On March 9, the U.S. Department of Health and Human Services (HHS) finalized two new rules intended to give patients secure access to their health data and facilitate the flow of information between health care providers and payers. These rules, issued by the Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare and Medicaid Services (CMS), implement key provisions of the 21st Century Cures Act, a bipartisan law passed in December 2016 which sought to increase interoperability of health data and foster market competition.
The new rules issued by HHS make four important changes to electronic health information: They establish data exchange standards, require open application programming interfaces (APIs), support data exchange between payers, and prevent information blocking practices. These changes will help improve access to data for patients, providers, and others delivering value and improving outcomes in health care.
Data Exchange Standards
First, the ONC’s new rule expands the clinical data elements that electronic health record (EHR) systems are required to make available to other health information systems. EHRs must now meet United States Core Data for Interoperability (USCDI) standards. These standards replace the previously used Common Clinical Data Set (CCDS) and specify that health data for exchange must include clinical notes, vital signs, and medications among other important clinical data. The new standards provide a technical framework for data exchange by standardizing how health data is captured, accessed, and shared. It’s an important step in strengthening a nationwide, interoperable health information exchange.
Application Programming Interfaces
ONC’s new rule also requires health care providers give patients free access to their health data through secure, standards-based application programming interfaces (APIs). Previously, patients had a right to access their medical records, but providers could charge patients to obtain copies and did not have to provide it in a standard online format. Under the new rule, certified EHR systems must have APIs that allow patients to easily access clinical and payment information through any third-party application they choose, including smartphone apps. Further, the API certification criterion requires that services must not only be able to export data for a single patient but must also be able to export data for multiple patients for providers who want to change their EHR system vendor.
The CMS rule expands on this to require CMS-regulated payers—including Medicare Advantage organizations, Medicaid programs, and CHIP fee-for-service programs—adopt patient APIs as well as provider directory APIs. Provider directory APIs publicly publish information about a payer’s network of providers, including names, addresses, phone numbers, and specialties.
Providing access through an API is important as it fosters innovation in health care to give better information, more conveniently, to patients and their providers. Patients can use smartphone apps to gain visibility of the services available to them and tailor their healthcare decisions to suit their needs. The ability of third-party apps to source health and provider data not only provides new choices in health care but offers an opportunity to generate additional value to consumers through supplementary services, such as disease specific apps and provider comparison apps. Similarly, providers can choose systems that help them provide better care. A 2014 report by RAND and the American Medical Association (AMA) found that poor EHR usability and the inability to exchange health information between EHR products was a significant cause of professional dissatisfaction among physicians. Easing the movement of clinical data allows providers to benefit from a more competitive marketplace where the choice of systems sits with them and not their provider. More importantly, lowering the barriers for third-parties entering the healthcare market makes the industry more competitive and helps achieve the goals first laid out in the 21st Century Cures Act.
Payer-to-Payer Data Exchange
Beyond just payer-to-patient APIs, the CMS final rule also requires that as of January 1, 2022, CMS-regulated payers will have to exchange certain patient clinical data, specifically the U.S. Core Data for Interoperability, with other payers at the patient’s request. By allowing a patient to take their health information from payer to payer centralizes data at the individual level and builds an aggregate view with the patient as the source. This further facilitates the flow of data in the healthcare system, and by extension competition in the market.
The final key regulations are those aimed at addressing the problem of “information blocking.” This term, specific to healthcare, describes the practice of some healthcare providers and intermediaries who interfere in the exchange of patient data for their own economic advantage. For example, a healthcare provider may be incentivized to implement their EHR in a way that makes it difficult for a patient to access their health information to impede them taking their business elsewhere. Or a technology vendor may restrict transitions between health IT systems by using nonstandard data sets to hinder their consumers from using competing products.
The CMS rule seeks to prevent such practices by publicly reporting clinicians and hospitals that may be engaged in information blocking based on how they attest to implementing their EHR in an annual report. The ONC rule adds to this by defining eight practices that do not constitute information blocking. For example, it will not be information blocking for an actor to engage in practices that are necessary to prevent harm to a patient or to protect an individual’s privacy, provided certain conditions are met.
Any companies that engage in information blocking activities outside of these exceptions will be subject to enforcement actions under the information blocking provision for civil monetary penalties. For CMS-regulated payers, bad actors will be publicly displayed on the Physician Compare website and may be subject to a reduction of Medicare reimbursement under the CMS Merit-based Incentive Payment System program. All reporting is due to begin in late 2020, starting with data collected for the 2019 performance year data. The goal is to curtail anti-competitive behavior by shaping provider reputation. Coupled with more provider information from APIs, this can empower patients seeking to compare physicians and hospitals looking for alternative payers.
Overall, the rules issued by HHS have been an important step in implementing the patient access and interoperability provisions set out in the 21st Century Cures Act. Notably however, third-party apps are not required to follow data blocking policies as ONC does not have statutory authority to vet third-party apps and what they do with consumer data. This is one reason why it will be important for Congress to pass comprehensive data protection legislation that includes a data portability requirement for sensitive data such as health care information.
Image Credits: Flickr user NIH Image Gallery