HHS Publishes New Health Data Interoperability and Patient Access Rules

10 March 2020 Blog
Authors: Chanley T. Howell
Published To: Privacy, Cybersecurity & Technology Law Perspectives Health Care Law Today

On March 9, 2020, the Department of Health and Human Services (HHS) published two major regulations that will give patients additional access to their health data, while also addressing security of that information. Health information technology interoperability (multiple organizations, networks and software exchanging health information) has been pursued by multiple administrations over the years, and the new rules appear to take a very significant and large step for giving patients effective, efficient and secure access to their healthcare information. This will enable patients to make more informed healthcare decisions, better manage their care and more easily control and access their healthcare information. 

The two rules, issued by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS), address patient access and interoperability initially set forth in the 21st Century Cures Act (Cures Act). These rules signify the most significant healthcare information sharing policies the government has passed, requiring both governmental and private entities to share health information between patients and other parties while keeping that maintaining the privacy and security of that information.

The goals of the rules are to enhance the delivery of healthcare that is affordable, personalized, and puts patients in control. These efforts hoped to advance healthcare information accessibility in the same way individuals can currently manage their finances, travel and every other component of their lives. While there are important reasons why this was the case, healthcare has generally lagged when it comes to individual access and control of that information, and the use of technologies such as mobile apps for accessing and exchanging health information. 

HHS hopes to incentivize the use of modern technology standards and APIs that give patients access to their health information and give them the ability to use the tools they want to shop for and coordinate their own care on their smartphones. “A core part of the rule is patients’ control of their electronic health information which will drive a growing patient-facing healthcare IT economy, and allow apps to provide patient-specific price and product transparency,” said Don Rucker, M.D., national coordinator for health information technology.

To date, large health IT organizations have largely maintained patient information in their own silos, and charging for access to that information. Data silos can fragment care, burden patients, and providers, and drive up costs through repeat tests. The rules should promote patient access and use of their own health information and spurring the use of and development of new smartphone applications for the accessing and use of health information by patients, caregivers, family members and health care providers.

Promoting the exchange of Health Information

The Cures Act generally prohibits “information blocking,” the concept of health IT providers and healthcare providers limiting access to and sharing of health information, but without sufficient details for implementation of the concept. The ONC Final Rule sets forth the reasonable and necessary activities that do not constitute information blocking while establishing new rules to prevent information blocking.

Many electronic health record (EHR) providers use agreements that either prevent or are perceived to prevent users from sharing information related to the EHRs in use, such as screen shots or video. The ONC final rule updates certification requirements for health IT developers and establishes new provisions to ensure that providers using certified health IT have the ability to communicate about health IT usability, user experience, interoperability, and security including (with limitations) screenshots and video, which are important forms of visual communication for such issues.

The ONC final rule also requires EHR technology and IT companies to provide the clinical data necessary, including classifications and categorization, to promote new business models of care. For example, the rule promotes common standards through the U.S. Core Data for Interoperability (USCDI).  The USCDI is a standardized set of health data classes and data elements that are essential for nationwide, interoperable health information exchange. The USCDI includes medications, allergies, clinical notes and other clinical data to help improve the exchange of electronic health information and ensure that the information can be effectively understood when it is received. The standards also include demographic data to support accurate patient identification across care settings.

Promoting Patient Access and New Technology

The ONC rule establishes secure, standards-based application programming interface (API) requirements to support patient access and control of their electronic health information. APIs are the technology that allow mobile apps to exchange data and talked to each other and other data sources. Patients will be able to securely and efficiently obtain and use their electronic health information from their provider’s medical record for free, typically using the mobile app of their choice.

Building on the foundation established by ONC’s final rule, the CMS rule requires health plans in Medicare Advantage and other federal programs to share claims data electronically with patients. Effective January 1, 2021, plans in the federal programs will be required to share claims and other health information with patients in a confidential, secure, understandable, user-friendly electronic format through standard patient access APIs. Patients will have more complete data can therefore make more informed decisions, which in turn should lead to more effective health outcomes.

This APIs can also be used to integrate a health plan’s information to a patient’s electronic health information. By requiring their relevant health information including their claims to be shared with them, patients can more easily move from plan to plan, and provider to provider throughout the healthcare system.

Finally, the CMS rule requires all Medicare and Medicaid participating hospitals to send electronic notifications to healthcare facilities or community providers or practitioners when a patient is admitted, discharged, or transferred (known as ADTs). These ADT notifications lead to better care coordination and improve patient outcomes by allowing a provider, facility, or practitioner to contact the patient and deliver appropriate follow-up care in a timely manner. CMS also requires states to send enrollee data daily beginning April 1, 2022 for beneficiaries enrolled in both Medicare and Medicaid, improving the coordination of care for this population. Thus, beneficiaries will get better access to appropriate services and that these services are billed appropriately the first time, eliminating waste and burden. 

For more information on the ONC final rule, please click here.

For more information on the CMS final rule, please click here.

To view the CMS final rule, please click here.

To view the ONC final rule, please click here.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.

Related Services