Austin Dobson

CMS and ONC Rules: What They Mean for You

September 1, 2021

Impact on Health IT Vendors, Providers, and Payers

In March 2020, the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) released rules that have far reaching implications for healthcare providers, payers, and health IT vendors.

The two rules are designed to implement interoperability and patient access provisions of the 21st Century Cures Act, a bipartisan bill signed into law in 2016, with the goal of empowering patients with access to their medical data so that they can make informed decisions about their health.

Read about U.S. Government Regulations and Compliance

The rules were entered into the Federal Register on May 1, 2020, which started the clock on compliance timelines. Several deadlines were set for early 2021; however, because of the COVID-19 pandemic, CMS and ONC have relaxed some deadlines.

Here, we highlight some important aspects of each rule and explain how different stakeholders will be affected by the rules. We also explain how Lyniate can help stakeholders meet compliance deadlines.

CMS and ONC: What’s the Difference?

While CMS and ONC are separate divisions under the U.S. Department of Health and Human Services (HHS), they often coordinate efforts to surface different aspects of the same intention. In the case of these two rules, the intention is to make data more broadly available using APIs.

Who Is Impacted by the Rules?

  • Healthcare provider organizations
  • Developers of Certified health IT
  • Health information exchanges
  • Health information networks
  • Payers

Industry Impacts

Taken together, what do the rules mean for health IT vendors, provider networks, and payers? While we don’t have a crystal ball, the following table illustrates — based on past healthcare regulations, such as the HITECH Act — which aspects of the rules will have greater impact on the industry. Decoupling the silos from vendors that have largely controlled patient healthcare data will dramatically change the dynamic in which these organizations are viewed.



CMS and ONC Rules: Impact on Health IT Vendors

As they consider how they will comply with these rules, developers of health IT solutions should ask themselves following:

  • In what formats does your organization store all data comprising the USCDI?
  • What type of data is stored in your organization?
  • What systems do you connect with, and where is protected health information housed?
  • If you store patient protected health information in your system, you must have a FHIR API that allows patients to access their data.

CMS and ONC Rules: Impact on Providers

As they consider how they will comply with these rules, leaders of provider organizations should ask themselves the following:

How are you managing ePHI? Is your organization — either intentionally or inadvertently — blocking information?

  • Do you have the technical capability for bulk data sharing?
  • Do you have the technical capability to meet the CMS’s Condition of Participation requirement of sending real-time e-Notifications to patient-identified providers?
  • Are you prepared to educate your patients about the benefits and risks of accessing their data using third-party apps?

CMS and ONC Rules: Impact on Payers

As they consider how they will comply with these rules, leaders of payer organizations should ask themselves:

Do you have the technical infrastructure to implement and maintain a secure, standards-based Patient Access API that allows patients to easily access their claims and encounter information, including cost, as well as a defined sub-set of their clinical information through third-party applications of their choice?

  • Do you have the technical infrastructure to implement a FHIR-based Provider Directory API?
  • Do you have in interoperability solution that integrates easily with your existing systems?
  • How will your infrastructure support all requirements for payer-to-payer exchange?
  • Do you have the infrastructure to build, manage, maintain, expose, and govern FHIR APIs?
  • Can your vendor partners enable use cases outside of the CMS requirements, such as those outlined by the DaVinci Project and SMART on FHIR?

And Keep in Mind:

By failing to meet this requirement, vendors risk losing ONC certification, as well as being named on the ONC’s list of information-blocking offenders.

  • Vendors must rely on the Oauth 2.0 protocol to ensure patient data security.
  • Vendors that have taken the “walled garden” approach to storing patient data will have to restructure business models regarding how they store and allow access to patient data.
  • For the first two years after the rules go into effect, data access and exchange will be restricted to USCDI, which is the minimum data you need to be able to transmit as a vendor, as a provider organization is that core data set.

How Lyniate Can Help

Lyniate’s primary products — Corepoint and Rhapsody — were the first integration engines on the market to feature built in FHIR capabilities.

Lyniate continues to invest and expand our current native FHIR capabilities, ensuring our products can enable interoperability success in tomorrow’s regulatory climate, while adding critical business value today.

Corepoint and Rhapsody can fit into virtually any infrastructure footprint. Because we specialize in healthcare interoperability, our products can support interaction with virtually any other system vendors will find within a health IT ecosystem.

With our suite of FHIR-native tools implementations can be built quickly and efficiently.

Lyniate has the best in KLAS services team for the interoperability market and can provide health IT vendors the resources to meet tight implementation timelines.

Lyniate partners with a number of innovative, trusted health IT vendors and consulting groups that can assist with compliance concerns.

How Lyniate Can Help You Accelerate FHIR Deployments

FHIR can be used in a variety of workflows for everything from remote patient-monitoring devices to large multi-facility hospital information systems. FHIR not only enables new workflows, such as those related to patient engagement, but also more traditional communications between applications. The current versions of Corepoint and Rhapsody integration engines can be used to support workflows in many ways, with or without FHIR, such as:

  • Traditional application-to-application interoperability within the four walls
  • External connectivity
  • HIEs/ACOs
  • National exchanges
  • Mobile applications
  • Home health devices

Let’s Talk

Have a question about how the CMS and ONC rules will affect your organization? Drop us a line and we’ll get in touch with you.

Related Blogs

How State HIEs Are Advancing Interoperability

Abigael Grippe

How State HIEs Are Advancing Interoperability

Read more

Abigael Grippe

TEFCA: Everything Healthcare Organizations Need to Know

Read more
Lyniate_Rapid_illustration_api_gateway_manager (1)

Lyniate Team

Lyniate introduces Rapid, a healthcare API gateway

Rapid is a healthcare API gateway and manager designed to help health teams create and safeguard APIs, including Fast Healthcare Interoperability Resources (FHIR)-based APIs like those required by the CMS Interoperability and Patient Access Rule.

Read more