On March 9, 2020, the Department of Health and Human Services (HHS) announced final rules seeking to give patients more access to, and control of, their health data. The final rules were issued by the Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare and Medicaid Services (CMS). The ONC rule is available here and the CMS rule here. Both rules implement interoperability and patient access provisions from the 21st Century Cures Act and the Trump administration’s MyHealthEData initiative.

HHS describes the finalizing of these rules as “the most extensive healthcare data sharing policies the federal government has implemented, requiring both public and private entities to share health information between patients and other parties while keeping that information private and secure.” The rules focus on data interoperability, preventing information blocking, and facilitating patient access to electronic health records (EHRs). The rules are effective 60 days after publication in the Federal Register.

Below are some highlights:

Data Interoperability

The ONC rule changes the minimum commonly available baseline data requirements for interoperable exchange required for EHR certification. Certification now requires that EHRs meet United States Core Data for Interoperability (USCDI) standards, replacing the previously used Common Clinical Data Set (CCDS). The USCDI is a standardized data set that “includes ‘clinical notes,’ allergies, and medications among other important clinical data, to help improve the flow of electronic health information and ensure that the information can be effectively understood when it is received.” The CCDS standard and supplemental requirements will remain valid for 24 months after the date of this rule’s publication in the Federal Register. This requirement of increased data interoperability is one of many changes the rules make to the EHR certification requirements.

Preventing Information Blocking

The ONC rule also uses the EHR certification requirements to prevent information blocking, which is behavior likely to interfere with, prevent, or discourage the use of electronic health information. Some examples of information blocking include implementing health IT in nonstandard ways that burden the use of electronic health information, implementing practices that restrict authorized access for treatment and other permitted purposes, and implementing health IT in a way likely to prevent transitions between health IT systems and to lead to fraud, waste, or abuse, or to stifle innovation. The finalized rule makes it a condition of EHR certification that EHR developers not engage in information blocking and that they provide HHS with assurances they will not engage in information blocking. Moreover, the final rule prohibits EHR developers from using EHR contracts to limit certain communications about health IT usability, user experience, interoperability, and security, allowing providers to communicate about these issues.

While the ONC rule focuses on preventing information blocking, it also creates eight exceptions to information blocking when it is reasonable and necessary to interfere with, prevent, or discourage the use of electronic health information. The exceptions are located at 45 C.F.R. §§ 171.201-205, 171.301-303. They cover special circumstances involving patient safety, privacy and security, and necessary business practices. Information blocking civil monetary penalties will not apply when exceptions are met.

Facilitating Patient Access

The rules also aim to increase patient EHR access. The ONC rule establishes new standards-based application programming interface (API) requirements. According to HHS, APIs “allow patients to access their data through any third-party application they choose to connect to the API,” including smartphone applications. Under the ONC rule, EHR certification will require developers of Health IT Modules – which are “any service, component, or combination thereof that can meet the requirements of at least one certification criterion adopted by the Secretary” – to “publish APIs and allow electronic health information from such technology to be accessed, exchanged, and used without special effort through the use of APIs or successor technology or standards.” This will allow patients to securely obtain electronic health information from their provider’s medical record using the smartphone app of their choice.

The CMS rule also attempts to increase access using APIs. The rule requires that beginning January 1, 2021, Medicare Advantage, Medicaid, CHIP, and, for plan years beginning on or after January 1, 2021, plans on the federal Exchanges share claims and other health information with patients via a Patient Access API. This is again targeted at allowing patients to connect third-party applications to their data using the API to facilitate access.

Condition of Participation

The CMS rule also creates a new Condition of Participation (CoP) for all Medicare and Medicaid participating hospitals encouraging access by “requiring them to send electronic notifications to another healthcare facility or community provider or practitioner when a patient is admitted, discharged, or transferred.” CMS has done this by creating a new standard for electronic transmission at 42 C.F.R. § 482.24(d). It requires that hospitals using an electronic medical records system or other electronic administrative system demonstrate:

  1. The system is operational and used for the exchange of patient health information.
  2. The system sends notifications that must include at least patient name, treating practitioner name, and sending institution name.
  3. Consistent with federal and state law and regulations, and not inconsistent with the patient’s expressed privacy preferences, the system sends notifications at the time of:
    1. Registration at the emergency department
    2. Admission to the hospital’s inpatient services
    3. The patient’s discharge or transfer from the hospital’s emergency department
    4. The patient’s discharge or transfer from the hospital’s inpatient services
  4. The system sends the notifications to all applicable post-acute care services providers and suppliers, the patient’s primary care physician, or any other provider the patient indicates is primarily responsible for his or her care.

The CMS rule indicates this change to the CoPs will be effective 6 months after the rule is published in the Federal Register, to give providers time to come into compliance.

As mentioned above, the highlights discussed in this post offer a glimpse at some of the new requirements. As the rules impact payors, providers, health IT vendors, and patients, interested parties should review the finalized rules for applicable new requirements.

This post was authored by Anna Gurevich and Michael Lisitano and is also being shared on our Health Law Diagnosis blog. If you’re interested in getting updates on developments affecting health information privacy and HIPAA related topics, we invite you to subscribe to the blog. Michael is a legal intern at Robinson+Cole and is not yet admitted to practice law.