Question

Explain why, even though the rules guaranteeing access have been enhanced, it's still difficult for patients to access their health data and how do the finalized CMS and ONC rules enhancing patient access affect how organizations manage healthcare information. Pay special attention to include the expanded use of health data apps, mobile access to healthcare information, and the concepts of information blocking and data withholding.

please answer in two pages

thanks in advance

Answer 1

The Centers for Medicare & Medicaid Services (CMS) published its highly anticipated final rule aimed at enhancing interoperability and increasing patient access to health information. CMS’s final rule will require hospitals and payors to make significant investments in their health information technology to comply with the new requirements, effective six months following publication of the final rule in the Federal Register for hospitals, and January 1, 2021, for payors. In this On the Subject, we analyze the final rule requirements, which include a new requirement that CMS-regulated payors offer application programming interfaces, and a new Medicare condition of participation that requires hospitals with electronic health record systems to send electronic patient event notifications to communicate transitions of care.

On March 9, 2020, the US Department of Health and Human Services (HHS) Centers for Medicare & Medicaid Services (CMS) announced a final rule aimed at enhancing interoperability and increasing patient access to health information. The final rule requires CMS-regulated payors and agencies (Covered Plans and Agencies) to implement application programming interfaces (APIs) that allow patient information to be shared more readily between patients, healthcare providers, payors and third-party applications selected by patients. APIs could improve patients’ ability to gain access to their health information and share key medical history information with other providers and payors. Notably, however, HIPAA does not apply to many third-party applications that patients would use to access their data, raising stakeholder concerns about the privacy and security of information shared through APIs.

The final rule also requires hospitals that have adopted electronic health record systems to engage in electronic event reporting of patient admissions, discharges and transfers to patients’ primary care practitioners as a condition of participation (CoP) in the Medicare program. Hospitals and payors may need to make significant investments in health information technology (IT) to comply with the new requirements, which go into effect six months following publication of the final rule for hospitals, and on January 1, 2021, for payors.

This highly anticipated final rule has already garnered responses from key industry players, including America’s Health Insurance Plans, the nationwide association of health insurers, which stated that it shares HHS’s vision for expanded consumer data access but “remain[s] gravely concerned that patient privacy will still be at risk when health care information is transferred outside the protections of federal patient privacy laws.” The association cautioned that “any new rules must ensure we protect patient privacy, reduce health care costs, and get personalized information into the hands of patients.”

On the same day that CMS released the final rule, the HHS Office of the National Coordinator of Health IT (ONC) released a final rule implementing the information blocking provisions of the 21st Century Cures Act and updates to ONC’s health IT certification program. A separate On the Subject about the ONC final rule is forthcoming.

The Covered Plan or Agency must make the following information available through the API:

• Data concerning adjudicated claims and encounter data, including claims data for payment decisions that may be appealed, were appealed, or are in the process of appeal, and provider remittances and enrollee cost-sharing pertaining to such claims

• Clinical data, including laboratory results, if the Covered Plan or Agency manages such data.

The Covered Plans and Agencies must make this information available no later than one business day after a claim is adjudicated or the Covered Plan or Agency receives the data.

For MA plans, Medicaid and CHIP fee-for-service programs, Medicaid managed care plans and CHIP managed care entities, the API must also allow access to a provider directory of the payor’s network of contracted providers, including names, addresses, phone numbers and specialties, updated no later than 30 calendar days after the payor receives the information or an update.

For MA organizations that offer Part D plans, the API must allow the third-party application to retrieve:

• Standardized data concerning adjudicated claims for covered Part D drugs, including remittances and enrollee cost-sharing, no later than one business day after a claim is adjudicated

• Pharmacy directory data, including the number, mix and addresses of network pharmacies

• Formulary data that includes covered Part D drugs and any tiered formulary structure or utilization management procedure that pertains to those drugs.

