Final CMS Interoperability Rules Come without Privacy Requirements

By
Original story posted on: March 16, 2020

The rule does not set requirements for the privacy and security of the apps and the data they contain

The Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS) final interoperability rules were released last week, about a year after the proposed rules were published.

These groundbreaking rules provide requirements for electronic health records (EHRs) and federally administered health plans to make data available to patients in a standardized, mobile-friendly method, using HL7 FHIR standards. The rules also provide strict prohibitions against data blocking (like excess charges or technological hurdles), as well as specific exceptions to the prohibition (for privacy and security issues).

The rules will provide patients the ability to select their own applications to download certain clinical data from provider EHRs and claim data from the health plans. The clinical data exchange will also take place among providers, enabling them to share data from their EHRs in a standardized manner.  

While the application exchange requires only a certain subset of data to be available, EHRs will also be required to make the complete set of data for a patient available for exchange, as well as a complete set of data for all patients. This will make switching providers easier for patients, and switching EHRs easier for providers.

The CMS rule also requires Medicare-participating acute-care hospitals, long-term care hospitals, inpatient rehabilitation facilities, psychiatric hospitals, children’s hospitals, cancer hospitals, and critical access hospitals to send electronic notifications to receiving providers when an inpatient is admitted, discharged, or transferred.

While the notification requirement mentioned above will be required six months after the rule is published, there are much longer time frames for the exchange requirements.

Some of the key dates include the following:

  • No later than 24 months after publication, new HL7® FHIR®API capability must be rolled out.
  • No later than 36 months after publication, EHI export capability must be rolled out.
  • Six months after publication, compliance starts for information blocking rules for the limited data exchanged through apps.
  • Twenty-four months after publication, compliance with exceptions will be required for the full set of electronic health information.

ONC and CMS envision a robust market of applications for consumers to use in both acquiring their data, and more importantly, using their data to help manage their health. The rule sets the standards for the data acquisition, but does not set any other requirements for the application capabilities or the privacy and security of the apps and the data they contain. 

The final rule made some minor changes to definitions and some of the blocking criteria, as well as revising the compliance dates. Despite the long time between the proposed and final rules, there does not appear to be any significant changes between them.
Stanley Nachimson, MS

Stanley Nachimson, MS is principal of Nachimson Advisors, a health IT consulting firm dedicated to finding innovative uses for health information technology and encouraging its adoption.   The firm serves a number of clients, including WEDI, EHNAC, the Cooperative Exchange, the Association of American Medical Colleges, and No World Borders.  Stanley is focusing on assisting health care providers and plans with their ICD-10 implementation and is the director of the NCHICA-WEDI Timeline Initiative.  He serves on the Board of Advisors for QualEDIx Corporation.

Stanley served for over 30 years in the US Department of Health and Human Services in a variety of statistical, management, and health technology positions.  His last ten years prior to his 2007 retirement were spent in developing HIPAA policy, regulations, and implementation planning and monitoring, beginning CMS’s work on Personal Health Records and serving as the CMS liaison with several industry organizations, including WEDI and HITSP.  He brings a wealth of experience and information regarding the use of standards and technology in the health care industry.

Related Stories

  • CMS announces end of emergency blanket data waiver for nursing homes
    The move comes amid localized spikes in COVID-19 cases occurring nationwide. Federal officials said Friday that they are ending an emergency blanket waiver intended to reduce administrative burden on nursing homes amid the continuing COVID-19 pandemic. The Centers for Medicare…
  • CMS Guidance for Remote Patient Monitoring (RPM)
    The Centers for Medicare & Medicaid Services (CMS) has provided some guidance within the “Medicare and Medicaid Programs Policy and Regulatory Revisions in Response to the COVID-19 Public Health Emergency” interim final rule (IFR), allowing for remote patient monitoring, or…
  • CMS Announces Broadened Coverage for Essential Diagnostic Testing amid COVID-19
    Agencies have implemented legislation guaranteeing coverage of COVID-19 diagnostic testing, including antibody testing, and certain related services without cost sharing for enrollees with private health coverage. As coverages and regulations continue to broaden, often on a day-to-day basis, guidelines related…