
CMS Interoperability Final Rule: Impact on Health Care Providers


The Centers for Medicare and Medicaid (CMS) published a final rule on May 1, 2020 implementing the interoperability requirements of the 21st Century Cures Act (Cures Act). The CMS Final Rule, together with a companion final rule published by the Office of the National Coordinator for Health IT (ONC),1 is the latest government effort to drive the electronic access, exchange, and use of health information across care settings, a goal that, despite years of regulatory action pursuant to the HITECH Act, has not yet been achieved due to barriers to information exchange in the U.S. health care system.

The CMS Final Rule will significantly impact healthcare providers by moving the health care industry into an environment in which patients who move from payor to payor, and provider to provider, can have their clinical and administrative information travel with them. 85 Fed. Reg. 25511. In addition, pursuant to the CMS Final Rule, hospitals, including psychiatric and critical access hospitals (CAHs), will be subject to a new Condition of Participation (CoP) standard requiring that they send notifications through their electronic medical record or other electronic administrative system to all of a patient’s providers when a patient is admitted to the emergency department, discharged, or transferred. Below, we describe the background to the CMS Final Rule and the provisions most relevant to health care providers, and set forth next steps for providers preparing to come into compliance with the rules. 

Background

In 2016, Congress passed the bi-partisan Cures Act, which called for all electronically accessible health information to be accessed, exchanged, and used “without special effort on the part of the user.”2  The Cures Act was passed in part to respond to evidence that despite the government’s efforts over the past ten years to compel health care providers through regulation and financial incentives to adopt electronic health records (EHR), the EHR systems that had been adopted were largely not compatible across health care systems and care settings. 

A Final Rule published by ONC on the same day as the CMS Final Rule implements the Cures Act in part by specifying a standardized core clinical data class set (by adopting the United States Core Data for Interoperability (USCDI) standard), which must be used by certified health IT developers. The ONC Final Rule also requires the health care industry to adopt standardized application programming interfaces (APIs),3  a technology that facilitates the creation of applications that can access the data or features of a software system, application, or other service. APIs are the foundation of smartphone applications (apps), and have enabled seamless, user-friendly data exchange via apps in many industries, for example, the online banking and travel-booking industries. The mandated combination of standardized APIs and USCDI standard is intended to create compatibility regarding what data EHR systems must be able to exchange, and how they must do so. The goal of these provisions is to create the technical foundation for an environment in which secure and easily accessible structured electronic health information can be more easily exchanged across care settings and accessed by individual patients for free using apps. The ONC Final Rule is discussed in more detail here. 

CMS Final Rule

Requirements for Hospitals

The key provision in the CMS Final Rule that impacts health care providers is a new CoP requiring that hospitals, including psychiatric hospitals and CAHs, send admission, transfer, and discharge event notifications. The Final Rule revises 42 CFR 482.24 by adding a requirement for hospitals to send electronic patient event notifications of a patient’s admission, discharge, and/or transfer to another health care facility or to another community provider or practitioner. The event notifications must convey, at a minimum, the patient’s basic personal or demographic information, the name of the sending institution, and, if not prohibited by other applicable law, the patient’s diagnosis. Compliance with the proposed standard shall be determined by the hospital demonstrating to the surveyor or accrediting organization that its system (i) is fully operational, (ii) uses the content exchange standard incorporated by reference at 45 CFR 170.205(a)(4)(i), (iii) sends notifications that include the minimum required information, and (iv) sends notifications directly, or through an intermediary, at the time of the patient’s admission to the hospital and either immediately prior to or at the time of the patient’s discharge and/or transfer from the hospital.

Only hospitals with an EHR system that has the technical capacity to generate information for electronic patient notifications are subject to this aspect of the Final Rule. Such a system is defined as one conformant with the Admission, Discharge and Transfer (ADT) messaging standard Health Level Seven (HL7) Messaging Standard Version 2.5.1 (HL7 2.5.1), incorporated by reference at 45 CFR 170.205(a)(4)(i).

Some commentators to the proposed rule raised concerns about the privacy of the patient notifications, asking whether patient consent would be required to send a patient notification, whether hospitals would be able to honor a patient’s request to opt out of the notification system, and how hospitals should address cases where they cannot confirm the identity of a provider, or where transmission could otherwise risk improper disclosure of Protected Health Information (PHI). (85 Fed. Reg. 25601). In response, CMS emphasized that nothing in the Final Rule should be construed to supersede the Health Insurance Portability and Accountability Act (HIPAA) or other state or federal laws related to the privacy of patient information. Generally, to the extent that the HIPAA Privacy Rule does not require patient authorization in order for a health care provider to disclose PHI to another provider for treatment purposes, the new CoP would not require patient authorization before a notification can be sent. CMS clarified that it did not intend to prevent hospitals from honoring a patient’s preferences if the patient requests that their information not be shared via notification. Hospitals must make “reasonable efforts” to ensure their systems send notifications to the specified recipients, and must have processes in place to identify the providers that should be receiving the notifications. Where a hospital cannot confirm the identity of a receiving provider, it is not obligated to send a notification. Finally, hospitals are not required to share patient information through a notification where prohibited by other federal law (for instance, Alcohol and Drug Patient Records covered by 42 CFR, Part 2) or state law (for instance, in a state that requires patient consent before any information related to mental health treatment can be disclosed). This may require some hospitals that have drug and alcohol treatment or inpatient psychiatric units to segregate data that must be accompanied by a written consent.

