Historic changes are coming as a result of interoperability final rules released by the US Department of Health and Human Services (HHS) earlier this year. The two main purposes of the new regulations are to advance data sharing between health systems and grant patients unprecedented control over their care via mobile apps of their choice.
The rules will gradually start to take effect in November 2020 and impact all major industry players — hospitals, health insurers, and health IT developers. Below, we’ll explore the timeline and what stakeholders must do to comply with new policies.
Adopting new interoperability standards: what is FHIR and USCDI?To enable nationwide sharing of health related data, all key players will have to implement two new standards to fuel smooth data exchange. This includes:
- the 4th version of Fast Healthcare Interoperability Resources from HL7 International (HL7 FHIR), and
- US Core Data for Interoperability (USCDI).
How interoperability in healthcare will work using FHIR-based APIs, according to the final rules.USCDI outlines what pieces of information must be shared on a patient’s request. The standard replaced the prior Common Clinical Data Set (CCDS) expanding it with two data classes:
- clinical notes, both structured and unstructured, and
- provenance, or extra information about who created the data and when it was created.
USCDI data classes and elements. Source: HIMSS ReportWidespread transition to USCDI data exchange via FHIR-based APIs will expedite the realization of the guiding principle behind the final rules — to make healthcare like any other consumer service by enabling consumers to “shop” for providers and insurers right on their smartphones.
The full list of interoperability rules, players affected, and compliance timeframes.All that said, let’s look at the most pressing requirements involving new standards in more detail.
Information Blocking provisionWho is affected: healthcare providers, health IT developers
Compliance date: November 2, 2020
Information blocking occurs when something prevents access to electronic health information (EHI), its use, and exchange. This includes restrictions enforced by licenses, contracts, and organization policies, limiting technological measures, or cases when a healthcare provider simply refuses to provide necessary data.
The rule developed by the Office of the National Coordinator for Health Information Technology (ONC) requires EHR system developers to enable access to their software via FHIR-based APIs. Healthcare providers, at their end, must utilize the APIs to give patients easy access to USCDI data elements. While patients have been able to get personal health information, hospitals didn’t have to deliver data in a standard online format.
The fine for violation of the rule can be as high as $1 million for IT vendors, while penalties for providers are not yet specified. However, there are situations when information blocking is acceptable. For example, it won’t be considered a violation if data is temporarily unavailable due to a natural disaster, Internet outage, or maintenance activities. To learn more, you can read the official document explaining information blocking exceptions.
It’s worth noting that a denial of data access that doesn’t fall within exceptions won’t automatically be regarded as a violation. Each situation will be judged separately to identify whether or not information blocking has happened.
Admission, Discharge, and Transfer (ADT) Notifications provisionWho is affected: hospitals participating in Medicare and Medicaid health plans
Compliance date: November 2, 2020
Under the ADT provision, hospitals are required to send alerts to practitioners and care managers when a patient is registered in an emergency department, admitted to a hospital, transferred to another facility, or discharged to their home.
The messages must include the following data:
- the patient’s name,
- the treating provider’s name, and
- the sending institution’s name.
Real-time ADT notifications are expected to improve patient care via health information exchange. The provision also aims at detecting patient leakage, identifying frequent users of healthcare systems, and preventing avoidable readmissions.
Patient Access API and Provider Directory API provisionWho is affected: CMS-regulated payers
Compliance date: January 1, 2021
This provision obliges insurers regulated by the Centers for Medicare and Medicaid Services (CMS) to implement two types of FHIR-based APIs. The Patient Access API will allow health plan enrollees to request data on claims, costs, and clinical data. All this information must be available no later than one business day after a payer receives it.
A separate public-facing API will give patients access to accurate and up-to-date provider directories — listings of hospitals, pharmacies, clinicians, and other entities participating in a particular plan. At a bare minimum, the data must include provider names, addresses, phone numbers, and specialties. This will enable patients to get information on providers and, as a result, make well-informed decisions on their care.
Payer-to-Payer Data Exchange provisionWho is affected: CMS-regulated payers
Compliance date: January 1, 2022
Beyond payer-to-patient data sharing, by 2022 CMS-regulated payers must be ready to exchange patient clinical data between themselves on an enrollee’s request. This measure further supports the ability of patients to easily coordinate their care and switch between health plans. The provision also facilitates the smooth flow of electronic data within the healthcare systems.
