On May 1, 2020, the Department of Health and Human Services (HHS) published two Final Rules in the Federal Register targeted at improving interoperability and patient access to health information. One Rule comes from HHS’ Office of the National Coordinator for Health Information (ONC) and the other from its Centers for Medicare and Medicaid Services (CMS).
In its March 9, 2020 press release announcing the Final Rules, HHS stated that “these final rules mark the most extensive healthcare data sharing policies the federal government has implemented, requiring both public and private entities to share health information between patients and other parties while keeping that information private and secure.”[i] The US healthcare industry is already feeling the impact of these rules. Many believe that the long-hoped-for destination of improved care and reduced cost is finally in sight. Others fear that this latest turn will only lead to increased costs and decreased privacy and security of patients’ electronic health information.
In this blog, I will examine the latest government policy turn away from promoting the adoption of healthcare technology and toward promoting interoperability of that technology. I will review how that turn is expressed in the requirements of the new Rules and the concerns raised about the potential impact of the regulations on the privacy and security of electronic health information. Finally, I will take a look at the possible implications for the industry.
What the New Final Rules Look to Accomplish
The new Final Rules implement portions of the Cures Act, contribute to fulfilling Executive Order 13813[ii] and support President Trump’s MyHealthEData initiative[iii]. How the rules accomplish this is summarized below.
The ONC Final Rule, titled the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program[iv], implements the interoperability provisions of the Cures Act to facilitate the flow of information between providers, payers, and patients. It aims to achieve this by making changes to ONC’s health information certification program, regulating information blocking, and implementing standards for application programming interfaces (APIs) used to exchange healthcare information. The new certification requirements apply to certified health IT developers. The API requirements apply to these same vendors and also to healthcare providers and health information networks.
The CMS Final Rule, titled the Medicare and Medicaid Programs; Patient Protection and Affordable Care Act; Interoperability and Patient Access for Medicare Advantage Organization and Medicaid Managed Care Plans, State Medicaid Agencies, CHIP Agencies, and CHIP Managed Care Entities, Issuers of Qualified Health Plans on the Federally-facilitated Exchanges, and Health Care Providers[v], requires payer-to-payer data exchange, use of the ONC API standards when implementing Patient Access APIs and Provider Directory APIs, and adopting conditions of participation (CoP) notice requirements. The CMS Final Rule applies to Medicare Advantage Organizations, Medicaid Managed Care Plans, State Medicaid Agencies, State Children’s Health Insurance Program (CHIP) Agencies, Managed Care Entities, and Federally-facilitated Exchanges.
The Resulting Debate Over Security and Privacy
When first proposed, the Rules met with controversy, particularly over the implications for the security and privacy of protected health information. The concerns fell into four areas:
- HIPAA will generally not cover the third-party app providers, and users’ private health information will be sold and exploited.
- Transfers may include information that an enrollee or beneficiary does not want exchanged, such as mental health, substance abuse, women’s health, and family history.
- APIs are generally risky, and the required FHIR standard is new; therefore, it does not make sense to allow unregulated third-party apps access through an API at this time.
- Providers may face HIPAA liability for the information provided through an API, or for denial or discontinuance of access through the API.
HHS addressed each of these concerns in its Response to Public Comments.
HHS’ response to the first concern, that third-party apps fall outside HIPAA, is that individuals are entitled to their health information. The public is now much more familiar with technology and, in particular, with applications provided for use on devices such as smartphones. The Federal Trade Commission (FTC) enforces violations of privacy policies, and there are state privacy laws and regulations as well. Furthermore, healthcare organizations are welcomed and encouraged to offer education and awareness training to the public on the use of third-party applications and the risks to the security and privacy of their health information. However, organizations may not actively prevent an individual’s use of a third-party application except as provided in the regulations.
Several public comments raised concerns about the transfer of particularly sensitive information, such as mental health, women’s health, substance abuse, or family history. Commenters worry that providers may discriminate based on this information. Commenters also expressed concern that family members’ information will be shared through the APIs without those individuals’ consent as part of family history.
In response to these concerns, HHS stated that payers’ privacy and security obligations under the HIPAA Rules and 42 CFR part 2 are not changed by this Final Rule. HHS is continuing to work on standards for parsing and segmenting data for consent and privacy management purposes. The health information the Rules currently require to be shared includes claims and encounter data as well as the data contained in the USCDI version 1. Family history is not a specific data class within the USCDI. As a result, HHS does not believe this should be an issue.
Several concerns were raised around the security of the APIs, which are software intermediaries that allow two applications to talk to each other. One might think of an API as a contract between two applications that facilitates requests for information and responses. API implementations can be quite complex, and errors in their implementation and vulnerabilities in the protocols used can result in unauthorized disclosures of information from the connected application.
HHS responded to these concerns by stating that it believes the security protocols at 45 CFR 170.215 are sufficient to authenticate users and authorize individuals to access their data. Also, the HIPAA Security Rule requirements still apply until an organization uploads the information into the third-party app or other recipient’s system. The safeguards under the Rule, such as risk analysis, technical evaluations, audit, and encryption, apply to the required APIs.
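To make the "authenticate users and authorize individuals to access their data" point concrete, here is an added example (mine, not code from the blog, from HHS or from any certified vendor) of the server-side checks a patient-access endpoint would apply on every read: the token must be present and unexpired, a granted scope must cover the requested resource type and action, the record must belong to the patient in the token's context, and every decision, allowed or denied, is written to an audit trail. It assumes a SMART App Launch style access token that has already been validated (signature, issuer, audience) upstream; the token fields, the scope strings, the resource store and the patient identifiers are all constructed for the example.

```python
"""Added example: authorization and audit checks for a patient-access API.

Toy model of the controls HHS points to (authenticating the user, authorizing
access to the individual's own data, keeping an audit trail). Assumes an
already-validated SMART-App-Launch-style token carrying a patient context and
scopes such as "patient/Observation.read"; data store and tokens are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessToken:
    """Claims from an already-validated token (assumed shape, not a real library's)."""
    subject: str            # authenticated user (sub)
    patient: str            # patient context granted at authorization, e.g. "Patient/p-100"
    scopes: frozenset       # granted scopes in context/ResourceType.action form
    expires_at: float       # unix time


@dataclass(frozen=True)
class AuditEvent:
    timestamp: float
    subject: str
    action: str
    resource: str
    outcome: str


class AuditLog:
    """Append-only record of every access decision, allowed or denied."""
    def __init__(self) -> None:
        self.events: list[AuditEvent] = []

    def record(self, timestamp: float, subject: str, action: str, resource: str, outcome: str) -> None:
        self.events.append(AuditEvent(timestamp, subject, action, resource, outcome))


# Constructed sample store keyed by (resourceType, id); records for two patients.
RESOURCES = {
    ("Patient", "p-100"): {"resourceType": "Patient", "id": "p-100"},
    ("Observation", "obs-1"): {"resourceType": "Observation", "id": "obs-1",
                               "subject": {"reference": "Patient/p-100"},
                               "code": {"text": "heart rate"}},
    ("Observation", "obs-2"): {"resourceType": "Observation", "id": "obs-2",
                               "subject": {"reference": "Patient/p-200"},
                               "code": {"text": "blood glucose"}},
}


def owning_patient(resource: dict) -> Optional[str]:
    """Which patient's record this is (the compartment the token context must match)."""
    if resource["resourceType"] == "Patient":
        return "Patient/" + resource["id"]
    return resource.get("subject", {}).get("reference")


def scope_allows(scopes: frozenset, resource_type: str, action: str) -> bool:
    """True if some patient/ scope grants `action` on `resource_type`.

    Malformed or non-patient scopes are ignored rather than trusted.
    """
    for scope in scopes:
        try:
            context, rest = scope.split("/", 1)
            rtype, granted = rest.split(".", 1)
        except ValueError:
            continue
        if context == "patient" and rtype in ("*", resource_type) and granted in ("*", action):
            return True
    return False


def handle_read(token: Optional[AccessToken], resource_type: str, resource_id: str,
                now: float, audit: AuditLog) -> tuple[int, dict]:
    """Serve GET /<resource_type>/<resource_id>, returning (status, body).

    Every branch writes an audit event, so denied attempts are as visible
    to reviewers as successful reads.
    """
    target = f"{resource_type}/{resource_id}"
    subject = token.subject if token else "anonymous"

    def deny(status: int, reason: str) -> tuple[int, dict]:
        audit.record(now, subject, "read", target, "denied:" + reason)
        return status, {"error": reason}

    if token is None:
        return deny(401, "no_token")
    if now >= token.expires_at:
        return deny(401, "expired")
    if not scope_allows(token.scopes, resource_type, "read"):
        return deny(403, "scope")

    resource = RESOURCES.get((resource_type, resource_id))
    if resource is None:
        return deny(404, "not_found")
    # Scope alone is not enough: the record must belong to the token's patient.
    # This is the check that keeps one enrollee from reading another's data.
    # (Returning 404 instead of 403 here would also avoid confirming that the
    # other patient's record exists; either way the attempt is audited.)
    if owning_patient(resource) != token.patient:
        return deny(403, "patient_mismatch")

    audit.record(now, subject, "read", target, "allowed")
    return 200, resource


if __name__ == "__main__":
    log = AuditLog()
    tok = AccessToken("user-1", "Patient/p-100", frozenset({"patient/Observation.read"}), 2000.0)
    print(handle_read(tok, "Observation", "obs-1", 1000.0, log))   # own record: 200
    print(handle_read(tok, "Observation", "obs-2", 1000.0, log))   # other patient: 403
    for event in log.events:
        print(event)
```

The ordering matters: the expiry and scope checks run before any record is fetched, and the patient-context check runs after, so a token that is valid for one patient cannot be turned into a read of another patient's record simply by guessing an identifier. The audit log is the piece that makes the HIPAA Security Rule's audit and risk-analysis obligations testable: denied requests are the evidence that the authorization boundary is being probed.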
There were several concerns related to the potential of HIPAA liability for issues with the API. The fears expressed were mostly associated with the use of the data after it is accessed. In its response, HHS was relatively clear on where the boundary line of HIPAA liability resides, and it is at the point where the data enters the third-party application. The security and privacy of ePHI within the organization’s environment, passing through the API or over the Internet to the third-party app, is still the responsibility of the organization for HIPAA compliance purposes. Furthermore, if an organization determines through HIPAA risk analysis that the exchange of information with a particular app or third-party developer is too risky, it may deny access.
The Challenges of Implementation and Compliance
The table below lists the original compliance dates for requirements under the new Rules. Some of these dates have changed due to COVID-19. Organizations should check with HHS for the most current deadlines.
| Compliance Date | Requirement | Covered Parties |
|---|---|---|
| May 1, 2020 | ONC Rule – Information Blocking (all elements of EHI in the Cures Act) | Healthcare Providers, Health IT Developers of certified health IT, Health Information Networks |
| November 1, 2020 | ONC Rule – Information Blocking (EHI USCDI data elements) | Healthcare Providers, Health IT Developers of certified health IT, Health Information Networks |
| November 1, 2020 | ONC Rule – API Requirements | Certified API Developers with API Technology certified to the criteria in 45 CFR § 170.315(g)(7), (8), or (9) |
| November 1, 2020 | CMS Rule – Condition of Participation (CoP) notice requirements (real-time patient event notifications) | Acute care hospitals, psychiatric hospitals, and Critical Access Hospitals |
| January 1, 2021 | CMS Rule – Patient Access and Provider Directory APIs | CMS Regulated Payers |
| January 1, 2022 | CMS Rule – Patient-requested payer-to-payer data exchange | CMS Regulated Payers |
| May 1, 2022 | ONC Rule – All API Information Sources technology certified to the ONC Rule’s new criterion under 45 CFR § 170.315(g)(10) | Certified API Developers previously certified to the criterion in 45 CFR § 170.315(g)(8) |
The cost associated with implementing the new Rules is not trivial. HHS estimates it will cost organizations billions of dollars to implement and maintain the required APIs and data exchanges. The risks associated with implementing the APIs are high. It is quite likely that developers and IT administrators will make mistakes. It is also inevitable that hackers will go after these APIs. Together, these threats will cost organizations millions more as a result of data breaches.
Are these projected costs so high as to justify not going forward with the new requirements? Those calling the shots in the federal government and particularly at HHS do not think so. They are probably right if the new Rules deliver us to the hoped-for destination of improved care at a reduced cost. If, however, these new Rules don’t achieve that goal, then the industry will be left to wonder where to turn next or whether we are searching for a destination that might not exist.
Contact Jon with your comments and questions at email@example.com. For further insight on how to manage data flow through APIs, review the Clearwater on-demand webinar Responding to Privacy and Security Concerns Surrounding APIs and Consumer Health Apps. To learn more about how to develop your interoperability compliance strategy, review the Clearwater on-demand webinar Understanding the Exceptions to Information Blocking.

[i] “HHS Finalizes Historic Rules to Provide Patients More Control of Their Health Data.” HHS.Gov, U.S. Department of Health and Human Services, 9 March 2020, available at https://www.hhs.gov/about/news/2020/03/09/hhs-finalizes-historic-rules-to-provide-patients-more-control-of-their-health-data.html
[ii] 82 FR 48385, 12 October 2017, Promoting Healthcare Choice and Competition Across the United States
[iii] “Trump Administration Announces MyHealthEData Initiative to Put Patients at the Center of US Healthcare System.” CMS.Gov, Centers for Medicare & Medicaid Services, 6 March 2018, available at https://www.cms.gov/newsroom/press-releases/trump-administration-announces-myhealthedata-initiative-put-patients-center-us-healthcare-system
[iv] https://www.federalregister.gov/documents/2020/05/01/2020-07419/21st-century-cures-act-interoperability-information-blocking-and-the-onc-health-it-certification
[v] https://www.federalregister.gov/documents/2020/05/01/2020-05050/medicare-and-medicaid-programs-patient-protection-and-affordable-care-act-interoperability-and