The patient notification CoP is effective May 1, 2021. 85 Fed. Reg. 25601. 

Requirements for Payors

The CMS Final Rule builds on the technical foundation established by the ONC Final Rule, and implements several major policies designed to promote interoperability with respect to CMS-regulated payors (i.e., MA organizations, Medicaid, CHIP Fee-For-Service (FFS) plans, CHIP managed care entities, and Qualified Health Plans (QHPs) on the Federally Facilitated Exchanges (FFEs)) and to certain health care providers. The first key requirement in the CMS Final Rule is that CMS-regulated payors must maintain a standards-based “Patient Access API.” The Patient Access API provides a means through which third party apps can retrieve certain health data for the patient’s use pursuant to the authorization of the patient. The CMS Final Rule standardizes the technology that must be used in the Patient Access API (consistent with the ONC Final Rule), and defines the data that must be accessible via the Patient Access API (adjudicated claims, encounters with capitated providers, and a subset of clinical data).

The CMS Final Rule also requires the same CMS-regulated payors to make standardized information about their provider networks available through a Provider Directory API. This provision is intended to enable apps to create services that help patients find providers for care and treatment, and to help clinicians find other providers for care coordination, in a more user-friendly, intuitive way than has been possible to date. 

CMS-regulated payors will also be required to exchange certain patient clinical data (the U.S. Core Data for Interoperability (USCDI) version 1 data set) with each other at the patient’s request, which will enable patients to take their data with them as they move from payor to payor. 

The CMS Final Rule goes a step further than the ONC Final Rule in addressing the privacy concerns of stakeholders concerned about the regulation opening the door to third party apps obtaining patient data, despite the fact that such apps are not subject to the HIPAA Privacy or Security Rule. The ONC Final Rule specifies that it is not information blocking for health care providers to provide information to patients about the associated risks with sharing their health information with third-party apps, provided they do so in an accurate and non-discriminatory way. The CMS Final Rule, however, requires payors to share educational resources with patients to help them be informed about the risks of sharing data with third-party apps. 85 Fed. Reg. 25549. In addition, the Final Rule encourages, but does not require, CMS-regulated payors to require that third-party apps attest to having certain privacy and security provisions in their privacy policy prior to providing the app with access to the Patient Access API. Id. CMS-regulated payors may then inform patients whether the third-party app has attested to having the basic privacy and security protections. 85 Fed. Reg. 25550.

Next Steps for Providers

The new rules are designed to improve transparency and access for patients; however, they place new requirements on CMS-regulated payors, providers, and Health IT developers and vendors. In addition to preparing to make patient notifications through the EHR system, hospitals should take an inventory of affected payors and evaluate payor agreements in order to prepare for new requirements imposed by payors. Payors and providers will need to work together to operationalize the Patient and Provider Directory APIs. Payors will need providers’ cooperation as they develop a strategy to meet the effective dates for the new requirements over the next two years.

In addition, hospitals should conduct a legal analysis of how the new CoPs and other data blocking requirements will impact existing privacy policies, as well as how HIPAA and other state privacy laws will intersect with new interoperability requirements. 

These initiatives will ultimately require investments in IT to meet operational deadlines and to ensure that the educational and privacy elements of the new regulations are met. 

Footnotes:

1 See ONC, 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, 85 Fed. Reg. 25642 (May 1, 2020) (“ONC Final Rule”). 
2 42 U.S.C. 300jj(9). 
3 An API can be thought of as a set of commands, functions, protocols, or tools published by one software developer (“A”) that enable other software developers to create programs (applications or “apps”) that can interact with A’s software without other software developers needing to know the internal workings of A’s software, all while maintaining consumer privacy data standards. See CMS Final Rule, 85 Fed. Reg. 25515.

Disclaimer: This post does not offer specific legal advice, nor does it create an attorney-client relationship. You should not reach any legal conclusions based on the information contained in this post without first seeking the advice of counsel.

About the Authors

Elizabeth M. Hein is an Associate in the Firm’s Health Care Practice Group, providing legal services to the Firm’s health care clients in litigation, regulatory, and compliance matters.


Cynthia A. Haines is a Principal in the Firm's Health Care Practice Group and Co-Chair of its Information Privacy & Security Practice Group. She counsels and represents clients on state and federal health law and related regulatory and compliance issues, including: surveys; licensure; Medicare/Medicaid; compliance; audits; accreditation; payment matters; HIPAA security and privacy compliance; insurer compliance with federal, state and local laws, regulations and policies; and voluntary disclosures.
