On March 4, 2019, the Department of Health and Human Services (HHS) published two proposed rules to improve patient access to personal health data. The two rules, issued by the HHS Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC), are intended to increase interoperability of electronic health information. These long-anticipated proposals follow legislative action undertaken in the 21st Century Cures Act. HHS indicated that, by increasing interoperability, it intends to empower patients with ownership of their medical histories and increase efficiency and quality of care in the health care industry.

CMS’s proposed rule on interoperability and patient access to health data would require Medicaid, the Children’s Health Insurance Program (CHIP), Medicare Advantage (MA), and Affordable Care Act federally-facilitated exchange (FFE) health plans to ensure patient access to electronic health information (EHI) by 2020. Key provisions of the proposed rule include:

  • Requiring plans to implement application programming interfaces (APIs), which are platforms that allow the transfer of electronic information between different computer systems. Last year, CMS established an API for Medicare fee-for-service plans through the MyHealthEData initiative. The proposed rule extends this initiative to other federal government-funded health plans. CMS indicated that, through the use of an API, it intends for patients to maintain access to their EHI throughout their “healthcare journeys,” even if they switch health plans.
  • Requiring Medicaid, CHIP, and MA health plans to make their entire provider directory available through API technology to facilitate patient access to in-network providers and providers’ ability to coordinate care with other providers. (FFE plans are already required to make their provider directories available and are excepted from this provision.)
  • Requiring MA organizations, Medicaid managed care plans, CHIP managed care entities, and issuers in the FFEs to participate in trust networks that allow the free and secure exchange of information over the internet, despite the use of different health IT networks.
  • Making publicly available a list of clinicians and hospitals that engage in information blocking practices that may prevent the disclosure and use of EHI and therefore undermine the aims of interoperability. By making the information publicly available, CMS hopes to incentivize providers to refrain from information blocking.
  • Requiring that states increase the frequency with which they share data on dually eligible Medicaid and Medicare beneficiaries from monthly to daily.
  • Requiring Medicare-participating hospitals to provide other providers and facilities with “electronic notifications when patients are admitted, discharged or transferred,” in order to improve patient care during transitions between settings and providers.

ONC’s proposed rule focuses on the more technical aspects of increasing interoperability. Key provisions of the rule include:

  • Providing standardized criteria for APIs to help health IT developers build apps patients can use to easily access their data. To reduce financial barriers to API adoption for government health plans, the rule also limits the fees API suppliers can charge and establishes pro-competitive conditions.
  • Establishing the following seven “reasonable and necessary” exceptions to the 21st Century Cures Act’s prohibition of information blocking:
    • Preventing patient harm
    • Promoting the privacy of EHI
    • Promoting the security of EHI
    • Recovering costs reasonably incurred in making EHI accessible
    • Responding to infeasible requests that impose a substantial burden
    • Licensing of interoperability elements on reasonable and non-discriminatory terms
    • Maintaining and improving health IT performance.
  • Establishing Conditions of Certification and Maintenance of Certification for health IT developers. These conditions prohibit information blocking, require assurances that developers will not engage in information blocking, prohibit developers from restricting communications about health IT, require compliance with API technical requirements, require real world testing, and require attestation to compliance with the Conditions and Maintenance of Certification requirements.

These proposed rules are part of a long-term plan to ensure safe and efficient exchange of EHI. Comments on the proposed rules are due May 3, 2019.