Two new federal rules will make it easier for consumers to access, use and transmit their personal healthcare information using an app on their smartphone or tablet. The regulations implement prior legislation and advance the current Administration’s intent to empower patients to be better consumers and transform the healthcare industry.
The two final rules were released on March 9 by the Department of Health and Human Services (DHHS): from the Office of the National Coordinator for Health Information Technology (ONC), the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program final rule; and, from the Centers for Medicare and Medicaid Services (CMS), the final rule on Interoperability and Patient Access.
The new regulations build on provisions in the omnibus 21st Century Cures Act (Act). Enacted in 2016, the Act included interoperability requirements to enable the secure exchange and use of electronic health information by consumers through a “trusted framework” in a more patient-friendly manner. The increased access will give consumers more control over their healthcare information and decisions, hopefully driving healthcare providers and payers to improve quality, efficiency and service.
The mobile technology and protocols to make this happen are already in use in the retail, banking and travel industries.
Updating Health IT Requirements
The interoperability requirements specified in the final ONC 21st Century Cures Act regulations update the criteria established for health IT technical certification, which signifies that the health information technology meets standards set by DHHS for use with Medicare, Medicaid and other programs. The update sets the technical requirements for the development of user-friendly applications (apps) that will enable consumers to access and use, at no cost, the electronic health information in their medical record.
The CMS final rule on interoperability and patient access requires CMS-regulated payers to have “secure, standards-based” application programming interfaces (APIs) enabling patients to access claims, encounter, and cost data electronically through apps. The CMS-regulated payers are the health plans serving the Medicare Advantage, Medicaid and CHIP programs and qualified health plans on the federal exchanges, with the exception of stand-alone dental plans and plans in the federally facilitated Small Business Health Options Program (SHOP).
Hospitals and others have voiced concern about enabling patients’ personal health information to be shared across third-party apps. Healthcare providers, insurers, and their business associates are generally covered by the Health Insurance Portability and Accountability Act (HIPAA) Rules, which require protection and privacy of all health information. However, third parties that receive health information directly from consumers are generally not subject to HIPAA. This discrepancy was highlighted by Ascension President and CEO Joseph Impicciche, who stated that the rules “lack the necessary guardrails to protect consumers from actors such as third party apps that are not required to meet the same stringent privacy and security requirements as hospitals. This could lead to third party apps using personal health information in ways in which patients are unaware.”
On March 9, 2020, DHHS’ Deputy National Coordinator for Health Information Technology, Don Rucker, MD, admitted that the final rule does not offer explicit mandates for third-party app privacy requirements, in part, for legal reasons. CMS acknowledges that in “liberating health information,” DHHS is trying to balance assurance of privacy and security with patients’ right to access their health information. But DHHS officials made clear the patient bears some responsibility in protecting personal health information. Rucker said patient choice will drive the decision to access the information, and it is patient choice that must “make sure that the third-party’s policies and data practices will meet your expectations. Especially because once this data is outside your health care provider’s hands it will not be covered by the Health Insurance Portability and Accountability Act (HIPAA) Rules.”
The final ONC Rule also finalizes the Act’s provisions related to the prevention of information-blocking practices and anti-competitive behavior. The Act prohibits “information blocking,” defined broadly to mean practices that are likely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information. The rule identifies eight exceptions—reasonable and necessary activities which are likely to interfere with the access to and exchange of electronic health information but under certain conditions do not constitute information blocking.
An example of an exception to the information blocking restrictions is the case of a healthcare provider who, under specified conditions, will not fulfill a request to exchange a patient’s information in order to prevent harm to the patient. Other examples include protecting the security of the patient’s information, again, under specified conditions, or in the case of a national disaster that prevents exchange of the information.
CMS plans to start publicly reporting possible information blockers. The intent is to identify for consumers any providers that may be less willing to support patient access and use of electronic health information.
Interoperability Rule Timeline
By January 1, 2021, CMS-regulated payers must implement the patient access API. Due to the COVID-19 pandemic, a CMS spokesperson said the agency was evaluating the rule’s projected timeline and its API requirements. However, as of April 16, 2020, no official delay has been announced.
For more information about regulatory requirements relating to access and exchange of patient health data, contact a member of the Husch Blackwell Healthcare Law team.