March 11, 2020
Health Care Alert
Health Care Alert
This alert was co-authored by Jacalyn Smith and Meredith LaMaster.
The Centers for Medicare and Medicaid Services and the Office of the National Coordinator for Health Information Technology issued final rules implementing Title IV of the 21st Century Cures Act and Executive Order 13813.
On March 9, 2020, the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) issued final rules implementing Title IV of the 21st Century Cures Act (the “Cures Act”) and Executive Order 13813. The final rules are intended to promote interoperability and support the access, exchange, and use of electronic health information (EHI). The rules also are intended to reduce burdens and costs related to accessing EHI and to reduce occurrences of information blocking.
The CMS final rule outlines a number of policies to regulate Medicare Advantage (“MA”) organizations, Medicaid, CHIP, and Qualified Health Plan issuers on the Federally-Facilitated Exchanges. The rules require these organizations to implement and maintain a Patient Access Application Programming Interface (API) that allows patients to access certain portions of their clinical information, claims data, and encounter information through an app chosen by the patient. The CMS final rule also requires MA organizations, Medicaid Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP FFS programs, and CHIP managed care plans (collectively “CMS Regulated Payors”) to implement a Provider Directory API, allowing patients to use their chosen app to access provider directory information to help determine “in network” providers. The Patient Access API and the Provider Directory API must be implemented by January 1, 2021.
The CMS final rule also requires CMS Regulated Payors to electronically exchange certain clinical data at the request of the patient. This requirement takes effect on January 1, 2022.
Who is affected by the final rule? The ONC final rule focuses on four types of actors: (1) providers; (2) health IT developers; (3) health information networks (HINs); and (4) health information exchanges (HIEs), (collectively, the “Actors”). However, it also impacts any person, provider, or corporation that accesses, exchanges, or transfers EHI.
EHI includes electronic protected health information (ePHI), as defined in HIPAA, to the extent the ePHI is maintained in a HIPAA designated record set. Note that the records do not have to be used or maintained by or for a HIPAA covered entity to fall within the definition of EHI. Until 24 months after the ONC rule’s publication date, for purposes of the information blocking definition, EHI is limited to those data elements in the United States Core Data for Interoperability (USCDI) standard set forth in the ONC final rule
The Cures Act defines information blocking as a practice performed by the Actors that is apt to interfere with, preclude, or substantially hinder access, exchange, or use of EHI. Actors may not engage in prohibited information blocking or other actions that inhibit allowable exchange, access, and use of EHI.
Recognizing the importance of protecting patient safety and promoting the privacy and security of EHI, the ONC Final Rule includes several exceptions to the prohibition of information blocking including:
Failure to fall within one of these enumerated exceptions is not fatal and does not automatically subject the Actor to penalties. Rather, an Actor’s practice will be assessed on a case-by-case basis to determine whether there was impermissible information blocking and interference with EHI records.
The final rule also impacts the ONC Health IT Certification Program. The Health IT Certification Program creates a set of standards for health IT software platforms, particularly APIs.
Certification Requirements. Certification now requires that APIs provide access to all data elements of a patient’s record without additional burdens. Third-party applications must register with an authorized server. ONC established that the review process for third-party applications cannot not violate the information blocking rules. Certified Health IT Developers cannot institute any vetting process for applications that are facilitating patient access to EHI.
Real World Testing. Health IT Developers that create Health IT Modules must certify that one or more of the certification criteria focused on interoperability and data exchange or availability has been met. Every Developer must create real world testing plans. Developers must submit a metric for each certification criteria that applies to their modules. They must also work with the ONC- Authorized Certification Bodies (ONC-ACB) to determine when the testing plans must be submitted. Health IT developers are required to publish the testing plan by December 15 of each year.
Condition of Certification. The final rule also impacts how Health IT Developers can communicate about specific information. Health IT Developers cannot restrict communication related to the usability, interoperability, and security of health information technology. Health IT Developers cannot restrict communications about patients’ experience using APIs or other third-party applications. They cannot prohibit communication about the business practices of Health IT Developers.
Portions of the ONC final rule become effective 60 days after publication, including certain communication restrictions on Health IT Developers. Recognizing that compliance takes time, many of the provisions have delayed implementation dates. For instance, compliance with the information blocking provisions is required six months from the date of publication of the ONC final rule. Real-world testing plans are due on December 15, 2020.
To follow this initial overview of the newly-released CMS and ONC final rules, our Nixon Peabody health care team intends to publish more in-depth guidance on the nuances of these regulations for health care facilities, clinicians, and Health IT Developers.
The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.