[co-author: Daniel Weinstein, Law Clerk]
On March 9, 2020, the Centers for Medicare and Medicaid Services ("CMS") and the Office of the National Coordinator for Health Information Technology ("ONC") each released final rules generally intended to ease both access to and ability to share patient health data and related information. CMS Administrator, Seema Verma, stated after last year's release of the proposed rules that "The government spent more than $36 billion to encourage the adoption of electronic health records, but failed to make sure that the systems could actually talk to each other." The final rules, the CMS "Interoperability and Patient Access final rule" and the ONC "Cures Act final rule," together have the potential to promote interoperability of technologies that collect and store patient data, breaking down the data silos that currently characterize the health care industry. The new standards are receiving mixed reactions, with the requirements potentially providing new insights and control for patients, as well as opportunities for the tech companies that will develop and sell the new data tools, but also raising concerns regarding consumer privacy protections, including impacts on the mining and selling of patient data by third-party apps and technology companies. Industry actors are also concerned about the potentially substantial costs involved, over the next six months, to implement the rules' various requirements.
The final rules have important implications for clients operating in the health care space. In particular, significant upgrades may be required to various clients' information technology systems, software, and applications. Clients should be aware of the new standards governing interoperability of health applications, especially as they apply to electronic health records ("EHRs") and information blocking practices, and should work with vendors and counsel to adjust practices appropriately. Additionally, while the final rules have the potential to change the care coordination landscape through providers' and payors' use of more timely and accessible health information, affected clients must also rapidly restructure internal operating policies and procedures to effectively comply with the rules' new conditions. For many, this may require substantial infrastructural investments and the establishment or comprehensive revision of internal compliance programs to ensure the correct transfer and use of patient health information.
According to CMS Administrator, Seema Verma, the final rules primarily aim to "unleash" the free flow of data between health care payors, providers, and patients with the hope that liberating health data in such a way will help to achieve coordinated care, better health outcomes, and reduced costs. To help accomplish this, the rules update health information technology certification requirements, such as those applicable to EHRs, and encourage health care industry actors and technology developers to adopt standardized application programming interfaces ("APIs") that facilitate interoperability of data shared among smartphone applications, payors, and providers. This may enable those consumers who have smartphone applications to pull health data into a single platform from various sources; patients can then access their health information using Health Insurance Portability and Accountability Act ("HIPAA") compliant software and processes incorporated into the APIs. In doing so, the final rules intend to empower consumers to choose what data to share, and with which parties such data is shared.
One stated goal of the final rules is to improve patient mobility within the health care system, allowing consumers' health information to follow them to different payors and providers. In furtherance of this aim, the final rules update the Medicare and Medicaid Conditions of Participation to mandate that participating hospitals send electronic notifications to another healthcare facility or community provider or practitioner upon patient care events and transitions. CMS-regulated payors are required to implement APIs that adhere to the rules' standards by January 2, 2021, while qualified health plans must implement such APIs in advance of plan years beginning January 1, 2021. CMS-regulated payors must also make provider directory information publicly available using such APIs. These tight timeframes mean that affected clients must immediately start planning and implementing business changes in order to comply with the new rules.
When describing the proposed rules in 2019, Administrator Verma also said that "privacy and security should be 'top of mind' when building apps and services that help patients manage their healthcare." Yet, concerns remain regarding the effectiveness of the rules' consumer protection measures. The rules' new privacy measures center on mandating more disclosures to consumers regarding how health data is collected, stored, and used. In addition, certain providers' and payors' progress toward implementation and attestations regarding information blocking will eventually be publicly reported by CMS, supposedly enabling consumers to factor electronic access to their own medical information into their care decisions. Furthermore, application developers must attest to various privacy protection provisions, such as whether data has any secondary uses, and inform consumers of such attestations. However, ensuring that such measures effectively protect patient data may be challenging, especially given the limitations of HIPAA applicability and third-party application developers' and operators' ongoing collection, storage, and use of patient data.
Proskauer will issue additional updates and analyses in the coming weeks which will delve more into the specifics of these rules and their impact on our clients' businesses.
To view the CMS final rule, please visit: https://www.cms.gov/Regulations-and-Guidance/Guidance/Interoperability/index.
To view the ONC final rule, please visit: https://healthit.gov/curesrule.