Health Information Compliance Alert

Health It Compliance:

Prepare Now for These 5 Data Policy Rollouts

Hint: Data blocking faux pas will go live eventually.

With COVID-19 dominating the news, you may have missed the latest Medicare rule on interoperability. Read on for the specifics.

Context: The Centers for Medicare & Medicaid Services (CMS) in coordination with the HHS Office of the National Coordinator for Health Information Technology (ONC) issued intersecting rules to circumvent patient data blocking and improve health information exchanges (HIEs). The rules were published in the Federal Register on May 1.

Reasoning: In the new rules, the feds tie together past program provisions with promised value, cost, and pro-patient policies. “Delivering interoperability actually gives patients the ability to manage their healthcare the same way they manage their finances, travel and every other component of their lives,” said ONC National Coordinator Don Rucker, MD, in a release.

Though the feds’ outlook on the health IT and patient access change-ups is rosy, providers may find the required implementations quite an undertaking, especially with a nebulous timeline due to COVID-19.

Take a look at five CMS updates from the agency’s “Interoperability and Patient Access final rule” that may impact your practice in the coming months and years:

1. Expect to be called out on data blocking. CMS plans to harness Promoting Interoperability programs’ attestations to peg information blocking offenders. Plus, the agency intends to publicly release the data blocking stats from reporting clinicians, hospitals, and critical access hospitals (CAHs) — so that beneficiaries can factor that into their provider choices.

“A CMS website and the Physician Compare website will display any ‘no’ responses by eligible providers and thereby implicitly indicate which providers have attested that they are in compliance with the information blocking requirements,” explain attorneys Whitney Snow, Nesrin Garan Tift, and Elizabeth S. Warren with Bass, Berry & Sims PLC in online analysis.

2. See new API requirements. Payers — Medicare Advantage organizations, fee-for-service (FFS) programs, Medicaid managed care plans, CHIP FFS programs, CHIP managed care entities, and Qualified Health Plan issuers on the federally-facilitated exchanges — must now offer patients a secure, standards-based application programming interface (API). In coordination with ONC, CMS will require payers to utilize HL7 FHIR Release 4.0.1 for APIs.

3. Presume provider data will be in an API directory. The agency mandates that payers include a comprehensive provider database in their APIs for public viewing. This easy access to providers’ information will motivate third-party developers to create more innovative and intuitive apps for patients — and also for clinicians to connect with other specialists when coordinating care, CMS maintains.

4. Have your contact information handy online. In the near future, “providers who don’t list or update their digital contact information in the National Plan and Provider Enumeration System (NPPES)” will be publicly reported, CMS insists.

5. Tack on another Medicare CoP. CMS will add a new Medicare Condition of Participation (CoP) for hospitals, including CAHs and psychiatric hospitals, related to sending “electronic patient event notifications of a patient’s admission, discharge, and/or transfer to another healthcare facility or to another community provider or practitioner,” agency guidance says.

“Using the COPs as the enforcement vehicle for this requirement places a hospital’s participation in Medicare at risk in the event of noncompliance,” argue Snow, Tift, and Warren.

Coincidentally, commenters on the “enforcement structure” found the proposals “draconian” since “a single minor infraction would be judged in light of the nature and extent of the hospital’s noncompliance and the risk it poses to patient health and safety,” the attorneys continue. CMS disagreed with commenters and pushed the policy through anyway.

HIPAA: According to CMS, the requirements don’t overlap with HIPAA, but commenters argued to the contrary on several of the measures, the rule shows. In addition, the rule asserts that the feds will accept “reasonable” attempts at compliance with the terms of the mandates — without defining “reasonable” or outlining enforcement for “unreasonable.”

Resources: Review the final rule at www.govinfo.gov/content/pkg/FR-2020-05-01/pdf/2020-05050.pdf and review CMS guidance on the policies at www.cms.gov/Regulations-and-Guidance/Guidance/Interoperability/index.