BACKGROUND IMAGE: stock.adobe.com
The 2020 HIMSS Global Health Conference & Exhibition may have been canceled Thursday due to coronavirus concerns, but federal regulators wasted no time in announcing that two long-awaited health IT rules finally have been released.
The finalized interoperability and information blocking rules from the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS) will require healthcare organizations give patients access to data through standardized APIs within the next two years, said Don Rucker, national coordinator for ONC, during a media briefing Monday. The rules also focus on data sharing between health insurers, as well as exceptions to information blocking, or situations that do not constitute healthcare organizations keeping data from patients.
Both ONC's information blocking and interoperability rule, and CMS' patient data access rule, were finalized amid concerns about patient privacy. Organizations, including EHR vendor Epic, voiced concerns that there weren't enough privacy protections in place to keep patient data safe.
Proposals for the two rules were unveiled at last year's event and it was rumored they would drop in conjunction with President Trump's last-minute addition to this year's HIMSS speaker lineup, which was slated to start today.
ONC's interoperability rule
ONC's interoperability rule mandates that healthcare organizations use FHIR-based APIs to connect patient-facing and consumer-grade apps to patient EHRs. It's part of the Trump administration's push to consumerize healthcare.
At the start of the year, one of the biggest EHR vendors, Epic, publicly expressed concerns on sharing patient data with third-party apps because of the lack of outlined privacy protections. During the media briefing, Rucker addressed those concerns head on, saying that the apps will use the same, secure API technology used in banking apps. Additionally, Rucker said providers will be able to let patients know in a "deliberate, straight-forward way" what information they're consenting to sharing through a patient authentication process.
"That is not snuck in on the side," Rucker said. "It's central to the way that patients allow an app to get access to their information. We've empowered providers to communicate the privacy issues in that process."
Rucker said a second part of the finalized ONC rule identifies activities that do not constitute information blocking, which is the interference of a healthcare organization with the sharing of health data, and establishes new rules to prevent information blocking practices by healthcare providers, developers of certified health IT and health information exchange networks, as required by the 21st Century Cures Act.
The rule also requires health IT developers to meet certification requirements to ensure interoperability. Health IT developers must comply with requirements such as assuring that they are not restricting communication about a product's usability or security so that nurses and doctors are able to discuss safety and usability issues without being bound by what Rucker said has historically been called a "gag clause."
The finalized ONC rule also replaces the Common Clinical Data Set (CCDS) data elements standard with the U.S. Core Data for Interoperability (USCDI) data set for the exchange of data within APIs. The USCDI is a defined set of data that includes clinical notes such as allergies and medications. The data set will support data exchange, Rucker said.
"These are standardized sets of data classes and data elements ... to help improve this flow of information," he said.
CMS patient access rule
The ONC rule goes hand in hand with the CMS rule, which aims to open data sharing between the health insurance system and patients.
Starting in 2021, the CMS patient data access rule will require all health plans that do business with the federal government to share data with patients through a standards-based API. The push to make it easier for patients to access health data follows a model CMS implemented with Blue Button 2.0, an API which gives Medicare beneficiaries the ability to connect their claims data to apps of their choosing, such as research apps.
The rule also requires health plans to make their provider directory available through an API, so patients know if their physician is in their insurance network.
"This will allow innovative third parties to design apps that will help patients evaluate which plan networks are right for them and potentially avoid surprise billing by having a clear picture of which clinicians are in network," CMS administrator Seema Verma said during Monday's media briefing.
Starting in 2022, Verma said insurance plans will also be required to share patient information with each other, which will enable patients to take data with them as they move between plans.
Additionally, effective six months from today, CMS is changing the participation conditions for Medicare- and Medicaid-participating hospitals as part of the rule. To ensure they are supporting care coordination for patients, Verma said the rule requires the hospitals to send admission, discharge and transfer notifications so patients receive a "timelier follow-up supporting better care and better health outcomes."
"The Trump administration is pushing the healthcare system forward," Verma said. "We are breaking down barriers to a seamless, data-driven healthcare system. The result of these two rules will be a more intuitive and convenient experience for American patients."