On July 1, a final rule by the Centers for Medicare & Medicaid Services (CMS) took effect that opens up patient access to healthcare data.
When the interoperability rule was issued in 2020, former CMS Administrator Seema Verma said the rule will help bring the health system’s data-sharing capacity out of the “stone age.”
“These rules begin a new chapter by requiring insurance plans to share health data with their patients in a format suitable for their phones or other device of their choice. We are holding payers to a higher standard while protecting patient privacy through secure access to their health information. Patients can expect improved quality and better outcomes at a lower cost,” Verma said.
The Interoperability and Patient Access final rule requires, among other things, that Medicaid, the Children’s Health Insurance Program (CHIP), Medicare Advantage (MA) plans and qualified health plans make enrollee data immediately accessible.
The final rule was launched Jan. 1, but enforcement of the rule was delayed because of the pandemic.
As part of the rule, CMS-regulated payers, specifically MA organizations, Medicaid fee-for-service programs, Medicaid managed care plans, CHIP fee-for-service programs and CHIP managed care entities, have to implement and maintain a patient access API that will allow data sharing with health apps. The patient access API must meet the ONC Cures Act Final Rule technical standards, the latest release of Health Level 7 Fast Healthcare Interoperability Resources.
With the rule in effect, patients should be able to get access to adjudicated claims, provider encounters and clinical data no more than one business day after a claim is adjudicated or a patient encounters a provider, according to the rule.
Payers also have to make provider directory information publicly available via a standards-based API.
Down the road, payers also will have to exchange certain patient clinical data, specifically the U.S. Core Data for Interoperability, at the patient’s request. Organizations will have to implement a process for this data exchange by Jan. 1, 2022.
Minal Patel, M.D., CEO and founder of Abacus Insights, said the CMS mandate is a necessary “first step” to enable patients to have better access to health data.
“But simply following the mandate is a missed opportunity to innovate and create real change in the ways in which we experience healthcare,” Patel told Fierce Healthcare. “Health plans that choose to use the mandate to go beyond compliance can spur a whole new wave of innovation when they become adept at analyzing and sharing valuable information across multiple stakeholders. This is truly a rare case where compliance and transformation go hand in hand.”
Abacus Insights is a cloud-based technology company that offers a healthcare data integration and interoperability platform for large insurers.
As it currently stands, payers’ ability to comply with the new mandate varies across large and small organizations, experts say.
For larger health plans that already had APIs in place for communicating with providers, getting into compliance was not a heavy lift, according to Sean Sullivan, senior associate with law firm Alston & Bird.
“Smaller health plans were struggling to meet the July 1 deadline. They are less likely to have these tools in place prior to the requirement,” he said.
“Plans are finding it to be more of a technical challenge to develop the technology and the capability to connect their existing database to this standardized API format,” said Elinor Hiller, partner at Alston & Bird.
The interoperability mandate is a sign of an overall trend with CMS pushing and the industry moving on its own toward more interoperability to help put patients in charge of their own care and their own health records, Sullivan said.
“It’s a tremendous opportunity for developers to work with payers and to build the backbone of technology behind them and to build apps that can aggregate data for patients,” he said.
App developers now have the potential to build population health and data analytics tools on top of all this health plan data. But opening up patient data also raises privacy and security risks as patients’ health plan information is not protected by healthcare data privacy laws like HIPAA once it’s downloaded to a third-party app, Sullivan said.
“One concern that comes up among payers as they create an interface where, based on a patient request, that request for data could be executed by a third party: You’re just having more data flowing through the system. That raises inherent questions and concerns about data breaches,” Hiller said.
For health insurers operating in multiple states, consent for the sharing of health information can be complicated as rules vary from state to state, Patel noted.
Health plans are responsible for ensuring health data are protected no matter where care is provided. This requires implementing appropriate security measures such as multifactor authentication, endpoint patching, IP whitelisting and credentialing to ensure these data remain protected, he said.
The early lessons learned from the hospital price transparency rule include that compliance can be tricky, said Patel.
“Plans really need to make sure their technical partners understand healthcare data and have both expertise in technology, security and healthcare,” he said.
At the end of the day, interoperability is about the experience health plans provide to their members.
“Health plans need to be able to track data from any digital health application through the provider visit to the final claims processing. When this journey is seamless and complete, members will have access to all of their data, providers can make better-informed treatment decisions, and plans can create more personalized benefits,” Patel said.