Payers don’t have to update or correct data received from another payer. They are also free to choose a method of electronic exchange including the use of APIs. But in the future, the rule may require to utilize FHIR-based APIs only. So, it makes sense to adopt the new standard for sharing data with other payers from the very beginning.
New Standardized API Functionality provisionWho is affected: healthcare providers, health IT developers
Compliance date: May 2, 2022
Final Rules require hospitals to use two types of API-enabled functionality — for single patients and for groups of patients. This so-called Standardized API for Patient and Population Services will replace the current “Application access — data category request” criterion.
API services focusing on a single patient will deal with third-party apps used to access personal medical data and with solutions implemented by health care providers to enhance their workflow.
In turn, population-level API services will cater to the needs of applications that improve healthcare management, help hospitals deliver better care for multiple patients, support machine learning, big data analytics, and other powerful computing techniques.
EHI Export Capability provisionWho is affected: healthcare providers, health IT developers
Compliance date: May 2, 2023
Today exchangeable electronic health information is restricted to the USCDI standard. However, it is anticipated that the scope of information exposed via APIs will significantly increase. By 2023, EHI will likely cover other elements, including administrative and billing data that is often stored and managed in separate practice management systems, outside the core EHR systems. Under the EHI Export Capability provision, actors will have to provide access to additional information, currently kept in fragmented databases.
Key steps to meet the new requirementsThe final rules have drawn an avalanche of criticism — and not without a reason. The most often cited issues are immaturity of FHIR 4.0, the lack of time to thoroughly test all the technologies, and the impact of COVID-19, diverting resources. But the deadlines are already set, and all that is left to do is to meet them. Here are key steps hospitals and health plans have to follow — according to experts in healthcare law and technology.
Review existing systemsThe ONC encourages expanding interoperability of existing infrastructure rather than to entirely replacing it. So, step one should be “a thorough review of all existing systems — not just a technical review, but a process review,” argues Brennan Mason, the chief marketing officer at Bridge Connector, which offers data-driven workflow automation to solve health IT interoperability challenges. It’s necessary to understand how your data points “touch the patient experience and flow (or not) into each other”.
Put a plan in placeWhen the whole picture is captured, it’s important to shape a compliance roadmap. “While enforcement will not kick in until November 2, practices should start working with EMR or EHR providers now to have a plan in place for record requests,” — Heather Macre, healthcare attorney at Fennemore Craig recommends. “These policies should include what records are subject to the new rules, the manner in which patient identities will be confirmed, how to spot abuse, etc. They also should take into account both state and federal law”.
Consider a cloud services provider for interoperabilityA relatively fast and cost-effective way to create an interoperable infrastructure on top of the existing system is to use cloud services supporting the FHIR standard. Among leaders who help care providers, payers, developers, device makers and everyone working with health data achieve interoperability are:
- Azure API for FHIR
- IBM FHIR Server
- Google Cloud Healthcare API
- Oracle Healthcare Data Repository
- Connected Consumer Health Solution
Educate staff and patientsTo meet requirements of the final rules — and specifically the information blocking provision — “Staff should also be trained in handling requests and this can be combined with HIPAA/HITECH and EMR training” Heather Macre suggests.
Dr Chris Norris, Clinical Associate Professor at the University of California now working with Sleep Standards, adds that health providers and health plans should also consider “educating their patients about the benefits and potential risks involved in using third-party apps to access and aggregate their information.”
CMS authorities also emphasize that hospitals and payers should educate patients on how to choose third-party software and warn of dangers associated with transferring data to an app not covered by HIPAA.
In the end, final rules will bring profitThe HHS anticipates that, when introduced, final regulations will save about $3.3 billion annually. Currently, however, they put a heavy financial burden on hospitals, IT providers, and insurers. For example, the cost of API implementation and maintenance is estimated to be about $1.6 million per organization during the first year.
To make the process less stressful, ONC and CMS — the two designers and initiators of the final rules — set a three to six-month window between the implementation or compliance date and the enforcement discretion date. During this period, each instance of non-compliance will be addressed individually to give the healthcare system additional “flexibility for development and implementation.” The entire transition will take more than two years.
As Heather Macre sums it up, “Interoperability causes a painful uptick in costs but they will go down over time.” Eventually, smooth data exchange will reduce expenses, resulting in more effective treatment plans, enhanced patient experience, and increased productivity. Even more important, it will eventually improve the health of the entire population. At least, the majority of experts hope so.