The Office of the National Coordinator (ONC) and the Centers for Medicare and Medicaid (CMS) have proposed final rules on interoperability, data blocking, and other activities as part of implementing the 21st Century Cures Act.
In this series, we will explore ideas behind the rules, why they are necessary, and the expected impact. Given that these are complex and controversial topics are open to interpretation, we invite readers to respond with their own ideas, corrections, and opinions.
Interventions to Address Market Failures
Many of the rules proposed by CMS and ONC are evidence-based interventions aimed at critical problems that market forces have failed to address.
One example of market failure is the long-standing inability of health care providers and insurance companies to find a way to exchange patient data. Each has critical data the other needs and would benefit from sharing.
And, as CMS noted, health plans are in a “unique position to provide enrollees a complete picture of their clams and encounter data.”
Despite that, technical and financial issues, as well as a general air of distrust from decades of haggling over reimbursement, have prevented robust data exchange.
Remarkably, this happens in integrated delivery systems which, in theory, provide tight alignment between payers and providers in a unified organization.
With so much attention focused on requirements for health IT companies like EHR vendors and providers, it is easy to miss the huge impact that the new rules are likely to have on payers.
But make no mistake, if implemented as proposed, these rules will have a profound impact on the patient’s ability to gather and direct the use of their personal health information (PHI). They will also lead to reduced fragmentation and more complete data sets for payers and providers alike.
Overview of Proposed CMS Rules on Information Sharing and Interoperability
The proposed CMS rules affect payers, providers, and patients stating that they:
- Require payers to make patient health information available electronically through a standardized, open application programming interface (API)
- Promote data exchange between payers and participation in health information exchange networks
- Require payers to provide additional resources on EHR, privacy, and security
- Require providers to comply with new electronic notification requirements
- Require states to better coordinate care for Medicare-Medicaid dually eligible beneficiaries by submitting buy-in data to CMS daily
- Publicly disclose when providers inappropriately restrict the flow of information to other health care providers and payers
These rules apply to:
- Health care providers
- State Medicaid and Children’s Health Insurance Program (CHIP) agencies
- Insurers that offer qualified health plans (QHPs)
- Medicare Advantage plans
- Medicaid and CHIP managed care plans
While, the broader commercial market, employer-sponsored health insurance, and stand-alone dental plans are currently exempted from these rules, the hope is that some will still adopt these new approaches.
Data Exchange Requirements for Payers
CMS has proposed substantial data exchange requirements that define both the types of information to be shared and, where appropriate, the technical approach and standards to be followed.
One key requirement is to implement and maintain an open API that enables third-party applications (some with approval from the patient) to easily retrieve a variety of information as shown in the table below:
**QHP insurers are NOT required to comply with the provider directory or drug formulary requirements through API since this information must already be provided to the marketplace in a machine-readable format and is highly accessible.*
Other key data management provisions include:
- Payers must be able to exchange data elements outlined in the United States Core Data for Interoperability (USCDI) standards.
- Payers must incorporate received data into their own records.
- When a patient (member) requests it, the payer must (1) accept data from a patient’s prior health plan for up to five years, (2) send data to other health plans for up to five years, (3) send data to a recipient designated by the patient for up to five
The proposed rules for exchanging data should lead to reduced fragmentation and more complete data sets for payers, providers, and patients.
Importantly, the rules also specify response times where possible:
- Claims, encounters, and clinical data must be available through the API no later than one business day after a claim is processed or the data is received by the payer.
- Provider directory data must be updated within 30 business days of changes to the directory.
- No specific timeframe for submitting pharmacy directory or formulary information.
A key issue will be the payer’s dependence on providers sharing data with them in a timely manner so the payer can meet these requirements.
CMS is urging payers to consider whether their contracts with providers should include timing standards regarding the submission of claims and encounter data.
API Standards for Payers
CMS and ONC have been moving in tandem to address interoperability and information blocking. It’s no surprise CMS will require payers to comply with a separate ONC proposed rule to use APIs to meet certain technical standards and address standardized content and vocabulary for data available through the API.
They also address behaviors that can limit interoperability or lead to information blocking. A good example is the requirement to deliver clinical data which mandates USCDI be available via a standard FHIR API. Other requirements specify (among other things) that:
- The API must be publicly accessible on a payer’s website and accompanied by documentation on technical aspects (such as API syntax, function names, and various other parameters).
- Payers cannot require a reader to pay a fee to access the documents, receive a copy via email, or agree to receive future communications before making the documentation available.
- Payers can deny or discontinue a third party’s connection to their API if the payer determines—using objective, verifiable criteria —that the connection threatens the security of protected health information (PHI).
- Payers can make non-standardized data available through their APIs but are required to ensure that their API documentation provides enough information to developers to handle this information.
“It is critical for patients to have access to their data…plans that do business with CMS, [must] aggregate that information and make it available through an API. We really hope developers will take our lead and build on that, while maintaining the highest levels of privacy and security.”
Kate Goodrich, MD, director of the Center for Clinical Standards and Quality CMS
Economic Impact on Payers
In general, the rules proposed by CMS and ONC are subject to a Regulatory Impact Analysis (RIA) to estimate the costs and benefits of specific rules.
Interestingly, CMS suggests that promoting data exchange between payers and participating in a trusted health information exchange may qualify as “quality improvement activities” for purposes of an insurer’s medical loss ratio.
This is an important consideration for payers since these costs could be counted against the requirement to spend 80 or 85 percent of premium revenue on claims and quality improvement.
Data Must Flow for the Benefit of All
An overarching theme of the proposed rules is that patient data should flow freely and in the direction of the patient unless there is a compelling, common-sense exception (seven of which are spelled out in detail).
The proposed rules for payers reflect this theme and directly address the long-standing failure of market forces to encourage robust information sharing.
They also hold the real promise of benefiting patients, health care providers, and payers by enabling better care at a lower cost!