While the open API initiative in the final rule specifically applies to Covered Plans and Agencies, CMS also expressed the hope that other stakeholders, such as state-operated exchanges and private payors, will adopt similar requirements for access to information and interoperability so that even more patients can broadly access their health information and better manage care.

Payor-to-Payor Data Exchange

In addition to proposing payor-to-patient exchanges through APIs, CMS also finalized its proposal to require MA plans, Medicaid managed care plans, CHIP managed care entities and qualified health plan issuers on the federally facilitated exchanges to forward patient information maintained within the ONC-identified US Core Data Set for Interoperability to other payors designated by the requesting patient for up to five years after the patient has disenrolled from the plan (with the approval and direction of the patient). CMS anticipates that payors will leverage the API they put in place to comply with patient access requirements to additionally provide other payors access to the same data. CMS allows payors to use other methods of data exchange to accomplish this requirement, however. Covered Plans and Agencies must comply with the payor-to-payor exchange requirement by January 1, 2022.

Notably, CMS elected to not finalize its proposal to require Covered Plans and Agencies to participate in trusted health information exchange networks. CMS noted that although some commenters showed support for the proposal, other commenters noted the need for a mature Trusted Exchange Framework and Common Agreement (TEFCA), a set of policies and procedures for interoperable exchange, to be put in place first. ONC published a second draft TEFCA on April 19, 2019, but has not yet finalized it.

Hospital Condition of Participation

CMS finalized its proposal to adopt a Medicare hospital CoP that requires hospitals, psychiatric hospitals and critical access hospitals (CAHs) that have electronic event notification capabilities to send electronic notifications upon a patient’s admission, discharge or transfer to or from the hospital’s emergency department or inpatient service department. The CoP becomes effective six months after the final rule’s publication in the Federal Register.

CMS modified the CoP slightly from the proposed rule. The final CoP does not require hospitals to include diagnosis information within the notification. Instead, the notification must include at a minimum the patient’s name, treating practitioner name and sending institution name. The CoP does not require hospitals to send notifications to all providers that have an “established care relationship” with the patient, but only to the patient’s established primary care practitioner or other practitioner or practice group identified by the patient as primarily responsible for the patient’s care.

CMS stated that electronic patient event notifications, or automated electronic communications from discharging providers to another facility, could improve care coordination and potentially reduce readmissions by making a receiving provider aware of the care the patient has received elsewhere. However, this CoP creates a new set of requirements on top of existing Promoting Interoperability measures that CMS adopted to incentivize the use of health IT to improve care. Hospitals must already spend significant resources to achieve the Promoting Interoperability measures, and the new CoP requirement will likely increase hospitals’ overall compliance burden with respect to health IT implementation.

Recommended Next Steps

The final rule will have a significant impact on Covered Plans and Agencies and hospitals. These entities should consider taking several practical steps in response to the final rule.

Recommendations for Covered Plans and Agencies

Covered Plans and Agencies should consider the following next steps in response to the final rule:

• Assess the technological capabilities of IT systems and quickly make any necessary adjustments to offer an API that is consistent with ONC standards

• Develop user guides or other resources that explain how a plan member or patient may obtain data through the API and protect their privacy by only selecting reputable third-party applications

• Work with other Covered Plans and Agencies to develop technical mechanisms and policy frameworks for connecting and sharing data in accordance with the payor-to-payor exchange requirement, which becomes effective in 2022.

Recommendations for Hospitals and CAHs

Given the aggressive timelines in the final rule, hospitals will soon need to assess the capabilities of existing IT systems and their readiness to send electronic notifications as required by the new CoP. Even with necessary systems in place, hospitals should review their intake and discharge workflows to ensure that they are consistently identifying the practitioner primarily responsible for patients admitted to the emergency and inpatient departments. To the extent that hospitals are not consistently capturing this information, they should consider revising their policies, procedures and training to emphasize the importance of obtaining the information, and should set up event notifications to the identified individual or group practice.