Final CMS Interoperability Rules Come without Privacy Requirements

By
Original story posted on: March 16, 2020

The rule does not set requirements for the privacy and security of the apps and the data they contain

The Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS) final interoperability rules were released last week, about a year after the proposed rules were published.

These groundbreaking rules provide requirements for electronic health records (EHRs) and federally administered health plans to make data available to patients in a standardized, mobile-friendly method, using HL7 FHIR standards. The rules also provide strict prohibitions against data blocking (like excess charges or technological hurdles), as well as specific exceptions to the prohibition (for privacy and security issues).

The rules will provide patients the ability to select their own applications to download certain clinical data from provider EHRs and claim data from the health plans. The clinical data exchange will also take place among providers, enabling them to share data from their EHRs in a standardized manner.  

While the application exchange requires only a certain subset of data to be available, EHRs will also be required to make the complete set of data for a patient available for exchange, as well as a complete set of data for all patients. This will make switching providers easier for patients, and switching EHRs easier for providers.

The CMS rule also requires Medicare-participating acute-care hospitals, long-term care hospitals, inpatient rehabilitation facilities, psychiatric hospitals, children’s hospitals, cancer hospitals, and critical access hospitals to send electronic notifications to receiving providers when an inpatient is admitted, discharged, or transferred.

While the notification requirement mentioned above will be required six months after the rule is published, there are much longer time frames for the exchange requirements.

Some of the key dates include the following:

  • No later than 24 months after publication, new HL7® FHIR®API capability must be rolled out.
  • No later than 36 months after publication, EHI export capability must be rolled out.
  • Six months after publication, compliance starts for information blocking rules for the limited data exchanged through apps.
  • Twenty-four months after publication, compliance with exceptions will be required for the full set of electronic health information.

ONC and CMS envision a robust market of applications for consumers to use in both acquiring their data, and more importantly, using their data to help manage their health. The rule sets the standards for the data acquisition, but does not set any other requirements for the application capabilities or the privacy and security of the apps and the data they contain. 

The final rule made some minor changes to definitions and some of the blocking criteria, as well as revising the compliance dates. Despite the long time between the proposed and final rules, there does not appear to be any significant changes between them.
Stanley Nachimson, MS

Stanley Nachimson, MS is principal of Nachimson Advisors, a health IT consulting firm dedicated to finding innovative uses for health information technology and encouraging its adoption.   The firm serves a number of clients, including WEDI, EHNAC, the Cooperative Exchange, the Association of American Medical Colleges, and No World Borders.  Stanley is focusing on assisting health care providers and plans with their ICD-10 implementation and is the director of the NCHICA-WEDI Timeline Initiative.  He serves on the Board of Advisors for QualEDIx Corporation.

Stanley served for over 30 years in the US Department of Health and Human Services in a variety of statistical, management, and health technology positions.  His last ten years prior to his 2007 retirement were spent in developing HIPAA policy, regulations, and implementation planning and monitoring, beginning CMS’s work on Personal Health Records and serving as the CMS liaison with several industry organizations, including WEDI and HITSP.  He brings a wealth of experience and information regarding the use of standards and technology in the health care industry.

Related Stories

  • COVID-19 Sparks New EHR Template
    The new template was designed by a former ED physician. Front-line emergency departments facing an onslaught of patients suspected of contracting the novel coronavirus that causes COVID-19 now have a new tool designed to help them quickly diagnose patients. The…
  • CMS Publishes MS-DRG Information for COVID-19 and Relaxes Other Regulations
    Latest information comes in the wake of the coronavirus pandemic. The Centers for Medicare & Medicaid Services (CMS) has published Medicare Severity Diagnosis Related Group (MS-DRG) information related to COVID-19, effective April 1, 2020. The diagnosis will be a Major…
  • Care Management Services: Get Paid for What you are Already Doing
    Defining Medicare’s chronic care management services. CCM services are generally non-face-to-face services provided to Medicare beneficiaries who have multiple (two or more) chronic conditions expected to last at least 12 months, or until the death of the patient. These services…