
CMS Issues Proposed Rule on Interoperability, Patient Information


On February 22, 2019, the Centers for Medicare & Medicaid Services (“CMS”) and the Office of the National Coordinator for Health Information Technology (“ONC”) of the Department of Health and Human Services (“DHHS”) formally issued two proposed rules and related Requests for Information (RFIs) intended to advance interoperability and increase patient access to health information (the “CMS Proposed Rule” or “Proposed Rule” and the “ONC Proposed Rule,” respectively). This alert focuses on the CMS Proposed Rule, while a subsequent client alert will address the ONC Proposed Rule.

While primarily directed at plans, if finalized, the Proposed Rule would impose significant new requirements on payers and providers alike, including requiring CMS-regulated payers to develop application program interfaces (“APIs”) that facilitate sharing of information between patients, payers and providers, and new hospital conditions of participation requiring hospitals to report admission, discharge and transfer events to other providers to participate in the Medicare program. The Proposed Rule would also leverage attestations under the Medicare and CHIP Reauthorization Act (“MACRA”) where providers would confirm that they are not engaging in information blocking, and a website where the names of providers who refused to complete such attestations, or responded “no” to any of the attestations, would be publicly listed.

Comments on the proposed rules, which were published in the Federal Register on March 4th, 2019, must be received by May 3rd, 2019.

APIs and Care Coordination

Application Programming Interfaces

In its discussion of APIs, the Proposed Rule explains the agency’s belief that “every American should be able, without special effort or advanced technical skills, to see, obtain, and use all electronically available information that is relevant to their health, care, and choices – of plans, providers, and specific treatment options.” The Proposed Rule would require Medicare Advantage (“MA”) organizations, state Medicaid agencies, Medicaid managed care plans, Children’s Health Insurance Program (“CHIP”) agencies, CHIP managed care plans, and issuers of qualified health plans (“QHPs”) in federally-facilitated exchanges (“FFEs”), but not stand-alone dental plans offered in FFEs, to adopt and implement an “openly published” API, which will allow third-party software applications to retrieve, with the approval and at the direction of the patient, clinical and payment information. The information that CMS proposes to make accessible through APIs includes adjudicated claims (including cost), encounters with capitated providers, provider remittances, enrollee cost sharing, clinical data, including lab results when available, provider directory information, and formularies (when applicable).

CMS believes that because consumers perform daily tasks on smart phones using secure applications, consumers should be able to obtain and use health information in the same manner. CMS notes that it has received comments over the course of other undertakings expressing concern about risks to privacy—notably under HIPAA—as well as security. With regard to HIPAA, CMS points readers to existing guidance from the DHHS Office of Civil Rights (“OCR”), as well as Federal Trade Commission (“FTC”) recourse, but simultaneously encourages comment on these matters.

CMS also proposes that plans will be required to do routine testing and monitoring of APIs to assure that compliance with HIPAA and security requirements is maintained, particularly around protected health information (“PHI”).

Health Information Exchange and Care Coordination Across Payers

The Proposed Rule would require the CMS-regulated payers listed above to maintain a process enabling the electronic exchange of the types of data that would be accessible through APIs (also listed above). When received from another payer, the information would need to be integrated into the receiving payer’s medical records about the patient. Payers would be required to accept data from any other health plan that has treated a patient during the preceding five years, and to send a patient’s data to any plan that covers the patient for up to five years after the patient’s disenrollment from the plan. Such transfers of information would be facilitated through a “Trusted Exchange Framework” to improve interoperability, which is further discussed below.

API Access to Published Provider Directory Data

The Proposed Rule would require CMS-regulated payers to make their provider directory information available through APIs. Specifically, payers would need to make standardized information about their provider networks available through an API, which third-party software applications could access and publish. CMS believes that this would enable a referring provider to securely send patient information to a receiving provider.

Care Coordination Through Trusted Exchange Networks

The Proposed Rule would require payers regulated by CMS to participate in trusted exchange networks as a way to improve interoperability. The goal of trusted exchange networks is to facilitate interoperability extending beyond a single health system or point-to-point connections between payers, patients and providers. CMS is proposing that as of January 1, 2020, MA Plans, Medicaid and CHIP managed care plans, and QHPs in FFEs must participate in a trusted exchange network that is capable of exchanging PHI in compliance with applicable federal and state law, is capable of connecting to inpatient electronic health records (“EHRs”) and ambulatory EHRs, and supports secure messaging or electronic querying by and between providers, payers and patients. This portion of the Proposed Rule builds on the Trusted Exchange Framework that ONC released for comment in January 2018.

Information Blocking Attestations

The Proposed Rule seeks to further implement information blocking provisions introduced under MACRA. MACRA’s “meaningful use” provisions require eligible professionals, hospitals and critical access hospitals (“CAHs”) to demonstrate they have not “knowingly and willfully” restricted the compatibility or interoperability of certified EHR technology (“CEHRT”). CMS explains that information blocking “could be considered to include the practice of withholding data, or intentionally taking action to limit or restrict the compatibility or interoperability of health IT,” and that it understands “that health care providers may limit or prevent data exchange in an effort to retain patients.”

