HHS Releases Final Interoperability Rules Intended to Give Patients Direct Access to Health Data

Fennemore Craig Client Alert

HHS Releases Final Interoperability Rules Intended to Give Patients Direct Access to Health Data

On March 9, 2020, the U.S. Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (“ONC”) and the Centers for Medicare & Medicaid Services (“CMS”) announced two final interoperability rules intended to give patients more direct access to their healthcare data.

The rules have several key points that will impact hospitals, health plans and providers in as little as six (6) months:

  • Within six (6) months, Medicare- and Medicaid-participating hospitals will be expected to send providers a notification when a patient is admitted to, discharged from or transferred to a hospital.
  • Beginning in late 2020, CMS will issue reports on providers and hospitals that are engaging in information-blocking. The reports will be available to the public.
  • In 2021, all health plans that do business with Medicare, Medicaid and CHIP, and all exchange plans, will be required to share health data with their patients via a secured application programming interface (“API”) at no cost to the patient. The rules require that the data be presented in an easy to follow format.
  • By 2021, the information contained in the API must include provider directories.
  • By 2022, CMS-regulated providers will be required to exchange certain data at a patient’s request via a dedicated data exchange.

ONC and CMS have indicated that the rules are intended to give patients access to their health records on their smartphones so that care can be better coordinated and to keep patients better informed. ONC and CMS are trying to strike a balance between providing increased access and protecting patient privacy.

As with most things at the intersection of technology, health data and privacy, the rules are not without controversy. Many health plan providers are concerned that they push the cost of notifications and API development on to them. In addition, both America’s Health Insurance Plans and the American Hospital Association raised security concerns since the final rule does not include explicit privacy-related mandates for third-party applications.

This topic is developing fast, and providers, hospitals and health plans need to be aware of the new rules, particularly as key provisions take effect soon.

Resources: