Providers get extra breathing room on deadline. Don’t let new requirements for health data blocking catch you unawares — and put you at risk. Then: Last year, the Centers for Medicare & Medicaid Services and the HHS Office of the National Coordinator for Health Information Technology (ONC) published twin interoperability proposals to address data exchange issues in healthcare and act on provisions outlined in the 21st Century Cures Act. Now: Last month, CMS and ONC followed up their proposals with the “CMS Interoperability and Patient Access final rule” and the “ONC 21st Century Cures Act final rule,” which cover a wide range of IT and patient-focused requirements. “Unfortunately, data silos continue to fragment care, burden patients, and providers, and drive up costs through repeat tests,” acknowledged CMS Administrator Seema Verma in a release. “These rules begin a new chapter by requiring insurance plans to share health data with their patients in a format suitable for their phones or other device of their choice.” Verma added, “We are holding payers to a higher standard while protecting patient privacy through secure access to their health information. Patients can expect improved quality and better outcomes at a lower cost.” Over the past couple of years, the feds have focused on a central theme in their health IT policy making: Patients, not providers or organizations, should have control of patients’ health information. In both the ONC and CMS final rules, the agencies offer guidance on data sharing, IT tools, and regulatory standards, including new patient access applications, enforcement, vendor guidelines, and payer rules on health information exchanges (HIEs). “The new rules also prohibit certain ‘information blocking’ by providers, health information exchanges and networks, and IT developers,” explains New York-based attorney Ada Kozicz with Rivkin Radler in online analysis. Providers “that restrict access, exchange or use of electronic health information are considered anti-competitive and will not be permitted,” Kozicz stresses. “As CMS drives toward a value-based system of care, the rule seeks to make patients more informed regarding their healthcare decision-making and to improve care coordination,” note attorneys Whitney Snow, Nesrin Garan Tift, and Elizabeth S. Warren with Bass, Berry & Sims in online analysis. The final rule also includes a laundry list of data exchange mandates and public reporting actions with the onus on providers, payers, and their associates to implement the requirements along a staggered timeline. Plus, CMS aims to loop in auxiliary agencies like the HHS Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) to ensure patients’ privacy rights are in check, the final rule fact sheet suggests. For example, while delivering on promises to have patients’ health data at the ready, payers can also “ask third-party application developers to attest to certain privacy provisions, such as whether their privacy policy specifies secondary data uses, and inform patients about those attestations,” CMS says. With the push to readily exchange patient data through various avenues between providers, payers, and third parties, it’s still fuzzy how the agency will address HIPAA, state, or other regulatory requirements in its data sharing renaissance. Timeline: CMS is delaying enforcement and will exercise enforcement discretion for an additional six months past the original June 30 date, Snow, Swift, and Warren note. Note: The CMS final rule is at www.govinfo.gov/content/pkg/FR-2020-05-01/pdf/2020-05050.pdf and the ONC final rule is at www.healthit.gov/curesrule/.