Interpreting the Move Toward Interoperability

On May 1, 2020, the Department of Health and Human Services (HHS) published two Final Rules in the Federal Register aimed at improving interoperability and patient access to health information: one from HHS’ Office of the National Coordinator for Health Information Technology (ONC) and another from its Centers for Medicare and Medicaid Services (CMS).

In its March 9, 2020 press release announcing the Final Rules, HHS stated that “these final rules mark the most extensive healthcare data sharing policies the federal government has implemented, requiring both public and private entities to share health information between patients and other parties while keeping that information private and secure.”[i] The US healthcare industry is already feeling the impact of these rules. Many believe that the long-hoped-for destination of improved care and reduced cost is finally in sight. Others fear that this latest turn will only lead to increased costs and decreased privacy and security of patients’ electronic health information.

In this post, I will examine the latest turn in government policy, away from promoting the adoption of healthcare technology and toward promoting interoperability of that technology. I will review how that turn is expressed in the requirements of the new Rules and the concerns raised about the potential impact of the regulations on the privacy and security of electronic health information. Finally, I will take a look at the possible implications for the industry.

What the New Final Rules Look to Accomplish

The new Final Rules implement portions of the Cures Act, contribute to fulfilling Executive Order 13813[ii] and support President Trump’s MyHealthEData initiative[iii]. How the rules accomplish this is summarized below.

The ONC Final Rule, titled the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program[iv], implements the interoperability provisions of the Cures Act to facilitate the flow of information between providers, payers, and patients. It aims to achieve this by making changes to the ONC Health IT Certification Program, regulating information blocking, and adopting standards for application programming interfaces (APIs) used to exchange healthcare information. The new certification and API requirements apply to developers of certified health IT. The information blocking provisions reach further: they apply to those same developers and also to healthcare providers and health information networks and exchanges.

The CMS Final Rule, titled the Medicare and Medicaid Programs; Patient Protection and Affordable Care Act; Interoperability and Patient Access for Medicare Advantage Organization and Medicaid Managed Care Plans, State Medicaid Agencies, CHIP Agencies, and CHIP Managed Care Entities, Issuers of Qualified Health Plans on the Federally-facilitated Exchanges, and Health Care Providers[v], requires payer-to-payer data exchange, use of the ONC API standards when implementing Patient Access APIs and Provider Directory APIs, and new Conditions of Participation (CoP) notice requirements for hospitals. The payer provisions of the CMS Final Rule apply to Medicare Advantage Organizations, Medicaid Managed Care Plans, State Medicaid Agencies, State Children’s Health Insurance Program (CHIP) Agencies, CHIP Managed Care Entities, and issuers of Qualified Health Plans on the Federally-facilitated Exchanges.

The Resulting Debate Over Security and Privacy

When first proposed, the Rules met with controversy, particularly over the implications for the security and privacy of protected health information. The concerns fell into four areas:

  1. HIPAA will generally not cover third-party app providers, so users’ private health information will be sold and exploited.
  2. Transfers may include information that an enrollee or beneficiary does not want exchanged, such as mental health, substance abuse, women’s health, and family history.
  3. APIs are generally risky, and the required FHIR standard is new; therefore, it does not make sense to allow unregulated third-party apps access through an API at this time.
  4. Providers and payers may face HIPAA liability for the information provided through an API, or for denying or discontinuing access through the API.

HHS addressed each of these concerns in its Response to Public Comments.

Commenters assume that many, if not most, third-party app vendors will provide their applications directly to the public, so the HIPAA Security, Privacy and Breach Notification Rules will not apply. Instead of the protections of HIPAA, a third-party app developer’s use of the information would be governed by the app’s terms of use and privacy policy. The concern expressed by commenters is that many app users will not read or understand the user agreement and privacy policy, so they will not knowingly consent to the use or sale of their information by the third-party app provider. The third-party app providers will, in turn, monetize the data, distribute it widely, fail to protect it, and exploit it to the detriment of the individual to whom the information relates. Together, these two factors would effectively defeat the purposes of HIPAA.

HHS’ response to this argument is that individuals are entitled to their health information. The public is now much more familiar with technology and, in particular, with applications provided for use on devices such as smartphones. The Federal Trade Commission (FTC) enforces against violations of privacy policies, and state privacy laws and regulations apply as well. Furthermore, healthcare organizations are welcome and encouraged to offer education and awareness training to the public on the use of third-party applications and the risks to the security and privacy of their health information. However, organizations may not actively prevent an individual’s use of a third-party application except as provided in the regulations.

Several public comments raised concerns around the transfer of particularly sensitive information, such as mental health, women’s health, substance abuse, or family history. Commenters worry that providers may discriminate based on this information. Commenters also expressed concern that family members’ information will be shared through the APIs, without those individuals’ consent, as part of a patient’s family history.

In response to these concerns, HHS stated that payers’ privacy and security obligations under the HIPAA Rules and 42 CFR part 2 are not changed by the Final Rules. HHS is continuing to work on standards for parsing and segmenting data for consent and privacy management purposes. The health information the Rules currently require to be shared includes claims and encounter data as well as the data classes in version 1 of the United States Core Data for Interoperability (USCDI). Family history is not a specific data class within the USCDI, so HHS does not believe this should be an issue.

Several concerns were raised around the security of the APIs. An API is a software intermediary that allows two applications to talk to each other; one might think of it as a contract between two applications that defines how requests for information are made and how responses are returned. API implementations can be quite complex, and errors in their implementation, or vulnerabilities in the protocols they rely on, can result in unauthorized disclosure of information held by the connected application.

HHS responded to these concerns by stating that it believes the security protocols adopted at 45 CFR 170.215 are sufficient to authenticate users and to authorize individuals to access their own data. The HIPAA Security Rule requirements also continue to apply up to the point at which an organization delivers the information into the third-party app or other recipient’s system. The safeguards under that Rule, such as risk analysis, technical evaluation, audit controls, and encryption, therefore apply to the required APIs.
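The authorization check that the preceding paragraph leans on is worth seeing in code, because the classic API mistake is to validate the token and its scopes but not the patient the token is bound to. The example below is added here and is not code from the page, from HHS, or from any vendor. It assumes the SMART App Launch style of access token that 45 CFR 170.215 adopts (scopes such as patient/Observation.read plus a patient launch context), an in-memory record store, and token claims that have already been signature- and issuer-checked upstream; all names, records and identifiers are constructed for illustration.

```python
"""Patient-scoped authorization for a FHIR Patient Access endpoint.

Added illustration, not code from the page or any vendor. A bearer token
carries SMART-style scopes (e.g. "patient/Observation.read") and a "patient"
launch context. The server must check both before returning a resource;
otherwise one enrollee's token can read another enrollee's records.
"""
from dataclasses import dataclass
import time


class AuthorizationError(Exception):
    """Raised when a request must be refused; map to HTTP 401/403 at the edge."""


@dataclass(frozen=True)
class AccessToken:
    # Hypothetical, already-validated token claims (signature, issuer and
    # audience checks are assumed to have happened upstream).
    subject: str          # the end user who authorized the app
    patient: str          # SMART "patient" context: the only patient in scope
    scopes: frozenset     # granted scopes, e.g. {"patient/Observation.read"}
    expires_at: float     # Unix time


# Constructed sample store keyed by (resourceType, id). Clinical resources
# name the patient they belong to in subject.reference; a Patient resource
# is its own owner.
RECORDS = {
    ("Patient", "p-100"): {"resourceType": "Patient", "id": "p-100"},
    ("Observation", "obs-1"): {"resourceType": "Observation", "id": "obs-1",
                               "subject": {"reference": "Patient/p-100"}},
    ("Observation", "obs-2"): {"resourceType": "Observation", "id": "obs-2",
                               "subject": {"reference": "Patient/p-200"}},
    ("Condition", "cond-1"): {"resourceType": "Condition", "id": "cond-1",
                              "subject": {"reference": "Patient/p-100"}},
}


def owning_patient(resource):
    """Return the Patient/<id> reference the resource belongs to."""
    if resource["resourceType"] == "Patient":
        return f"Patient/{resource['id']}"
    return resource["subject"]["reference"]


def scope_permits(scopes, resource_type, action="read"):
    """SMART v1 scope check: patient/<Type>.<read|write|*> or patient/*.<...>."""
    for scope in scopes:
        if not scope.startswith("patient/"):
            continue  # user/ and system/ scopes are not patient-facing; ignored here
        rtype, _, act = scope[len("patient/"):].partition(".")
        if rtype in ("*", resource_type) and act in ("*", action):
            return True
    return False


def fetch_resource_unsafe(token, resource_type, resource_id):
    """The mistake commenters worried about: the scope is checked but the
    patient context is not, so any valid token can read any patient's data."""
    if not scope_permits(token.scopes, resource_type):
        raise AuthorizationError("insufficient scope")
    return RECORDS[(resource_type, resource_id)]


def fetch_resource(token, resource_type, resource_id, now=None):
    """Hardened read: expiry, scope, then patient-context check."""
    now = time.time() if now is None else now
    if now >= token.expires_at:
        raise AuthorizationError("token expired")
    if not scope_permits(token.scopes, resource_type):
        raise AuthorizationError("insufficient scope")
    resource = RECORDS.get((resource_type, resource_id))
    # Unknown ids and other patients' records get the same answer, so the
    # endpoint does not confirm which ids exist.
    if resource is None or owning_patient(resource) != f"Patient/{token.patient}":
        raise AuthorizationError("not authorized for this resource")
    return resource


if __name__ == "__main__":
    tok = AccessToken("user-1", "p-100",
                      frozenset({"patient/Observation.read", "patient/Patient.read"}),
                      expires_at=time.time() + 3600)
    print(fetch_resource(tok, "Observation", "obs-1")["id"])          # own record
    print(fetch_resource_unsafe(tok, "Observation", "obs-2")["id"])   # leak: p-200's record
    try:
        fetch_resource(tok, "Observation", "obs-2")
    except AuthorizationError as err:
        print("refused:", err)
```

The ordering matters for the audit trail the Security Rule expects: expiry and scope failures are logged as the app misbehaving, while a patient-context failure on a well-formed request is the signal a SOC should treat as probing for other enrollees' records.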

Several concerns related to the potential for HIPAA liability for issues with the API, mostly associated with the use of the data after it has been accessed. In its response, HHS was relatively clear on where the boundary line of HIPAA liability resides: at the point where the data enters the third-party application. The security and privacy of ePHI within the organization’s environment, passing through the API, or in transit over the Internet to the third-party app remains the organization’s responsibility for HIPAA compliance purposes. Furthermore, if an organization determines through its HIPAA risk analysis that exchanging information with a particular app or third-party developer is too risky, it may deny access.

The Challenges of Implementation and Compliance

The table below lists the original compliance dates for requirements under the new Rules. Some of these dates have changed due to COVID-19. Organizations should check with HHS for the most current deadlines.

Compliance Date | Requirement | Covered Parties
--- | --- | ---
November 1, 2020 | ONC Rule – Information blocking (EHI limited to USCDI data elements) | Healthcare providers, health IT developers of certified health IT, health information networks and exchanges
November 1, 2020 | ONC Rule – API requirements | Certified API developers with API technology certified to the criteria in 45 CFR § 170.315(g)(7), (8), or (9)
November 1, 2020 | CMS Rule – Condition of Participation (CoP) notice requirements (real-time patient event notifications) | Acute care hospitals, psychiatric hospitals, and Critical Access Hospitals
January 1, 2021 | CMS Rule – Patient Access and Provider Directory APIs | CMS-regulated payers
January 1, 2022 | CMS Rule – Patient-requested payer-to-payer data exchange | CMS-regulated payers
May 1, 2022 | ONC Rule – Information blocking (all EHI as defined in the Cures Act) | Healthcare providers, health IT developers of certified health IT, health information networks and exchanges
May 1, 2022 | ONC Rule – All API information sources’ technology certified to the ONC Rule’s new criterion at 45 CFR § 170.315(g)(10) | Certified API developers previously certified to the criterion at 45 CFR § 170.315(g)(8)

The cost of implementing the new Rules is not trivial. HHS estimates it will cost organizations billions of dollars to implement and maintain the required APIs and data exchanges. The risks associated with implementing the APIs are also high: developers and IT administrators will make mistakes, and attackers will inevitably target these APIs. Together, these threats will cost organizations millions more as a result of data breaches.

Are these projected costs so high as to justify not going forward with the new requirements? Those calling the shots in the federal government and particularly at HHS do not think so. They are probably right if the new Rules deliver us to the hoped-for destination of improved care at a reduced cost. If, however, these new Rules don’t achieve that goal, then the industry will be left to wonder where to turn next or whether we are searching for a destination that might not exist.

Contact Jon with your comments and questions at

For further insight on how to manage data flow through APIs, review the Clearwater on-demand webinar Responding to Privacy and Security Concerns Surrounding APIs and Consumer Health Apps. To learn more about how to develop your interoperability compliance strategy, review the Clearwater on-demand webinar Understanding the Exceptions to Information Blocking.

[i] “HHS Finalizes Historic Rules to Provide Patients More Control of Their Health Data.” HHS.gov, U.S. Department of Health and Human Services, 9 March 2020, available at
[ii] 82 FR 48385, 12 October 2017, Promoting Healthcare Choice and Competition Across the United States
[iii] “Trump Administration Announces MyHealthEData Initiative to Put Patients at the Center of US Healthcare System.” CMS.gov, Centers for Medicare & Medicaid Services, 6 March 2018, available at
[iv]
[v]

