Understanding the CMS and ONC Interoperability Rules for Payers

For years, leaders in the health care industry have talked about empowering consumers to manage their own health care. Since HIPAA rules first established that plans and providers needed to provide patients with access to their records, technology has evolved significantly. Faxes, print outs and portable drives are no longer required for someone to share claims records with a new doctor. With the recent finalization of interoperability rules for health plans, electronic health information (EHI) access has officially entered the internet and mobile app age.

On March 9, 2020, two rules were issued by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS) to implement interoperability and patient access provisions of the bipartisan 21st Century Cures Act (Cures Act). The goal is empower patients with access to their medical information so they can make better health care decisions. The CMS Interoperability and Patient Access final rule, CMS-9115-F, outlines how health plans need to provide online access to provider directories and patient records. The ONC rule specifies the interoperability data and technology standards for sharing medical records between patients, providers and payers. These data specifications break down electronic health record system silos so records can follow a patient from provider to provider and payer to payer.

We’ve dug into the rules extensively to put together the key points health plans need to know, so you can begin preparing for compliance deadlines.

Standardizing data access

Before diving into the more specific requirements, plans have to consider the rule requirements for standard access to data. The final rule requires CMS-regulated health plans to provide access to provider and patient claims and clinical data via application programing interfaces (APIs). APIs facilitate the rapid exchange of EHI giving patients access their health information at no cost. Plans must now ensure that their information systems can communicate with third-party users, which include consumer health apps. The technical standard for APIs, finalized by the ONC, adopts the Health Level® 7 (HL7 Fast Healthcare Interoperability Resources® (FHIR) release 4.0.1). This interoperability standard facilitates the exchange of health care information between organizations with RESTful APIs.

For patient records access, plans will need to establish a secure and trusted connection with a third-party application requesting patient data in accordance with the ONC’s implementation specifications for OAuth and OpenID. The access must include authentication and authorization for API users with tokens for access to data for a single patient, verification of the patient, and the ability to revoke access at the patient’s discretion. The plan needs to provide technical documentation to help applications use the API and its responses, as well as relevant terms and conditions, and it must also test and monitor the APIs.

With standardized data access, plans are required to:

  • Share provider data more broadly with third parties through a Provider Directory API
  • Give patients access to their data, through a patient access API
  • Facilitate patient information transfer between payers, through a payer-to-payer exchange

There are additional requirements around information blocking, federal/state data exchange and event notifications, but let’s focus on the three requirements mentioned above:

#1. Sharing provider data more broadly: Provider Directory API

  • Who is impacted: The Provider Directory API rules apply to CMS-regulated payers including Medicare Advantage (MA) organizations, Medicaid and CHIP Fee-for-Service (FFS) programs, Medicaid managed care plans, and CHIP managed care entities, excluding Qualified Health Plan (QHP) issuers on the Federally-facilitated Exchanges (FFEs) since they already provide this with machine readable files.
  • What is required: Plans must provide public access to provider network data including name, address, phone number and specialties. For Medicare Advantage Prescription Drug Plans (MAPD) pharmacy directory details must include names, address, phone number, number of pharmacies and mix (the type of pharmacy, such as retail). The data must be made available no later than 30 calendar days after a payer receives provider directory information or updates to provider directory information.
  • When is the deadline for compliance: Applicable plans need to comply by January 1, 2021. Although, as a result of COVID-19 development, CMS has just announced the new requirements will not be enforced until July 1, 2021.
  • Considerations for health plans: The API must provide public access to provider data, so plans should ensure they have a robust infrastructure to support third-party access for bulk data transfers.

#2. Empowering consumers to control their own health data: Patient Access API

  • Who is impacted: This rule applies to CMS-regulated payers, specifically MA organizations, Medicaid FFS programs, Medicaid managed care plans, CHIP FFS programs, CHIP managed care entities, and QHP issuers on the FFEs, excluding issuers offering only Stand-alone dental plans (SADPs) and QHP issuers offering coverage in the Federally-facilitated Small Business Health Options Program (FF-SHOP). For QHP issuers on the FFEs, they must comply for plan years beginning on or after January 1, 2021.
  • What is required: Plans are required to provide secure, patient-authenticated access to historical data going back to date of service of January 1, 2016. This includes claims and encounters with capitated providers (including cost), clinical data (including lab results when maintained by the plan), and formulary and preferred drug lists. The data must be made available no later than one (1) business day after adjudication or processing. Plans must use the U.S. Core Data for Interoperability (USCDI) version 1 as the content and vocabulary standard for clinical data.
  • When is the deadline for compliance: Applicable plans need to comply by January 1, 2021. Although, as a result of COVID-19 development, CMS has just announced the new requirements will not be enforced until July 1, 2021.
  • Considerations for health plans: The original proposed rules included multiple APIs to account for the fact that different data sets exist in different systems, and often different locations. The final rules require one unified gateway to access claims and encounters, and clinical data, and formularies and drug lists. In addition, covered entities are still required to comply with HIPAA Privacy and Security Rules for data under their control. This means plans will need to ensure reasonable safeguards to protect PHI. While plans aren’t responsible for ensuring whether a specific app used by the patient includes safeguards, they will need to safeguard access to PHI with member authentication.

#3. Facilitating data sharing as patients change insurers: Payer-to-Payer Exchange

  • Who is impacted: The rules apply to CMS-regulated payers, excluding Medicaid FFS and CHIP FFS plans.
  • What is required: Delivery of member data between payers based on the USCDI data set.
  • When is the deadline for compliance: Applicable plans are to comply by January 1, 2022.
  • Considerations for health plans: To maximize their investments in FHIR resources and APIs plans can use Patient Access API for data exchange, although it is not required.

Clearly there is a lot of opportunity within the new interoperability rules, as well as a lot of work to do to prepare. The industry still needs to work through some practical details and processes. The interoperability community of plans, providers and health IT vendors have banded together collaborate, refine and operationalize interoperability. Groups like the Da Vinci Project and CARIN Alliance are working to drive forward on the final rule and help provide people with digital access to their health information. HealthSparq is proud to be involved in these efforts and our own Interoperability Services came from our participation in interoperability events with these groups.

January 2021 will be here in no time. If you’re interested in learning more about the final rules and some of our lessons learned/tips for health plans—check out our webinar.