Two HHS agencies on Monday unveiled final versions of companion interoperability and information-blocking proposals they proposed last year.
The long-awaited rules from the CMS and HHS' Office of the National Coordinator for Health Information Technology are designed to revamp how providers, insurers and patients exchange health data.
"From the start of our efforts to put patients and value at the center of our healthcare system, we've been clear: Patients should have control of their records, period. Now that's becoming a reality," HHS Secretary Alex Azar said in a statement. "These rules are the start of a new chapter in how patients experience American healthcare, opening up countless new opportunities for them to improve their own health, find the providers that meet their needs, and drive quality through greater coordination."
The rules, a provision of the 21st Century Cures Act, are designed to make it easier for providers, insurers and patients to exchange health data, in large part by requiring providers and insurers to adopt standardized application programming interfaces, or APIs—protocols that connect IT systems like electronic health records with third-party apps.
The CMS said later this year it will begin publicly reporting eligible clinicians and hospitals that may be engaging in information-blocking, based on how they attested to certain Promoting Interoperability Program requirements for the 2019 performance year.
Medicare and Medicaid participating hospitals will also be required to electronically notify other healthcare facilities or community providers when a shared patient is admitted, discharged or transferred. The CMS has said its goal is to better coordinate care between facilities, but healthcare organizations have said that could be a heavy lift for hospitals to establish which physicians at which facilities have a treatment relationship with each patient.
"Doctors are forced to provide care with an incomplete clinical picture, especially at a time when the healthcare system could be under stress with the handling of the COVID virus, the urgent need for coordinated care could not be clearer," CMS Administrator Seema Verma said during a press call.
The proposed rules, which the agencies published in February 2019, drew backlash from provider and technology groups alike, with many citing issues related to patient privacy.
The CMS said its rule allows payers to ask app developers to attest to certain privacy provisions, such has whether they allow secondary use of a patient's data.
"Health plans have significant data on the people they serve," Verma said. "Our policies now require those payers to step up to the plate and share that wealth of data directly with patients."
The ONC has stressed that patients will be able to authorize which types of data they want to receive through a selected app.
"We've bound into the patient authentication process the ability of providers to give notice and to let patients know what they're consenting to," said Dr. Don Rucker, HHS national coordinator for health information technology. "It is absolutely central to the way that patients allow an app to get access to their information."
A major concern over the proposals shared by the American Hospital Association and the American Medical Association related to patient privacy. Under the proposed rules, patients would be able to download their health data from providers and insurers using a smartphone app of their choice, even though app developers aren't held to privacy standards like HIPAA.
"We are working with plans to educate patients about what they should look for in terms of privacy when they are selecting an app so they have the tools and information they need," Verma said.
For example, an app developer must attest that it has a privacy policy written in plain language that addresses how it shares clinical data.
But hospitals are concerned that sensitive patient information could still be vulnerable to misuse and exploitation by third-party apps because "most individuals don't closely read the terms and conditions," said Ashley Thompson, the AHA's senior vice president for public policy analysis and development.
"We don't think the rule puts in place the appropriate guardrails to protect our patients," Thompson said. "You can't really put the genie back in the bottle once the data is transferred out of that HIPAA-protected environment."
The CMS doesn't have the authority to directly regulate third-party apps, the agency said in its final rule. That limits its ability to enforce patient privacy protections.
"Apps are required to abide by the privacy regulations from the (Federal Trade Commission)," Verma said in a call with reporters.
HHS leaders including Azar in the weeks leading up to the final rule's release voiced commitment to the proposals, which often involved taking the agencies' critics to task.
"I want to be quite clear: Patients need and deserve control over their records," Azar said at the ONC's annual meeting in January. "Unfortunately, some are defending the balkanized, outdated status quo and fighting our proposals fiercely."
He added: "Scare tactics are not going to stop the reforms we need."
Epic Systems Corp. launched perhaps the strongest campaign against the changes, with CEO Judy Faulkner urging the company's customers to sign a letter to HHS opposing the rules. Faulkner also said the EHR giant might sue the department if it finalized the interoperability proposals without addressing concerns over privacy protections, according to Politico.
Epic at the time told Modern Healthcare that they wanted to work with HHS to "fix the proposed rule and make sure it's a good one" and that "we have no interest in pursuing a lawsuit."
About 60 health systems signed Epic's letter, CNBC reported.
That said, roughly three-quarters of leaders and staff at healthcare provider organizations said they thought the rules as proposed would have a mildly positive to very positive impact on the industry, according to a recent report from market research firm Reaction Data.
The CMS' rule also builds on the Trump administration's ongoing price transparency efforts, requiring insurers to share enrollee cost-sharing information. While previous CMS rulemaking already proposed requiring insurers to give patients online access to an estimate of their out-of-pocket costs, the interoperability final rule reaffirms this by requiring them to share that with third-party apps using APIs.
"It is critical for patients to better understand healthcare costs and be able to plan and budget as well as possible," the rule reads. "Having cost information, which is already accessible to patients, available to them in a more easy-to-understand presentation would allow patients to get the maximum benefit from this information."
The ONC, however, stopped short of requiring hospitals to disclose how much patients would be charged for services as part of its final information-blocking rule.
In its proposal, the ONC had suggested including price information under the broader umbrella of health data that it would require providers to share with patients, which it refers to in the rule as electronic health information, or EHI. Healthcare groups including the AHA had strongly opposed the suggestion last year, arguing it would extend past the goals of the Cures Act.
The ONC in its final rule scaled back its proposed definition of EHI to match HIPAA's definition of electronic protected health information.
"By doing so, we believe we have eliminated any perceived burden and actors will be in a situation that will permit them to readily and continually comply with the information-blocking provision," the rule reads.
Healthcare providers, developers of certified health IT and health information exchanges have six months after the ONC's rule is published in the Federal Register to begin complying with the information-blocking provisions. Additional rulemaking from HHS' Office of Inspector General is needed before HHS can begin enforcing civil monetary penalties on those that engage in information blocking.
The ONC has been "working closely" with the OIG and other HHS agencies on rulemaking related to civil monetary penalties for information-blocking, said Steve Posnack, the ONC's deputy national coordinator for health IT, on a call with reporters Monday.
"That will be coming out very soon," he said.