicaid Services (CMS) and a 1,244-page rule from the Office of the National Coordinator for Health Information Technology (ONC), HHS published the rules under the headline, "HHS Finalizes Historic Rules to Provide Patients More Control of Their Health Data."
The rules implement the key interoperability provisions of the 21st Century Cures Act and support the Trump Administration’s broader health data patient access and transparency efforts. But more importantly, they create new compliance obligations for nearly every healthcare industry stakeholder: physicians, hospitals, insurers, information networks and exchanges, and health IT companies.
Labeled historically important and scattered across 1,700+ pages of regulatory text, these new mandates will likely be very difficult for busy healthcare organizations to digest in the coming weeks and months. To help your organization get started, here is a quick rundown of what you need to know about the new health data interoperability regulations:
- The rules are years in the making and will have an impact for years to come. The 114th Congress passed the bipartisan 21st Century Cures Act into law in December 2016, in part to require ONC to issue these interoperability rules. Now, following the controversial February 2019 proposed rule and an extended public comment period, we are just seeing ONC publish the final rules more than three years later. And with deadlines for the major provisions of the rule set for six, 24, and 36 months from today, implementation of the Cures Act is shaping up to be nearly a decade-long process. As with all major regulations, it will also be subject to future regulatory changes, and unsurprisingly, industry lobbying for certain changes has already begun.
- CMS’s rule includes data sharing mandates for insurers and hospitals. In a matter of only six months, hospitals will now be required to provide electronic admission, discharge, and/or transfer (ADT) notifications to other healthcare facilities, primary care physicians, and designated care team members. Starting January 2021, insurers operating in government markets—Medicare, Medicaid, CHIP, ACA—will be required to provide patient claims data through application programming interfaces (APIs). CMS finalized these rules with very aggressive compliance timelines and despite significant pushback from the hospital and insurer lobbies. Taken together, these rules should provide greater access to hospital ADT and insurance claims information for patients and physicians, to the likely benefit of some physician-led organizations in risk-based payment models such as accountable care organizations (ACOs).
- ONC’s rule includes new EHR certification requirements. As required by the Cures Act, ONC’s rule includes a long list of new EHR certification criteria (required product functions) and program requirements (specific business practices and actions) that EHR companies will have to meet to maintain federal certification. For most of the new criteria, certified EHR companies will be required to complete development, certification testing, and client upgrades within 24 months of the official publication date of the final rule in the Federal Register. One major new requirement will be the use of an API that meets the HL7 Fast Healthcare Interoperability Resources (FHIR) Release 4 standard and implementation specifications.
Aside from the new criteria, the Conditions and Maintenance of Certification Requirements is a list of six new business practices or actions that EHR companies must meet to maintain certification. The new requirements are for certified EHR companies to: (1) not violate the new information blocking rules; (2) provide assurances regarding the exchange, access, and use of electronic health information; (3) not restrict certain client communications (i.e., gag clauses and screen shots); (4) abide by certain business and contractual practices regarding APIs; (5) conduct “real world” product testing on an annual basis; and (6) make certain product attestations twice per year.
- ONC’s rule finalizes certain information-blocking policies, but also delays enforcement. The Cures Act law defined information blocking as “any practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” The law also made information blocking illegal—punishable with civil fines—for EHRs, HIEs, information networks, hospitals, and physicians. This regulation finalizes policies related to implementation and enforcement of this prohibition, including the scope of information that applies and a critical list of “reasonable and necessary” exceptions that serve as safe harbors. The rule also establishes an initial compliance deadline of six months from the publication date (likely September 2020), while stressing that no enforcement actions will occur until the HHS Office of the Inspector General (OIG) releases a separate regulation regarding policies for the civil monetary penalties (expected soon). From six through 24 months following the publication date, the scope of health information protected by information blocking will be limited to the data elements in the United States Core Data for Interoperability (USCDI). After 24 months (estimated to be March 2022), the scope will be extended to include all data a patient would have the right to request a copy of, pursuant to the HIPAA Privacy Rule. As for the “reasonable and necessary” exceptions, ONC included a list of eight in the final rule: (1) preventing harm; (2) privacy; (3) security; (4) infeasibility; (5) health IT performance; (6) content and manner; (7) fees; (8) licensing. Each category includes detailed descriptions of circumstances when the exceptions would apply.
- The rules will take years to fully implement, but policymakers and industry lobbyists are already working on Cures 2.0 legislation and regulations. Powerful insurer and provider groups announced their opposition to the final rules within hours of their release, arguing they threaten patient privacy by allowing personal health information to flow to third-party applications that are not covered by HIPAA. Provider groups also expressed concerns that the new data-sharing requirements will increase administrative and physician burdens at a time when reducing them is a priority. In addition to these concerns, healthcare organizations will soon be forced to confront the significant ongoing financial costs of meeting all of these mandates. As a result, lobbying for delays, exceptions, and changes to the rules is expected to accelerate. Members of Congress have already begun discussions about the privacy implications of these rules and whether this new “app economy” will require additional or separate regulatory oversight. While the outcome of these efforts is unknown, future changes to these regulations are inevitable.
NextGen Healthcare clients who are interested in learning more about these rules can register for this month’s Health Reform Simplified webinar, scheduled for Thursday, March 19 at 4:00pm ET.