To implement these interoperability requirements, CMS adopted three attestations that providers must make regarding their use of CEHRT, confirming that they are not engaging in information blocking. The attestations require the clinician to confirm that they did not knowingly and willfully restrict compatibility or interoperability of CEHRT, implemented technologies, standards and procedures needed to ensure that CEHRT was connected and operating optimally at all times, and responded in good faith and timely to requests to retrieve or exchange electronic health information. There are parallel regulatory requirements for hospitals and CAHs.

The Proposed Rule would make the responses of clinicians, hospitals and CAHs to these attestations public. Specifically, a new indicator would be added on Physician Compare for clinicians and medical groups that respond “no” to any of the attestations, and a new CMS website would post the names of hospitals and CAHs that do the same. This information would be posted beginning in late 2020 during the 2019 reporting period.

CMS is seeking comments on how to implement this public reporting initiative, including where to post the names and how frequently they should be posted.

Revised Conditions of Participation for Hospitals, Psychiatric Hospitals and Critical Access Hospitals

The CMS Proposed Rule announces that the agency expects to finalize two previously proposed rules involving conditions of participation relating to interoperability this year. The first new conditions of participation would require hospitals, psychiatric hospitals and CAHs to send electronic patient event notifications when a patient is admitted, discharged and transferred to another community provider or facility. These automated, electronic communications would be sent by the discharging provider to a facility or community provider that the patient identifies, and would include basic patient demographic and diagnostic information. CMS explains that the EHR systems that hospitals, CAHs and psychiatric hospitals presently use generate these messages using admission, discharge and transfer (“ADT”) messages.

The only hospitals to which these requirements would apply are those with EMR systems capable of generating information for patient event notifications. To satisfy this condition of participation, such hospitals would need to demonstrate the following:

  1. the notification capacity of the EHR system is operational and compliant with federal and state laws governing the exchange of PHI;
  2. the system uses the content exchange standard in the ONC Proposed Rule;
  3. the system sends notifications with the minimum PHI required – the patient’s name, the treating practitioner’s name, the name of the sending institution, and the patient diagnosis (unless this is prohibited by law);
  4. when the patient is admitted, the system sends notifications that allow for the exchange of health information to practitioners, patient care team members, and post-acute services providers and suppliers who receive the notification for purposes of care coordination, treatment or quality improvement, have an established care relationship with the patient that is relevant to such patient’s care, and the hospital is “reasonably certain” that they receive the notifications; and
  5. either immediately before or at the time of the patient’s hospital discharge, the system dispatches notifications to the individuals listed in item 4, above.

While the new hospital conditions of participation are only required for inpatients, CMS hopes that hospitals will expand these practices to the care of additional patients. The requirements for CAHs and psychiatric hospitals generally mirror the requirements for hospitals.

Provider Digital Contact Information

The 21st Century Cures Act required the Secretary of the Department of Health and Human Services to establish a digital contact information index, which CMS accomplished by updating the National Plan and Provider Enumeration System (“NPPES”) to capture the digital contact information of providers and facilities. However, because CMS has found that many providers are not adding their digital contact information or ensuring that it is up-to-date, CMS is proposing to publicly report the names and national provider identifiers (“NPIs”) of providers who fail to add their digital contact information to the NPPES beginning in the second half of 2020.

RFIs on Advancing Interoperability Across the Care Continuum, Improving Patient Matching

The Proposed Rule contains two RFIs involving health information technology, suggesting future regulatory action in this area.

First, CMS is seeking comment on strategies for advancing interoperability across care settings. CMS highlights its concern about a lack of implementation of CEHRT in post-acute care, behavioral health, and home and community-based service settings. Such facilities should take note of this RFI, as CMS issued it in anticipation of future rulemaking. Thus, while the full Proposed Rule’s application is limited to hospitals, CAHs and psychiatric hospitals, it appears likely that similar requirements will be imposed upon post-acute care, behavioral health, and home and community-based providers in the near future.

Second, CMS requested comments about how to improve patient matching efforts. Patient matching refers to efforts to match information about a patient that is held by multiple providers. “Matching” such records allows providers to construct a more complete picture of a patient’s medical history. CMS notes that the lack of a unique patient identifier (“UPI”) across the Medicare program has long stood in the way of safe and secure exchanges of PHI, but that Congress has encouraged DHHS to examine ways to use patient matching.

Hooper, Lundy & Bookman will continue monitoring these developments. If you have questions or are interested in submitting comments, contact Jeremy Sherer or Amy Joseph in Boston at 617-532-2700, or Marty Corry or Monica Massaro in Washington, D.C. at 202-580-7700, or your regular Hooper, Lundy & Bookman contact.


Amy M. Joseph
Monica Herr Massaro
Director, Government Relations & Public Policy
Washington, D.C.
Jeremy D. Sherer
Washington, D.C.
Martin A. Corry
Co-Chair of Government Relations & Public Policy Department
Washington, D.C.